Why I've started using NoScript

post by benwr · 2019-05-15T21:32:20.415Z · LW · GW · 19 comments


Edit: I've updated somewhat based on Said's comment below, to think that NoScript is not a tool for everyone. I haven't decided to stop using it, but I have decided to stop strongly recommending that others use it. I especially urge you to read about the other extensions he lists at the end of his comment.

Edit 2: It's also been pointed out to me that uBlock Origin also has capabilities for blocking 3rd party JavaScript, and might be even better at it than NoScript; in line with the idea that this is not for everyone, this functionality requires the user to explicitly claim to be an "advanced user" and read various documentation first. You may also be interested in reading the discussion for this post on lobste.rs.

NoScript is a browser extension[1] that prevents your browser from loading and running JavaScript without your permission. I recently started using it, and I highly recommend it.

I had first tried using NoScript around a decade ago. At the time it seemed like too much of a hassle. I ended up wanting to enable almost all the scripts that were included, and this was somewhat annoying to do. Things have changed a lot since then.

For one, NoScript's user interface has become much better: Now, if a page isn't working right, you simply click the NoScript icon and whitelist any domains you trust, or temporarily whitelist any domains you trust less. You can set it to automatically whitelist domains you directly visit (thereby only blocking third-party scripts).

A more pressing change is that I'm now much less comfortable letting arbitrary third parties run code on my computer. I used to believe that my browser was fundamentally capable of keeping me safe from the scripts that it ran. Sure, tracking cookies and other tricks allowed web sites to correlate data about me, but I thought that my browser could, at least in principle, prevent scripts from reading arbitrary data on my computer. With the advent of CPU-architecture-based side channel attacks (Meltdown and Spectre are the most publicized, but it seems like new ones come out every month or so), this belief now seems quite naïve.

Finally, in that decade, third-party scripts for tracking and ads have become almost literally ubiquitous on the web. Just about every web site I visit, I've discovered, has at least a couple of third-party dependencies, whose provenance I don't trust, and which I'd rather not spend (even a minuscule proportion of) my energy bill on. Even disregarding the new hardware vulnerabilities, I don't think arbitrary third party trackers ought to be trusted to run in your browser[2]; if even one of the hundreds of tracking scripts is compromised, this could easily leak your passwords or other data to attackers.

An added benefit has been that NoScript works better than my ad blocker. Around the time I started using NoScript, I was watching a show on a streaming site I don't normally visit, that shall remain nameless. This site is extremely annoying. It plays more ads per minute than content, somehow evading uBlock Origin, and often the ads seem to break the actual video player so that the show stops partway through. After installing NoScript, I spent about 3 minutes wading through the ~50 script sources, enabling not-ads until eventually the video played. I was thrilled to see that the video played perfectly, with no interruptions.

In summary, just go try it. You might not like it, but at least then you'll know.


  1. There is a version for Firefox and one for Chrome; it also has a Wikipedia page.

  2. Some decent background on the problem can be read here.

19 comments


comment by Said Achmiz (SaidAchmiz) · 2019-05-15T22:46:51.958Z · LW(p) · GW(p)

Speaking as someone who both builds websites, and also has very strong objections to ads, tracking, website bloat, and all the other maladies and afflictions of the modern web, I have to say that… using NoScript is not a good suggestion.

There are several reasons; some are entirely selfish, and some have to do with how your actions affect wider trends. I’ll list what I think are the major reasons.

First, though, let me say that I entirely agree with you when you say “I don’t think arbitrary third party trackers ought to be trusted to run in your browser”. I’ll go further, and say that I have no obligation to view ads, to be tracked, to view messages about how ads are necessary for a website’s revenue and continued survival, to view messages about cookies or other GDPR-related nonsense, to click on popups about those messages, to view or click on popups asking me to register an account with a website, etc., etc., etc. It’s my computer, and I have the absolute right (assuming I am breaking no laws) to view content thereon in whatever way I wish.

And I still don’t think NoScript is a good call. Here’s why.

It breaks websites in ways that may not be obvious.

It is, in some sense, the less bad scenario if you visit a site and it’s just obviously horribly broken; you click that NoScript icon, whitelist the site, and voilà—you’re good to go. But what if a site seems to be fine? It might not occur to you to enable NoScript… but you’ll be missing potentially quite important site features. If you get used to browsing with NoScript, you might not even think to turn off the extension for a website… and be deprived of work the site designer has put in to make the website usable and useful.

The perverse irony of this is that it means that using NoScript will most reliably damage your user experience of precisely those websites that use JavaScript responsibly. For a simple example, take the website which I am, right now, using to type this comment: GreaterWrong. If you turn off JavaScript, you can still view posts and comments, and in fact the site will at first glance look just fine (this is by design; we want to support those users who, due to limitations of hardware and software, cannot run the JS we use). But you will not have any of the usability enhancements GreaterWrong offers—changing the text size, adjusting the appearance (themes & theme tweaker) and the content width, keyboard-based navigation features, etc.

This is, of course, directly a problem for you, as an individual, but it gets worse due to general user-population trends. Widespread use of NoScript among those who care about issues related to web bloat (and related issues) would (and, I strongly suspect, already is) weaken or even largely remove the pressure on web designers to minimize at least the most egregious of such anti-patterns. If I know that weighing down my site with a bunch of JavaScript means that many users will simply leave the site and never come back, I will put effort into optimization. But if I know that anyone who cares about performance will in any case have NoScript installed, then why not add framework after framework and tracker after tracker?

Note that I am not saying “and therefore you must suffer the burden of websites filled with malicious and bloated JavaScript… For The Common Good™”! Rather, I am saying that the right way to fight these undesirable trends is not NoScript, but rather something else (see below).

It is a blunt instrument, and that leads to security lapses.

If you find that a website doesn’t work with NoScript enabled, you can, indeed, laboriously whitelist one domain at a time, after manually checking the provenance of each one, until the site begins to work. But, for one thing, most people will not do this; they will be less careful, and will whitelist whatever it takes to make a site work. And even if you do carefully and manually whitelist every script domain one by one, you will inevitably let in some “naughty” scripts by mistake. Either way, security lapses will result.

There’s a better way.

You want to block ads. Good; block ads, not JavaScript.

You want to block trackers. Good; block trackers, not JavaScript.

You want to avoid third-party assets. Good; avoid third-party assets, not JavaScript.

In short, fix the specific problems you have, rather than simply disabling a big chunk of your browser.

Here’s how.

Advantages of this approach:

  1. Automatic instead of manual (no “spend 3 minutes manually whitelisting each of 50 domains, hoping you didn’t accidentally enable a bad one”)
  2. No breaking of website functionality
  3. Much more comprehensive protection than NoScript (together, these add-ons will also block tracking pixels, cookies, centrally distributed CSS or images or other assets that could track you, etc.)

Replies from: SaidAchmiz, Raemon, habryka4, breviwit, benwr, sdmin, robc
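The two policies argued over here, the post's "automatically whitelist domains you directly visit (thereby only blocking third-party scripts)" and this comment's "block trackers, not JavaScript", side by side as an added illustration. This is not code from either author, nor from NoScript or uBlock Origin: it implements a first-party/third-party test, a NoScript-style allowlist, and a deliberately small subset of Adblock-style filter syntax (`||host^`, the `$third-party` option and `@@` exceptions), then runs both over one constructed page and script set. The hosts, rules, and the two-label "registrable domain" shortcut are all assumptions made for the example.

```javascript
// Added example: a toy model of the two policies debated in this thread,
// not code from the post's author, the commenter, NoScript or uBlock Origin.
//
//  "noscript"   : first-party scripts run; a third-party script runs only if
//                 its site is on a user-maintained allowlist.
//  "filterlist" : every script runs unless a blocklist rule matches it;
//                 rules use a simplified Adblock-style syntax:
//                 "||host^" blocks host and its subdomains,
//                 "$third-party" limits a rule to cross-site loads,
//                 "@@" marks an exception that overrides blocks.
//
// Hosts, rules and the script set below are constructed; nothing is fetched.

// Registrable domain approximated as the last two host labels. Real blockers
// use the Public Suffix List; this shortcut (an assumption) is fine for
// "cdn.example.net" but would be wrong for hosts under e.g. "co.uk".
function site(host) {
  return host.split(".").slice(-2).join(".");
}

function isThirdParty(pageUrl, scriptUrl) {
  return site(new URL(pageUrl).hostname) !== site(new URL(scriptUrl).hostname);
}

function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// NoScript-style decision: allowlist of sites, first party implicitly trusted.
function noscriptDecision(pageUrl, scriptUrl, allowlist) {
  if (!isThirdParty(pageUrl, scriptUrl)) return "allow";
  const host = new URL(scriptUrl).hostname;
  return allowlist.some(d => hostMatches(host, d)) ? "allow" : "block";
}

// Parse one rule of the simplified syntax described above.
function parseRule(text) {
  let rule = text.trim();
  const exception = rule.startsWith("@@");
  if (exception) rule = rule.slice(2);
  const [pattern, opts = ""] = rule.split("$");
  if (!pattern.startsWith("||") || !pattern.endsWith("^")) {
    throw new Error("unsupported rule syntax: " + text);
  }
  return {
    host: pattern.slice(2, -1),
    thirdPartyOnly: opts.split(",").includes("third-party"),
    exception,
  };
}

function ruleMatches(rule, pageUrl, scriptUrl) {
  if (!hostMatches(new URL(scriptUrl).hostname, rule.host)) return false;
  return !rule.thirdPartyOnly || isThirdParty(pageUrl, scriptUrl);
}

// Filter-list decision: any matching exception wins, then any matching block.
function filterlistDecision(pageUrl, scriptUrl, rules) {
  const hits = rules.filter(r => ruleMatches(r, pageUrl, scriptUrl));
  if (hits.some(r => r.exception)) return "allow";
  return hits.some(r => !r.exception) ? "block" : "allow";
}

// Constructed page, script tags and user configuration.
const PAGE = "https://news.example.com/article";
const SCRIPTS = [
  "https://news.example.com/app.js",           // first-party application code
  "https://static.example.com/theme.js",       // same site, different host
  "https://cdn.library.example/lib.js",        // third-party library host
  "https://tracker.adnet.example/pixel.js",    // known tracker
  "https://widgets.adnet.example/comments.js", // same ad network, useful widget
  "https://metrics.newhost.example/t.js",      // tracker not yet on any list
];
const ALLOWLIST = ["library.example"];
const RULES = [
  "||adnet.example^$third-party",
  "@@||widgets.adnet.example^",
].map(parseRule);

// Run both policies over the same requests so the trade-offs are side by side.
function compare(pageUrl = PAGE, scripts = SCRIPTS) {
  return scripts.map(url => ({
    url,
    noscript: noscriptDecision(pageUrl, url, ALLOWLIST),
    filterlist: filterlistDecision(pageUrl, url, RULES),
  }));
}

console.table(compare());
```

Run it with `node` and the printed table makes both sides of the thread concrete on the same input: the allowlist blocks the ad network's useful widget along with its tracker (the "breaks features you did not know were there" problem), while the filter list keeps the widget and blocks the tracker but lets the unlisted `metrics.newhost.example` host run, because a blocklist can only stop what someone has already catalogued.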
comment by Said Achmiz (SaidAchmiz) · 2019-05-15T22:56:04.651Z · LW(p) · GW(p)

To add to what I say in the parent comment, I want to comment a bit more about the security issue. From the OP:

… if a page isn’t working right, you simply click the NoScript icon and whitelist any domains you trust, or temporarily whitelist any domains you trust less.

But how the heck do I know what domains I trust? This security model requires me to know, and think, about what domains are “trustworthy” and what ones are not… in the face of constant, highly lucrative (and therefore highly incentivized) efforts at deception and treachery on the part of the ad-tech companies (and other bad actors)!

Which of the following is a better approach to security:

  1. Personally undertake to decide which external scripts and assets come from “trustworthy domains” (and are therefore safe… presumably?), for every website I visit which implements some potentially desirable JavaScript functionality which I would want to enable.

  2. Delegate that vigilance to the Electronic Frontier Foundation.

To me, this does not seem to be a difficult question.

comment by Raemon · 2019-05-15T23:20:56.219Z · LW(p) · GW(p)

Just wanted to say thanks, this is helpful.

comment by habryka (habryka4) · 2019-05-16T19:38:17.806Z · LW(p) · GW(p)

Small addition: uBlock origin also blocks most kinds of trackers, so depending on your block list choices you might not need an additional plugin.

comment by breviwit · 2019-05-16T18:20:21.178Z · LW(p) · GW(p)

I also suggest Firefox Reader View (or Just Read for Chrome). These will render only the main article on a page, stripping away all the extra junk. Many commercial sites have clickbait articles, autoplay videos, and other nonsense alongside the main article on a page. Ad Blockers and security add-ons will leave all this distracting noise alone. Reader View renders precisely what you want to see (usually).

But like NoScript, Reader View is a blunt instrument and will throw out useful site features. I only enable it in the rare case where there's a worthwhile article on a crappy site.

comment by benwr · 2019-05-15T23:38:12.990Z · LW(p) · GW(p)

This is a great response and I'm glad to have read it. However I think you miss one important disadvantage of your approach: These alternatives are mostly blacklists, and so they become less useful as you get further into the less-trafficked corners of the web, which is also where you're most likely to hit, e.g., invisible compromised resources.

I've also been surprised at how little "whitelist fatigue" I've gotten. I would have naively expected to get tired of whitelisting domains, but in practice it's continued to feel freeing rather than obnoxiously attention consuming, and site functionality is almost always easy / obvious to enable properly. It's possible that sometimes I miss intended functionality, but I doubt that this comes close to outweighing the benefits.

Edit: the following paragraph misunderstands Said's comment and doesn't address the point that it was meant to; apologies.

Finally, I don't buy the argument about incentivizing web authors. If trackers work less well, there is obviously less incentive to use them. If the only thing holding back authors from adding trackers willy-nilly is user annoyance at page bloat, then it's clearly not enough, and so telling people to just go on shouldering that annoyance to ensure that the annoyance is minimized seems like privileging second-order effects that I would expect to be small.

Replies from: SaidAchmiz
comment by Said Achmiz (SaidAchmiz) · 2019-05-15T23:46:59.083Z · LW(p) · GW(p)

telling people to just go on shouldering that annoyance to ensure that the annoyance is minimized

With respect, please re-read my comment, because not only did I not say anything like this, I specifically pointed out that I am not saying anything like it!

Furthermore, the argument from incentives was not specifically (or even mostly) about trackers; it was about bloat in website design / features. Frankly, it does not seem to me like you have given due consideration to what I wrote in that section of my comment…

However I think you miss one important disadvantage of your approach: These alternatives are mostly blacklists, and so they become less useful as you get further into the less-trafficked corners of the web, which is also where you’re most likely to hit, e.g., invisible compromised resources.

This is an interesting counterpoint, certainly. I am curious to what extent this is true in practice, and whether you make this claim on the basis of experience, or supposition; do you have examples?

Replies from: benwr
comment by benwr · 2019-05-15T23:56:06.089Z · LW(p) · GW(p)

You're right; I'm sorry that I didn't read your comment sufficiently carefully.

The reasoning there is purely my expectation and isn't based on data or particular experience.

comment by sdmin · 2020-03-31T04:28:54.472Z · LW(p) · GW(p)

Hello! I like both the above original post and your comment which both describe the general privacy/bloat issue and measures against.

But, aside from all the ads and tracking... what do you say about blocking JS to avoid shady malicious code running in your browser, delivered from a site you would normally trust, but was somehow manipulated and may someday find a way out of its sandbox (browser bugs, PDF vulnerabilities etc.)? Ok, one could disable plugins but you never know what's next. How would you go about this issue with your approach? Or did I miss something? I'm not an expert.

I hope my point and question is coming across, despite my English. ;)

Replies from: SaidAchmiz
comment by Said Achmiz (SaidAchmiz) · 2020-03-31T20:20:36.785Z · LW(p) · GW(p)

Well, for one thing, the problem of “code delivered from a site you would normally trust but that is now malicious” is the same as the problem of “being mistaken about what sites to trust (and so accidentally trusting a site that was malicious all along)”.

As I understand your question, and as I understand the web and its technologies, the problem basically is that “if you run code (JavaScript) in your browser—code that is provided by arbitrary people on the internet—this is fundamentally a vulnerability”. And that’s true. There’s no solution to that basic fact other than “don’t run JavaScript”.

The matter really depends on how much you trust your browser vendor (Google, Apple, or Mozilla) to secure the browser against exploits that could harm/steal/pwn your computer or your data. If you trust them to a reasonable degree, then precautions short of “disable JavaScript entirely” suffice. If you really don’t trust them very much at all, then disable JavaScript (and possibly take even stricter measures to limit your exposure, such as running your browser in a VM, or some such thing; Richard Stallman’s browse-by-email workflow would be an extreme example of this).

comment by robc · 2019-05-16T18:50:03.895Z · LW(p) · GW(p)

I disagree with your argument. NoScript is an excellent tool and I use it on my personal browsers in addition to uBlock Origin.

Yes, it disables JavaScript and sometimes can break webpages. In those cases I'll check my console and begin enabling JavaScript on the host page and any obvious CDNs it may be using. If after a couple of attempts the page still won't display content, I'll usually just leave the site as it's not worth it.

On pages that actually do require JavaScript for display (simulations, visualizations, etc), I'll let it run.

I'm curious as to why you think disabling JavaScript is something to avoid. It's executing code, consuming power and occupying my CPU and RAM, often for no other purpose other than reporting my behavior back to some third party host. Why would I want to allow that?

Replies from: SaidAchmiz, Raemon
comment by Said Achmiz (SaidAchmiz) · 2019-05-16T19:01:40.825Z · LW(p) · GW(p)

Yes, it disables JavaScript and sometimes can break webpages. In those cases I’ll check my console and begin enabling JavaScript on the host page and any obvious CDNs it may be using. If after a couple of attempts the page still won’t display content, I’ll usually just leave the site as it’s not worth it.

Over half of my comment, by word count, is dedicated to addressing, and deconstructing, specifically this argument, and explaining both of the problems with it. Meaning no offense, but I am having a hard time believing that you read what I wrote; it rather seems like you instead skimmed my comment, pattern-matched to simplistic arguments you’ve read elsewhere, and responded to that straw version. I can’t really say anything in response without rehashing exactly what I wrote, because what I wrote is already a rebuttal of your points!

May I respectfully ask that you re-read my comment? If you still do not think that your arguments are addressed, then I suppose I have nothing further to say.

I’m curious as to why you think disabling JavaScript is something to avoid.

I explained this in my comment. See above.

It’s executing code, consuming power and occupying my CPU and RAM, often for no other purpose other than reporting my behavior back to some third party host. Why would I want to allow that?

Once again, the specific JavaScript that is running “for no other purpose other than reporting my behavior back to some third party host” is, indeed, that which you absolutely should be blocking. I explained that in my comment, as well, and I gave a detailed explanation of how to do precisely that.

comment by Raemon · 2019-05-16T18:59:05.066Z · LW(p) · GW(p)

Said's comment specifically addresses this.

comment by Anish Tondwalkar (anish-tondwalkar) · 2019-05-16T05:42:16.522Z · LW(p) · GW(p)

Just about every web site I visit, I've discovered, has at least a couple of third-party dependencies, whose provenance I don't trust, and which I'd rather not spend (even a minuscule proportion of) my energy bill on.

A much bigger win in the same vein is your mobile data bill! I've been using Brave on Android with JS off by default and adblocking and my month-to-month data usage has fallen precipitously. (One can also use Firefox mobile with various add-ons to achieve the same effect, obviously)

comment by jmh · 2019-05-17T13:19:25.812Z · LW(p) · GW(p)

Tangent to the general discussion here, I would be interested in hearing others' opinions on a view I hold regarding the entire state of affairs with online marketing techniques around tracking (both in terms of URL and geolocation).

I try to think about what we would do if marketing followed the same approach in the real world as in the virtual world (assume the costs were near zero). I would think most people would consider the real world actions to be a form of stalking and consider them illegal.

Why treat it differently in the virtual world?

Replies from: habryka4
comment by habryka (habryka4) · 2019-05-18T06:21:10.930Z · LW(p) · GW(p)

It feels like it depends a bit on how you frame it. A lot of session tracking is basically equivalent to a store-clerk paying attention to what you do in their store, which is pretty common practice. Can you say more about what specific kinds of tracking feel unethical to you? (I can see some other things that are more cross-site tracking that feel worse to me, but not necessarily that much worse than being watched by a security guard in a mall)

Replies from: Rana Dexsin, jmh
comment by Rana Dexsin · 2019-05-18T20:36:02.369Z · LW(p) · GW(p)

I think it depends a lot on how you frame it, and analogies work much less well than people expect because of ways the Internet is very different from previous environments.

The intuitive social norms surrounding the store clerk involve the clerk having socially normal memory performance and a social conscience surrounding how they use that memory. What if the store clerk were writing down everything you did in the store, including every time you picked your nose, your exact walking path, every single item you looked at and put back, and what you were muttering to your shopping companion? What if that list were quickly sent off to an office across the country, where they would try to figure out any number of things like “which people look suspicious” and “where to display which items”? What if the clerk followed you around the entire store with their notepad when it's a giant box store with many departments? For the cross-site case, imagine that the office also receives detailed notes about you from the clerks at just about every other place you go, because those ones wound up with more profitable store layouts and lower theft rates and the other shops gradually went out of business.

There are other analogy framings still; consider one with security cameras instead, and whether it feels different, and what different assumptions might be in play. But in all of those cases, relying on misplaced assumptions about humanlike capability, motivation, and agency is to be wary of. (Fortunately, I think a lot of people here should be familiar with that one!)

Replies from: habryka4
comment by habryka (habryka4) · 2019-05-18T23:47:16.407Z · LW(p) · GW(p)

Yeah, I share the sense that simply reasoning from analogy is not super useful here, which is why I disagreed a bit with the top-level argument which said that by analogy to existing marketing practices, we should consider tracking obviously equivalent to stalking, which felt relatively weak to me (though I do actually think there are a bunch of quite serious problems with trackers of various forms).

comment by jmh · 2019-05-20T12:22:20.743Z · LW(p) · GW(p)

[Rana hits on most of what I say here, but more clearly I think.]

I agree, there is a lot that happens in real interactions that is similar but seems much different.

First, the store clerk is limited largely to that store. The virtual world and big data is about taking all my other activities and then using that to guide how the clerk engages me in that one store. The parallel there would be having that clerk follow me around all day documenting everything I do, buy, look at....

I have more control over what information I provide the clerk. Clearly that person will know my sex/gender, approximate age and other physical traits. If they are really attentive, and able to see, they might know what type of car I drive and would be able to guess at socioeconomic status based on dress, speech and manner/demeanor. They will generally not know my name, address or approximate location, my travel habits, where I might work or my larger social circle.

Much of the information now collected is something I have no control over. For the clerk I can do any number of things to control what information I share. This is not the case in the virtual world. So, that gets me back to the "If someone did this in the real world...."

It's not that I'm saying everything should be taken as stalking but rather it should be considered more carefully. I've just never really seen the issue framed as how would this look if done in the "old fashioned" shopping/commercial interaction setting. Would that change anything?