The Best Free Software

if u concern abt cookies, i finally stay wit opera after trying and trying.
‘delete new cookies when exiting opera’ makes my life easy (and i do test, it really does wat it claim, not like MS suker). and its fast like lightning.

in case u r not opera follower, try sandboxie. after everi section, 1 click delete content, everithing gone (but b cafeful if u saved something)

Yes it’s Opera what I’m using and it does have those options including the clear when closing feature. I don’t enable this because if a cookie can be accepted in the first place it’s okay for it to stay between sessions I guess (?).

It’s pretty easy with Opera, if you want to block all by default and you’re in a site that needs cookies, you just right click and select “Edit site preferences…”, there you can configure pretty much everything incluindg Cookies, you can allow all or only first-party cookies, clear when closing, etc forbid script or customize any rule etc all for that particular site. I think Firefox can do at least the part about cookies, at least if you go to the Tools menu.

For nearly all sites that need cookies it’s enough to set the browser to accept cookies for that site, however I found it wasn’t enough for Yahoo webmail and Hotmail in particular. I had to temporarily allow all, note down which domains they came from (a dozen of them :o) and then in order to block all by default again but still not cause these two particular sites to stop working, manually allow cookies for each of these domains.

Opera can also ban all content from any third-party sites. For example once I started seeing popups from malware Errorsafe in Photobucket (hm fishy but at least when I wrote to them they answered and acted promptly). They were embeded in Photobucket’s benign script so that they weren’t unsolicited and thus blocked, they started only once I actually used one of PB’s script buttons. If I blocked script PB would stop working but if I banned and other associated domains the nuissance was gone.

With regard to cookies and fx, unfortunately, the developers really stuffed up with release 2 of fx, by removing the ability to block third party cookies in the UI. They claimed it wasn’t possible to block all third party cookies!!!

Anyway, it’s still possible to block these, mainly user tracking cookies, in fx by editing about:config from the address bar. Search for network.cookie.cookieBehavior and take a look at the value.

0 you accept all cookies
1 means you only accept cookies from the same server
2 means you disable all cookies.

Setting it to 1 has the same effect that the option in the old firefox browsers had:it disables third party cookies.

This works, but it’s a bit of a cludge! A better option is to install an add-on called CookieSafe It gives you complete control over all aspects of cookie handling :slight_smile:

(:SAD) I’ve heard a couple of complaints here and there about release 2. Actually I’ve got Firefox installed and the latest update is v1.5.0.11. That is there’s v2 available but if I want to “upgrade” I must go to the web site and download it myselft, FF won’t update itself to v2 even if I ask it myself to look for updates. That sounds like they’re not confident about their release 2. :-\

They claim it’s not possible to block cookies? :o That makes no sense to me. A cookie is a file that a site asks the browser to write on disc, but it’s the browser the one actually writing it, right? And this comes from the ones who convinced me to switch from MS IE because FF was safer. Maybe they didn’t mean that it’s not possible, but that it’s not convenient (for beginner users)? Anyway one thing is not setting the browser to block cookies by default, but other different things is not giving the option to change that; of course Opera is set by default to allow all cookies, but you can change that. Maybe they rely on plugins, I guess that approach is okay as long as the plugins come from Mozilla itself because I’m not installing something from who knows who especially in a security sensitive field like browsing.

Dude they’re so resting on their laurels.

CookieSafe: (block all cookies except for the sites you want, temporarily or whitelisting as you go; like NoScript does for scripts)

NoScript apparently is the only tool that can counter XSS attacks. All of the sudden, i’m only using FF for this level of control.

Pedro, you seem to know stuff about Firefox. What can you tell us about v1 vs. v2? (:NRD)

To be fair to the fx devs, what they actually said was, the reason that feature (third party cookies) was removed is because it was not reliable and did not work in all configurations.

There will be an upgrade path from fx 1.5 to 2

To some extent I can agree with your sentiments regarding third party add-ons, however, a great many people use these, and if an add-on phones home or behaves badly, it soon becomes widely known in the community. It’s up to you then, if you wish to continue using it.

Lets face it people use the google toolbar :o :-X

I don’t know that much about it. In fact, i prefer/ed Opera. Now i’m lost in between, but compeled to FF because of NoScript. And all of the sudden, i remember the appeal in FF: i want a function, i look for extensions. Presto. Still Opera has built in some functions that FF should have also built in, but i digress.

1.5whatever - 2.whatever, from what i could tell, are minor GUI changes, security upgrades, web standards (i’m really guessing, because i didn’t see anything special).

Most of the updates are behind the scenes. The ‘big’ changes will come in fx3 which is currently just about to go alpha5 :slight_smile:

Well let’s talk about freeware browsers then, still within topic (?). I’ve got Opera configured to block all javascript except from the sites I’ve expressely allowed. Does NoScript have further features, if so what purpose do they serve?

From the noscript FAQ:

4 - XSS
Q: What is XSS and why should I care?
A: XSS stands for Cross site scripting, a web application vulnerability which allows the attacker to inject malicious code from a certain site into a different site, and can be used by an attacker to “impersonate” a different user or to steal valuable information. This kind of vulnerability has clear implications for NoScript users, because if a whitelisted site is vulnerable to a XSS attack, the attacker can actually run JavaScript code injecting it into the vulnerable site and thus bypassing the whitelist. That’s why NoScript features unique and very effective Anti-XSS protection functionality, which prevents untrusted sites from injecting JavaScript code into a trusted web page via reflective XSS and makes NoScript’s whitelist bullet-proof.
Q: Looks like the Anti-XSS feature causes problems with URLs containing diacritics or other non-ASCII characters, e.g. with queries to search engines (other than Google and Yahoo) containing Japanese or Chinese terms.
A: If you’re following a link contained in an not trusted page and leading to a trusted page, this behaviour is expected by design. The reason is that characters out of the ASCII range, even if innocuous when decoded according a certain character set, can be easily transformed in attack vectors by forcing a different character set in the target site. This is not that difficult to achieve, and a browser bug is not required, since many sites accepting user input (e.g. search engines) provide a request parameter to specify the expected character set on the fly!
Therefore, when you follow a link from an untrusted site leading to a trusted site, most “special” characters are discarded by the anti-XSS filters, in order to avoid malicious code injections.
Possible work-arounds are:

  1. Removing the target site from your whitelist. This is usually the best and safest option, unless the target site absolutely mandates JavaScript, and is also the wisest choice especially for sites containing user-generated content, e.g. message boards or Wikipedia, because it prevents persistent XSS (also known as “Type 2”).
  2. Clicking the “Options” button and choosing the XSS|Unsafe Reload command from the contextual menu, in order to replay the suspicious request skipping sanitization.
  3. (Temporarily) adding the source site to your whitelist. Of course, you should do this only if you (temporarily) trust it, and is considerably less safe than #1 and #2*
  4. For geeks only, selectively turning off the Anti-XSS protection for the target page, if you’re confident it’s immune from XSS attacks.
  • if you prefer "Temporarily allow"ed sites to be still considered untrusted origins from the XSS point of view, you can keep the Anti-XSS filter on for requests from these sites to permanently trusted by setting about:config noscript.xss.trustTemp preference to false.
    Q: Can I turn off Anti-XSS activity notifications?
    A: Yes, you can, just toogle the Noscript Options|Notifications|XSS preference. Of course you will still able to monitor NoScript Anti-XSS activity log in the Error Console, and you will get an extra “XSS” menu inside the NoScript contextual menu whenever an XSS attempt is detected, featuring all the actions usually accessed from the notification bar.
    Q: Can I bypass Anti-XSS filters for certain web pages?
    A: If you’re a bit of the “geek” type, you know regular expressions and you’re very confident the target web page is immune to XSS vulnerabilities, you can tweak the NoScript Options|Advanced|XSS|Anti-XSS Protection Exceptions rules, i.e. a list of regular expressions (one on each line) used to identify web addresses which you deem do not need to be protected against XSS.
    Q: Can I turn off the Anti-XSS protection?
    A: Even if it’s not recommended for daily usage, temporarily disabling the Anti-XSS protection may be useful, e.g. for testing purposes if you’re a security researcher hunting for XSS vulnerabilities. To do so, you just need to open NoScript Options|Advanced and toggle the cross-site restirctions preferences.

An Interesting post at Wilders:

Okay, good to know, thanks. :■■■■

I’ll stick with Opera though. It’s too fast and neat and has too many features I use, besides I’m pretty sure it will address this issue in future versions, based on its concern about security and a quick search I’ve just done.

Still never ever had a problem with malicious script outside of old crummy MS IExplorer, even visiting sites I should have never trusted with permission to run script… I’ve just started to block script and cookies but I think I was happier in my previous state of blissful ignorance.
(:AGL) (:LGH)

EDIT: What security risks does Java entail? Now I’m talking about Java, not Javascript. I’ve got it blocked and no site needs it so far, not even the ones needing Javascript. Heck I don’t even know what the thing is. ???

There are many Java exploits, best just to google.

I don’t have Java installed. I removed the MS JVM and I have no need for Suns version.

Heck I don’t even know what the thing is not have a use for it, but not only it was preinstalled in my machine, it runs resident apps to keep itself updated. I feel that either I uninstall the whole thing or I let it do that, and I guess I won’t be doing the former until I have a reason --maybe there are plenty but I’m too ignorant. As long as it’s blocked while browsing I guess it’s safe (?).

What about a “The Worst Free Software” topic? LMAO :smiley:

If you don’t have a need for it, either application wise or browser wise, you can delete it. It’s free and your can always download it again from Sun.

What about a "The Worst Free Software" topic? LMAO

Go ahead, I’m sure you will get a LOT of replies :slight_smile:

Read rants :slight_smile:

Looks like the 1.5 → 2.0 upgrade will be released in the “next few weeks”.

THE MOZILLA ORG said that the latest update to Firefox 1.5 is the last. The version won't receive any more updates.

Instead, the org said, people using Firefox 1.5 will be prompted to download which includes software to allow an upgrade to Firefox 2.0.

The Firefox 2.0 upgrade for users of 1.5 will be released in the next few weeks. Mozilla director Basil Hashem said that the org’s highest priority was security. Users of 1.5 might be vulnerable in the future


Most users on the forum are probably aware of and although this is not actualy freeware it’s fully functioning software for you to evaluate and give an opinnion on and you get to keep it with little or few updates…i have downloaded two programmes in three months as im choosey, some download them every day…strange bunch…anyway for those that don’t know give it a shot…


good post Toggie; I’ve always used the NoScript extension and its latest anti-xss feature makes it the must-have component for Firefox Security (I actually already considered it as a top extension before the anti-xss came around).

Just a suggestion: may be you should rename the topic’s name (best free software) to something more relevant, like NoScript or anti-xss something…