Interesting Web Social Engineering Security Hole page 2


Running with JS turned off is pretty much turning the Internet off these days, with so much live content and AJAX (for example you can’t use this forum without it).

Turning off scripts in general and enabling them on a per-site basis is more hassle than just living with intrusive and malicious scripts (they’re easier to defend against by being aware of what you’re doing).

Actually, it’s not that bad.
I’ve been using NoScript for many years and at this point, it’s perfectly configured for all the sites I use regularly. For the rest, you don’t usually need JS enabled to be able to read articles and follow links, which is what I usually do in “unknown” sites; they’re mostly blogs or forums which don’t need the reader to enable JS.
Also, the speed gain is appreciated on the old computer.

But to each his own. I like to have control over things that want to run on my browser/computer or access my information in any way.

 

lol… I like how the younger people on this forum are all pushing for using stuff like NoScript or never using ctrl+F and blaming “uneducated people” for falling for scams, while the more senior people are all accepting that this is a potentially harmful exploit compared with the other phishing scams out there, and are agreeing that blocking JavaScript or not using the find feature is just plain ridiculous.

/flameshield

I personally would never block JavaScript, or even rely on whitelists, since I use StumbleUpon, and whitelisting every site I stumble on defeats the purpose of whitelisting in the first place. It is entirely possible to make a phishing site that still contains very interesting content and makes it to the top of Reddit for example. Who immediately goes to check the source code of every page they visit before assuming it’s safe? Especially if it has over 1000 upvotes on Reddit? Whitelisting things only goes so far, is a general hassle, and the scammers are not going to be targeting anyone savvy enough to use a whitelist in the first place.

 
Originally posted by jonathanasdf:

I personally would never block JavaScript, or even rely on whitelists, since I use StumbleUpon, and whitelisting every site I stumble on defeats the purpose of whitelisting in the first place.

So I went and looked up various pages on StumbleUpon just to see if you really have to whitelist them. Turns out, no you don’t, for the most part. You can see all sorts of images and videos without JavaScript.

Plus, you can whitelist temporarily, and you can also whitelist only the domain you’re trying to visit without whitelisting the five different ad servers/trackers that want to run JavaScript on that page.

 

I haven’t used that service, but to be fair, the amount of sites which become completely useless without JS are only a few. Of course, you need to enable it to use them fully, so again, it’s a matter of personal choice.
Personally I don’t need that; I leave one or two comments for every hundred articles I read, and as Player_03 said, it’s only a matter of whitelisting it until you leave the site/exit your browser session. I’d say I have to enable JS in less than 15% of the sites I visit in order to access whatever content I’m interested in.

For the rest, allowing the top site is enough in most cases, like in Kong; NS shows adroll, cloudfront, facebook and kongregate in the list of sites requesting to run JS from the forums. From those, all you need to have a fully functional experience is to enable Kongregate. Also, those are just the top sites; sometimes there are more which won’t show up until you allow one or more, like… that Facebook JS could try to grab some more JS from another site… let’s say their CDN, etc, etc. At the end, it’s not uncommon to see over ten different sites trying to run JS that is completely unnecessary and even unrelated to what you expect from the site you’re loading. That can translate into extra memory or bandwidth or loading time, which was my main reason to start using those addons; security was just an extra, since I like to think I have pretty safe browsing practices.

But again, it’s up to you. I’m used to it and pretty happy with the results, but I can see how it could be annoying to some and useless to others.
Also, just to be clear, I didn’t say to disable JavaScript to be safe from those scams, I said I would be safe since I already have JS blocked. “security is just an extra”.
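
The per-domain allowlisting described in the post above, as an added example that is not part of the thread: a simplified model (not NoScript's actual matching logic) of why extra script hosts only show up after you allow the host that loads them. All hostnames and the load graph are constructed for illustration.

```javascript
// Constructed sample: script hosts referenced directly by the page's HTML.
const DOCUMENT_SCRIPTS = ["forum.example", "ads.example", "cdn.example", "social.example"];

// Constructed sample: hosts that a script requests once it is allowed to run.
const SCRIPT_LOADS = {
  "social.example": ["social-cdn.example"],
  "social-cdn.example": ["tracker.example"],
  "ads.example": ["adsync.example"],
};

// Assumption: an allowlist entry covers the host itself and its subdomains.
// The leading dot prevents "evilforum.example" from matching "forum.example".
function isAllowed(host, allowlist) {
  return allowlist.some((entry) => host === entry || host.endsWith("." + entry));
}

// Walk the page load. Every requested host is visible to the blocker, but only
// allowed hosts execute, and only executed scripts can request further hosts.
function simulate(allowlist) {
  const requested = new Set();
  const executed = new Set();
  const queue = [...DOCUMENT_SCRIPTS];
  while (queue.length > 0) {
    const host = queue.shift();
    if (requested.has(host)) continue;
    requested.add(host);
    if (!isAllowed(host, allowlist)) continue; // blocked: its loads never happen
    executed.add(host);
    for (const next of SCRIPT_LOADS[host] || []) queue.push(next);
  }
  const blocked = [...requested].filter((h) => !executed.has(h)).sort();
  return { executed: [...executed].sort(), blocked };
}

// Allowing only the top site: three third-party hosts are listed as blocked.
console.log(simulate(["forum.example"]));
// Allowing one third party reveals the next host in its chain.
console.log(simulate(["forum.example", "social.example"]));
```

In this model `tracker.example` never appears in either list until both `social.example` and `social-cdn.example` are allowed, which is the "won't show up until you allow one or more" behaviour the post describes.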

 
Originally posted by player_03:

Plus, you can whitelist temporarily, and you can also whitelist only the domain you’re trying to visit without whitelisting the five different ad servers/trackers that want to run JavaScript on that page.

Of course, if the server was hacked and malicious code embedded directly into the page’s source, that doesn’t help you anyway.