Google's Chrome browser has a powerful ally in ScriptNo. Michael Kassner talks to the developer about his efforts to curtail scripting attacks.
Not long after Chrome was officially released to the public, I put it through my very unofficial testing, eventually writing an article about it. Readers did not mince words in their comments. Firefox was more secure — due in large part to NoScript, Giorgio Maone's anti-scripting add-on.
I still use Chrome. You could say I like living on the digital edge.
Not NoScript, but ScriptNo
There were several high-profile digital crimes involving script attacks in the first quarter of 2012, and that was chipping away at my precarious position on the edge. Around that same time, I ran across a blog post by a young Canadian named Andrew Young. He purportedly had a solution for me, boldly calling it ScriptNo:
"ScriptNo essentially gives you more control over what is loaded by pages you browse. This means less ads, less tracking, less annoyances, more security, more privacy, and more comfort.
ScriptNo can block web bugs, block pages from detecting where you came from, as well as content that you don't want. You are given granular control in the form of a whitelist and blacklist."
Sounds perfect. Fast forward several months of, once again, very unofficial testing, and it's time to meet Andrew and pepper him with questions.
Kassner: Andrew, thank you for taking time to talk to me about ScriptNo. First, a bit about yourself — what is your background? What motivated you to develop ScriptNo?
Young: I am a 24-year-old computer enthusiast who loves developing new and exciting things.
Kassner: What are we looking at?
Young: Above is a list of allowed resources (files that were allowed to load), a list of blocked resources (by default files hosted by a third party are blocked), and several options for each.
To the right side are options for the current page. You can choose to allow/trust/deny/distrust the domain:
- Allow would add the current subdomain to the whitelist.
- Trust would whitelist the entire domain; all pages on that domain would be allowed by default.
- Deny would add the current subdomain to the blacklist.
- Distrust would add the entire domain to the blacklist.
Kassner: What do the web addresses refer to?
Young: This is a feature I built into ScriptNo to be more intuitive to the user. The web addresses listed in the hover-over title are the full addresses of the resources that were blocked/allowed. This provides information on what each domain is attempting to load, and helps the user decide whether to allow or block the resource.
Kassner: I just noticed the "Rating" button. What is that for?
Young: The rating button loads the Web of Trust page for that particular domain, advising the user about the reputation of the domain. This should help users determine whether or not a domain is safe or questionable.
Kassner: I was checking out the ScriptNo Options and came across the following configuration choices. What are the above selections referring to?
Young: Antisocial Mode blocks social widgets (e.g. Facebook "Like" buttons, Twitter feeds, and a number of other social "widgets"). The purpose of this feature is to prevent such sites from tracking your activity across the Internet.
Remove Web bugs will remove tiny 1-by-1 pixel images/iframes meant to track user movements on the Internet. For example, Tracking.com — a third-party tracking site — has placed a web bug on the website ABC.com.
Block Click-Through Referrer will automatically detect third-party links on a page and add rel="noreferrer" to their attributes. This is a new capability introduced by HTML5 that will erase the referrer header when the link is clicked. I've made use of this capability to bring seamless and non-intrusive referrer privacy into ScriptNo.
Kassner: Last year, Giorgio Maone mentioned on a forum:
"Chrome/Chromium misses many key hooks and infrastructures which are indispensable to deliver the security features provided by NoScript with an acceptable degree of completeness and reliability. If/when they're there, I'm gonna port NoScript to Chrome."
To the best of my knowledge, NoScript is still not available as a Chrome Extension. Can you explain what he was referring to and how ScriptNo avoids the problem?
Young: I respect and greatly admire Giorgio Maone. One of my personal hopes is for Maone to port NoScript to Chrome. I also hope ScriptNo shows it is possible and inspires further work on this initiative.
It's important to understand that ScriptNo does not bring over all of NoScript's security to Chrome due to limitations in the Chrome API. I've tried my best to make do with the limitations. And, I've built in several workarounds in ScriptNo that help address some of the shortcomings in the API.
Kassner: People are going to compare ScriptNo to NoScript. You even somewhat forced the issue with the name. What are the similarities? Differences?
Young: I don't mind if people compare the two. I just want to make it clear that ScriptNo does not have all of NoScript's capabilities.
Similarities: Both NoScript by Maone and ScriptNo give users control over their Internet experience.
Differences: The interface for one. In ScriptNo you are able to hover over items and see the exact URLs and a basic interface, while NoScript has a very comprehensive interface. The big difference would be the code itself and the fact that NoScript and Firefox have been around longer, whereas Chrome and ScriptNo are relatively new.
Kassner: As passionate as you are about ScriptNo, I'm betting ScriptNo is still evolving. Could you give us a few hints as to what you are working on?
Young: ScriptNo is definitely still a work in progress. I've received support, both technical and financial, from the Internet community and I'd like to take this time to thank each and every one of them.
A few things I'd like to bring to ScriptNo are:
- Support for languages.
- Fix some bugs users have reported to me.
- Fully utilize the Chrome API to bring more reliable and comprehensive blocking to ScriptNo.
- Improve the interface to enhance the ScriptNo experience.
One of the hardest things writing this article was keeping NoScript and ScriptNo straight. From what readers have mentioned earlier, if ScriptNo is able to protect in a similar manner, Chrome users now have a powerful option.
Thank you Andrew for taking the time to explain ScriptNo.