Whitelister in Training
I'm not going to summarize NoScript's features or describe how to use it. Visit the NoScript Basics page for this, but it is honestly a very intuitive and simple interface. Instead, I'll tackle the common, biggest obstacle for all whitelisting measures: the training period. In a word, it is continuous. How you decide what sites to trust and how much work you want to put into this decision process is up to you. I use several methods to decide what domains to trust. If I'm familiar with the site and have had a positive experience, I'll trust the scripts associated with the site domain (e.g., typepad.com or its content delivery network). If I'm uncertain, I'll check the scorecard for the domain at MyWot and consider the reputation reported there. If I'm suspicious I submit the domain to VirusTotal and scan to see if the page contains malware. I may Google the domain: if it is a tracking company, I permanently forbid execution (yes, NoScript also has a blacklisting feature).
Over time, you'll teach NoScript which scripts to trust on the sites you visit most often. Note that you won't have to trust every script associated with a page you visit (although this can affect how or whether certain content is displayed). This is actually quite useful, because many sites execute scripts from other domains, and while many of these scripts are beneficial, some are intrusive and others might be malicious. In the absence of a perfect web, NoScript lets me decide what is beneficial and what is not.
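To make the per-domain trust decision concrete, here is an added example (my own illustration, not code from the original post and not NoScript's implementation) of a default-deny script policy evaluated over a constructed page: a small whitelist, a "permanently forbid" blacklist that always wins, and everything else blocked until you decide otherwise. The domains, script URLs and the two-label domain heuristic are assumptions made for the example.

```javascript
// Added example: default-deny script policy in the spirit of NoScript's
// whitelist/blacklist model. All domains below are constructed sample values.
const ALLOW = new Set(["typepad.com"]);        // sites I have decided to trust
const BLOCK = new Set(["tracker.example"]);    // "permanently forbid" list

// Simplification for the example: treat the last two labels as the site's
// domain. Real tools consult the Public Suffix List so that hosts such as
// "foo.co.uk" are grouped correctly; this heuristic would get those wrong.
function siteDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Decide whether a single <script src> may run on the given page.
// Relative URLs resolve against the page, so a site's own scripts are
// judged by the page's domain. The blacklist is checked first so that a
// forbidden domain can never be re-enabled by a broad whitelist entry.
function decide(scriptUrl, pageUrl) {
  const host = new URL(scriptUrl, pageUrl).hostname;
  const domain = siteDomain(host);
  if (BLOCK.has(domain)) return { domain, action: "block", reason: "blacklisted" };
  if (ALLOW.has(domain)) return { domain, action: "allow", reason: "whitelisted" };
  return { domain, action: "block", reason: "default-deny" }; // unknown = not yet trusted
}

// Evaluate every script source found on a page and report the decisions.
function evaluatePage(pageUrl, scriptSrcs) {
  return scriptSrcs.map((src) => ({ src, ...decide(src, pageUrl) }));
}

// Constructed sample page: first-party scripts, a known tracker, and a
// third-party widget the user has not yet made a decision about.
const PAGE = "https://blog.typepad.com/2009/post.html";
const SCRIPTS = [
  "/js/site.js",                                   // relative: first party
  "https://static.typepad.com/lib.js",             // first-party CDN host
  "https://metrics.tracker.example/t.js",          // blacklisted tracker
  "https://widgets.unknown-vendor.example/w.js",   // never seen before
];

function summarize(pageUrl, scriptSrcs) {
  const results = evaluatePage(pageUrl, scriptSrcs);
  const allowed = results.filter((r) => r.action === "allow").length;
  return { results, allowed, blocked: results.length - allowed };
}

// Running the block prints one line per script with the decision and why.
for (const r of summarize(PAGE, SCRIPTS).results) {
  console.log(`${r.action.padEnd(5)} ${r.domain.padEnd(24)} ${r.reason.padEnd(12)} ${r.src}`);
}
```

The point the example makes is the one in the paragraph above: trusting a site means trusting its own domain, not every domain it pulls scripts from, and a domain you have decided is a tracker stays blocked regardless of what else you later allow.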
Training NoScript may seem inconvenient for a while, but let's consider the rewards you reap from whitelisting scripts:
- You automatically block ad services, tracking, and analytics scripts
- You defend against click-jacking, cross-site scripting attacks, Flash, and plugin attacks
- You gain a powerful insight into what is really happening when you visit a web page
So the reward for taking the time to train NoScript is that (1) you protect against information leakage to evil marketing types, (2) you protect against unwitting (drive-by) execution, redirection, or insertion attacks, and (3) you learn what's going on behind your browser and who's responsible for the goings-on. If this sounds like a bargain, grab the add-on. If it sounds like too much trouble and you trust your own good judgment, good luck, and take note of where your OEM/OS recovery disks are.