Educause Security Discussion mailing list archives

Re: Web Browsing Security


From: Tim Doty <tdoty () MST EDU>
Date: Thu, 26 Sep 2013 16:41:14 -0500

We haven't "implemented" NoScript and I don't really recommend it to folks, but Firefox with NoScript is widely used within IT and it may have spread outside of it (as I no longer do support I don't see that many folks' desktops anymore to get a feel for how widely it is installed).

However, many of the people I know who have installed NoScript routinely allow all scripts referenced by a site. In fact, some have complained about having to do so multiple times (which happens when one JavaScript wants to load code from another domain not already referenced).

I am always careful to not actually recommend NoScript because of this, though it does come up as a defense strategy. I love it myself, but few people are happy with a broken Internet and I have noticed most do not understand that there's no meaningful difference between "I got infected when I visited the page" and "I got infected after permitting all scripts -- which is what I always do". In fact, when this point came up earlier this week I was told, in close paraphrase, "it's too much bother trying to figure out which domains to allow to get a page to work, so I just allow them all."

My point is that people want things to "just work" and NoScript, when used effectively, does the exact opposite of that. When I talk about NoScript with people I emphasize how to use it effectively and how much that will break the Internet as I do not want to foster the false sense of security I see people have because "they use NoScript".

FWIW, the feature I would love to see in NoScript is to "allow only for this page/site" so when you allow google.com (required for Google Apps) you can restrict the permission to only Google's sites, not everyone else's. And, if I used Facebook, it would be useful in that situation as well.

Tim Doty

On 09/26/2013 01:17 PM, Bohlk, Christopher J. wrote:
Hi All,

I was interested to know if any of you have implemented either the
"No Script" or Web of Trust (WOT) add-ons in Firefox (or similar
solutions for other browsers) for staff workstations as a way to help
mitigate risk of getting infected with malware through web browsing?
If so, can you please share your experiences?  If not, what free or
commercial solutions have you deployed to help reduce the risk that
you found both effective and accepted in higher education?


Thanks, Chris




The EDUCAUSE Security Constituent Group Listserv

Chris Bohlk, CISSP, C|EH
Pace University
Information Security Officer
Information Technology Services (ITS)
235 Elm Road, West Hall 212A
Briarcliff Manor, NY 10510
(914)923-2649  Office



