An interview with Giorgio Maone, creator of NoScript

We know all about NoScript, but not much about its developer. Michael Kassner thought it was time to change that.

NoScript has won awards every year since its official release in 2005. Several colleagues of mine, who happen to be Google fan boys, flatly refuse to switch from Firefox to Chrome, simply because of NoScript. I wrote about Chrome when it first came out, and many of the TechRepublic members who commented were not about to give up NoScript, regardless of Chrome's built-in security features.

Why the accolades and overwhelming loyalty? It's simple: NoScript does what it advertises and does it well.

Who is Giorgio Maone?

To be honest, I've known Giorgio, the creator of NoScript, for several years, having discussed particulars about his app on several occasions. I just haven't taken the time to get to know him personally. I decided it was time to change that.

Kassner: Hello, Giorgio. Thanks for agreeing to this interview. NoScript is a highly-regarded security addon for Firefox. Why was it important for you to develop NoScript?

Maone: The first zero-day Firefox vulnerability surfaced in 2005. The vulnerability allowed attackers to install malware on a computer just from visiting the attack website. The suggested remedy was disabling JavaScript. But that's impractical, because many websites break if JavaScript is disabled.

I wondered if a way to keep both usability and security existed, and decided to do something about it. I grabbed my coffee, sat down at the computer, and in three days created NoScript. Back then, I had no idea how much that 72-hour coding marathon was going to change my life.

Kassner: I for one am glad you did. Next question -- how does NoScript work?

Maone: The functionality behind NoScript's name is the ability to disable JavaScript, Flash, Java, and other active content -- plug-ins mostly -- that allow webpages to run as programs inside the web browser.

NoScript by default blocks all the active content on any web page, which may break some website functionality. To prevent that, the user must tell NoScript what script sources are to be trusted by choosing them from a menu. NoScript then remembers the choices in a permanent whitelist. This reduces the opportunities an attacker has to run malicious code, while preserving full functionality where needed.

Over time NoScript has grown, offering security features independent of script and content blocking. Among the web-based attacks NoScript prevents -- even with scripting enabled -- are:

  • XSS: "Injection Checker" prevents malicious web pages from injecting their scripts inside other sites.
  • Clickjacking: The ClearClick feature is the only effective client-side protection against this attack so far.
  • CSRF: The ABE module intercepts by default any cross-zone HTTP payload.
  • MITM: NoScript can make sure HTTPS is used if it is available, preventing this type of attack.
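
To make concrete what the XSS "Injection Checker" and HTTPS-enforcement bullets above describe, here is an added JavaScript example written for this page. It is not NoScript's own code and it greatly simplifies what the real filters do: the pattern list, the `HTTPS_HOSTS` set, the hostnames and the sample requests are all constructed for illustration.

```javascript
// Added example: a simplified, defender-side model of two checks named in the
// interview -- an XSS injection check on cross-site requests, and an HTTPS
// upgrade for hosts known to serve HTTPS. Illustrative code only, not
// NoScript's implementation; hostnames and patterns below are constructed.

// Markers that, once URL-decoded, suggest a request is trying to smuggle
// script into the destination page. A real filter has a far larger and more
// careful rule set; these are only the obvious cases.
const INJECTION_PATTERNS = [
  /<\s*script\b/i,      // <script ...>
  /javascript\s*:/i,    // javascript: URLs
  /\bon[a-z]+\s*=/i,    // inline event handlers such as onerror=
  /<\s*iframe\b/i,      // embedded frames
];

// Decode repeatedly so a double-encoded payload (%253C -> %3C -> <) is
// still seen; stop when decoding no longer changes anything or fails.
function fullyDecode(s) {
  let prev;
  do {
    prev = s;
    try { s = decodeURIComponent(s); } catch { break; }
  } while (s !== prev);
  return s;
}

// Cross-site here means "different hostname" (assumption: ports ignored).
function isCrossSite(sourceUrl, targetUrl) {
  return new URL(sourceUrl).hostname !== new URL(targetUrl).hostname;
}

// Returns the matched fragment when the query string or fragment of a
// cross-site request looks like a script injection, otherwise null.
// Same-site requests are not checked: a site is trusted with itself.
function detectInjection(sourceUrl, targetUrl) {
  if (!isCrossSite(sourceUrl, targetUrl)) return null;
  const u = new URL(targetUrl);
  const candidate = fullyDecode(u.search + u.hash);
  for (const re of INJECTION_PATTERNS) {
    const m = re.exec(candidate);
    if (m) return m[0];
  }
  return null;
}

// HTTPS enforcement: for hosts known to serve HTTPS, rewrite http:// to
// https:// before the request leaves the browser, so an on-path attacker
// never gets a plaintext request to tamper with.
const HTTPS_HOSTS = new Set(["bank.example", "mail.example"]); // constructed

function enforceHttps(url) {
  const u = new URL(url);
  if (u.protocol === "http:" && HTTPS_HOSTS.has(u.hostname)) {
    u.protocol = "https:";
  }
  return u.toString();
}

// Constructed sample: a cross-site link carrying an encoded <script> tag.
const sample = detectInjection(
  "https://evil.example/",
  "https://victim.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
);
console.log("injection marker found:", sample);       // "<script"
console.log(enforceHttps("http://bank.example/login")); // upgraded to https
```

Two design points worth noting: the check only runs on cross-site requests, because a site injecting into itself is not an XSS attack, and the decoding loop matters because a single decode would miss a double-encoded payload. A pattern list this short also produces false positives (any query parameter starting with "on" followed by "=" would trip the handler rule), which is why the real filter is far more elaborate.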

Kassner: What insight can you offer people who are trying to decide what to do with a specific script or plug-in source?

Maone: People need to base their decisions on social and economic reasons, not technical ones. For example:
  • Do I really need to interact with this website?
  • What kind of relationship am I entering into with the website's owner?
  • Can I obtain compensation if my computer is compromised?

NoScript further helps by showing the script sources a web page attempts to load, letting you control them individually -- even trusted websites may link third-party scripts which may not deserve the same level of trust. Also, if you don't know who a certain script belongs to or if you can't figure out the script's role, middle click or shift click the NoScript menu entry to obtain information about it.
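
As an added example (not NoScript's own implementation), the following JavaScript models the decision process described in this answer and in the earlier one on how NoScript works: default deny, a remembered whitelist, temporary allows, and a decision per script source so that a trusted page's third-party scripts are judged separately. It also models the "Allow scripts globally" command with a per-site blacklist mentioned later in the interview, and the occasional whitelist purge a commenter suggests. Function names, the site key (scheme plus host) and the sample page are assumptions made for this example.

```javascript
// Added example: a simplified per-source script permission policy in the
// style NoScript describes. Illustrative code written for this page, not
// NoScript's code; all names and sample data are constructed.

// Key each decision on the script source's site. Assumption: scheme + host,
// port ignored.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}`;
}

// Policy state. Sets give O(1) lookups and make purging trivial.
function createPolicy({ allowGlobally = false } = {}) {
  return {
    allowGlobally,            // the "Allow scripts globally" command
    permanent: new Set(),     // remembered whitelist
    temporary: new Set(),     // allows that die with the session
    blacklist: new Set(),     // sites denied even under global allow
  };
}

// Decide whether one script source may run. Order matters: an explicit
// blacklist entry wins, then the global allow, then the whitelists, and
// finally the default deny.
function decide(policy, scriptUrl) {
  const site = siteOf(scriptUrl);
  if (policy.blacklist.has(site)) return { site, allow: false, reason: "blacklisted" };
  if (policy.allowGlobally)       return { site, allow: true,  reason: "global allow" };
  if (policy.permanent.has(site)) return { site, allow: true,  reason: "whitelisted" };
  if (policy.temporary.has(site)) return { site, allow: true,  reason: "temporarily allowed" };
  return { site, allow: false, reason: "default deny" };
}

// Evaluate every script source a page tries to load. Decisions are per
// source, so trusting the page does not automatically trust the
// third-party scripts it links.
function evaluatePage(policy, pageUrl, scriptUrls) {
  const pageSite = siteOf(pageUrl);
  return scriptUrls.map((url) => {
    const d = decide(policy, url);
    d.thirdParty = d.site !== pageSite;
    return d;
  });
}

// Drop permanent entries not in the recently-used list, so an old, forgotten
// allow cannot later be abused if that site is compromised. Returns what
// was removed.
function purgeWhitelist(policy, recentlyUsedSites) {
  const keep = new Set(recentlyUsedSites);
  const removed = [];
  for (const site of policy.permanent) {
    if (!keep.has(site)) {
      policy.permanent.delete(site);
      removed.push(site);
    }
  }
  return removed;
}

// Constructed sample: a banking page loading its own script plus two
// third-party sources, one temporarily allowed and one never seen before.
const policy = createPolicy();
policy.permanent.add("https://bank.example");
policy.temporary.add("https://cdn.example");
const results = evaluatePage(policy, "https://bank.example/login", [
  "https://bank.example/app.js",
  "https://cdn.example/widget.js",
  "https://ads.example/track.js",
]);
for (const r of results) {
  console.log(`${r.site}: ${r.allow ? "run" : "block"} (${r.reason}${r.thirdParty ? ", third party" : ""})`);
}
```

The third-party flag is what makes the "even trusted websites may link third-party scripts" point visible: the bank's own script runs because the bank is whitelisted, but the ad network's script is still blocked, since nothing in the policy vouches for it.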

Kassner: I read somewhere users who "allow all scripts" still have some benefit. Is that correct?

Maone: That's right. The additional features listed above work independently of script and plug-in permissions. So, rather than uninstall NoScript, it is better to use the Allow scripts globally command. Another advantage that remains is the ability to blacklist individual sites.

Kassner: Now for the tough question, fast-forward 20 years -- will NoScript still be around?

Maone: I firmly believe NoScript will be needed for the foreseeable future. As long as software programs are used as mediators between us and the outside world ("User Agents", like Firefox to access the Internet), there will be those who figure out ways to exploit users (Social engineering), the user agent (browser design flaws) and the world (web-application security issues).

Over time, I have observed three kinds of human reactions:

  • The ones yelling, "the sky is falling," "the Internet is broken," and "we're all doomed."
  • Those that feel the Internet is broken, "we can't fix it," so we're safe enough by definition.
  • Individuals -- mainly security researchers and developers -- who contend both web browsers and the Internet need help and are trying to fix both.

I've always tried to be one of the "fixers," making NoScript available as an experimental "repair shop" for the Internet.

When I first developed a client-side anti-XSS protection, no one thought it would work. And now, every modern browser has a filter or is about to implement one. Stuff like XSS filters, HTTPS enforcing, Do-Not-Track, or click-to-play -- either pioneered or field-experimented using NoScript -- are slowly finding their way in mainstream browsers and web standards.

ClearClick is likely going to be standardized. I'm the editor of an anti-clickjacking proposal submitted to the W3C's Web Application Security Working Group, where I sit as an invited expert. So, as long as the Internet needs fixers and a repair shop, there will be place for NoScript.

Kassner: You have to be inundated with requests to port NoScript to the Chrome web browser. During one of our conversations, you mentioned that it would require Google to make some changes. What would it take for you to create NoScript for Chrome?

Maone: Chromium developers -- who want to see this happen -- have removed some technical obstacles. But other issues still remain, such as the strictly asynchronous inter-process communication design, which prevents security policies from being reliably enforced.

Nevertheless, I'm going to develop NoScript for Chrome, eventually. I'm just afraid it will not be on par with NoScript for Firefox. The flexibility of the Mozilla extension platform is unbeatable, allowing speedy design and prototyping of experimental countermeasures for emerging threats -- the mission and trademark of NoScript.

Kassner: Are you working on any new projects currently -- any truth to the rumor you are thinking about mobile app development?

Maone: Actually, I released NoScript for Firefox Mobile in 2011, offering Android users a safer browsing experience. I'm currently working to support next generation Firefox for Android -- in beta, and radically revamped for speed and responsiveness. I'm also trying to consolidate mobile and desktop versions of NoScript into a single package.

Kassner: As someone well acquainted with the workings of the Internet, are you optimistic about its future, or is it going to implode from all of the problems?

Maone: Despite my famous paranoia, I'm hopeful. The "Internet" is a huge messy pile of heterogeneous and underspecified technologies glued together by some spell. But so far, it has survived by being resilient and adaptive, two key properties if it's to have a future. Yes, there are problems, but we can fix them (hopefully not creating new ones).

Rather than technical, my worries are political: people viewing cyberspace as a chance for information freedom and democratic choice, whereas corporations possibly colluding with governments to turn the Internet into the ultimate wiretapping and control device.

Kassner: On the Firefox "Meet the Add-on Developer" page, I found this:

Dad first, then software developer, that impressed me. So, I'm offering a proud father the chance to tell us about the family behind the cool shades.

Maone: Thank you. The picture was taken at the beach of Palermo. Our sunny Sicily is extremely beautiful and a land of heroes. The little lady in pink is Irene Ipazia. My daughter's middle name pays homage to Hypatia, a great woman, scientist, and martyr of free thought.

The young dandy on the left is Francesco Libero. Francesco was named after my late dad, an engineer and inventor. Libero is Italian for "free" as in "freedom." Both have lived up to their names so far, and they're terrific hackers. I do hope they keep their interest as they get older. I could use some help.

Final thoughts

It's clear there are two important pieces to Giorgio's life: his family and NoScript. I'd like to thank Giorgio for his continuing effort with NoScript and for sharing his valuable time for this interview.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

25 comments
maj37

Actually, Michael, your takeaway is not true, and it is one of my pet peeves about advertising: it bothers me when people speak in absolutes. I, for one (and I am sure I am not alone), have never heard of NoScript, but then I use Firefox very little. On the other hand, thanks for the loaded questions and those that solicited answers that assume your takeaway is in fact wrong; also, thanks for the link. Is this one of those times when we should shoot the editor rather than the writer? Who writes your takeaways?

seanferd

I am also deeply grateful that NoScript is one of the few extensions which has always worked in SeaMonkey.

Ocie3

NoScript is about the only reason that I've continued to run Firefox. Today, I've read that the Firefox 13 "tab page" feature captures images of every page that Firefox fetches (unless "Private Browsing" is enabled), which introduces a security risk because that includes online banking websites, webmail pages, and other "sensitive" websites. It seems to me that every new Firefox release makes the browser and its interface worse instead of better, and now leaves one to wonder whether it is also less secure. These problems are, of course, the consequence of the "rapid development cycle" where bad ideas are introduced without proper consideration and the implementation of even the good ideas is flawed. Just what the inspiration has been for this rollercoaster folly ride is a mystery to me. That said, thank you Giorgio Maone for all of the work you have done to increase Firefox security!! I hope that you can eventually develop a comparable extension for Chrome, too.

mhenriday

But unfortunately, I have always felt that I have to abstain from recommending it when I install FF on the computers of my retirees, as I imagined that requiring them to decide whether or not to permit any or all of several script sources when launching a webpage would simply be too much for them. After reading the interview, however, I'm wondering if installing NoScript and then clicking "Allow scripts globally" might not be an alternative, thus providing them with a modicum of security from XSS, clickjacking, etc. But I hesitate, as in the event a user who happens to click on the NoScript button sees the warning which accompanies this setting, I'm the one who is going to be called upon to explain why I allowed so dangerous a setting! What goes 'round comes 'round.... In any event, thanks for an instructive interview, Michael - and mille grazie to Giorgio for his great work!... Henri

hippiekarl

Mr. Maone suggested that he wrestles with being paranoid about "... corporations *possibly* colluding with governments to turn the Internet into the ultimate wiretapping and control device." Does he not know Eric Schmidt's initial financing came from the NSA/CIA 'black budget'?!, or see where the business models of Google and the 'Security State' overlap?! Gee, if corporations WERE "colluding with governments to turn the Internet into the ultimate wiretapping and control device", what do you think it would look like? Something so blatant and obvious that everyone would react to their suspicions, or rather something that exudes a bit of end-user value or reward while collecting and aggregating your thoughts, dreams, and aspirations? I fear the frogs are being boiled here very slowly(!), and with meticulous precision.... Now that the GoogleEarth address-and-IP logger vans have come and gone, they're still telling Facebook things they wouldn't even tell their mom. EOR Thanks for posting this interview; NoScript and Ghostery are my friends, and Mr. Maone is one of my internet heroes.

Solenoid

I was impressed with your interview with Andrew Young (re: ScriptNo for Chrome), but you've clearly topped yourself here. Thank you again Michael. I agree strongly with other posts that NoScript makes web surfing tolerable and fearless. It is invaluable, indispensable, and nothing even comes close in comparison. NoScript does seem to be catching on, at least anecdotally. The last time I went looking for addons within Firefox, it was listed in the top 3 popular addons (or maybe it was just related to the search I was after).

Tony Hopkinson

And my thanks to Mr Maone. Been using NoScript since the early days and as yet no one has come up with an even vaguely sensible reason to stop.

JCitizen

It isn't often we in the technical field get to see the human side of things! Needless to say, NoScript is literally a requirement when I use Firefox, and I try to get my clients to use it exclusively, since they are not very good at updating their anti-malware very often. I have to admit that I'm using Dragon (Chrome) now, because it opens so rapidly and downloads pages at lightning speed. Avast has a "script shield" feature that seems to do a pretty good job of blocking any bad actors on all the websites I go to. I must say it has become more boring at my honeypot lab, now that these kinds of features are becoming prevalent. I'm excited to hear the news on his Chrome development plans! I would love to go back to Firefox eventually, and I still use it often, especially since it also supports Trusteer's Rapport. Mozilla has done a better job, lately, of updating without breaking plugins and other security features such as this. I imagine Mr. Maone goes fairly crazy keeping up with the mad update cycle browsers have now. On older XP machines, I've had to go back to Mozilla and IE8, because Chrome derivatives don't seem to work well on that platform anymore. The breakneck speed of browser modernization has resulted in very impressive results, as far as I can tell. If I were to ask a question of Giorgio, it would be, "how has the transition to the HTML5 way of doing things affected your development cycle?" Thanks Michael for another fine article, and especially thanks to Mr. Maone!!!

pgit

Your creation is the most significant software ever created, IMHO. I have recommended NoScript to literally everyone since its inception. I have been quite militant in my insistence that people use it and LIKE it. I've also been given a few opportunities to explain how things work, between the internet and one's personal computer, when clients have disabled NoScript and then gotten themselves infested with malware. It's such a pleasure to have such a solid security tool I can give people; having such a clear positive outcome, almost a guarantee of protection, is a rarity in this business. A much appreciated rarity. Here's wishing all the best for you and your family...

bboyd

I would make a suggestion to the paranoid like myself: purge your whitelist once in a while. I find that I accumulate a lot of unneeded permanent allows. By purging them you eliminate the risk that a site is compromised and becomes a third party on ones that you're currently using. My only real wish for NoScript right now is a way to make people use it. So many issues go away with it used properly.

jonc2011

Hope many are donating to help you work and spend more time on the beach.

Michael Kassner

But you can blame me. I wrote it. And I appreciate your comment. I did go back and forth about that, but the edgier side of me won.

jeslurkin

Ditto, ditto, ad infinitum. I am impressed with Chrome & Dragon, and I seldom use them because I cannot install NoScript on them. I was under the impression that I was a rare kook for using NS, and I'm happy to see that I'm not so rare, especially among knowledgeable people.

pgit

"NoScript is about the only reason that I've continued to run Firefox." Pretty much the same here. I have to say FF is improving in the areas that would have me use something else, read "something faster." But for years NoScript has been the reason I've pushed Firefox everywhere and used it myself.

bboyd

For Internet banking and financial sites, they are set up to only use the desktop link, using FF and NoScript, SSL Everywhere, Perspectives. A little bit of training that if the HTTPS is not the right color, something is wrong. That way, even if they allow globally it's less likely to get hijacked, and when it does, it gets detected more easily. My current bane is, strangely, lyrics and music download sites.

Michael Kassner

I can't speak for Giorgio. But in our correspondence, I sensed that he was acutely aware of NoScript being hands-on. I forgot to ask if he was working.....

Michael Kassner

Interviews are my favorite type of article. Getting to know the person is priceless.

Michael Kassner

Giorgio is dedicated to keeping NoScript as relevant and useful as possible. That was easy to see in our correspondence.

Who Am I Really

When I set up NS for people I tell them to use "Temporarily allow ...site..." instead of using (always) "Allow ...site...", and yes, it is a good idea to check the whitelist occasionally; I do that whenever a new NS version update is installed.

I am glad that NS is still supported on Firefox 3.6.x, as some of the important features were removed from later versions of Firefox, e.g. the warning messages for:

  • I am about to view a page that uses low-grade encryption.
  • I leave an encrypted page for one that isn't encrypted.
  • I submit information that's not encrypted.
  • I am about to view an encrypted page that contains some unencrypted information.

I set up v.13 on a system for a friend and couldn't find these anywhere in the settings. Needless to say, I wasn't all that impressed with that.

Michael Kassner

I remember following a Twitter conversation where the participants were discussing that very thing, and why only power users are willing to invest the time and effort.