Updated: October 14, 2009
A few days ago, I've received a lengthy email from a reader, explaining why using Noscript extension in Firefox is not only not recommended, but also unnecessary and even hazardous to the Internet experience.
While I personally disagree with the binary definition of Noscript usage, as I do think it has a strategic importance in the long run, some tactical adjustments are needed in the short run to make it a useful addition to one's arsenal. In other words, using the tool blindly reduces its effectiveness - that of the whitelisting approach.
The email was a good reminder of that - and an opportunity to elaborate on the subject and provide the right formula for proper Noscript usage. While it may sound trivial to many a geek among us, it is not so for the average computer user. Let's go through the mail, sans personal details, and discuss the points raised.
Here's the first point:
That's an interesting point. To answer it, let's first take a look at what Noscript does.
This means that Firefox breaks functionality. It is one of its intended goals - stop certain parts of the browser from doing what they are meant to do. To what end, you ask?
The first and foremost claim for Noscript usage is security. By blocking dynamic content on untrusted sites, Noscript prevents the running of all known and unknown and potentially malicious exploits targeted at browser vulnerabilities. This significantly reduces the exposure vector, as only static, text content is displayed.
Noscript is designed to block everything and only allow scripts and other plugins on trusted sites. The default-deny approach is also known as whitelisting and is more effective than the signature-based, blacklisting approach. This is because Noscript allows only a small number of trusted sites, a finite group, whereas the blacklisting tools allow everything and have to keep up with an ever-growing, infinite group of threats.
However, since Firefox has a built-in autoupdater and a very fast patch cycle, the chance of a user stumbling across a malicious script capable of exploiting the yet unpatched hole in the browser is quite low.
Let's take a look at the other claim.
Again, valid points all. Using Noscript when going to pages where you are expected to interact with the server and exchange information requires a careful approach.
When you go to a website where you expect to provide your information, make sure you enable all scripts. This means enabling them one by one until no more blocked scripts are left. This implies trust - but you are about to provide your information to the server, so yes, there's trust involved.
Remember to do this any time you are expected to fill out any sort of a form or buy online, including sites like Amazon, eBay, PayPal, forum registrations, etc.
You will have visual clues to help you determine whether you have enabled all scripts on the particular page.
When scripts are blocked, you will see the standard Noscript "no parking" icon in the status bar. For as long as there is even one script blocked, the icon will remain in that form.
Once you have enabled all scripts, the icon will turn into a white circle with blue S in it, without any red lines. This means that all scripts have been enabled and you can now continue with the registration, online payment, etc.
The simplest way to go through the process is to use the all sites feature. Either click on Allow all or Temporarily allow all. Repeat until all scripts are allowed.
True, this is true! The sad paradox of security. Those who need it can't use it and those who can don't need it. What more, ordinary users have no clue what they're doing most of the time.
While I'd like to see Noscript used more widely, I admit it's a geek tool. Noscript is not very useful for clueless people. So what to do then?
Ordinary users should not run their browsers with plugins and scripts blocked. But this exposes them to some risk, you might say. Well, this is why most people should not be running their operating system with the default administrator account enabled and should instead be running a limiter user account. In Windows XP, there's SuRun. In Windows 7, there's UAC. In Linux, things are simpler to begin with, as the operating system comes configured with higher default security settings, including the reduced user privileges. This way, while there might be security issues, their scope will be limited.
Same as above. Ordinary users will have trouble troubleshooting site-related issues when running with scripts and plugins blocked or partially blocked. Unfortunately, there's no easy solution that leaves them with full functionality and Noscript.
No beef here. Noscript breaks functionality. It's one of its mission statements. Users running Noscript need to be aware of this. The whole idea of the extension is to stop scripts from executing. This has a price.
When should you be using Noscript? Or why should you?
I'm going to give you my own perspective. It is not security related, although security comes as a bonus. Here is the one simple reason why I use Noscript on most of my Firefox installations:
Quite a few websites are too noisy in my opinion, with too many elements dancing, drawing your attention and distracting you. Call me old-fashioned, but I just need the raw, naked content and little else. Most of the time, I merely wish to sit down and read what's there.
Noscript makes this task easy as it filters away some of the potential garbage, making sites load faster and with much less background noise than they usually do.
Of course, there are sites where you require the functionality. This is exactly what the whitelisting means. Enable all and everything on sites you trust - but also on sites you want or need. Very simple.
It does require discipline and is definitely not meant for everyone.
That's about it, I think. It answers the questions in this mail.
You may also might be interested in a number of related articles:
There is also a number of other Firefox-related articles, covering Flash installation, how to open .mht files in Firefox, the review of Firefox 3.5 and its memory usage, how to get Flash installed in Firefox on Linux, Ubiquity, Perspective, and more. You can find all of these in the Other sub-section on the Software & security page.
Hopefully, this articles answers some of questions and doubts you may have about Noscript and its use. I do admin there's quite a lot of material to chew on. Noscript is not trivial, even for experienced users.
Using Noscript correctly will ensure much more than security. It will keep you happy and productive, without losing or wasting your time and effort on a misconfigured browser. It will save you the trouble of refilling online forms or dreading that double credit card charge.
With some luck, this article cleared out the fog. Now, you know what to do. Using a tool is only the beginning. Using it correctly is art. I hope you liked it. See you around.