Networking

ScriptNo: A preemptive strike against script attacks for Chrome

Google's Chrome browser has a powerful ally in ScriptNo. Michael Kassner talks to the developer about his efforts to curtail scripting attacks.

Not long after Chrome was officially released to the public, I put it through my very-unofficial testing, eventually writing an article about it. Readers did not mince words in their comments. Firefox was more secure -- due in large part to NoScript, Giorgio Maone's anti-scripting app.

I still use Chrome. You could say I like living on the digital-edge.

Not NoScript, but ScriptNo

There were several high-profile digital crimes involving script attacks in first quarter 2012, and that was chipping at my precarious position on the edge. Around that same time, I ran across a blog post by a young Canadian named Andrew Young. He purportedly had a solution for me, boldly calling it ScriptNo:

"ScriptNo essentially gives you more control over what is loaded by pages you browse. This means less ads, less tracking, less annoyances, more security, more privacy, and more comfort.

ScriptNo can block web bugs, block pages from detecting where you came from, as well as content that you don't want. You are given granular control in the form of a whitelist and blacklist."

Sounds perfect. Fast forward several months of once again very-unofficial testing, and it's time to meet Andrew, and pepper him with questions.

Kassner: Andrew, thank you for taking time to talk to me about ScriptNo. First, a bit about yourself -- what is your background? What motivated you to develop ScriptNo? Young: I am a 24-year-old computer enthusiast who loves developing new and exciting things.

I was motivated to develop ScriptNo due in large part to NotScripts, the first extension to bring over parts of NoScript -- Giorgio Maone's Firefox extension -- to Chrome. I wanted to develop something that would harness the capabilities of the Chrome-extension API and JavaScript, providing users the option to control their Internet experience.

Kassner: ScriptNo is a Chrome extension -- a small software program that can modify and enhance the functionality of the Chrome web browser. How does ScriptNo modify and/or enhance the functionality of Chrome? Young: ScriptNo enhances the Chrome experience by allowing users to control what loads and what doesn't load on pages. The more you use it, the smarter and less intrusive it gets. It honors your privacy and seeks (by default) to foil web bugs and tracking code. Also, pages load faster with ScriptNo as unwanted resources are prevented from loading. Kassner: When first installing security apps like ScriptNo, it's important to know what's blocked and what's not. What can a user expect from ScriptNo right out of the box? Young: ScriptNo starts working immediately after it's installed, blocking resources by default, and showing the user what has been blocked or allowed. ScriptNo gives the user several options, such as temporarily allowing it or allowing it permanently. Simply click on the toolbar icon to get a list of resources and their current condition. Kassner: After installing ScriptNo, I went to my favorite website, clicked on the ScriptNo icon and the following window opened.

What are we looking at?

Young: Above is a list of allowed resources (files that were allowed to load), a list of blocked resources (by default files hosted by a third party are blocked), and several options for each.

To the right side are options for the current page. You can choose to allow/trust/deny/distrust the domain:

  • Allow would add the current subdomain to the whitelist.
  • Trust would whitelist the entire domain; all pages on that domain would be allowed by default.
  • Deny would add the current subdomain to the blacklist.
  • Distrust would blacklist the entire domain to the blacklist.
Kassner: As I moved the pointer over one of the resources, the following window opened.

What do the web addresses refer to?

Young: This is a feature I built into ScriptNo to be more intuitive to the user. The web addresses listed in the hover-over title are the full addresses of the resources that were blocked/allowed. This provides information on what each domain is attempting to load, and helps the user decide whether to allow or block the resource. Kassner: I just noticed the "Rating" button. What is that for? Young: The rating button loads Web of Trust page for that particular domain, advising the user about the reputation of the domain. This should help users determine whether or a domain is safe or questionable. Kassner: I was checking out the ScriptNo Options and came across the following configuration choices.

What are the above selections referring to?

Young: Antisocial Mode blocks social widgets (e.g. Facebook "Like" buttons, Twitter feeds, and a number of other social "widgets"). The purpose of this feature is to prevent such sites from tracking your activity across the Internet.

Remove Web bugs will remove tiny 1 by 1 pixel -- images/iframes meant to track user movements on the Internet. For example, Tracking.com -- a third-party tracking site -- has placed a web bug on the website ABC.com.

Block Click-Through Referrer will automatically detect third-party links on a page and add rel="noreferrer" to its attributes. This is a new capability introduced by HTML5 that will erase the referrer header when the link is clicked. I've made use of this capability to bring seamless and non-intrusive referrer privacy into ScriptNo. Kassner: Last year, Giorgio Maone mentioned on a forum:

"Chrome/Chromium misses many key hooks and infrastructures which are indispensable to deliver the security features provided by NoScript with an acceptable degree of completeness and reliability. If/when they're there, I'm gonna port NoScript to Chrome."

To the best of my knowledge, NoScript is still not available as a Chrome Extension. Can you explain what he was referring to and how ScriptNo avoids the problem?

Young: I respect and greatly admire Giorgio Maone. One of my personal hopes is for Maone to port NoScript to Chrome. I also hope ScriptNo shows it is possible and inspires further work on this initiative.

It's important to understand that ScriptNo does not bring over all of NoScript's security to Chrome due to limitations in the Chrome API. I've tried my best to make do with the limitations. And, I've built in several workarounds in ScriptNo that help address some of the shortcomings in the API.

Kassner: People are going to compare ScriptNo to NoScript. You even somewhat forced the issue with the name. What are the similarities? Differences? Young: I don't mind if people compare the two. I just want to make it clear that ScriptNo does not have all of NoScript's capabilities.

Similarities: Both NoScript by Maone and ScriptNo give users control over their Internet experience.

Differences: The interface for one. In ScriptNo you are able to hover over items and see the exact URLs and a basic interface, while NoScript has a very comprehensive interface. The big difference would be the code itself and the fact that NoScript and Firefox have been around longer, whereas Chrome and ScriptNo are relatively new.

Kassner: As passionate as you are about ScriptNo, I'm betting ScriptNo is still evolving. Could you give us a few hints as to what you are working on? Young: ScriptNo is definitely still a work in progress. I've received support, both technical and financial, from the Internet community and I'd like to take this time to thank each and every one of them.

A few things I'd like to bring to ScriptNo are:

  • Support for languages.
  • Fix some bugs users have reported to me.
  • Fully utilize the Chrome API to bring more reliable and comprehensive blocking to ScriptNo.
  • Improve the interface to enhance the ScriptNo experience.
Kassner: Andrew asked me if he could add the following. Young: I genuinely hope users have found ScriptNo useful and that it has helped improve their browsing experience and privacy on the Internet, which has unfortunately become a dangerous place. Final thoughts

One of the hardest things writing this article was keeping NoScript and ScriptNo straight. From what readers have mentioned earlier, if ScriptNo is able to protect in a similar manner, Chrome users now have a powerful option.

Thank you Andrew for taking the time to explain ScriptNo.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

7 comments
bboyd
bboyd

Glad to see an wholehearted attempt to port No-Script

Michael Kassner
Michael Kassner

New post. ScriptNo is similar to NoScript, but ported to Chrome -- providing you all sorts of options when it comes to scripts.

Michael Kassner
Michael Kassner

NoScript or ScriptNo? I've been talking to Giorgio (NoScript developer) and he is checking constantly to see if Google has made the changes he feels are important so that the future NoScript for Chrome will be as secure and work as well as NoScript for Firefox.

Solenoid
Solenoid

Thanks for the interview. I had stopped using chrome at work, favoring FF due primarily to NoScript. Now I'm going to have to try this out; I'm excited to do so. Either way, I still won't be imposing a script blocker upon my users. It takes some knowledge and savvy to make it work right, and is easily met with confused resistance, regardless of the simplicity. I find that users who don't care how things work (and only that it does work) really don't care to have fine control over their experience. Whereas geeks like me consider 'configurable' or 'customizable' a hot feature, most users accept defaults and get flustered when presented with options they don't understand.

bboyd
bboyd

Since US banking institutions still won't enforce authenticity verification I like the isolation chrome uses, but i find the combination of Fire Fox, No-Script, Perspectives, SSL everywhere and Avast works to get a reasonable benefit. Habits are still the big security breaker.

Michael Kassner
Michael Kassner

And I agree with your viewpoint. I have been slowly introducing both NoScript and ScriptNo. I wanted to point out that NoScript has some security capabilities that are in place even if all the other features are turned off. I'm hoping Andrew can incorporate the same to ScriptNo. I've been working with Giorgio Maone for years. This is what he had to say: So, since security experts themselves sometimes seem confused about NoScript???s real ???convenience vs security??? tradeoffs, taking for granted that all the security it offers depends on and requires script blocking, recapping here a (non exhaustive) list of attacks blocked by NoScript even in ???Allow Scripts Globally??? mode may be useful: ...XSS, thanks to its ???Injection Checker???, the first anti-XSS filter ever released in a web browser. ...Clickjacking ??? NoScript???s ClearClick feature is still the only effective protection entirely implemented inside the browser and requiring no server-side cooperation. ...CSRF (and especially, by default, cross-zone attacks against intranet resources) via the ABE module. ...MITM, courtesy of HSTS and other HTTPS-enhancing features These are just some of the many additional protections provided by NoScript which do not depend on scripting being disabled. So next time you hear people saying ???yes, browsing with NoScript is safer but having to pick trusted sites to run JavaScript is a pain???, point them to these good reasons for running NoScript, even if they give up the extra security provided by plain old script blocking.

Ocie3
Ocie3

offers the option of two-factor authentication (but it cost me $20!). You get what looks like a credit-card with a "button" and a rectangular "data-display window" it. Press the button and the card displays a random string of 6 digits. Enter those into the "Secure Pass" field on the page on which you also enter your "site key" and "passphrase" (password). Only once have I had a problem and it wasn't with the digit-string generator.

Editor's Picks