Educause Security Discussion mailing list archives
Re: Web Browsing Security
From: Tim Doty <tdoty () MST EDU>
Date: Thu, 26 Sep 2013 17:04:27 -0500
On 09/26/2013 04:50 PM, Jeff Kell wrote:
> On 9/26/2013 5:41 PM, Tim Doty wrote:
>> We haven't "implemented" NoScript and I don't really recommend it to folks, but Firefox with NoScript is widely used within IT and it may have spread outside of it (as I no longer do support I don't see that many folks' desktops anymore to get a feel for how widely it is installed).
>
> Likewise. I use it, as do many others in IT, but experience with the typical user (if my family is "typical") is they just permit it if the site doesn't work, just as they click on any AUP, or any SSL certificate error, or anything else that gets between them and their destination. I would more heartily recommend AdBlock Plus or similar, as much "malicious javascript" comes from "banner ads" appearing on "otherwise legitimate sites". We also push TippingPoint's reputation filters, which help to block "known malicious sites".
Yes, I should've mentioned AdBlock. After some initial resistance, I was able to get that part of our install. Malvertising is hurting advertising.
>> FWIW, the feature I would love to see in NoScript is to "allow only for this page/site" so when you allow google.com (required for google apps) you can restrict the permission to only google's sites, not everyone else's. And, if I used Facebook, it would be useful in that situation as well.
>
> AFAIK, you can configure NoScript to allow the TLD or subset thereof related to the current page, but I don't think this is the default behavior.
You can, but that isn't the same thing as what I'm talking about. I don't recall all that is required for google apps for edu, so to give a made up example: to use a site company.com also requires allowing scripts from othersite.net. Allowing by same domain is useless here, because the required script is in a different domain (even a different TLD).
You can temporarily allow othersite.net when you use company.com, but during that time any site that wants to run a script hosted on othersite.net will be able to do so, and you have to remember to flush the temporary grants when you're done.
What I would like is to be able to specify a rule such that "allow othersite.net when referenced from company.com", any other references would be denied.
Tim Doty
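
The difference between a global allow and the requested "allow othersite.net when referenced from company.com" rule, modelled as an added example that is not part of the original message and is not NoScript code or configuration syntax. The function names, rule structures and the host `unrelated.example` are assumptions made for the illustration.

```javascript
// Added illustration, not NoScript code. Hostnames are the made-up ones from
// the message; "unrelated.example" is constructed for the demo.

// Naive base domain: the last two labels. Assumption for brevity; a real
// implementation would consult the Public Suffix List.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Scheme 1: global allowlist. The referencing page is ignored, so an allowed
// script domain is allowed on every site that references it.
function globalAllows(allowlist, pageHost, scriptHost) {
  return allowlist.has(baseDomain(scriptHost));
}

// Scheme 2: contextual rules keyed by the page's domain. A script domain is
// allowed only on the pages that explicitly list it; anything else is denied.
function contextualAllows(rules, pageHost, scriptHost) {
  const allowedHere = rules.get(baseDomain(pageHost));
  return allowedHere !== undefined && allowedHere.has(baseDomain(scriptHost));
}

const globalList = new Set(['company.com', 'othersite.net']);
const contextRules = new Map([
  ['company.com', new Set(['company.com', 'othersite.net'])],
]);

// Constructed sample loads: (page being visited, host serving the script).
const sampleLoads = [
  { page: 'www.company.com', script: 'cdn.othersite.net' },
  { page: 'www.company.com', script: 'www.company.com' },
  { page: 'unrelated.example', script: 'cdn.othersite.net' },
  { page: 'unrelated.example', script: 'unrelated.example' },
];

// Evaluate every load under both schemes so the rows can be compared.
function compare(loads) {
  return loads.map(({ page, script }) => ({
    page,
    script,
    global: globalAllows(globalList, page, script),
    contextual: contextualAllows(contextRules, page, script),
  }));
}

console.table(compare(sampleLoads));
```

The third row is the case the message describes: the global scheme lets the unrelated page run the othersite.net script, while the contextual rule denies it.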