Educause Security Discussion mailing list archives

Re: Web Browsing Security


From: Tim Doty <tdoty () MST EDU>
Date: Thu, 26 Sep 2013 17:04:27 -0500

On 09/26/2013 04:50 PM, Jeff Kell wrote:
> On 9/26/2013 5:41 PM, Tim Doty wrote:
>> We haven't "implemented" NoScript and I don't really recommend it to
>> folks, but Firefox with NoScript is widely used within IT and it may
>> have spread outside of it (as I no longer do support I don't see that
>> many folks' desktops anymore to get a feel for how widely it is
>> installed).
>
> Likewise.  I use it, as do many others in IT, but experience with
> typical user (if my family is "typical") is they just permit it if the
> site doesn't work, just as they click on any AUP, or any SSL certificate
> error, or anything else that gets between them and their destination.
>
> I would more heartily recommend AdBlock Plus or similar, as much
> "malicious javascript" comes from "banner ads" appearing on "otherwise
> legitimate sites".  We also push TippingPoint's reputation filters,
> which help to block "known malicious sites".

Yes, I should've mentioned AdBlock. After some initial resistance, I was able to get that made part of our install. Malvertising is hurting advertising.


>> FWIW, the feature I would love to see in NoScript is to "allow only
>> for this page/site" so when you allow google.com (required for google
>> apps) you can restrict the permission to only google's sites, not
>> everyone else's. And, if I used Facebook, it would be useful in that
>> situation as well.
>
> AFAIK, you can configure NoScript to allow the TLD or subset thereof
> related to the current page, but I don't think this is the default behavior.

You can, but that isn't the same thing as what I'm talking about. I don't recall all that is required for google apps for edu, so to give a made up example: to use a site company.com also requires allowing scripts from othersite.net. Allowing by same domain is useless here, because the required script is in a different domain (even a different TLD).

You can temporarily allow othersite.net when you use company.com, but during that time any site that wants to run a script hosted on othersite.net will be able to do so, and you have to remember to flush the temporary grants when you're done.

What I would like is to be able to specify a rule such that "allow othersite.net when referenced from company.com", any other references would be denied.

Tim Doty
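The contextual allow rule described in the message above, as an added example written for this page (it is not NoScript's code and does not use NoScript's configuration format): a toy script-allow policy that permits scripts from othersite.net only when the top-level page is on company.com, beside a NoScript-style temporary (global) allow that shows why such a grant leaks to every other site. company.com and othersite.net are the thread's made-up domains; evil.example and the policy shape are assumptions made here.

```javascript
// Added example, not NoScript's code: a toy script-allow policy that models the
// "allow othersite.net only when referenced from company.com" rule from the thread.
// Domains are the thread's made-up ones plus evil.example, constructed for illustration.

// Policy shape (assumed here):
//   globalAllow      - domains whose scripts may run on any page (NoScript-style "Allow").
//   contextualAllow  - script domain -> set of top-level page domains allowed to load it.
const policy = {
  globalAllow: new Set(["company.com"]),
  contextualAllow: new Map([["othersite.net", new Set(["company.com"])]]),
};

// Domain match by label suffix: "cdn.othersite.net" matches "othersite.net",
// but the look-alike "notothersite.net" does not.
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function hostOf(url) {
  return new URL(url).hostname;
}

// Decide whether a script at scriptUrl may run on the top-level page at pageUrl.
// Only the top-level page origin is consulted, which the browser knows directly;
// nothing here trusts a Referer header supplied by the site.
function allowScript(pageUrl, scriptUrl, p = policy) {
  const page = hostOf(pageUrl);
  const script = hostOf(scriptUrl);

  for (const d of p.globalAllow) {
    if (matchesDomain(script, d)) return true;
  }
  for (const [scriptDomain, pages] of p.contextualAllow) {
    if (!matchesDomain(script, scriptDomain)) continue;
    for (const pageDomain of pages) {
      if (matchesDomain(page, pageDomain)) return true;
    }
  }
  return false;
}

// A NoScript-style "Temporarily allow" has no page context: it is a global
// allow until the user revokes it, which is the leak the thread describes.
function withTemporaryAllow(p, domain) {
  return {
    globalAllow: new Set([...p.globalAllow, domain]),
    contextualAllow: p.contextualAllow,
  };
}

// Walk through the thread's scenario and return the decisions.
function scenario() {
  const lib = "https://cdn.othersite.net/lib.js";
  const temp = withTemporaryAllow(policy, "othersite.net");
  return {
    // contextual rule: company.com may use othersite.net, evil.example may not
    contextualOnCompany: allowScript("https://company.com/app", lib),
    contextualOnEvil: allowScript("https://evil.example/", lib),
    // temporary global allow: evil.example gets othersite.net too, until the grant is flushed
    temporaryOnEvil: allowScript("https://evil.example/", lib, temp),
    // a look-alike domain must not be matched by the suffix rule
    lookalike: allowScript("https://company.com/app", "https://notothersite.net/lib.js"),
  };
}

console.log(scenario());
```

The rule keys on the top-level page origin rather than on the Referer header, because a site can suppress or alter what it sends as Referer while the browser always knows which page it is rendering. A global allow still has no page context, so company.com's own scripts remain runnable from any page under this toy policy, exactly as NoScript's domain allow behaves.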
