Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Allow only HTTPS active content (Score 1) 166

NoScript Options>Advanced>HTTPS> Forbid Active Content unless it comes from a secure (HTTPS) connection .

Painful, yes, but it should take care of this kind of attacks, as long as you can trust HTTPS (e.g. with Convergence).

Furthermore, NoScript introduce an experimental "Allow HTTPS scripts globally on HTTPS documents" mode (in Advanced>HTTPS>Permissions) if you value convenience over finer grained security.

Comment Re:why? (Score 4, Informative) 778

Are there still security issues with having JS enabled?

Fresh from the summary of the upcoming BlackHat talk by Jeremiah Grossman, A Million Browser Botnet:

With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. [...] no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way.

Comment Re:Agreed (Score 4, Informative) 778

There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.

In what ways is NoScript more advanced than ScriptSafe?

Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works ;)

Comment Not that simple (Re:Online Advertising Response) (Score 5, Informative) 369

The patch is not exactly a one-liner, because the implemented behavior is not as straight-forward as just "block 3rd party cookies".

It's "block cross-site cookies from origins which I've not visited yet as a 1st party websites and have already 1st party cookies from".

This means, for instance, that Facebook, Google and Twitter gets likely a free-pass to track almost anybody.

And that once you (accidentally or not) click any ad box, you give a free-pass to its advertising agency too.


Submission + - Stallman on Unity: Canonical will have to hand over users' data to governments (benjaminkerensa.com)

Giorgio Maone writes: "Ubuntu developer and fellow mozillian Benjamin Kerensa chatted with various people about the new Amazon Product Results in the Ubuntu 12.10 Unity Dash. Among them, Richard Stallman told him that this feature is bad because: 1. "If Canonical gets this data, it will be forced to hand it over to various governments."; 2. Amazon is bad. Concerned people can disable remote data retrieval for any lens and scopes or, more surgically, use sudo apt-get remove unity-lens-shopping."

Comment Re:Inflated Chrome stats because of page prerender (Score 2) 212

I doubt they measure number of pages when measuring market share here.

Wrong, that's exactly what they do: Why do you base your stats on page views rather than unique visitors?

And yes, they're aware of the prerendering Chrome stats inflation problem, even though they believe it doesn't significantly skew their stats, for some reason they're unable to explain themselves (sounds like "faith" or "we're too lazy to adjust our data even though we could").

Comment Re:Only a partial list (Score 5, Informative) 131

Two tiny corrections:
  1. He will find all your installed extensions among the ones he's looking for, because every Chrome extension have a manifest.json file. This means that he just needs to crawl https://chrome.google.com/webstore/category/extensions for GUIDs of all the installable extensions, and he can detect your full extensions list.
  2. There's no such a generic detection method for Firefox extensions. You can detect some (e.g. adblockers) by testing for their specific behavior and effects on web pages (e.g. how some DOM elements have been removed/hidden/inserted), but you can't develop a catch-all detection script, because Firefox extensions are generally undetectable.

Slashdot Top Deals

They are called computers simply because computation is the only significant job that has so far been given to them.