Wednesday, July 20, 2011

Browser Add-ons Part 1: No Script

I plan to devote several posts to some really great browser add-ons, also known as extensions. Sadly, I can't claim that I wrote them, but I can share them, so that is what I intend to do.

Before I dive into it, a brief explanation of what a browser add-on is and does may be in order. A browser add-on gives your Internet browser functionality that isn't built into it, or isn't there natively, as the techies say. There are a lot of add-ons available that can do great things, but be aware that there are plenty that could do more harm than good. I couldn't begin to tell you which ones aren't safe, so instead I will focus on some that I trust and find valuable from a security standpoint.

How websites work is far more complicated than ever before. Many incorporate JavaScript and Flash content, such as those with annoying moving ads. You know the ads, "Try this one weird tip..." Long gone are the days of text-only websites. The danger with these more advanced sites is that they can end up serving malicious code through an attack known as Cross-Site Scripting (XSS). To protect yourself against these attacks you can use an extension called No Script.

No Script is a powerful Firefox add-on that, by default, stops all embedded scripts from running. Why is it a good idea to block all scripts by default? Well, we can't see the scripts being executed in the sites we visit, so we are blind to what they are doing. In the early days of the web, malware was frequently in your face and made a point of letting you know it was there. These days it tends to be far stealthier and more vicious. The benefit of the No Script add-on is that it lets you control what kinds of scripts run in a webpage. Having fine-grained control over what content loads in a website lets you decide how much risk you want to take.

A good way to get familiar with No Script is to try it on a website you trust and see what it does. You'll notice, on a script-heavy page, that much of the site won't load. When you left-click No Script, in the bottom corner of the status bar, a popup menu will appear allowing you to make decisions on what you want to allow, and whether or not those permissions will be permanently trusted. On sites I am not too familiar with, I will enable a script to see if it makes the page more usable; if not, I disable it immediately. I do this with each script that No Script has disabled until I can use the features of the site I want.

Internet Explorer 8 and higher have a similar tool built in; however, it lacks the fine-grained control that No Script offers, and its functionality is rather limited. By Microsoft's own admission when they rolled it out with IE8, it "is not an XSS panacea".

For Safari there is an extension by a third-party developer called JavaScript Blacklist that will block all JavaScript from blacklisted domains. By default it blocks certain sites, but you can add your own to the list. That is about as much control as you'll have with this extension, but it is a good start if you are a Safari user.

Chrome has an extension called JavaScript Blacklist, based on the Safari add-on, that does essentially the same thing as the Safari version and is also customizable. Again, better than nothing.
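To make the difference between the two approaches concrete, here is a small added example (my own illustration, not code from No Script or JavaScript Blacklist) that runs the same page's scripts through a block-by-default list and a blacklist. The hostnames, list contents and function names are constructed, and the subdomain matching is a simplification.

```javascript
// Added illustration: all hostnames and list entries below are constructed.

// Reduce a script's src to a hostname; anything unparsable is untrusted.
function scriptHost(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True if host is the listed domain or one of its subdomains (simplified rule).
function matches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Block by default (the No Script approach): only listed hosts may run scripts.
function allowlistDecision(host, permanent, temporary) {
  if (host === null) return "block";
  if (permanent.some(d => matches(host, d))) return "allow (permanent)";
  if (temporary.some(d => matches(host, d))) return "allow (temporary)";
  return "block";
}

// Allow by default (the JavaScript Blacklist approach): only listed hosts are blocked.
function blacklistDecision(host, blacklist) {
  if (host === null) return "block";
  return blacklist.some(d => matches(host, d)) ? "block" : "allow";
}

// Evaluate every script on a page under both models.
function compare(pageUrl, scriptSrcs, policy) {
  return scriptSrcs.map(src => {
    const host = scriptHost(src, pageUrl);
    return {
      host,
      allowlist: allowlistDecision(host, policy.permanent, policy.temporary),
      blacklist: blacklistDecision(host, policy.blacklist),
    };
  });
}

const PAGE = "https://news.example/story";
const SCRIPTS = ["/js/site.js", "//ads.example.net/banner.js",
  "https://widgets.example.org/share.js", "https://cdn.unfamiliar.example/track.js"];
const POLICY = { permanent: ["news.example"], temporary: ["widgets.example.org"],
  blacklist: ["ads.example.net"] };

console.table(compare(PAGE, SCRIPTS, POLICY));
```

The last row is the one to look at: a host that is on neither list is blocked when scripts are off by default, but runs under a blacklist.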

Firefox: No Script: http://noscript.net/
Safari: JavaScript Blacklist: https://extensions.apple.com/
Chrome: JavaScript Blacklist: chrome.google.com/webstore
