Educause Security Discussion mailing list archives
Re: Web Browsing Security
From: Tim Doty <tdoty () MST EDU>
Date: Thu, 26 Sep 2013 16:41:14 -0500
We haven't "implemented" NoScript and I don't really recommend it to folks, but Firefox with NoScript is widely used within IT and it may have spread outside of it (as I no longer do support I don't see that many folks' desktops anymore to get a feel for how widely it is installed).
However, many of the people I know who have installed NoScript routinely allow all scripts referenced by a site. In fact, some have complained about having to do so multiple times (which happens when one JavaScript wants to load code from another domain not already referenced).
I am always careful to not actually recommend NoScript because of this, though it does come up as a defense strategy. I love it myself, but few people are happy with a broken Internet and I have noticed most do not understand that there's no meaningful difference between "I got infected when I visited the page" and "I got infected after permitting all scripts -- which is what I always do". In fact, when this point came up earlier this week I was told, in close paraphrase, "it's too much bother trying to figure out which domains to allow to get a page to work, so I just allow them all."
My point is that people want things to "just work" and NoScript, when used effectively, does the exact opposite of that. When I talk about NoScript with people I emphasize how to use it effectively and how much that will break the Internet as I do not want to foster the false sense of security I see people have because "they use NoScript".
FWIW, the feature I would love to see in NoScript is to "allow only for this page/site" so when you allow google.com (required for Google Apps) you can restrict the permission to only Google's sites, not everyone else's. And, if I used Facebook, it would be useful in that situation as well.
Tim Doty

On 09/26/2013 01:17 PM, Bohlk, Christopher J. wrote:

Hi All,

I was interested to know if any of you have implemented either the "No Script" or Web of Trust (WOT) add-ons in Firefox (or similar solutions for other browsers) for staff workstations as a way to help mitigate risk of getting infected with malware through web browsing? If so, can you please share your experiences? If not, what free or commercial solutions have you deployed to help reduce the risk that you found both effective and accepted in higher education?

Thanks,
Chris

The EDUCAUSE Security Constituent Group Listserv

Chris Bohlk, CISSP, C|EH
Pace University
Information Security Officer
Information Technology Services (ITS)
235 Elm Road, West Hall 212A
Briarcliff Manor, NY 10510
(914)923-2649 Office