In my recent series of articles on Web browser security (see the special report), I indicated that browser add-ons (or plug-ins) could bring additional risk to a browser. One browser add-on provider, Giorgio Maone of Firefox's NoScript, wrote me to strongly disagree. Here's an edited excerpt of our e-mail discussion:
Giorgio: Hello Roger, I just read your "How secure is Firefox?" article, and I found it quite interesting and well written. Anyway, you wrote, "Although add-ons such as NoScript, and plug-ins such as Adobe Flash, bring many useful capabilities to Firefox, at the same time they come with problems and security issues of their own."
Could you explain to me what security issues you've found in NoScript, requiring it to be disabled with per site granularity (which could be done, by the way)? Moreover, you're putting Adobe Flash (which is a commodity plug-in full of documented security holes) with NoScript, which is the very security tool providing that "per-site granularity" in disabling plug-ins like Flash that you're advocating (see http://noscript.net/features#contentblocking).
So, if you're kind enough to tell me about these NoScript security issues, I'll be happy to fix them in the next release (even today). However, I'd like you to rewrite that paragraph reflecting the distinction above, and if it's not possible since your article, as I can see, is syndicated on a plethora of IDG outlets, please write a new, more correct article about NoScript. Thanks and best regards. Giorgio Maone.
Roger: Giorgio, I'm not aware of any particular issues, but no one has released bug-free code yet, and I'll bet my career that NoScript is no different. Every security protection product falls under the same security threats and problems as any other software, sometimes more so.