grreyeyezz
join:2002-01-05
Cleveland, OH | Disabling java and jscript
Does this make you invulnerable as far as basic web nasties while surfing using alternate browsers like FF or Opera? Thanks. |
|
Tuulilapsi
Kenosis
join:2002-07-29
Finland | Invulnerable, no. Fairly safe, yes, although it also causes the inconvenience of breaking tons of legit sites that require javascript, java, flash, or whatever plugin of the day happens to be used on the site. |
|
Dude111
An Awesome Dude
Premium
join:2003-08-04
USA | reply to grreyeyezz
Its the BEST way to go.......
I have scripts DISABLED as much as i possibly can!! |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
 ·AT&T U-Verse
 ·AT&T Midwest
| reply to grreyeyezz
IMO, there isn't much value to disabling java. The main risks are javascript, not java. If using firefox, I suggest the "noscript" extension which disables javascript except on sites that you whitelist. It can also block java and other plugins.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.15 |
|
OZO
Premium
join:2003-01-17 | reply to grreyeyezz
You may want to read this recent discussion about JavaScript as well.
--
Keep it simple, it'll become complex by itself... |
|
DownTheShore
Maddie Knows Poopie
Premium
join:2003-12-02
Beautiful NJ
clubs:
| reply to grreyeyezz
If you disable Java, you're just going to be posting another question as to why the web pages you're visiting are not loading properly or why online games won't play, etc. You have to balance what you want to do on the internet with to what degree you want to be protected. The safest practice being not using the internet at all. You know best what you surf for, and what sites you visit and you should determine your degree of lockdown accordingly, but don't get carried away to the point where your computer becomes unusable.
--
Patriotism is not waving a flag, it is living the ideals
I want to retire to the Isle of Sodor and ride the trains. |
|
ninn
join:2008-01-26
| Java
JavaScript
Flash
all in just one click when ever needed |
|
Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
·Verizon Online DSL
1 edit | reply to nwrickert
said by nwrickert  :IMO, there isn't much value to disabling java. The main risks are javascript, not java. If using firefox, I suggest the "noscript" extension which disables javascript except on sites that you whitelist. It can also block java and other plugins. I think a problem with Sun Java is that it has a rather lengthy history of security holes (leading in some cases to Vundo infections, IIRC), and one has to be very careful to keep it current in version - as well as making sure any older, vulnerable versions have been removed (which was not a default situation for a long time). As a good fail-safe, I find keeping Java disabled is a safer way to travel the Internet highway... particularly as so few sites actually make much use of it. With Opera, I can enable it on a specific site basis for those sites needing it (mainly US weather site radar animations).
--
If God wanted us to work with electrons, He'd make them big enough to see... |
|
VikingBob
join:2004-06-05
Ste Anne, MB
·MTS
| reply to grreyeyezz
It'll help, but there are more vulnerable things besides JavaScript and Java. There are all the other 3rd party plugins - RealPlayer, QuickTime, Flash, Acrobat Reader, etc. If you have these, and need them, keep them patched. If you don't, uninstall them. And diligently keep up-to-date with the patches for Firefox and Opera, and your OS, too.
For "dodgy" surfing, I prefer Opera - with JavaScript and ALL plugins disabled. But nothing is perfectly immune - there's usually an Achilles' Heel somewhere. |
|
IGGY
No Guru Just Here To Help
Premium,MVM
join:2001-03-30
Chatham, IL
4 edits | reply to grreyeyezz
"I suggest the "noscript" extension which disables javascript except on sites that you whitelist. It can also block java and other plugins."
Which is exactly what makes that plugin the most useless piece of security out there. I'm honestly not sure why supposed knowledgeable people keep telling people to install it. There has been no such thing as a secure trusted site for years. The minute you whitelist anything you have opened yourself up to the chance of problems.
I have many reasons for not even considering using Noscript. A major one being the attitude it's author takes in regards to uninstall. Last time I looked in the FAQ it was stated that why would you want to uninstall such a useful tool. If you want the plugin to no longer function just disable it. To me this is malware mentality. There should never be a plugin or piece of software that I can't fully uninstall off my machine.
I'm aware that Noscript is widely used and loved. But that doesn't always make it something that should be used. Of course it is trying to do a helpful service. However I won't be using it for the reasons above. I think it does a disservice to others to continue to hype it.
It's interesting how the supposed experts never point out that much of what Noscript does can be accomplished manually in any browser by end users. The "experts" also forget about how end users interact with software. No average person is going to want to hassle or even remember in many cases to enable or disable for certain sites etc. Security is pointless if not used properly. End users don't want to be hassled.
--
Test PC Security
Cable Diagnostics
Blog
ZoneAlarm Help Windows 7 Comcast Phone Power |
|
HA Nut
Premium
join:2004-05-13
USA
| When I read things like NoScript is "useless", I really do not understand that comment. If used as advertised, it makes a browser extremely safe. Bullet proof? No, nothing does that. But it does make things dramatically better.
In the hands of someone who is willing to work with NoScript (and one MUST interact with it to use it properly), it absolutely improves the odds you can avoid problems from the plugins it can block. |
|
Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
 ·Time Warner VOIP
| reply to grreyeyezz
said by IGGY :
A major one being the attitude it's author takes in regards to uninstall. Last time I looked in the FAQ it was stated that why would you want to uninstall such a useful tool. If you want the plugin to no longer function just disable it. To me this is malware mentality. There should never be a plugin or piece of software that I can't fully uninstall off my machine.
You have a VERY GOOD POINT Iggy!
Its like M$ trying to force thier crap on FF and not letting you easily uninstall it! |
|
nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to IGGY
said by IGGY :"I suggest the "noscript" extension which disables javascript except on sites that you whitelist. It can also block java and other plugins." You were quoting my post there.
Which is exactly what makes that plugin the most useless piece of security out there. You only demonstrate that you know how to use noscript.
I'm honestly not sure why supposed knowledgeable people keep telling people to install it. And that, already, should tell you that you might be missing something.
There has been no such thing as a secure trusted site for years. That's hardly news. It has been that way for a long time.
The minute you whitelist anything you have opened yourself up to the chance of problems. Sure. But not to nearly the same extent as if you just allow all scripts. The site very likely has advertisements that are sourced from other sites. And whitelisting the one site still blocks the scripts from those sourced advertising sites. So the whitelisting has not dropped all security.
I permanently whitelist only a very few sites. Mostly, I will temporarily whitelist a site, but only if that is needed to access the information I am looking for.
I have many reasons for not even considering using Noscript. A major one being the attitude it's author takes in regards to uninstall. I am not understanding this. I never had a problem uninstalling noscript.
I think it does a disservice to others to continue to hype it. And you don't think that panning it, based mainly on your own ignorance, is not a disservice to others?
It's interesting how the supposed experts never point out that much of what Noscript does can be accomplished manually in any browser by end users. Having done that "manual" thing, I can tell you that noscript is far easier to use. Just disabling scripts worked reasonably well when scripting was only lightly used on the net. But on today's web the use of scripting is so pervasive that you need something better than just disabling scripts in the browser.
The "experts" also forget about how end users interact with software. No average person is going to want to hassle or even remember in many cases to enable or disable for certain sites etc. I recommend noscript here, because I assume that this forum is frequented by relatively experienced users. I don't recommend noscript for inexperienced users. For the inexperienced user, the best move is to login as a limited user, and rely on the operating system's protection.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 11.0; firefox 3.0.15 |
|
angussf
Premium
join:2002-01-11
Tucson, AZ
| reply to grreyeyezz
I've heard Good Things about Sandboxie, as a prophylactic around your browser if you're sticking it into dangerous places. If you're really paranoid, set up a Linux Virtual Machine and browse from there using either Galleon or Konqueror ... the attacks against IE and Firefox won't succeed against you, and your VM will isolate your underlying OS. I use VirtualBox as my VM of preference right now -- trivial to set a new machine up when you need one.
--
Angus S-F
GeoApps, Tucson, Arizona, USA
»geoapps.com/
»www.linkedin.com/in/angussf |
|
lordpuffer
I Was Very Drunk At The Time
Premium
join:2004-09-19
West Hollywood, CA
 ·T-Mobile US
·Vonage
 ·RoadRunner Cable
·AT&T Yahoo
| reply to grreyeyezz
I also use FF with NoScript, and although I have caught a few things in the past, it was MY decision to allow something on a page. It gives you almost complete control of which script you allow (I say "almost" for I don't think anything is perfect)
--
UCLA Only On A Clear Day-Class of '81 |
|
quatrix
Premium
join:2005-02-11
Davie, FL
1 edit | reply to grreyeyezz
Disabling Java or JavaScript (or using NoScript) to "protect" yourself is like avoiding plane crashes by not flying. The inconvenience far outweighs the incredibly small risk of having a problem. Any security "expert" who recommends NoScript should find a hobby that better suits him. |
|
quatrix
Premium
join:2005-02-11
Davie, FL
| reply to HA Nut
said by HA Nut :When I read things like NoScript is "useless", I really do not understand that comment. If used as advertised, it makes a browser extremely safe. Bullet proof? No, nothing does that. But it does make things dramatically better. By "dramatically", do you mean it lowers the risk from 0.0003% to 0.0002%? Hey, that's a 50% improvement! Here's another thought. For those who are computer-illiterate and can't resist clicking everything, don't use a web browser at all. Now you're really safe. I'm a security guru now. |
|
SLD
Premium
join:2002-04-17 | reply to Dude111
Forget enjoying any XHR enabled "Web 2.0" sites, then. |
|
amungus
Premium
join:2004-11-26
America
clubs:
| reply to quatrix
NoScript has its place. Granted, IGGY has hit on its main fault. Permanently whitelist a site, they get infected, and the second you go back there, you could be infected.
If, however, you also had some kind of realtime anti-malware in place that caught something, it'd certainly help!
Its main purpose is to disallow unknown sites, however, so that when you're googling something, and come across some site which might have something nasty tied to it, you don't get hit.
If you absolutely need to allow some site(s), and get hit, tough luck. You can't fault NoScript since you allowed something.
If your "security" software doesn't know about a new exploit, or, if it can't detect heuristically, and you allow scripts/plugins to do something to your system, tough luck.
This is where NoScript has its place, unless you allow a site...
Invulnerable? No. There's probably no such thing.
Having (malicious) scripts/plugins disabled by default on an unknown site can, however, quite obviously protect you since they do not run.
It is less a "security" tool than it is a simple add-on to control the functionality of your browser.
Yes, you can go the "manual" route, but that is much more of a pain since it's an all or none approach. This add-on simplifies per-site preferences...
I don't evangelize it, nor do I recommend it for the novice. If you want to try it, and stick with it for a week or two while you browse, go for it. It's an add-on. It doesn't "know" anything really until you tell it. It isn't perfect, nor does it make you coffee  Personally, I use it because I like how it operates. Again, I do not suggest anyone use it "just because somebody told me to" since that is pretty lame.
Comparing it to avoiding driving/flying isn't quite fair.
A better analogy might be to say that it's like having a sun visor in your car while driving into the sun. You can allow the sun through and you're blinded, or you can block it out and see just enough of the road to drive on... I know, not perfect, but slightly more fair. |
|
HA Nut
Premium
join:2004-05-13
USA
| reply to quatrix
said by quatrix :By "dramatically", do you mean it lowers the risk from 0.0003% to 0.0002%? Hey, that's a 50% improvement! Here's another thought. For those who are computer-illiterate and can't resist clicking everything, don't use a web browser at all. Now you're really safe. I'm a security guru now. In sheer numbers, I don't know the stats. I do know it's potential sure strikes me as a good deal higher than what you note.
Just within the last 2 weeks, I've cleaned 2 PCs from the same family from malware. I'm reasonably sure the infections were set in motion by script on web pages they visited.
As I alluded, NoScript is not a free lunch. It takes an active participant to make it work. But if it keeps me clean at just one site that without it it I would have become infected, it's a winner in my mind. |
|
