I finally got around to installing and using NoScript recently. First let me say that I appreciate the functionality it provides, and the attacks that it prevents. Now that I got that out of the way, let me also say that it makes surfing the internet painful (if safer).
I would guess that in three weeks of use, 70-80% of the sites I access are trying to send me Javascript, Flash, or the other things that NoScript blocks. On virtually every major website, NoScript blocks something or other. Every PDF download, for example. And I understand that you can tune the product site by site (or even page by page) to allow some scripts by default, so it gets less intrusive over time. The thing is, even for major websites, I basically have no clue as a user which scripts might be OK. Some sites have 5-10 scripts on a page, many of which come from ad serving sites, etc.
The average internet user can't possibly cope with this. I know that I should in theory tip my friends and relatives off to use something like this, but trust me, I can't devote the time that would be required to support them using it.
It’s another example, I think, of application development technology (all that AJAX stuff…) and deployment racing ahead of security, causing security vulnerabilities (browsers that allow this stuff in), and threats targeting the vulnerabilities. And then the inevitable security solution response causing things to not work too well, resulting in user backlash. This action/reaction scenario has been playing out for the 24 years I’ve been in the security industry anyway.
How do we flip this paradigm, because this just isn’t working?
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.
Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.
He holds a B.S. in Marketing from Southern Illinois University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
said this on 18 Dec 2008 8:44:31 PM EDT
Jim -
Unfortunately, the problem you describe prevents non-technical users (the ones who need noscript the most) from using it.
A similar rant: http://lastinfirstout.blogspot.com/2008/05/flash-javascript-and-clowns-that-design.html
"There simply is no way that I can advise a non-technical user to browse in a somewhat safe manner with the current state of browser technology and web site design... I've got a solution though - Make all web site designers & testers use a 1Ghz Pentium with 256MB of RAM for their workstation. I'll bet that they'll design fast, lightweight web sites."
I doubt that'll ever happen though.
--Mike