They could still just display an advertisement, but have the page it loads have scripts as well.
You can always iframe to a page that just displays an image and has a script in the header that runs on load. A user would never know.
Instead, iFrames need to be changed so that you can't iframe in a source that is not from the same root address. And if you try, the browser should give an allow/deny warning.
I wouldn't go by the title as much as what I had in the main body.
I've been using it along with an ad blocker and an anti tracker, for a while now. Every time I hop on a new computer, or one without these tools, I see just what I'm "missing." Mostly garbage.
Not to get too melancholy about things, but I remember when the Internet was accessed mostly by modem. It's a real shame that such a wonderful source of a nearly infinite wealth of information has been turned into such a cesspool.
Many security pundits also informed me that NoScript is fairly knowledge intensive. I'm betting you know all sorts of people that would not have the patience for NoScript.
This is why I tell folks when I introduce them to No Script to just keep it simple. I suggest that they simply let No Script block all - and if they suspect there is content they need, at least make a guess which page control they should allow before giving the "allow all". I counsel them that they will eventually get the ability to recognize trusted scripts by name, or at least recognize that unfamiliar ones should not be trusted.
I seem to remember an Internet Explorer setting that blocks iFrames? I've become lazy about them, because of Avast. It always seems to be able to manage blocking bad scripts in the first place. My foggy memory recalls tests I used to do, where I went to test sites to see how iFrames react to IE settings, and script blockers - I don't remember the URLs, but my defenses passed the tests every time. This was before stealth malware became ubiquitous, of course. There can be no guaranty now, that any malicious script will be recognized - not even by good heuristics. So far the operating system security seems to be winning that part of the battle - CCleaner closes the victory.
You help the people you can, and fix the computers of those you can't.
Printed on my business card is: "My job is to put myself out of a job. I want to teach you how to help yourself."
My goal was always to write SW so good people wouldn't bother me about it later. I've been fairly successful at that to the point I had the comment sent to me "why did you do such a good job, now they want the newer version to do that!" It helped to be "in their shoes" when I wrote it in the first place. Be the user before you design what's not there!
It's too confusing to them, they don't know to check which scripts are blocked, or how to tell if a page is loading correctly. Or those times you fill out a form and hit submit and nothing happens, so you allow the scripts, the page reloads and your form data is gone.
Instead, I use adblock, and WOT on Avant (Firefox engine). So far they have never had a virus. I'll update Avant every year or so.
Windows 7 makes it better, I put UAC to max and explained to them how it works, and that they should only ever say yes to one when it's triggered by something they are doing, otherwise choose no. UAC is a fairly weak security measure, but it does stop a good chunk of XP and earlier viruses.
Unfortunately, it is also, as mentioned by another commentator, rather knowledge intensive (or at least, decision intensive), which is why I don't dare suggest installing it to (the vast majority of) the retirees whom I help with their computer problems. It must be said, however, that most of them - with a few notable exceptions ! - are very circumspect in their surfing habits, which means that it's not quite as incumbent upon them to have NoScript installed as would otherwise be the case. Still, I'd very much like to be able to introduce it to my friends and would be grateful for any feasible suggestions as to how to descend from the horns of this dilemma....
Henri
I always install Firefox+NoScript+AdBlock and make it the default browser for all friends and family.
I explain that they should only accept domains they expect to see, e.g. if they go to fredbloggs.co.uk then accepting fredbloggs.com and fredbloggsstatic.co.uk is probably ok, but accepting joepublic.com is probably not ok, unless they already know some affiliation between fredbloggs and joepublic.
I do also go through their favourites and explain why they should accept or deny each domain, point out that most are not required from their perspective but allow ads tracking etc.
At that point I offer to remove it all; no one has ever taken me up on this, and all have managed to update the permissions as they needed to.
I maybe get 1 call per year per person asking if a certain domain is acceptable.
For some, I also install the WOT plugin, and again educate 'don't touch the red circle'.
BTW, this is what I use for my own surfing, and most of the domains for this TechRepublic page are not allowed, without any loss of functionality that I care about.
I'm betting you are a great teacher. I try my best, but my dad, for instance, disables it right away. Then I learned from Giorgio that even in "Allow all" mode there is some benefit. He talked about it in this article:
http://www.techrepublic.com/blog/security/an-interview-with-giorgio-maone-creator-of-noscript/8025
You may want to read my interview with Giorgio, he talks about where just using NoScript in wide open mode has several advantages.
http://www.techrepublic.com/blog/security/an-interview-with-giorgio-maone-creator-of-noscript/8025
I use several solutions that are not only free, but do an excellent job as a substitute for No Script. They use no system resources - or at least I use all of them on old equipment with no problems.
Avast
SpywareBlaster
Comodo w/Defense+ (free personal firewall)
Winpatrol - in case a sneaky one gets through (Thanks to Michael for reminding me of this old work horse!)
It seems like Spybot Search and Destroy used to have an effective setting for iFrames, but it is a very weak rivet in the armor nowadays - IMO.
AdAware was one of the most wondrous solutions to many malware, I'd ever used; but they can't be trusted anymore - since January - I'm afraid. I was never sure how it worked, but suspected it had the ability to disrupt communications of the malware, both internally and out to their web minions on web servers. This left them basically de-horned until CCleaner could dump them in the trash. I used to notice a quite large performance enhancement back then; no longer the case now.
Yep, WinPatrol is a great stand by and Bill is constantly working on it.
Which of your tools works against iFrames?
I used to block all using IE and set trusted sites later. I swore the old version of SaferNetworking's Spybot S&D had a setting for it, but not anymore, if at all. I was doing the testing in 2008, and I've had a lot of brain damage since then. So my memory is fuzzy about that. I don't do much to IE9 settings now, I just let SS&D control what cookies it does.
I've been nervous ever since I had to dump Lavasoft, and I'm finding out malware can do a lot to a limited account to mess with the user. I have little hope of finding a replacement. Fortunately I no longer need AdAware for performance gain; modern browsers are quite capable of doing a good job by themselves. Some very disreputable concerns bought Lavasoft in January, and I just can't trust them anymore. I'll be playing with stuff I've never considered before - CNET user reviews will be my favorite reading for a while.
It is probably a dumb question but if the answer is no, perhaps browsers could be programmed so that invisible iFrames are not allowed.
I'm not sure myself. I'll ask the experts and get back to you.
for invisible iframes. As with most functionality, there are good and bad uses.
This area of the page is often not visible and the scripts are no longer controllable, and the user won't even know that the script is generating some so-called (Request/Response) to remote machines. This may even amount to a DDoS attack.
We can have solid examples if we Google enough.
Good Luck Chaps
Good Day
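The cross-site frames raised at the top of this thread and the invisible frames raised just above can both be checked for in a page's markup. The following is an added example, not part of any commenter's post: it lists every iframe in an HTML document and marks whether it loads from a different origin than the page and whether its own attributes hide it. The sample page, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a same-origin frame, two hidden third-party frames,
# and a visible frame on a sibling host of the same site.
SAMPLE_PAGE = """<html><body>
<iframe src="/comments/widget.html" width="600" height="400"></iframe>
<iframe src="http://ads.example.net/banner.html" width="0" height="0"></iframe>
<iframe src="//tracker.example.org/t" style="display: none"></iframe>
<iframe src="http://static.example.com/player.html" width="300"></iframe>
</body></html>"""

HIDDEN_STYLES = ("display:none", "visibility:hidden")


def is_hidden(attrs):
    """True when the frame's own attributes make it invisible or 1px or less."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "hidden" in attrs or any(s in style for s in HIDDEN_STYLES):
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class FrameAudit(HTMLParser):
    """Collects one finding per <iframe> start tag."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        src = urljoin(self.page_url, attrs.get("src") or "")
        page, frame = urlsplit(self.page_url), urlsplit(src)
        # Origin = scheme + host + port; sibling hosts count as cross-origin.
        cross = (page.scheme, page.hostname, page.port) != (
            frame.scheme, frame.hostname, frame.port)
        self.findings.append(
            {"src": src, "cross_origin": cross, "hidden": is_hidden(attrs)})


def audit_iframes(html, page_url):
    """Return the list of iframe findings for one HTML document."""
    parser = FrameAudit(page_url)
    parser.feed(html)
    return parser.findings
```

Frames hidden through an external stylesheet or created by script at run time are not visible to a static check like this one. A site owner can have the browser refuse cross-origin frames on its own pages by sending the `Content-Security-Policy: frame-src 'self'` header.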
It is an interesting approach this as you say hidden from the user's view.
I have started using a Netgear UTM5 (Unified Threat Management) firewall and was stunned at the number of web site links it blocked. This, or equivalents, are a good way for small businesses to protect against this type of threat.
How does the device work? It blocks egress activity? How do you know that you capture all of it?
As far as my UTM appliance; I know I can purchase VStream anti-virus/malware service from CheckPoint that blocks bad page controls, if they are infected and a definition exists. Because the scanner is embedded hardware, it takes a load off your internal server or workstations, and it is crazy fast! I've not experienced it on my box, but my sister has the Z100G variant of the same appliance, and it works very well.
I plan to migrate to the "N" version of the Netgear UTM5 as soon as my connection turns gigabyte speed. I think their service packs are a little more economical, if I remember correctly.