Showing results for tags 'noscript'.

Found 2 results

  1. A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.

     Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.

     In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.

     NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.

     Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.

     According to Zerodium, the zero-day affects only the Tor Browser 7.x series. The Tor Browser 8.x branch, released last week, is not affected.

     The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API. The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, hence the reason why the zero-day revealed today does not work on the new Tor Browser 8.x series.

     In an interview with ZDNet, Giorgio Maone, the author of the NoScript extension, said the zero-day was caused by a workaround for NoScript blocking the Tor Browser's in-browser JSON viewer.

     Maone was not aware of the vulnerability before ZDNet contacted him earlier today. After successfully reproducing the issue, Maone promised an update to the NoScript add-on for later today, to mitigate the zero-day's effects.

     "I'm gonna release the update within 24 hours or less, like I always did in the past," Maone told ZDNet.

     The Tor Project replied to ZDNet's request for comment but was not prepared to issue an official statement before this article's publication.

     In an email exchange with ZDNet, Zerodium CEO Chaouki Bekrar provided more details about today's zero-day.

     "We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet.

     "This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.

     "We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.

     "The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.

     "If a user sets his Tor browser security level to "Safest" aiming to block all JavaScript from all websites e.g. to prevent exploits, the disclosed bug would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code, making the 'Safest' security level useless against browser exploits," Bekrar added.

     ZDNet advises Tor Browser 7.x users to update to Tor Browser 8.x, or at least make sure to install the NoScript update that Maone promised for later today. The current NoScript version included with Tor Browser 7.5.6 is NoScript 5.1.8.6.

     UPDATE: Minutes after this article's publication, Maone released NoScript "Classic" version 5.1.8.7, which fixes the zero-day's exploitation vector. The patch came exactly two hours after Zerodium released details on Twitter. Maone also told ZDNet that the bug was introduced in NoScript 5.0.4, released on May the 11th 2017.

     Source
  2. A complete NoScript Security suite extension guide for the Firefox web browser version 57 and newer.

     The developer of the popular Firefox security add-on NoScript launched a Firefox 57 compatible version of the extension shortly after the release of the Firefox 57 browser. He worked with Mozilla to create the new version of NoScript and implemented options to migrate settings from classic versions of NoScript to the new version.

     The initial version received mixed reviews. Some users heralded the effort and were happy that NoScript was available for Firefox 57 and newer; others did not like the new user interface or criticized missing functionality.

     Now that the dust has settled, it is time to publish an updated guide for NoScript for Firefox 57 or newer.

     The NoScript for Firefox guide

     NoScript Security Suite is a browser extension for the Firefox web browser designed to give users control over the content that sites may run. The extension blocks JavaScript execution by default, which improves security and privacy significantly. NoScript also supports other security-enhancing features, among them XSS and clickjacking attack protections.

     The NoScript interface

     The main interface of the extension changed completely in the new version. The classic version of NoScript listed connections in a list view on activation; the new version of NoScript uses a matrix instead, similar to how uMatrix handles connections.

     The interface displays a button toolbar at the top and below it the list of domains. NoScript always lists the current domain at the top and below it the third-party connections of the page.

     The padlock symbol displayed next to domains indicates that the connection to it uses HTTPS. Note that the padlock symbol is not displayed for some trust levels.

     Setting trust levels for domains

     Each domain listed by NoScript in its interface has a trust level associated with it.

       • Default -- JavaScript execution is blocked as are objects, media, fonts, and WebGL.
       • Trusted -- Allow JavaScript execution and other elements.
       • Trusted Temporarily -- Allow JavaScript execution and the loading of other elements for the session or until revoked, whichever is first.
       • Untrusted -- Everything is blocked.
       • Custom -- Gives you options to allow or disallow elements individually. You may make these temporary by clicking on the "nearly invisible" temp button next to custom.

     Each domain listed by NoScript has one trust level associated with it. A click on another trust level in a row switches it to the new one automatically.

     The NoScript options reveal the preset permissions for "default", "trusted", and "untrusted". There you may also change the default presets by adding or removing checkmarks.

     The elements that NoScript distinguishes between are:

       • Script -- Any type of script the site attempts to execute.
       • Object -- The HTML object tag.
       • Media -- Media elements.
       • Frame -- Frames that the site attempts to load.
       • Font -- Font elements.
       • WebGL -- WebGL elements.
       • Fetch -- Requests that use fetch APIs.
       • Other -- Unknown.

     The button toolbar

     Seven buttons are displayed on the button toolbar in the latest version of NoScript for Firefox. They are, from left to right:

       • Close the interface.
       • Reload the page.
       • Open the Options.
       • Disable restrictions globally.
       • Disable restrictions for this tab.
       • Set all on the page to temporarily trusted.
       • Revoke temporary permissions.

     NoScript adds a context menu item to the right-click menu automatically. It has limited use though; a click on it displays the main NoScript interface at the top of the browser UI. You can disable the context menu entry in the options.

     Using NoScript

     Understanding how NoScript trust levels work is essential to using the extension to its fullest potential.

     NoScript indicates blocked items in its icon when you load sites in the Firefox browser. A click on the icon displays the connections the extension recognized and trust levels for each site. Note that these may not be all connections a site makes. Since you don't allow the execution of scripts by default, sites may not be able to initiate all third-party connections right away.

     If you allow scripts to run on the main domain, you may notice that it attempts to make additional connections when those get loaded.

     Tip: Hover over any domain listed by NoScript and click on it to open a page full of links to privacy and security services that display information about the domain.

     It may not be necessary to make any changes to trust levels if the site functions properly. You may notice however that some features may not work properly on first connect.

     Since scripts and other elements are blocked by default, you may notice all sorts of issues related to that. Sites use scripts and other elements for a variety of things, from verifying form submissions and playing videos to often unwanted things such as advertisement or tracking.

     Changing a domain's trust level to "trusted" or "temporarily trusted" allows it to load additional elements whereas a trust level of "untrusted" prevents even more elements.

     Note that trusted and untrusted are permanent changes that remain available.

     Troubleshooting a site comes into play when you notice that site functionality is not available and suspect it is because of the protections that NoScript provides.

     You have a couple of options to deal with the issue. You could temporarily allow a domain or use the custom trust level to set permissions individually for elements.

     I'm not a fan of using the "allow all globally" or "allow all for the tab" options as they are often too broad. While they are comfortable, as you only need to press some buttons to get sites to work, using them eliminates most of the protective functionality of NoScript.

     NoScript comes with a whitelist that includes sites by default. You may want to check it in the options under "per-site permissions" to make sure that you trust them all. There is unfortunately no option to remove sites that are on the list by default but you can change the level from trusted to default or even untrusted.

     If you migrated from a previous version of NoScript, you should see all custom sites there.

     Check out our guide on using NoScript efficiently for tips on getting the most out of the extension. It offers ten tips, for instance what you may want to do if a site does not load properly with NoScript enabled.

     The options

     The options are somewhat limited at this point in time, especially when you compare them to the options of the classic version of NoScript.

     The NoScript settings are divided into four tabs right now that offer the following functionality:

       • General -- Configure preset permissions for the states Default, Trusted, and Untrusted. Also, enable "disable restrictions globally" and "temporarily set top-level sites to Trusted".
       • Per-site Permissions -- Displays all custom (non-default) permissions. Search included.
       • Appearance -- Hide the context menu item, disable the count badge of the icon, and enable the listing of full addresses in the permissions popup.
       • Advanced -- Manage XSS protection and enable debugging.

     Options can be reset, imported, or exported.

     Resources

       • Official NoScript website: https://noscript.net/
       • NoScript on Mozilla AMO: https://addons.mozilla.org/firefox/addon/noscript/
       • NoScript GitHub: https://github.com/hackademix/noscript

     Source