Yesterday I was reviewing the stats for this site and was pleasantly surprised to see that 70%+ of all visitors are using the Firefox browser. In a previous post I discussed What Makes A System Vulnerable and defined it as the situation in which we permit remote users to interact with code running on the local system. Firefox has an excellent security extension called NoScript which can dramatically reduce this avenue of exposure.
The premise of NoScript is so rudimentary that you have to wonder why every browser vendor does not make this functionality a built-in option. NoScript gives you control over which sites can execute code on your system. It's that simple. By default it blocks JavaScript, Java, Flash and other plug-in content from every site you have not explicitly trusted, so merely browsing to a Web site no longer implies that you trust it enough to execute programs on your desktop. NoScript is flexible, relatively unobtrusive, and a “must have” extension for staying safe on the Internet.
Getting NoScript
The easiest way to retrieve and install NoScript is right through the Firefox Add-ons window. Simply click “Tools” from the main menu bar and select “Add-ons” from the drop-down menu. When the Add-ons window appears, click the “Get Add-ons” button at the top left of the window. If you do not see NoScript on the “Recommended” list, click the “Browse All Add-ons” link at the top right of the screen.
Clicking the link will open a new Firefox tab pointing at the Firefox add-ons site. In the search bar type “noscript”. When NoScript appears in the results, click the “Add to Firefox” button. Install it from the official add-ons site rather than from a third-party download; an extension runs with the full privileges of the browser, so where it comes from matters. When the installation is complete, restart Firefox. You are now ready for safer Web browsing. When new updates become available you will be notified automatically.
Using NoScript
When you first start using NoScript it may appear that many of your favorite Web sites are broken: Flash video will no longer auto-load, drop-down menus may fail, and so on. Take a look at the bottom of your Firefox window. You will see output similar to Figure #1. NoScript is telling us that all script execution is currently disabled for this site. The site tried to run 12 scripts and there were 0 embedded objects (such as frames displaying text or video from other sites). To change this behavior simply click the “Options…” button.
Clicking “Options…” will produce a menu similar to Figure #2. The information pertaining to this specific site is at the bottom of the menu. NoScript is telling us that the site tried to execute scripts from four different domains: mmismm.com, revsci.net, com.com and cnet.com. We are given two options for each domain: let the scripts from that domain run just for this session (Temporarily), or permit the domain to execute scripts in this and future sessions as well (Allow).
Mmismm.com and revsci.net are advertising companies. They also have a poor trust rating through the Web of Trust (WOT is another useful Firefox plug-in, by the way), so we may want to leave scripts from these domains disabled. The remaining two domains are part of CNET, so if we like to view news and articles from this company we may wish to grant access. This should not be automatic, however. For example, this menu was generated while I was visiting the CNET News site. I was still able to view all the content I was interested in just fine, so there was really no reason to permit any of these domains to execute scripts and expose myself to potential attack. Keep in mind that a whitelist entry is not limited to the page you are looking at: once a domain is allowed, its scripts run on every page that loads them, which is exactly why advertising networks that appear on thousands of sites deserve extra suspicion.
If you do permit script execution from certain domains, Firefox will automatically reload the page and execute the permitted scripts. You'll notice that the NoScript status bar now looks more like Figure #3. NoScript is telling us that the site we visited tried to execute scripts from six different domains, but only four of them were permitted. The domains allowed to run scripts are then listed for us to review. There were 69 scripts in total and zero embedded objects. Note the jump from 12 scripts and four domains to 69 scripts and six domains: scripts you allow routinely load further scripts of their own, so each domain you trust can pull in code from places the first, blocked view of the page never showed.
If we later decide a site is not so trustworthy, it's easy to revoke permissions. If we are at the site in question, simply click “Options…” and select the “Forbid” menu item for that domain. If we are not currently browsing the site, go to the top of the menu and select the global “Options…” entry (the second item carrying this title). Click the “Whitelist” tab, scroll through the list to find the site in question, and click the “Remove Selected Sites” button. Problem solved.
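To make the Temporarily / Allow / Forbid semantics concrete, here is an added example that models the whitelist behaviour described above. It is illustrative code written for this page, not NoScript's own implementation. The four domain names are the ones from the menu in Figure #2; the script URLs and subdomains are constructed for the example, and the rule that a whitelist entry for “cnet.com” also covers “news.cnet.com” is an assumption about how the matching works.

```javascript
// Added example: a small model of NoScript-style per-site script whitelisting.
// Not NoScript's code. Domain names come from the post; the script URLs and
// the subdomain-matching rule are assumptions made for this illustration.

class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // "Allow": kept for this and future sessions
    this.temporary = new Set(); // "Temporarily": dropped when the session ends
  }

  allow(domain) {
    this.temporary.delete(domain);
    this.permanent.add(domain);
  }

  allowTemporarily(domain) {
    if (!this.permanent.has(domain)) this.temporary.add(domain);
  }

  // "Forbid": revoke both kinds of permission in one step.
  forbid(domain) {
    this.permanent.delete(domain);
    this.temporary.delete(domain);
  }

  // Browser restart: only the persistent whitelist survives.
  endSession() {
    this.temporary.clear();
  }

  // Assumed rule: an entry for "cnet.com" also covers "news.cnet.com".
  // The loop stops before the bare top-level label so that an entry of
  // "com" could never whitelist every .com host.
  isAllowed(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join(".");
      if (this.permanent.has(candidate) || this.temporary.has(candidate)) {
        return true;
      }
    }
    return false;
  }
}

// Summarise what a page tried to load, in the style of the status-bar line:
// how many scripts, from how many domains, and which domains were permitted.
function evaluatePage(policy, scriptUrls) {
  const perHost = new Map();
  for (const url of scriptUrls) {
    const host = new URL(url).hostname;
    if (!perHost.has(host)) {
      perHost.set(host, { scripts: 0, allowed: policy.isAllowed(host) });
    }
    perHost.get(host).scripts += 1;
  }
  const allowedDomains = [];
  const blockedDomains = [];
  for (const [host, info] of perHost) {
    (info.allowed ? allowedDomains : blockedDomains).push(host);
  }
  return {
    totalScripts: scriptUrls.length,
    domainCount: perHost.size,
    allowedDomains,
    blockedDomains,
  };
}

// Constructed sample: script sources a news page might pull in, using the
// four domains named in the post plus subdomains invented for the example.
const SAMPLE_PAGE_SCRIPTS = [
  "https://news.cnet.com/js/site.js",
  "https://i.cnet.com/js/menus.js",
  "https://www.com.com/js/player.js",
  "https://js.revsci.net/gateway/gw.js",
  "https://ads.mmismm.com/serve.js",
  "https://ads.mmismm.com/track.js",
];

// Walk through the decisions discussed in the post and record each state.
function walkthrough() {
  const policy = new ScriptPolicy();
  const steps = {};
  steps.fresh = evaluatePage(policy, SAMPLE_PAGE_SCRIPTS);
  policy.allowTemporarily("cnet.com");
  steps.temporary = evaluatePage(policy, SAMPLE_PAGE_SCRIPTS);
  policy.endSession(); // restart: the temporary grant is gone
  steps.restart = evaluatePage(policy, SAMPLE_PAGE_SCRIPTS);
  policy.allow("cnet.com");
  policy.allow("com.com");
  steps.allowed = evaluatePage(policy, SAMPLE_PAGE_SCRIPTS);
  policy.forbid("com.com"); // "Forbid" or "Remove Selected Sites"
  steps.forbidden = evaluatePage(policy, SAMPLE_PAGE_SCRIPTS);
  return steps;
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

Run it with `node` and compare the five states: the advertising hosts stay blocked throughout, the temporary grant for cnet.com disappears after `endSession()`, and forbidding com.com leaves only the cnet.com subdomains permitted. The subdomain matching is the part worth checking against the real extension before relying on it, since it decides how far a single whitelist entry reaches.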
Once you have used NoScript for a while and wish to get into some of the more advanced options, the NoScript site has some excellent information. Start with the FAQ and then move on to the user forums. If you find that NoScript saves you even once from an attack, it may be worth clicking the “Donate” button at the top of the main page.