Bad things lurk on the interwebs. Viruses are marginalized by Antivirus software, but most Antivirus software doesn’t protect against malicious websites. Websites can phish and clickjack. They can display an invisible button that infects your computer on top of another button that says “download this antivirus software”. There are actions that can be triggered simply by your mouse moving over an element on a page.
Firefox is a web browser that is constantly gaining market share against Microsoft’s Internet Explorer. While it’s true that Firefox is a secure browser, as is a fully-patched copy of IE, any browser that properly executes JavaScript and other web standards is vulnerable to scripts that are written to do malicious things. The only way to ensure safety on the modern web is by only allowing scripts that you authorize. Later we’ll examine how this safe practice works with Opera, my new favorite web browser, but today we’re going to look at NoScript.
NoScript is a browser add-on for Firefox. I first tried it over a year ago and gave up after a matter of minutes. The default settings for NoScript call for it to present a security warning whenever a website attempts to execute JavaScript, Java, Flash and other scripting technologies on sites you haven’t authorized. Because pretty much every website uses one of these scripting languages for something, and because when you first install NoScript none of the websites are listed as trusted, every single page will present the user with a security warning. The sheer annoyance caused by this behavior resulted in a quick removal from my browsing environment.
I was recently listening to Security Now, my favorite Internet security podcast. NoScript was mentioned as a must for Internet security, along with the secret to maintaining sanity while using it. The secret is to turn off notifications. With notifications turned off, the popups are gone but the security remains. Only if you realize that a site isn’t functioning properly do you need to specifically grant that site permissions to run the scripts. It’s as easy as right-clicking on the website and telling NoScript to allow the site to run scripts. To the right you can see how NoScript shows the scripts that AuctioneerTech attempted to run that were blocked successfully with NoScript.
True, AuctioneerTech doesn’t look as cool without scripts. The pull-quotes – sections of text that are larger and served like pictures showing important passages – don’t work, and neither do the CrunchBase widgets. You won’t see the Google Adsense links to the right or the Google Shared Stuff list at the bottom right, nor will my Google Analytics function. For this reason, I encourage you to select the “Allow all on this page” option if you’re viewing AuctioneerTech with NoScript. However, if this were a malicious website, you would already be infected. This is the reason you should install NoScript on Firefox. You’ll still be able to get at the content you want, without having content you don’t want forced upon you and your computer.
Here’s how to do it. Assuming that you already have Firefox installed, launch it.
- Click the Tools menu at the top of the browser and select Add-ons
- Click the Get Add-ons button at the top left of the box that appears
- In the search box, type noscript and hit enter
- Click on the first result that has the icon that looks like the picture at the top right of this article
- Click the button that reads Add to Firefox…
- You’ll be prompted to confirm your decision. Click Install now on the pop-up.
- Restart Firefox
That’s it. NoScript is installed and you’re safer now than ever before. Here’s how to disable the notifications so you can browse in peace.
- There is now a small NoScript icon at the bottom right of your browser. Click it and select Options.
- Select the Notifications tab at the top
- Un-check the option listed as Show message about blocked scripts
Now you won’t get any popups telling you scripts were disabled. Browse the web with peace and security. If something doesn’t look right, simply enable the scripting on the page.