
NoScript 1.8.1 and LWN logins

We have received several reports of readers being unable to log in to LWN.net this morning. It appears to be related to upgrading the NoScript Firefox plugin to version 1.8.1. A new feature, called "Automatic Secure Cookie Management", appears to interact badly with LWN's login code. Some workarounds are described in the FAQ. We apologize for any inconvenience.

Update: Peter Palfrader reports that whitelisting lwn.net for "unsafe" https cookies in NoScript Options -> Advanced -> HTTPS -> Cookies -> Enable Automatic Secure Cookies Management fixes the issue.



NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 13:35 UTC (Wed) by MattPerry (guest, #46341) [Link]

It's a shame. NoScript used to be a useful tool but it's now too large and tries to do too much. Worst of all it breaks usage of sites as this article indicates. I wish he had stuck with just simple JavaScript blocking and put the other features into another addon for those that wanted that stuff. The almost daily updates a few months ago became too much to bear and I had to uninstall it.

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 14:09 UTC (Wed) by dgm (subscriber, #49227) [Link]

Does it only affect new logins? Because I'm using NoScript 1.8.1 and I didn't have any problems.

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 14:48 UTC (Wed) by hmh (subscriber, #3838) [Link]

Yes, it only affects new cookies (i.e. new logins).

NoScript has issued an update (1.8.1.2, already available through addons.mozilla.org) to set the default of that thing to "disabled", so at least it won't get people by surprise anymore (after they update, anyway).

I personally like the feature, and I will keep it enabled.

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 14:49 UTC (Wed) by bcl (subscriber, #17631) [Link]

I gave up on noscript a long time ago. It just became too tedious to figure out what to whitelist. Most sites use some amount of javascript these days so if you want to spend your time using the web, instead of configuring your browser, you have to give up some things.

I've settled on adblock plus and flashblock as a good medium ground.

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 18:34 UTC (Wed) by man_ls (subscriber, #15091) [Link]

For me it is not only a safety measure; it is also quite educational to see how many different sites want to run their thing on a single page. Especially when visiting random pages filled with ads.

You can always enable JavaScript for everything on a page, or globally if you want to. I find the bother well justified.

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 18:45 UTC (Wed) by rahvin (subscriber, #16953) [Link]

Me as well. All it takes is a right click on the S icon in the browser tray and I can activate any site I want, either permanently or just for this session. I've never had trouble doing this. Sites I visit frequently get approved and those I don't visit frequently only get temp approval. I find that unless I plan to interact with the site, such as post comments, that I often don't need the scripts anyway.

NoScript 1.8.1 and LWN logins

Posted Sep 18, 2008 12:17 UTC (Thu) by slef (subscriber, #14720) [Link]

> Most sites use some amount of javascript these days so if you want to spend your time using the web, instead of configuring your browser, you have to give up some things.

Only a few badly-written sites *require* Javascript. It's also far greener to run NoScript. Less CPU means less electricity use!

I think they should have defaulted the new feature to disabled, though.

NoScript 1.8.1 and LWN logins

Posted Sep 18, 2008 12:31 UTC (Thu) by chsnyder (guest, #52714) [Link]

As a web developer, NoScript is a huge help in building pages and apps that use JavaScript for "progressive enhancement". It makes it super easy to check that security-conscious visitors, or those on phones or other non-js devices, will be able to at least see all of the content and use basic implementations of all features.

That said, I've been surprised by how many semi-technical friends and family have been able to quickly understand the NoScript model, and appreciate the many benefits that come from not having js enabled by default. I thought I would get a lot of complaints, but people (correctly I think) see "broken" sites that require js as being, for the most part, less desirable purveyors of content.

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 14:51 UTC (Wed) by jansson (subscriber, #2227) [Link]

I got FF 3.0.1 and NoScript 1.8.1

I added 'lwn.net' to the 'Ignore unsafe cookies set over HTTPS by the following sites:' box, and left 'Enable Automatic Secure Cookies Management' checked. After restarting Firefox, log in at lwn.net worked as before.

I also succeeded by unchecking 'Enable Automatic Secure Cookies Management' and restarting FF.

The first thing I tried was to DEactivate NoScript, then log in also works.

Just allowing scripts globally while having NoScript Active did not help me log in.

Thank Jake for the help!
Cheers
/Magnus

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 16:49 UTC (Wed) by ma1 (guest, #53955) [Link]

NoScript 1.8.1.3 -- http://noscript.net/getit#direct -- fixes this and other login issues (all the reported ones).
However the "Automatic Secure Cookie Management" feature still ships off by default as a prudential measure, but if you decide to re-enable and give it some testing I'll appreciate your feedback very much (actually I'm posting this comment logged in with it enabled and no exception).

My apologies for all the inconvenience.

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 17:45 UTC (Wed) by hmh (subscriber, #3838) [Link]

1.8.1.3 is so new, that the changelog is missing from the site :-)

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 20:02 UTC (Wed) by xorbe (guest, #3165) [Link]

Perhaps that will be addressed in 1.8.1.3.1

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 20:16 UTC (Wed) by ma1 (guest, #53955) [Link]

v 1.8.1.3
=====================================================================
x Fixed further "HTTPS|Automatic Secure Cookie Management" glitches
affecting lwn.net and DNN (thanks Matthew Hile and LWN for reports)
x Localization updates
x Fixed http://*.sub.domain:1234 site matching working only with "0"
(wildcard) port (thanks t3chnomanc3r for report).
x Fixed Torbutton JS status reporting

http://noscript.net/changelog

NoScript 1.8.1 and LWN logins

Posted Sep 18, 2008 11:56 UTC (Thu) by sitaram (subscriber, #5959) [Link]

Just a vote of confidence/thanks, seeing some of the comments up top. I couldn't do without this extension.

For those few people using Vimperator also, there's a very simple vimperator plugin that you can use, after which typing "\s" (a backslash, then an "s") toggles just enough JS temporarily for most sites to work fine. Using an uppercase "s" toggles it permanently.

And really, Adblock and Flashblock are more for usability than security. Friends don't let friends browse random sites without NoScript ;-)

No changelog

Posted Sep 17, 2008 16:48 UTC (Wed) by endecotp (guest, #36428) [Link]

I got the "new version of NoScript available" dialog this morning, and what annoyed me about it was that there was no changelog or description of the update. (No doubt someone will now tell me that there's some little button with a picture of a cake or something that "obviously" means "click here for details", but I really don't see these things.)

I have now trained myself just to click "yes" to these things since there is no way to say "No and don't ask again" or "remove this extension" (that I can see, though there does seem to be a difference between "ignore" and "cancel", IIRC).

And what is NoScript doing messing with cookies anyway? I had no idea it was doing that.

Oh, don't I sound like a grumpy old man...

No changelog

Posted Sep 17, 2008 18:47 UTC (Wed) by rahvin (subscriber, #16953) [Link]

I would suggest you post your suggestion about ignoring updates as a feature request with Mozilla. Your suggestion intrigued me as a missing feature.

No changelog

Posted Sep 17, 2008 19:10 UTC (Wed) by matp75 (subscriber, #45699) [Link]

Hello,

It seems normal to me that NoScript is trying to improve to be able to respond to new attacks.
There are some kinds of situations where attacks work by exploiting the way sites use both https and http.
To avoid a cookie leak from https to http, you have to use a browser feature called secure cookies.
Ideally, this should be done by web site owners, but most web site owners don't know the risk and don't set this option.
In my understanding, NoScript tries to add a secure-by-default option to these kinds of cookies.
I've no idea why it affected lwn.net, which seems to be only an http site (except maybe the auth is done via https and switched afterwards to http, which would explain the problem?)
Some of this is explained in the NoScript FAQ: http://noscript.net/faq#cookiemonster
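
The interaction described in the comment above, as an added example that is not part of the original thread and is not NoScript's code: a toy cookie jar showing why a session cookie set over HTTPS without the Secure attribute leaks to plain HTTP, and why forcing Secure on it breaks a login that continues over HTTP unless the host is exempted. The `Jar` class, its `force_secure` and `exceptions` parameters, and the host `site.example` are hypothetical, and the forcing rule is an assumption modelled on the commenter's description.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a login response that sets a session cookie without "Secure".
LOGIN_SET_COOKIE = "session=abc123; Path=/"

@dataclass
class Cookie:
    name: str
    value: str
    host: str
    secure: bool

class Jar:
    """Toy cookie jar: host-exact matching, only the Secure attribute is modelled."""

    def __init__(self, force_secure=False, exceptions=()):
        self.force_secure = force_secure   # assumed model of the NoScript option
        self.exceptions = set(exceptions)  # hosts exempted from forcing
        self.cookies = []

    def store(self, set_cookie, origin_url):
        origin = urlsplit(origin_url)
        attrs = [p.strip() for p in set_cookie.split(";")]
        name, _, value = attrs[0].partition("=")
        secure = any(a.lower() == "secure" for a in attrs[1:])
        # Upgrade cookies that arrived over HTTPS but were not marked Secure.
        if (self.force_secure and origin.scheme == "https"
                and origin.hostname not in self.exceptions):
            secure = True
        self.cookies.append(Cookie(name, value, origin.hostname, secure))

    def cookie_header(self, url):
        target = urlsplit(url)
        return "; ".join(
            f"{c.name}={c.value}" for c in self.cookies
            # A Secure cookie is only ever attached to HTTPS requests.
            if c.host == target.hostname and (target.scheme == "https" or not c.secure)
        )

def login_then_browse(jar, host="site.example"):
    """Log in over HTTPS, then follow a plain-HTTP link on the same host."""
    jar.store(LOGIN_SET_COOKIE, f"https://{host}/login")
    return jar.cookie_header(f"http://{host}/")

if __name__ == "__main__":
    print(repr(login_then_browse(Jar())))                        # cookie crosses to HTTP
    print(repr(login_then_browse(Jar(force_secure=True))))       # cookie withheld
    print(repr(login_then_browse(Jar(True, {"site.example"}))))  # exception restores it
```

The site-side fix is for the server to set `Secure` itself and keep the whole logged-in session on HTTPS, so neither the leak nor the breakage arises.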

No changelog

Posted Sep 17, 2008 21:33 UTC (Wed) by khc (subscriber, #45209) [Link]

It's called noscript, not securemozilla. I could use an extension that blocks scripts, but things like http://noscript.net/faq#qa4_2 make it annoying to use for the rest of the non-ascii world. Yes I can disable it, but it has a big scary warning. Why must I be a geek to use non-English websites?

No changelog

Posted Sep 17, 2008 22:58 UTC (Wed) by ma1 (guest, #53955) [Link]

It's called NoScript, but it's spelled SecureMozilla ;)

Regarding FAQ 4.2, that entry was very outdated. Currently NoScript's anti-XSS filters sanitize just a handful of characters (the less-than sign, quotes, backslashes), and for untrusted-to-trusted cross site requests only.

Other cross-site requests (trusted-to-trusted) are sanitized exclusively if a relevant fragment of HTML and/or syntactically valid JavaScript is detected, and the false positive rate is very low.

No changelog

Posted Sep 18, 2008 2:53 UTC (Thu) by khc (subscriber, #45209) [Link]

thanks, I see that the faq entry is updated now.

No changelog

Posted Sep 18, 2008 12:01 UTC (Thu) by sitaram (subscriber, #5959) [Link]

yes, and this is LWN, but we do see articles about BSDs and such also.

:-)

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 19:30 UTC (Wed) by zeekec (subscriber, #2414) [Link]

I use https to browse the main page of LWN, but I just noticed that all the links on the page redirect to http.

Is there any particular reason for this? and could it be changed?

NoScript 1.8.1 and LWN logins

Posted Sep 17, 2008 20:20 UTC (Wed) by ma1 (guest, #53955) [Link]

If you already upgraded to NoScript 1.8.1.3, you can force HTTPS on lwn.com by adding it to NoScript Options|Advanced|HTTPS|Behavior, see http://noscript.net/faq#https for details.

NoScript 1.8.1 and LWN logins

Posted Sep 19, 2008 5:06 UTC (Fri) by amikins (guest, #451) [Link]

But it might be better for lwn.net. :)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds