jd1008 wrote:> On 06/12/2015 12:27 PM, Valeri Galtsev wrote: >> On Sat, June 13, 2015 1:22 pm, jd1008 wrote: >>> >>> On 06/12/2015 12:18 PM, Jonathan Billings wrote: >>>> On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote: >>>>> Mark, please be aware that noscript has also a whitelist >>>>> that is not viewable by the user. >>>>> The whitelist tab does NOT list the hidden white listed >>>>> entries. >>>> You mean the noscript.mandatory about:config entry? I looked at it on >>>> my computer and it wasn't really web sites, just internal chrome URLs >>>> like "about:config". >>>> >>> No Jonathan. >>> I mean websites whitelisted and not exposed in the >>> whitelist tab. >> Let me guess: google, mozilla, ...<snip> This is not completely correct. I just went to my tab on google news, noscript, options, and removed google.content (or whatever it was). mark
On Sat, Jun 13, 2015 at 12:38:35PM -0600, jd1008 wrote:> I was just using that as an example of damaging javascripts. > The current version of noscript no longer tells the number of > javascrits that are blocked out of the total (per web site). > In the older versions, I would dlete all entries in the visible > whitelist, and would visit new websites. It would list some > n javascripts blocked out of m scripts. > Clicking on 'options' tab on bottom, I would not see the > 'allowed' scripts listed.So, you're scaring people away from a privacy-enhancing tool with unprovable claims of a hidden whitelist? Which I can't find in the javascript source of the XPI? Also, based on your conversations with someone who worked at a company that hasn't existed since 2009? I get it, you've got some concerns about the security of the web model. But adjust your tin foil hat, you're picking up Fox News on that thing. For the record, I use NoScript, Ghostery and uBlock, and am happy with the experience (for the most part). I also heavily use Firefox profiles, and only use a completely separate profile for certain operations, such as online banking. I've been playing with using the SELinux sandbox program too, but its just too convenient to be able to copy-paste into firefox, which sandbox blocks. I don't use the same profile for Facebook (*sigh*, yeah) and just random browsing. I'm certain that a certain amount of private information leaks out when I'm browsing forums or catching up with the news, but unfortunately, that's the tax you pay when you use the web. I'm fairly certain that io9.com isn't reading /etc/shadow on my computer. -- Jonathan Billings <billings at negate.org>
On Fri, June 12, 2015 2:03 pm, Jonathan Billings wrote:> On Sat, Jun 13, 2015 at 12:38:35PM -0600, jd1008 wrote: >> I was just using that as an example of damaging javascripts. >> The current version of noscript no longer tells the number of >> javascrits that are blocked out of the total (per web site). >> In the older versions, I would dlete all entries in the visible >> whitelist, and would visit new websites. It would list some >> n javascripts blocked out of m scripts. >> Clicking on 'options' tab on bottom, I would not see the >> 'allowed' scripts listed. > > So, you're scaring people away from a privacy-enhancing tool with > unprovable claims of a hidden whitelist? Which I can't find in the > javascript source of the XPI? Also, based on your conversations with > someone who worked at a company that hasn't existed since 2009? > > I get it, you've got some concerns about the security of the web > model. But adjust your tin foil hat, you're picking up Fox News on > that thing. > > For the record, I use NoScript, Ghostery and uBlock, and am happy with > the experience (for the most part). > > I also heavily use Firefox profiles, and only use a completely > separate profile for certain operations, such as online banking. I've > been playing with using the SELinux sandbox program too, but its just > too convenient to be able to copy-paste into firefox, which sandbox > blocks. I don't use the same profile for Facebook (*sigh*, yeah) and > just random browsing. I'm certain that a certain amount of private > information leaks out when I'm browsing forums or catching up with the > news, but unfortunately, that's the tax you pay when you use the web.Speaking of privacy... I would recommend people to check out tor project: https://www.torproject.org/ they have nice browser (codebase of which is Mozila Firefox, - they didn't find better workhorse yet...). One privacy aspect that wasn't mentioned here is you internet provider being able to see your traffic (destination at least) and analyze that. This is what tor project helps with. But other aspects are also well lit on their website, including what information you disclose yourself (often even not realizing that). I hope, this helps someone. Valeri> > I'm fairly certain that io9.com isn't reading /etc/shadow on my > computer. > > -- > Jonathan Billings <billings at negate.org> > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos >++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 06/12/2015 12:27 PM, Valeri Galtsev wrote:> On Sat, June 13, 2015 1:22 pm, jd1008 wrote: >> >> On 06/12/2015 12:18 PM, Jonathan Billings wrote: >>> On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote: >>>> Mark, please be aware that noscript has also a whitelist >>>> that is not viewable by the user. >>>> The whitelist tab does NOT list the hidden white listed >>>> entries. >>> You mean the noscript.mandatory about:config entry? I looked at it on >>> my computer and it wasn't really web sites, just internal chrome URLs >>> like "about:config". >>> >> No Jonathan. >> I mean websites whitelisted and not exposed in the >> whitelist tab. > Let me guess: google, mozilla, ... > > Please, tell me how wrong I am (who are actually whitelisted would be > really good to know). > >I was just using that as an example of damaging javascripts. The current version of noscript no longer tells the number of javascrits that are blocked out of the total (per web site). In the older versions, I would dlete all entries in the visible whitelist, and would visit new websites. It would list some n javascripts blocked out of m scripts. Clicking on 'options' tab on bottom, I would not see the 'allowed' scripts listed.
On 06/12/2015 12:46 PM, m.roth at 5-cent.us wrote:> jd1008 wrote: >> On 06/12/2015 12:27 PM, Valeri Galtsev wrote: >>> On Sat, June 13, 2015 1:22 pm, jd1008 wrote: >>>> On 06/12/2015 12:18 PM, Jonathan Billings wrote: >>>>> On Sat, Jun 13, 2015 at 12:05:16PM -0600, jd1008 wrote: >>>>>> Mark, please be aware that noscript has also a whitelist >>>>>> that is not viewable by the user. >>>>>> The whitelist tab does NOT list the hidden white listed >>>>>> entries. >>>>> You mean the noscript.mandatory about:config entry? I looked at it on >>>>> my computer and it wasn't really web sites, just internal chrome URLs >>>>> like "about:config". >>>>> >>>> No Jonathan. >>>> I mean websites whitelisted and not exposed in the >>>> whitelist tab. >>> Let me guess: google, mozilla, ... > <snip> > This is not completely correct. I just went to my tab on google news, > noscript, options, and removed google.content (or whatever it was). > >You did not read my full message. You are using a recent incarnation of noscript which does not enumerate in a temprary line near the status bar about how many scripts are block out of a total. If you want to continue thinking all is well in noscript land, fine with me.
On 06/12/2015 01:03 PM, Jonathan Billings wrote:> On Sat, Jun 13, 2015 at 12:38:35PM -0600, jd1008 wrote: >> I was just using that as an example of damaging javascripts. >> The current version of noscript no longer tells the number of >> javascrits that are blocked out of the total (per web site). >> In the older versions, I would dlete all entries in the visible >> whitelist, and would visit new websites. It would list some >> n javascripts blocked out of m scripts. >> Clicking on 'options' tab on bottom, I would not see the >> 'allowed' scripts listed. > So, you're scaring people away from a privacy-enhancing tool with > unprovable claims of a hidden whitelist? Which I can't find in the > javascript source of the XPI? Also, based on your conversations with > someone who worked at a company that hasn't existed since 2009? > > I get it, you've got some concerns about the security of the web > model. But adjust your tin foil hat, you're picking up Fox News on > that thing. > > For the record, I use NoScript, Ghostery and uBlock, and am happy with > the experience (for the most part). > > I also heavily use Firefox profiles, and only use a completely > separate profile for certain operations, such as online banking. I've > been playing with using the SELinux sandbox program too, but its just > too convenient to be able to copy-paste into firefox, which sandbox > blocks. I don't use the same profile fo Facebook (*sigh*, yeah) and > just random browsing. I'm certain that a certain amount of private > information leaks out when I'm browsing forums or catching up with the > news, but unfortunately, that's the tax you pay when you use the web. > > I'm fairly certain that io9.com isn't reading /etc/shadow on my > computer. >:) LOL Enjoy your perception of security and privacy :)