Rated 3 out of 5 stars

by JMcAfreak on Nov. 15, 2013 · permalink

tl;dr: While the add-on itself doesn't have any inherent flaws (aside from a couple features that are on peoples' wish-lists), there are some inherent flaws in Firefox that cause me to keep using NoScript. There is only one real issue with the add-on, and that's just a simple oversight in the concept.

First off, I recommend this add-on if you want some much-needed security without having a complete lock-down like NoScript does. (although I personally prefer NoScript). I just feel the need to point out a couple flaws that make this add-on less effective. Sadly, most of these flaws are inherent to the browser itself, rather than the add-on. Also, please donate to the developer, Jason Barnabie. He did his work, and he deserves the support.

As a staunch advocate of Firefox, even I'll admit that it's fallen way behind other browsers in security (even IE in at least one case). For example, Firefox doesn't use the modern Windows feature called "low integrity mode" or "protected mode" to run the browser process(es) with as few user permissions as possible. Basically, what the Protected Mode does is that it makes anyone who finds a vulnerability in Chrome or IE also have to find a way to get out of the security sandbox and gain access to the rest of the system (as a lazy coder, that would deter me automatically). The feature has been around since Windows Vista. Mozilla's still working on "low-rights Firefox" mode, and there's no indication of whether anyone is working on implementing sandboxing for the desktop version of Firefox.

In short, if a site happens to be missed by the blacklist used by this add-on, Firefox is somewhat more vulnerable than the other popular browsers. Someone who finds a vulnerability in Firefox doesn't need to find an additional vulnerability in Windows, as they would with Chrome and IE.

There's also the issue of someone hijacking a trusted site and injecting malicious code into specific pages (such as a log-in or signup form, the landing page, or other forms). While whitelisting also has this vulnerability for any whitelisted site, blacklisting has it by default for any non-blacklisted site. In addition, blacklisting might not always keep up with the current malicious sites, while whitelisting will at least offer a first layer of protection against new threats. NoScript also supports temporarily whitelisting a site, which is what I primarily use unless it's a site I use all the time (and even then, only if they use https). This is really the only major flaw in the add-on (and it's really only just an oversight that's easy to make).

From a basic user standpoint, this is a really good add-on if you're careful on the web. However, as a software security guy who occasionally has to venture into the unknown, I will continue to use NoScript.