Someone shared this link on Telegram.
I am merely forwarding it
I think it should be shared with non-tech people as it explains in simple terms.
Many websites look so ugly when JS is disabled. Is there a better way to block only dangerous scripts?
That’s similar to asking people to use minimal or no software on their desktops. I think that’s the wrong approach to the problem. We don’t ask Windows users to use less Windows apps. We ask them to use a free OS instead. In the same way we should ask web developers to care about their users’ freedom, not to stop developing web apps.
Maybe we could design a system that allows us to do something similar. Something like a web of trust or just independent (centralised but with multiple centers) trusted parties who check websites. Modern browsers already come with technologies like SRI that can make such things easier to implement.
The LibreJS project needs a lot of work. I don’t think it is very active. I too got fed up of it, and uninstalled it, preferring NoScript instead.
This is exactly where LibreJS fails. There’s nothing stopping a malicious website from putting up a free license notice and getting around LibreJS. You could say there is a similar problem with all free software. But, distros and the developer community curate free software packages. And, the release cycle is slower and more noticeable. So, I see that as much less of a threat.
SRI cannot protect against malicious developers.
Agreed. That’s why I suggested the next step would be a trust system, perhaps similar to the ones GNU/Linux distros use.
Yes. What I meant to say was SRI makes the implementation of a trust/verification system easy. For example, we could use a browser add-on that has two functions -
<script> tags which do not have a whitelisted hash
This would be almost trivial to implement.
The larger problem of course is actually getting people to use such a system.
We do seem to have that disagreement, but let me explain why I consider the web a platform worth keeping -
There definitely are exceptions and counter points to what I said, but at its core the system is designed to be open. I can’t think of any other platform like this.
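Added example, not part of the original thread: a sketch of the hash-allowlist check discussed above, assuming the add-on blocks any `<script>` whose SRI-style digest is not on a reviewer-maintained list. All function names, the allowlist and the sample page are constructed for illustration; a real add-on would walk the DOM rather than use a regex.

```javascript
const crypto = require('crypto');

// SRI-style digest: "<alg>-<base64 of raw hash>", the form used in integrity="...".
function sriDigest(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body, 'utf8').digest('base64')}`;
}

// Constructed "reviewed" scripts; a real allowlist would come from trusted reviewers.
const REVIEWED_MENU = 'document.title = "menu ready";';
const REVIEWED_LIB = 'window.lib = { version: 1 };';
const ALLOWLIST = new Set([sriDigest(REVIEWED_MENU), sriDigest(REVIEWED_LIB)]);

// fetched: Map of URL -> body for external scripts (stands in for the network).
function auditScripts(html, fetched, allowlist = ALLOWLIST) {
  const results = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi; // simplification of DOM parsing
  for (const m of html.matchAll(re)) {
    const src = (/\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]) || [])[1];
    const claimed = (/\bintegrity\s*=\s*["']([^"']+)["']/i.exec(m[1]) || [])[1];
    const body = src ? fetched.get(src) : m[2];
    let verdict;
    if (body === undefined) {
      verdict = 'block: not fetched';
    } else {
      const actual = sriDigest(body);
      // integrity="..." is only the site's own claim: it must match the bytes,
      // and the bytes must also be on the reviewers' allowlist.
      if (claimed && !claimed.split(/\s+/).includes(actual)) {
        verdict = 'block: integrity mismatch';
      } else {
        verdict = allowlist.has(actual) ? 'allow' : 'block: hash not allowlisted';
      }
    }
    results.push({ script: src || '(inline)', verdict });
  }
  return results;
}

// Constructed page: reviewed inline script, reviewed external script,
// an external script that was never reviewed, and an unreviewed inline script.
const PAGE = `
<script>${REVIEWED_MENU}</script>
<script src="/lib.js" integrity="${sriDigest(REVIEWED_LIB)}"></script>
<script src="/ads.js"></script>
<script>navigator.sendBeacon("/track");</script>`;
const FETCHED = new Map([['/lib.js', REVIEWED_LIB], ['/ads.js', 'window.lib = { version: 2 };']]);

console.log(auditScripts(PAGE, FETCHED));
```

The check only establishes that the bytes match something a reviewer approved; whether the reviewer is trustworthy is the separate trust-system question raised in the thread.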
I think this can be said of any computer programming. The widespread prevalence of “web development” skills and tools is probably more due to the economic incentive and market demand there is for these things.
I am not trying to work out which fight it is possible to win. I am trying to work out the ethical thing to do that protects our liberty. It is ok to have an ideal goal, and then make compromises on the way to get to that ideal. But, starting out with a compromised goal to begin with is no way to proceed.
Technology is not an end in itself. If it comes in the way of one’s fundamental rights, no matter how seductive we as programmers and hackers find that technology, I’d rather that technology did not exist. I believe FSMK needs to break free of this hacker-friendliness mindset if we are to genuinely be a free software movement. Else, we’re more like an open source programmer’s club.
Yes, this is part of the “exceptions and counterpoints” I mentioned. But there really is some basic level of openness guaranteed. All web apps must use the same DOM, for instance, and it is very easy to manipulate the DOM.
For example, no other platform has ad blockers (AdBlock, uBlock, etc.) that are so effective. GTK/Qt/Swing/Android apps are all practically immune to such manipulation by the user.
What software is not tied to business interests?
I definitely disagree with this. A novice can get a basic web page up in a matter of minutes or hours. It’s not the same for most other platforms.
I’ll use this logic on pre-F-Droid Android to illustrate why I don’t think this is how we should act. Stuff in parentheses is the web equivalent of the Android analogy.
Android (the web) at its core is, at least roughly speaking, free (AOSP, Firefox, open standards, etc.). But most software (web apps) available for Android (the web) are closed. There is no easy way to get trustworthy, free software.
Now we have two options to proceed -
I see no sense in trying to kill a platform simply because nobody made something like F-Droid for it.
The technology in question is actually the exact opposite of coming in the way of users’ rights. It’s just that the way we use it is flawed. If there is a way to fix it, I see no reason to abandon something that is robust, widely used, has a large community and is free at its core - such a thing is rare in the technology world.
How is a web with tooling and support infra that lets us use only free apps a compromised goal?
In summary, the web is arguably the most open platform in many ways. It provides a way for software (as opposed to static documents) to be run. People have embraced this technology and there’s no way they’re going back to just text and images. Right now, most of the software on the web is non-free. But there is nothing inherent about the web that forces it to be non-free. LibreJS, for instance, is/was an effort to help free software enthusiasts only run free software. Such efforts can be continued and extended to form a system that works for us. This is similar to how F-Droid, while being fairly simple in terms of the idea and implementation, made Android so much better for us. Given this, I say we should embrace JS and fight for free JS, not try to take away a well-designed piece of technology that has become a basic requirement for billions of users.
I disagree with many things you have said. But, let’s not dwell on these side-conversations.
The video looks interesting. I haven’t watched it yet. Hopefully there’s nothing in it that contradicts the rest of my reply.
One of the ideas I proposed in a previous reply seems like a feasible solution, although I haven’t given it too much thought yet. Let me try to describe the idea in detail.
That’s just one seemingly feasible idea. I can already think of multiple others. I don’t think finding a technical solution is difficult. The web is just a platform, just like GNU/Linux or x86 or Java. There is nothing inherent that makes it impossible to run only trusted code. The P2P nature of the web (no middle man who packages and provides software) makes it a little weird, but I don’t think it’s that much of a concern.
But I don’t think many people would use this system right now. Perhaps we first need to get people to appreciate the need for freedom on the web, slowly get them to at least use something simple like LibreJS and then move to a much more robust system like the one I described.
Maybe a layer below the browser where the users get a notification on what info is accessed.
As, for example, in Android Lollipop or Marshmallow we have access restriction.
Similarly, when JS scripts in websites try to access GPS location, cookies, user info etc., they can only be accessed if given permission.
That is already implemented for many resources (GPS/location, camera, mic, etc.). Generally speaking, browsers do a reasonable job of sandboxing JS apps, although if you’re a really malicious developer and willing to stoop low, you can still do a lot of damaging stuff, especially with respect to privacy and tracking.
The discussion we’re having here is that of the vast majority of JS on the web not being free (as in freedom) and if/how we could fix that. While sandboxing gives you a huge increase in security, it doesn’t give you the full freedom that free software represents. We routinely download and execute code that is written by strangers and cannot be controlled reasonably by us; and this is done (semi-)automatically, which is extra scary.