Noscript is compromised

liltinkerer.surge.sh/noscript.html
Stumbled on it when I was browsing HN...
I'm just done.
Done.
The only thing I want to do right now is take my fucking thinkpad and throw it at the wall.
How the fuck do I protect myself if noscript is compromised!
Maybe I should look at librejs... Or maybe I should use only a CLI browser. It would be awful, but the fuck...

Use uMatrix you stupid nigger.

Read HN comments, faggot. People on HN recommended uMatrix as replacement.

This means only one thing: most of the Mozilla add-ons are compromised themselves.
Don't even talk about Ublock or Umatrix. These things smell like shit from kilometers away. All of these add-ons are fucked.
The only ones I still consider are request policy and Adblock edge since... They are dropped.

Is it with this mouth that you kiss your mother?

How does this actually affect the addon? Is this "boohoo adblock plus sells whitelists you can disable in a second" all over again or am I missing something?

OP is a faggot.

You trust Adblock Edge but you don't trust its recommendation of a replacement?

Exactly.
I do not trust anyone anymore. Bullshit after bullshit. I'll try to find another way with freejs or something from my own.

It is about the NoScript website displaying an ad that delivers malware to Windows users.

trac.torproject.org/projects/tor/ticket/19280
Some Tor ticket about replacing NoScript.

(BTW, every Tor Browser uses NoScript... Just think about it).

An apology and explanation from the coder:
archive.fo/HFYjp

But why don't you trust uBlock Origin? Is this the "everyone seems to like it" thing again?

uMatrix needs to get webgl and canvas blockers and it would be literally 10/10.

I need 2 extra addons just to disable those. Sometimes I just want to enable javascript, but not give the website what is essentially access to my graphics card and shit.

This needs to be fixed at the source, by reworking the incentives so that ads aren't the only way of making money for random sites on the net.

I use random agent spoofer for webgl and canvas blocker. It blocks a shitload of other stuff too. The other stuff might be redundant with umatrix, I've never used it.

Why have I never noticed this despite using NoScript for as long as I have? It doesn't seem like anything is wrong.

I currently use NoScript, RequestPolicy Continued, and uMatrix.

lurk for a year then post

Botnet is the future. Accept reality.
There are too many people on the earth already; in the coming decades there will be disgustingly more in exponential growth. The only way to manage this huge disgusting mass of humanity is botnet. The freedoms of the past are no longer realistic.

en.wikipedia.org/wiki/Logistic_function#In_ecology:_modeling_population_growth
Literally the only major population growth remaining in the world is Africa because dirt poor niggers.

This /thread.

You should, images and vids are dangerous.

There are terminal browsers with image support.

Thanks faggot, I read the OP article as well. My point is: Why should I care? This seems exactly like the retarded whining about ABP.

Image support from a long time
And wait... You're still using the regular video player from your browser, and not any external player?
Please.

Yeah. I haven't touched noscript in a while.

It's nothing.

Use common sense. NoScript is only for the extremely paranoid.

NoScript is pretty basic and comfy tbh. There are many higher levels on the proper paranoia scale.

it's about ABP and shweindows.
obviously Holla Forums people don't use that crap

He didn't type with his mouth, you stupid faggot.

what

browsers are very conservative when deciding which formats to support and the chance of finding a 0day in a 20-year-old codec is pretty much zero

uMatrix is such a pain in the ass but I guess I'll either go with that or w3m.

Please reveal some of the ways senpai~~

Giorgio Giorgio give me the malwario

...

nah man its easy to use tbh. I switch from no script to ublock origin to umatrix.

I feel safer with noscript because it disables all javascript, I feel safer with ublock/umatrix because it can block all images and 3rd party requests. That and just tell firefox to not save cookies and junk.

I mean that basically covers everything no? anything that can potentially screw you over that is.

And where's the archive faggot? Do you own that clickbait?

uMatrix doesn't take that long to configure at all. Their UI is ingenious.

uMatrix is actually pretty great once you get used to it. The way it's set up makes it easier to tell what scripts you need to allow when a page is broken as you can have ad domains completely blacklisted.

I'm not surprised. The entire concept of piling on tons of "fixes" on top of a shaky foundation never sat well with me. And that's basically what this script-based solution is: some workarounds for what the browser should have already built-in from the very beginning and as a high priority in the design.
I've been using Xombrero precisely for that reason (it handles its own whitelists) but it's not the ideal solution because it uses the webkit library, which isn't maintained all that well.
At this point, I tend to run Xombrero with javascript always disabled except for a few sites that I have to trust (like my bank, for example), and I shy away from random sites that use javascript. And since I avoid js in general, I can use other browsers like Lynx, Links, and Dillo, which are based on their own smaller codebase and not the huge webkit.

Someone brought up the idea of flaws in image viewers on the openbsd-misc mailing lists some months ago. Theo agreed that there was a potential for dangerous bugs (and thus exploits) and he added that nobody today even considers securing this (because they're short-sighted).

The type of guy who implements active subversion of ad-blockers/no-script on his website for malicious ads is also the type of guy to implement some type of malicious shenanigry inside of no-script itself, and do a decent job of hiding it

You are worse than /g/

Congratulations you're the 40th retard :^)

...

I was expecting this to be about the 'WAN IP' feature in noscript that phones home, instead it's nothing.

If noscript is so "shady" and does "bad" things then why hasn't someone forked it and removed all that shit?
Oh right because it's all just FUD.

Or alternatively by Making Ads Great Again, which is what Brave is attempting to do.


What for? There are better addons available already.

Brave is cancer. To fix the real problem you need to rework the pricing structure of internet service. I'm thinking flat rate for speed tier + small charge per unit data transferred for connections you make + smaller credit per unit data transferred for connections others make to you. The problem is ensuring that the pricing isn't too complicated for plebs to understand.

This gives people an actual money incentive to seed bittorrent 24/7. There would be absolute fucking chaos.

I see no problem with that. Consumer grade routers will need to up their game though.

Another issue is that it gives an incentive for websites to get bigger without much limit. That incentive can be removed by making the charges/credit be higher for initial amounts of data before dropping to lower amounts the more data per connection is transferred. But that makes the billing more complicated. Would require some experimentation to get right, I think.

Just turn off JS completely.

The AdBlocker snafu is hardly something I'm going to hold against NoScript. It's been an awesome addon for years and one agitprop article isn't going to get me to abandon it.

Is this an ass dropping a turd?

Not OP, but I use both, since they are not exactly equivalent (firewall vs script blocker).

I'm not sure that's a solution. librejs will merrily run malicious js, as long as it's freely-as-in-freedom licensed malicious js.

btw, the noscript guy is associated with Tails too.

addons.mozilla.org/en-US/firefox/addon/tails-download-and-verify/

But your scheme does not fix the problem. Why would a website owner remove ads instead of getting ad money + data transfer money?

Yeah, no. He wrote a dead simple Firefox browser addon that downloads Tails for you. As far as I can tell, he's not involved with the actual Tails project in any way.

Stop spreading FUD, polesmoker.

You can block all js with umatrix. Just switch scope to *, disable, and save.

...

Ads were never great. In the history of ads no one has ever said "hey, ads are great!"

Seriously, stop with the memeing if you don't understand it user.

...

He didn't do a decent job of hiding anything he's done for money before, so why now? Fuck off, retard

sssh, don't talk against the hugbox

Ads were never great and are just useless noise. You're better off to ditch them entirely, along with big graphics and heavy js and other bandwidth hogs.

It removes the incentive for new websites to serve ads, since they already have a perfectly good source of potential money. It changes the incentives for existing ads to encourage less obnoxiousness and more self hosting, as if they aren't served by you or if they aren't served at all then they aren't getting you transfer money. Finally, it gets rid of the "but won't someone think of the content creators" argument, thus allowing ads to be seen purely as the malware vector they are and adblockers as every person's right to not request ads.

This is ancient news, OP. Install uMatrix; the only thing I miss from NoScript was the way it could force specific sites to load in https which was useful for sites like Holla Forums which aren't supported by HTTPSEverywhere. Apart from that though, uMatrix is a million times more powerful and allows you to control what goes into your browser on a much deeper level.

too bad it cant control what goes into your mom

brb killing myself

How do you know?


If you know how to use it, you can make a site work exactly as you need without advertising to facebook what you are looking for.


If it could, it would be harmful software.

Your mom is harmful meatware.

I don't know if I'd say the extension is compromised, but I sure as fuck don't trust the guy working on it now when he specifically chose an ad that serves malware to host on his site. That he made it to get around adblockers is irrelevant, that it's a static banner that he would have to specifically choose to host is the problem.

Even if the article is retarded clickbait, it's been known for years that NoScript sends your data to Informaction. And besides that, it's bloated as fuck in comparison to uMatrix, which is an important feature in an add-on to a browser that's already bloated and laggy as fuck. There's no reason why anyone on Holla Forums should still be using NoScript.

ggwp

Just adjust uMatrix's default filter then. Takes ten seconds. The defaults actually block a lot of things, just not as much as NoScript. It can block at least as much as NoScript.

HUH?

"The defaults actually block a lot of things,"
It doesn't block as much as NoScript BY DEFAULT, but IT'S CAPABLE OF blocking more than NoScript.

This shouldn't be hard to understand.

How exactly does it work? Is it like NS and requestpolicy/ghostery etc. combined?

This is a screenshot from github.com/gorhill/uMatrix/wiki/Very-bare-walkthrough-for-first-time-users.

The rows represent domains and subdomains. The columns represent content types.

If a rectangle is a shade of red, the corresponding content type is being blocked for the corresponding domain. If it's a shade of green, it's allowed. You can whitelist or blacklist individual rectangles or entire content types or domains. At the left top there's the "All" rectangle, which is the default rule for everything. A more specific rule overrides a less specific rule, so you can blacklist example.org but allow its CSS.

You can very easily block all requests to a domain if you want, not just script execution, but you can also block just script execution or just images. It's very powerful. I think it's much more powerful than NoScript, but it's been something like two years since I last used NoScript so I'm not 100% sure.

I'm currently using NS, ublock origin, disconnect, ghostery, request policy
If I use umatrix, can i drop some of these?

You can drop all of them, although leaving uBlock Origin is helpful because it has cosmetic rules too.

You can already drop some of them. Having Disconnect and Ghostery is redundant, at least. Ghostery sells (anonymized) usage data to advertisers and trackers so I would recommend against Ghostery in general.

...

What about privacy badger? Is that snake-oil as well?

Basically what said.

uMatrix is like RequestPolicy on so many steroids it takes a bigger get than the GigaNigga to kill it. This also includes NoScript functionality, but you have to configure it manually since it allows first party scripts by default.

uBlock Origin used to be used alongside uMatrix for those cosmetic filters, but I think uMatrix includes that option now.

Ghostery is shitty advertising spyware. You should drop it altogether. Also, consider getting HTTPS Everywhere. It's now in the Mozilla Store.

Is there a way to block everything by default for µmatrix? Also how does it do performance wise?

Yes, block everything in the global scope and it'll make it so every website blocks everything by default. To go to the global scope, click on the current domain name on the upper left corner. When the dropdown comes down, click on "*"

Keep in mind that when you tell uMatrix to block everything that includes images and CSS. You might want to whitelist some content types.

To add to this, you can whitelist the images and CSS that come from the 1st party website only
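
The rule precedence described earlier in the thread ("a more specific rule overrides a less specific rule") and the block-everything-by-default setup with first-party images and CSS allowed, as an added example that is not part of the original thread and not uMatrix's own code. It is a simplified JavaScript model: rule lines use uMatrix's `source destination type action` text form, the sample rules and hostnames are constructed, only the global `*` scope is modelled, and `1st-party` is approximated by comparing the last two hostname labels.

```javascript
// Simplified model of a uMatrix-style rule matrix (added example, not uMatrix's code).
// Constructed sample rules: default deny, first-party CSS/images allowed,
// example.org blacklisted except for its CSS.
const RULES = `
* * * block
* 1st-party css allow
* 1st-party image allow
* example.org * block
* example.org css allow
`;

// Parse "<scope> <destination> <type> <action>" lines into a lookup table.
function parseRules(text) {
  const rules = new Map();
  for (const line of text.split('\n')) {
    const parts = line.trim().split(/\s+/);
    if (parts.length !== 4) continue;              // blank or malformed line
    const [scope, dest, type, action] = parts;
    if (scope !== '*') continue;                    // assumption: global scope only
    if (action !== 'allow' && action !== 'block') continue;
    rules.set(`${dest} ${type}`, action);
  }
  return rules;
}

// Assumption: registrable domain = last two labels (no public suffix list).
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Destinations to try, from most specific to least specific.
function destinationChain(pageHost, reqHost) {
  const labels = reqHost.split('.');
  const chain = [];
  for (let i = 0; i < labels.length - 1; i++) chain.push(labels.slice(i).join('.'));
  if (baseDomain(pageHost) === baseDomain(reqHost)) chain.push('1st-party');
  chain.push('*');
  return chain;
}

// First matching cell wins; within one destination a typed rule beats "*".
function evaluate(rules, pageHost, reqHost, type) {
  for (const dest of destinationChain(pageHost, reqHost)) {
    for (const t of [type, '*']) {
      const action = rules.get(`${dest} ${t}`);
      if (action) return { action, rule: `* ${dest} ${t} ${action}` };
    }
  }
  return { action: 'block', rule: '(no rule matched, fail closed)' };
}

// Constructed requests made by a page loaded from news.test.
function demo() {
  const rules = parseRules(RULES);
  const requests = [
    ['example.org', 'script'], ['cdn.example.org', 'css'],
    ['static.news.test', 'image'], ['static.news.test', 'script'],
    ['tracker.test', 'image'],
  ];
  return requests.map(([host, type]) =>
    ({ host, type, ...evaluate(rules, 'news.test', host, type) }));
}

for (const row of demo()) console.log(row.host, row.type, '->', row.action, `[${row.rule}]`);
```

With these rules a first-party script is still blocked by the global default, which is the "block first-party scripts" setup discussed in the thread.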

I switched to * and disabled 1st party scripts and saved it.
Feels safe man.

Looks like some spergs are jealous of noscript's success

But uMatrix is better.

Why bother with umatrix when ublock origins does everything

No, it doesn't. The matrix interface of ublock is very limited.

Can you get uMatrix for Pale Moon?

Use the Firefox version, it's compatible with Pale Moon.

what's the difference between light/dark colored fields?

Explicit and implicit rules. The dark ones are manually marked. The light ones are marked because of rules that were specified in other fields.

So you are telling me to ditch my adblocker and NoScript and just rely on this matrix thingie?

Keep your adblocker, but ditch your NoScript, Disconnect, Ghostery, Request Policy, etcetera for uMatrix.

I thought the adblocker is not needed anymore either?

It's not needed but it handles the hiding better than uMatrix. uMatrix blocks requests, so the ads wouldn't load, but uBlock Origin also removes the elements so that you don't get ugly frames and adblock warnings. You can do without the blocker but I recommend keeping it.

uBlock+uMatrix is the best way to go.

A dumbed down and somewhat inaccurate summary is this:
uBlock blocks known problems with blacklists. Very little page breaking.
uMatrix blocks unknown problems, acting as a sort of whitelist based on the type of thing and where that thing is being loaded from. It gives medium to fine grain control, but is more likely to outright break modern pages filled with bullshit and botnets by default.

## GHOSTERY IS PROPRIETARY MALWARE (OP is a faggot, as always)

????????

I've done this, and also removed flash completely.

Browsing is a painful experience now.

Now I can spend my time on more productive things, thanks autism!

I could follow the link and blindly uninstall noscript, OR I could actually go to the websites myself and verify that the author is full of shit.

Here is how it looks when I am visiting uniblue (which allegedly is paying noscript), and noscripts home page.

Now, where are the weird popups and ads again? 'Cause I ain't seeing any.

I'm this guy

I used adblock plus and windows when I took the screenshots. It would be cool if people stopped believing everyone on the internet so fast. The noscript developer apparently apologized for this a long time ago and it was removed, it's not relevant anymore.

This happened back in 2009. Also it wasn't the last time this guy went out of his way to mess with other addons. NS is deprecated because the author is untrustworthy.

THIS WAS IN 2009, YOU DIP

He already got shit for it and already fixed the fucking issue.

I shouldn't have clicked that fucking link. I'm using a VPN, but I still feel disgusted visiting your shit blog.

Do you have uBlock? uBlock appears to block the ad. If you disable uBlock it appears. The ad doesn't use JS, it's just an image hosted on noscript.net and a link.


No, the issue is still ongoing. See pic related.

See . The incident with actually messing with ABP was from 2009, the incident with the ad that links to malware is ongoing.

I have adblock plus.

That might block it too. However there is still the problem that this malicious ad exists and that given how it's hosted it was specifically approved by the maintainers of NoScript (as they have the banner saved on their servers and aren't loading it from a 3rd party).

So what's the verdict,
no noscript and umatrix or is NS fine to use?

Both are fine to use but uMatrix is a lot better from a practical perspective. NoScript had some shady things in the past but it should be ok now.

would switching to umatrix from noscript be bad for the anonymity of a Tor user? i try to install as few addons to the TBB as possible and that includes switching addons out.

Yeah, but shitlibs and jews are going to bring them all here.

Can I have a config file for umatrix or something? I don't feel like having to do it manually and most of the offending resources will be common to us.

Anyone have a working umatrix filter for facebook?
No matter what I unblock it doesn't work...

You can write up a text file with all the hosts you want blocked and link to it in the dashboard.

Apart from that, it's not difficult to set up your other rules manually. You click the top left corner and select *, then you click the bottom half of the box that says All. Then you click that top left corner again and select the other option. Then you go to all the sites you trust and you click the top half of either First-Party or All depending on how much you trust it, and hit the lock button. You shouldn't have to do anything with it ever again unless you come to trust a new site or stop trusting a site you were using.

So what's the performance impact of running ublock and umatrix?

OP here, my solution is now to simply disable javascript.
My life is so much easier now. For any video related content, I use an external player. I don't need javascript anymore.
I would say that I'm javasFREEpt.

For any online purchase or any forced use of javascript, a simple debian VM snapshot would do the job.

It'll be faster than not using them.

Did I fall for the meme?

I just came to the conclusion that all add-ons are fucked up. Some are maybe less likely to be compromised, like request policy, cookie monster, http referer, but ublock, umatrix, noscript, ABP... In fact, if an add-on is very important and likely to be installed by a lot of people, that means that it's just compromised.
You don't want ads? Just replace your hosts file.
You don't want javascript? Just disable it and have a side browser in a VM to do all your buying.
You want to watch youtube videos? Please use youtube-dl, livestreamer or mpsyt.
You can easily live without javascript. Thanks to this clickbait link for highlighting that I don't need javascript anymore.

Do you have any reason at all to suspect uBlock Origin or uMatrix besides "they're relatively popular"?

>>>/r9k/

Thanks, Holla Forums.

Positive. It will save you more CPU cycles and memory on (not) rendering useless crap than it uses itself.

Of all the traffic filtering addons available, these are the leanest and fastest.

It's a good question. I guess it would depend on how you configure it.

Basically, by blocking JS, you block most conventional ways to profile you and your extensions. However, if you are too aggressive with the blocks, you could end up blocking stuff that NoScript shouldn't block (say, third party CSS and images), which could allow the first party server to contrast information with the other domain, which would reveal that, despite having loaded the main website, you blocked the third (or "second") party domain, which would reveal you have some resource blocking extension.

tl;dr it's all about the way you configure it. Configure it to work like NS and you are fine.