Buying a stale entry on the NoScript whitelist for $10 is a cute trick, but the important point this post makes is that you basically can't trust NoScript to protect you from browser vulnerabilities. Many of the zillion scripts it effectively whitelists will themselves have DOM corruption flaws. Compared to the effort it takes to build a reliable drive-by browser exploit, evading NoScript is not a meaningful challenge.
> "you basically can't trust NoScript to protect you from browser vulnerabilities"
You make it sound like NoScript should not be trusted. In reality, nothing is secure, but NoScript is one of the better security options (perhaps best?) for helping to prevent a specific set of attacks that use JS to enable.
A flaw was found - and promptly fixed. You are (inadvertently I believe) leading people to drop NoScript and possibly go with something else. Another less mature security tool will have its own share of flaws - likely months or years until they will reach relatively similar ground as NoScript.
No, you've misread the story. They fixed the stale entry that allowed this guy to pay $10 to whitelist all his JavaScript. But any flaw in any of the thousands of JavaScript files on all the other default-whitelisted CDNs will also allow attackers to evade NoScript. The CDNs won't be evil. The authors of those JavaScript files won't be evil. But attackers will mine them for flaws they can use to evade NoScript, and those flaws will be easy to find (especially compared to reliable browser vulnerabilities).
No, NoScript does not protect against JS browser vulnerabilities.
It's all relative. ~3/4 of the default whitelist is Google, Yahoo, Mozilla, Microsoft, Cloudflare. While technically, your "thousands of JavaScript files" is true, in reality, it's making the problem sound bigger than it is.
Those 5 organizations have easier ways to attack you than rely on a relatively little-used extension to a relatively little-used web browser. And attacking any of those 5 organizations is no easy feat.
Firefox + NoScript is still one of the best bang for the buck security improvements any ordinary user can make. Is it foolproof? Heck no. Will it stop even a brainless script kiddie intent on hacking you? Not necessarily. But it will eliminate a number of drive-by attacks.
Readers should keep converting their moms and dads and grandmas to Firefox + NoScript. Simple and great bang for the buck security.
You are still missing my point, which is frustrating, because I tried to make it clearer last comment. I am not saying Google will try to screw you. I am not even saying the author of the specific JavaScript that provides an easy NoScript evasion will be trying to screw you. I am saying that it is not uncommon to find DOM corruption flaws in client-side JS libraries, and if those libraries are hosted on whitelisted CDNs, those flaws are all NoScript evasions.
Two things that may not be intuitively clear to every reader:
1. No way do all of those sites actually do full security audits for every .js file on their domain. (Google comes close.)
2. The specific kind of security flaw we're talking about is not necessarily "interesting" outside the context of NoScript. There are plenty of client-side DOM corruption bugs that don't even get documented, let alone fixed, because they can't easily be used to compromise a user session. But they will work fine for getting the right chunk of malicious JS delivered to end-users.
I'm not anti-NoScript. But don't kid yourself about its utility against browser JS vulns. Before you get your dad to install NoScript, make sure he's patched. Try to get him to switch to Chrome while you're at it.
No, it really does not. It prohibits an exploit hosted on an unknown site from running.
That is quite different from protecting against JS browser vulnerabilities.
Now, if NoScript added JS sandboxing of some advanced variety employing heuristics such that it detected attempts to exploit vulnerabilities and blocked that code (whilst avoiding solving the halting problem!), then I'd consider a weaker form of the statement, such as "NoScript protects against many JS browser vulnerabilities", as true. But AFAIK, it doesn't do anything like that.
It doesn't even employ signature-based techniques that could also protect against some vulnerabilities.
Actually I just remove all of the default whitelist stuff when I first install it. Problem solved.
The whitelist did surprise me last time, though. I was baffled why Gmail was working without me having to permanently allow it. Then I discovered the whitelist. Whoa. What a dumb idea.