
#1 Re: Epic Privacy Browser - Other Feature Requests & Ideas » Block Javascript please! » 2013-09-16 23:55:31

alok wrote:

...would like to see more sites use PFS https connections the way epicsearch does


Agreed, just read up on elliptic curve, ephemeral Diffie-Hellman, signed by an RSA key

("Perfect Forward Secrecy can block the NSA from secure web pages" - Computerworld)

#2 Re: Epic Privacy Browser - Other Feature Requests & Ideas » Block Javascript please! » 2013-09-16 23:22:02

alok wrote:

Turn off Javascript.  In Epic's settings page, under privacy, you can turn off Javascript and add exceptions.  Not quite NoScript...but you can turn off JS.  Totally understand your decision to turn on/off scripts on a site-by-site basis - let us know if you'd like something more functional like NoScript integrated into Epic and we can consider it.


Most definitely!

I found Epic's controls for Javascript and plugins where you said, but deeply buried and all 8 turned ON by default. Not good for the default setting because it's assuming that all 8 are secure, when one has to assume there are new, unknown vulnerabilities, and you're having your users surfing the net with 8 extra potential avenues of attack instead of just one, the browser itself. (which can't be helped obviously, but the others can be)

Understandably the updating of Epic plugin should be on by default (so that leaves 7 to lock down + Javascript) and it should check the status of the other plugins despite them being off and also update them or advise accordingly.

The default setting for the rest of the 7 plugins + Javascript should be "Click to Play", and Javascript has no option to be Click to Play currently. Sure there is a way to turn off Javascript and add exceptions, but the fact is that method is a hassle, heading deep into preferences to add the exceptions. Surfing is random, one needs to have their guard up all the time (no scripts) and then once they trust the site, only allow it to run scripts as needed (example: a Master Click to Play button on the toolbar), possibly an "add this site as an exception?" or another method to easily whitelist it. But of course sites can be compromised at any time.

With NoScript, all scripts are OFF as one surfs the web, and if the user has a need to enable scripts, then clicking the Temporary Allow All button allows the scripts that are enabled in the browser preferences to be allowed to run. Which if there is the Click to Play, only allows the plugins one wants to run on the page to run, not all the hidden stuff.

It's not perfect of course, if the user whitelists the site or gives consent, then all bets are off, but it's a lot better than surfing all sites with one's balls hanging out to be smacked.

Firefox of course has been updated with better Click to Play (Activate all plug-ins window) to mitigate Flash sites.

Now I understand that making Javascript and other plug-ins Click to Play by default is going to break a lot of websites, but the reason people use this browser is for privacy which also entails security, for which some sacrifice of convenience is in order, however the hassle factor can be mitigated if done cleverly.

Perhaps a "Reload with Scripts on" button on the toolbar?

I've been running NoScript for years, I can count it protecting me on two instances that I know of where compromised plugins (Java and Flash) got nailed for others. Javascript being blocked by default also stops those tricky windows that look like one needs to do something and it's a trojan install.

SO YES, you can most certainly do users a great help and the web in general in this area, especially now it's known that Javascript can be used to get a user's IP around the proxy and god knows what else.
