11

I just came to know about NoScript, but after installing, it opened the author's homepage with an advert for 'SpeedUpMyPC' that pointed to a UniBlue website, which I found fishy. Googling turned up this, but it's been many years now since that time. So how do I know whether NoScript itself is not some kind of malware downloader? I don't have the time to read the whole source code, and there are parts that are obfuscated. I couldn't find any evidence that the current version of the addon had been reviewed carefully, so how can I trust it? If not for the Mozilla addons site reporting that NoScript has 2 million users, I would have immediately classified NoScript as highly probable malware.

This issue was brought up in this forum post (archived here), but all questions went unanswered.

Let me specify my questions clearly:

  1. Is NoScript malware?

    • If it is, why is it on the Mozilla addons website?

    • If it isn't, why does everyone say that UniBlue is malware? How can a program be considered clean if it opens a webpage with a link to malware?

  2. Even if NoScript is not malware, does it surreptitiously contact the author's server for any purpose whatsoever, including updates? I want it to do absolutely nothing else other than block scripts.

The link on the NoScript website is https://noscript.net/jo/zp/piexgrhdc48ZOORjo. I purposely broke the hyperlink because I don't know whether it is malicious.

Notes

The above link is in fact a 302 redirect to http://uniblue.com/cm/c/?aff=3257&x-at=noscriptb1&r=http%3A%2F%2Fwww.uniblue.com%2Fcm%2Fflashgt%2Fspeedupmypc%2Fnoscriptb1%2Fdownload%2F%3Faff%3D3257%26x-at%3Dnoscriptb1, which incidentally has a robots.txt that Archive.Org respects and hence doesn't save it. Either way, the UniBlue page states everywhere on its website that it is a Microsoft Partner, and I seriously doubt Microsoft has anything to do with them.

I also found this MyWOT forum thread denouncing UniBlue.

Anders
user21820
  • 2
    The NoScript website is not really well maintained, but the plug-in is effectively open source as you can inspect the JS source files by unzipping the xpi file. – billc.cn May 17 '16 at 10:43
  • Don't use the website, search for the plugin from within your browser. – k1308517 May 17 '16 at 11:41
  • @billc.cn: Did you read what I said about the source code? I obviously did unzip and look inside but it's not short and obfuscated in some parts. Did anyone do it? What if everyone thinks that someone else will check every bit of it and no one does? – user21820 May 17 '16 at 11:51
  • 1
    @k1308517: You **clearly** didn't read the **first line** of my question; it opens the website **of its own accord**. – user21820 May 17 '16 at 11:53
  • You could ask the Tor Browser guys why they are including NoScript in their product. Also consider that this is just a damn ad on the website which contains the change log. Most of the NoScript users will not even think about clicking on it. – Noir May 17 '16 at 13:23
  • @Noir: Whether it's the author's website is irrelevant. How on earth can anyone trust NoScript not to do other funny things while running? – user21820 May 17 '16 at 13:30
  • I believe they can be considered a "Partner" if they achieve the required certifications within their organization. Gold means they met some number of MCSE etc. on staff. Also even Google constantly tries to change browser settings for users (set Google as default? download our app?)... so there are different tiers of invasiveness of ads/change prompts. – Dave May 17 '16 at 13:42
  • @Dave: Well I don't know about Google but would you consider this case acceptable? I don't. And that's the best scenario, even if NoScript itself is 100% clean, which is a major part of my question and is quite objectively answerable. If no one here can verify that, then I can't trust it either. – user21820 May 17 '16 at 14:20
  • It may be helpful for those who have this same question as I had to know about https://www.theregister.co.uk/2015/07/01/noscript_bypass and https://answers.microsoft.com/en-us/windows/forum/windows_vista-security/uniblue-scam-and-very-harmful-virusesmalware/ecf044e8-9c5e-e011-8dfc-68b599b31bf5. In the absence of expert advice, my advice to users concerned with security is to stay away from anything related to NoScript and UniBlue. – user21820 Feb 18 '17 at 08:48
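
Added example (not part of the original question or comments, and not NoScript's code): a first-pass triage of an XPI archive, following the suggestion in the comments to unzip it, that lists hard-coded URLs, any declared update URL, and dynamic-code or network constructs worth reading by hand. The sample archive, its file names and the `example.invalid` hosts are constructed, and the 1000-character long-line threshold is an assumption.

```python
import io
import re
import zipfile

URL_RE = re.compile(r"https?://[^\s'\"<>)\\]+")
# Constructs that deserve a manual read: dynamic code and network-capable APIs.
MARKERS = ("eval(", "new Function(", "XMLHttpRequest", "fetch(", "atob(")
LONG_LINE = 1000  # heuristic threshold (assumption): minified or packed code


def triage_xpi(data: bytes) -> dict:
    """Summarize what to read first in an extension archive (an XPI is a ZIP)."""
    report = {"update_urls": [], "urls": {}, "markers": {}, "long_lines": []}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for name in xpi.namelist():
            if not name.endswith((".js", ".jsm", ".json", ".rdf", ".xul", ".html")):
                continue
            text = xpi.read(name).decode("utf-8", errors="replace")
            urls = sorted(set(URL_RE.findall(text)))
            if urls:
                report["urls"][name] = urls
            # Legacy install.rdf uses em:updateURL; WebExtension manifests use update_url.
            if name in ("install.rdf", "manifest.json"):
                report["update_urls"] += re.findall(
                    r'(?:updateURL>|"update_url"\s*:\s*")([^<"\s]+)', text)
            if name.endswith((".js", ".jsm")):
                hits = [m for m in MARKERS if m in text]
                if hits:
                    report["markers"][name] = hits
                if any(len(line) > LONG_LINE for line in text.splitlines()):
                    report["long_lines"].append(name)
    return report


def build_sample_xpi() -> bytes:
    """Constructed sample archive, not a real add-on; hosts are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf",
                   "<RDF><em:updateURL>https://updates.example.invalid/u.rdf</em:updateURL></RDF>")
        z.writestr("chrome/content/main.js", "new XMLHttpRequest().open('GET', 'https://stats.example.invalid/ping');\n")
        z.writestr("chrome/content/packed.js", "eval(" + "a" * 1200 + ");\n")
        z.writestr("chrome/content/clean.js", "function block() { return true; }\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_xpi(build_sample_xpi()))
```

A report like this only narrows down which files to read; strings assembled at runtime will not show up in it, so flagged files still need a manual review.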

1 Answer

-1

Honestly do not know if it is malicious or not, but it is used in Tor Browser to prevent scripts, and I've seen it work within the Tor Browser when booted into Tails OS and it doesn't appear to do anything but prevent scripts from running. I would definitely watch what you click though, as I did notice an advertisement/link for the "speed up my pc" junk there (I don't trust those things...).

Some websites require scripts to be allowed though, for certain content, so if you do use it, or another script blocker, you can adjust the settings to allow scripts for that site, other sites, or block all scripts globally.

Just make sure the site is a site you can trust before allowing the script.

  • 2
    You should move your response into comments, because you're not answering my question. What an addon **appears** to do is irrelevant to what it **actually** does. Moreover, the fact that you too don't trust those advertised things means that you ought not to fully trust NoScript, since you don't know what else it might do **behind your back**, not to say it probably has remote self-updating capability which is the biggest problem with an untrustworthy author. – user21820 May 22 '16 at 09:56
  • 2
    I think the fact that NoScript is used in Tor and Tails provides value. – Neil Smithline May 22 '16 at 15:34