Forgot your password?
typodupeerror

Comment: Allow only HTTPS active content (Score 1) 166

by Giorgio Maone (#47685609) Attached to: Watch a Cat Video, Get Hacked: the Death of Clear-Text

NoScript Options>Advanced>HTTPS> Forbid Active Content unless it comes from a secure (HTTPS) connection .

Painful, yes, but it should take care of this kind of attacks, as long as you can trust HTTPS (e.g. with Convergence).

Furthermore, NoScript 2.6.8.37rc2 introduce an experimental "Allow HTTPS scripts globally on HTTPS documents" mode (in Advanced>HTTPS>Permissions) if you value convenience over finer grained security.

Comment: Re:why? (Score 4, Informative) 778

by Giorgio Maone (#44158513) Attached to: Firefox 23 Makes JavaScript Obligatory

Are there still security issues with having JS enabled?

Fresh from the summary of the upcoming BlackHat talk by Jeremiah Grossman, A Million Browser Botnet:

With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. [...] no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way.

Comment: Re:Agreed (Score 4, Informative) 778

by Giorgio Maone (#44158383) Attached to: Firefox 23 Makes JavaScript Obligatory

There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.

In what ways is NoScript more advanced than ScriptSafe?

Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works ;)

Comment: Not that simple (Re:Online Advertising Response) (Score 5, Informative) 369

by Giorgio Maone (#42991759) Attached to: Firefox Will Soon Block Third-Party Cookies

The patch is not exactly a one-liner, because the implemented behavior is not as straight-forward as just "block 3rd party cookies".

It's "block cross-site cookies from origins which I've not visited yet as a 1st party websites and have already 1st party cookies from".

This means, for instance, that Facebook, Google and Twitter gets likely a free-pass to track almost anybody.

And that once you (accidentally or not) click any ad box, you give a free-pass to its advertising agency too.

Privacy

+ - Stallman on Unity: Canonical will have to hand over users' data to governments->

Submitted by
Giorgio Maone
Giorgio Maone writes "Ubuntu developer and fellow mozillian Benjamin Kerensa chatted with various people about the new Amazon Product Results in the Ubuntu 12.10 Unity Dash. Among them, Richard Stallman told him that this feature is bad because: 1. "If Canonical gets this data, it will be forced to hand it over to various governments."; 2. Amazon is bad. Concerned people can disable remote data retrieval for any lens and scopes or, more surgically, use sudo apt-get remove unity-lens-shopping."
Link to Original Source

Comment: Re:Inflated Chrome stats because of page prerender (Score 2) 212

by Giorgio Maone (#39585041) Attached to: Chrome Beats Internet Explorer On Any Given Sunday

I doubt they measure number of pages when measuring market share here.

Wrong, that's exactly what they do: Why do you base your stats on page views rather than unique visitors?

And yes, they're aware of the prerendering Chrome stats inflation problem, even though they believe it doesn't significantly skew their stats, for some reason they're unable to explain themselves (sounds like "faith" or "we're too lazy to adjust our data even though we could").

Comment: Inflated Chrome stats because of page prerendering (Score 5, Insightful) 212

by Giorgio Maone (#39583813) Attached to: Chrome Beats Internet Explorer On Any Given Sunday

Does StatCounter take in account Chrome's page views inflation caused by its Instant Pages prerendering feature?

I'd be surprised, since even Google Analytics itself is affected...

Anyway, please be careful before announcing "Chrome usage surpassed this or that" :P

Comment: Re:Only a partial list (Score 5, Informative) 131

by Giorgio Maone (#39387581) Attached to: Websites Can Detect What Chrome Extensions You've Installed
Two tiny corrections:
  1. He will find all your installed extensions among the ones he's looking for, because every Chrome extension have a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions for GUIDs of all the installable extensions, and he can detect your full extensions list.
  2. There's no such a generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.

Biology is the only science in which multiplication means the same thing as division.

Working...