Firefox is already one of the most secure and respected web browsers available, but nothing can protect a person 100% of the time from the thousands of exploits that lurk on the web, waiting for someone to accidentally click a link to some malicious programming code. Special programming languages like java and javascript are used in almost every modern web 2.0 page, providing special features like drop down menus, multimedia content, and other bells and whistles that make web pages look great and become more interactive.
The problem is that hackers can also use these languages to craft exploits that look legitimate but in reality can be used to compromise the security of your computer. No-Script is a special add-on for the Firefox web browser that allows a user to lock down the execution of these kinds of code, protecting you from attacks. This added security comes at a price though, not in money but in usability.
What does No-Script do?
The No-Script add-on for Firefox selectively turns off all scripting functions for web sites that you are unfamiliar with or that do not trust. The two most common exploits that No-Script helps to protect against are known as cross-site scripting and clickjacking attempts.
Cross-Site Scripting
In a cross-site scripting attack a web page is comprimised through a vulerability that allows a hacker to insert his own malicious code into what is normally a completely legitimate web page. Often the web site owner is not even aware of the exploit, but once it has occured that same exploit can then be passed on to other web sites through the same vulnerability. This kind of scripting attack is most often used in phishing attacks where users think they are logging into their bank or other reputable web site when they are instead logging into an exact copy that is under the hacker's control.
Clickjacking
Clickjacking exploits occur when a web page loads a script that places a set of invisible buttons over the top of buttons that are legitimately part of the web site. After you log in to a site the script takes over so that when you think you are clicking a button to save some information or to perform a certain task you are actually clicking a hidden, transparent button that performs a malicious task. That task could potentially send your password information or other data back to the hacker.
By using NoScript both of these kinds of attacks can be disabled, preventing such exploits from occuring but at the same time it also will disable the special features of many web sites. Pull down menus and other interactive features of a web site will not work if NoScript is activated. Luckily the NoScript add-on can be configured to allow some sites to work while disabling other unknown or less trusted sites. When a new site is visited a small drop down shows up at the top of the Firefox window asking if you want to allow Javascript applications to run for that site. It is very easy to go back and change your decisions later, but blocking scripts until you have a chance to decide for yourself is a very useful and secure ability to have when surfing the web.
