Developer

An interview with Giorgio Maone, creator of NoScript

We know all about NoScript, but not much about its developer. Michael Kassner thought it was time to change that.

NoScript has won awards every year since its official release in 2005. Several colleagues of mine, who happen to be Google fan boys, flatly refuse to switch from Firefox to Chrome, simply because of NoScript. I wrote about Chrome when it first came out, and many of the TechRepublic members who commented were not about to give up NoScript, regardless of Chrome's built-in security features.

Why the accolades and overwhelming loyalty? It's simple, NoScript does what it advertises and does it well.

Who is Giorgio Maone?

To be honest, I've known Giorgio, the creator of NoScript for several years, having discussed particulars about his app on several occasions. I just haven't taken the time to get to know him personally. I decided it was time to change that.

Kassner: Hello, Giorgio. Thanks for agreeing to this interview. NoScript is a highly-regarded security addon for Firefox. Why was it important for you to develop NoScript? Maone: The first zero-day Firefox vulnerability surfaced in 2005. The vulnerability allowed attackers to install malware on a computer just from visiting the attack website. The suggested remedy was disabling JavaScript. But that's impractical, because many websites break if JavaScript is disabled.

I wondered if a way to keep both usability and security existed, and decided to do something about it. I grabbed my coffee, sat down at the computer, and in three days created NoScript. Back then, I had no idea how much that 72-hour coding marathon was going to change my life.

Kassner: I for one am glad you did. Next question — how does NoScript work? Maone: The functionality behind NoScript's name is the ability to disable JavaScript, Flash, Java, and other active content — plug-ins mostly — that allow webpages to run as programs inside the web browser.

NoScript by default blocks all the active content on any web page, which may break some website functionality. To prevent that, the user must tell NoScript what script sources are to be trusted by choosing them from a menu. NoScript then remembers the choices in a permanent whitelist. This reduces the opportunities an attacker has to run malicious code, while preserving full functionality where needed.

Over time NoScript has grown; offering security features independent of script and content blocking. Among the web-based attacks NoScript prevents — even with scripting enabled — are:

  • XSS: "Injection Checker" prevents malicious web pages from injecting their scripts inside other sites.
  • Clickjacking: The ClearClick feature is the only effective client-side protection against this attack so far.
  • CSRF: The ABE module intercepts by default any cross-zone HTTP payload.
  • MITM: NoScript can make sure HTTPS is used if it is available, preventing this type of attack.
Kassner: What insight can you offer people who are trying to decide what to do with a specific script or plug-in source? Maone: People need to base their decisions on social and economic reasons, not technical ones. For example:
  • Do I really need to interact with this website?
  • What kind of relationship am I entering into with the website's owner?
  • Can I obtain compensation if my computer is compromised?

NoScript further helps by showing the script sources a web page attempts to load, letting you control them individually — even trusted websites may link third-party scripts which may not deserve the same level of trust. Also, if you don't know who a certain script belongs to or if you can't figure out the script's role, middle click or shift click the NoScript menu entry to obtain information about it.

Kassner: I read somewhere users who "allow all scripts" still have some benefit. Is that correct? Maone: That's right. The additional features listed above work independently of script and plug-in permissions. So, rather than uninstall NoScript, it is better to use the Allow scripts globally command. Another advantage that remains is the ability to blacklist individual sites. Kassner: Now for the tough question, fast-forward 20 years — will NoScript still be around? Maone: I firmly believe NoScript will be needed for the foreseeable future. As long as software programs are used as mediators between us and the outside world ("User Agents", like Firefox to access the Internet), there will be those who figure out ways to exploit users (Social engineering), the user agent (browser design flaws) and the world (web-application security issues).

Over time, I have observed three kinds of human reactions:

  • The ones yelling, "the sky is falling," "the Internet is broken," and "we're all doomed."
  • Those that feel the Internet is broken, "we can't fix it," so we're safe enough by definition.
  • Individuals — mainly security researchers and developers — who contend both web browsers and the Internet need help and are trying to fix both.

I've always tried to be one of the "fixers," making NoScript available as an experimental "repair shop" for the Internet.

When I first developed a client-side anti-XSS protection, no one thought it would work. And now, every modern browser has a filter or is about to implement one. Stuff like XSS filters, HTTPS enforcing, Do-Not-Track, or click-to-play — either pioneered or field-experimented using NoScript — are slowly finding their way in mainstream browsers and web standards.

ClearClick is likely going to be standardized. I'm the editor of an anti-clickjacking proposal submitted to the W3C's Web Application Security Working Group, where I sit as an invited expert. So, as long as the Internet needs fixers and a repair shop, there will be place for NoScript.

Kassner: You have to be inundated with requests to port NoScript to the Chrome web browser. During one of our conversations, you mentioned that it would require Google to make some changes. What would it take for you to create NoScript for Chrome? Maone: Chromium developers — who want to see this happen — have removed some technical obstacles. But, other issues still remain; such as the strictly asynchronous inter-process communication design which prevents security policies from being reliably enforced.

Nevertheless, I'm going to develop NoScript for Chrome, eventually. I'm just afraid it will not be on par with NoScript for Firefox. The flexibility of the Mozilla extension platform is unbeatable, allowing speedy design and prototyping of experimental countermeasures for emerging threats — the mission and trademark of NoScript.

Kassner: Are you working on any new projects currently — any truth to the rumor you are thinking about mobile app development? Maone: Actually, I released NoScript for Firefox Mobile in 2011, offering Android users a safer browsing experience. I'm currently working to support next generation Firefox for Android — in beta, and radically revamped for speed and responsiveness. I'm also trying to consolidate mobile and desktop versions of NoScript into a single package. Kassner: As someone well acquainted with the workings of the Internet, are you optimistic about its future, or is it going to implode from all of the problems? Maone: Despite my famous paranoia, I'm hopeful. The "Internet" is a huge messy pile of heterogeneous and underspecified technologies glued together by some spell. But so far, it has survived by being resilient and adaptive, two key properties if it's to have a future. Yes, there are problems, but we can fix them (hopefully not creating new ones).

Rather than technical, my worries are political: people viewing cyberspace as a chance for information freedom and democratic choice, whereas corporations possibly colluding with governments to turn the Internet into the ultimate wiretapping and control device.

Kassner: On the Firefox "Meet the Add-on Developer" page, I found this:

Dad first, then software developer, that impressed me. So, I'm offering a proud father the chance to tell us about the family behind the cool shades.

Maone: Thank you. The picture was taken at the beach of Palermo. Our sunny Sicily is extremely beautiful and a land of heroes. The little lady in pink is Irene Ipazia. My daughter's middle name pays homage to Hypatia, a great woman, scientist, and martyr of free thought.

The young dandy on the left is Francesco Libero. Francesco was named after my late dad, an engineer and inventor. Libero is Italian for "free" as in "freedom." Both have lived up to their names so far, and they're terrific hackers. I do hope they keep their interest as they get older. I could use some help.

Final thoughts

It's clear, there are two important pieces to Giorgio's life, his family and NoScript. I'd like to thank Giorgio for his continuing effort with NoScript and sharing his valuable time for this interview.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks