What your browser knows about you!


#1

Someone shared this link on Telegram.

I am merely forwarding it


#2

I think it should be shared with non-tech people as it explains in simple terms.


#3

Disable javascript and many of those problems will vanish. I have said this many times before. I say it again – Most javascript is proprietary software and malware. Very rarely is there a genuine need for javascript on a web page. Use minimal or no javascript in your web design. Make it easy for people to browse without javascript.


#4

Many websites look so ugly when JS is disabled. Is there a better way to block only dangerous scripts?


#5

Many sites don’t work at all without javascript. Ugly sites are alright in comparison.

Perhaps we should start writing alternative free software locally installable javascript (using say, Greasemonkey) for popular sites. I have a basic working prototype for YouTube and Github, but I haven’t published them anywhere. I’ll let you know once I do.

Simultaneously, we should also spread awareness among web developers to avoid unnecessary and inconsiderate use of javascript in their designs.


#6

While you never really absolutely need JavaScript, it often adds a lot of desirable features. Using only HTML with forms and links just doesn’t cut it any more by modern standards.

That’s similar to asking people to use minimal or no software on their desktops. I think that’s the wrong approach to the problem. We don’t ask Windows users to use less Windows apps. We ask them to use a free OS instead. In the same way we should ask web developers to care about their users’ freedom, not to stop developing web apps.

I don’t have a simple solution to this, but LibreJS is a pretty decent start. The idea of requiring all non-trivial JavaScript to come with free licenses makes sense. I don’t see LibreJS used much at all and personally had to remove it since there is very, very little JS that is free and comes with LibreJS license indicators, but if it were used widely, it would solve one part of the problem.

The next problem is that of trust and verification. There’s no way to automatically check if the supposedly free code is in a human readable format and even if it was, there’s no way to know that the free JavaScript is not malicious. In most GNU/Linux distros for instance, we have package maintainers and other volunteers who try to check packages and make sure there are no such issues. It’s harder to do for the web since it’s P2P in a sense.

Maybe we could design a system that allows us to do something similar. Something like a web of trust or just independent (centralised but with multiple centers) trusted parties who check websites. Modern browsers already come with technologies like SRI that can make such things easier to implement.

Clearly there’s no easy solution here, certainly none that’s usable in the short term, but I really don’t think we can win the fight by asking people not to use JavaScript. JavaScript is widely used, very powerful and growing fast. WebAssembly/asm.js, for instance, pose a risk to free software and there is no way people are not going to use such tech in the future. We need to push for a system that gives people the power and sophistication they desire with the freedom they deserve.


#7

The LibreJS project needs a lot of work. I don’t think it is very active. I too got fed up of it, and uninstalled it, preferring NoScript instead.

This is exactly where LibreJS fails. There’s nothing stopping a malicious website from putting up a free license notice and getting around LibreJS. You could say there is a similar problem with all free software. But, distros and the developer community curate free software packages. And, the release cycle is slower and more noticeable. So, I see that as much less of a threat.

SRI cannot protect against malicious developers.

I’ll admit that there is some merit to this statement. But, I suppose we disagree on a more fundamental level. You see the web browser as an application platform – something like an operating system. I see the web browser as a mere document reader that is supposed to render some text and images. Just as I wouldn’t tolerate arbitrary code executing in my PDF reader, I don’t tolerate arbitrary code executing in my web browser. In my opinion, javascript really is an arbitrary code execution backdoor. At best, it should be used with much caution.


#8

Agreed. That’s why I suggested the next step would be a trust system, perhaps similar to the ones GNU/Linux distros use.

Yes. What I meant to say was SRI makes the implementation of a trust/verification system easy. For example, we could use a browser add-on that has two functions -

  1. Download and cache trusted SRI hashes
  2. Remove all <script> tags which do not have a whitelisted hash

This would be almost trivial to implement.

The larger problem of course is actually getting people to use such a system.

We do seem to have that disagreement, but let me explain why I consider the web a platform worth keeping -

  • The web is by far the most open/free platform we have.
  • Everything runs on a standard set of open protocols/languages/tools, most designed in the open too.
  • It is the only truly cross-platform platform - nothing else can run this reliably on basically any device which has the required processing power.
  • It has a certain level of openness guaranteed - you can always use the developer tools in your browser to tinker with the internals of the app you’re using.
  • No other platform makes it so easy for users to become creators/contributors. Scripting isn’t strictly necessary for this, but it allows tools and applications (as opposed to “dumb” documents) to be built in the same fashion.

There definitely are exceptions and counter points to what I said, but at its core the system is designed to be open. I can’t think of any other platform like this.

I definitely disagree with this, unless you mean JavaScript as it is used right now. The language or the platform isn’t the problem, the way we use it is. All of us routinely use software written in much lower level languages running without a security sandbox and having basically unlimited privileges. The only difference is how we obtain the code and how we trust it. We could design and use a similar system for JavaScript too. There’s nothing inherent about the web that makes that impossible.

In fact, imagine JavaScript didn’t exist. We would have a million completely closed apps for all sorts of big and small tasks, all built in different ways with no common standards. Of course, popular platforms like Windows will receive first priority and very few developers will care about GNU/Linux, etc. The web, and by extension JavaScript, is helping us keep the software world (relatively) open. I personally wouldn’t support any effort to weaken it.

Anyway, I really don’t think there is any way you can win this fight by asking people to stop using JavaScript. People have lots of reasons to continue using it and none to stop. Developers who care about code being free, etc. will make their code free. Nobody else can do much. The only fight you might have a chance of winning is free vs non-free JS.


#9

I am not that optimistic about the web, particularly javascript. Any tool, however “open”, can be corrupted.

Javascript, in the current state of browser implementation, is a great way to deploy proprietary software. The rapid development of javascript and “web apps” is closely tied to business interests with scant regard for user freedom.

Not really. Techniques such as minification obfuscate the code (effectively compiling it) and make this impractical. And even when not minified or obfuscated in some other way, javascript presents no meaningful way to exercise all the four software freedoms.

I think this can be said of any computer programming. The widespread prevalence of “web development” skills and tools is probably more due to the economic incentive and market demand there is for these things.

Yes, I agree. I am only talking about javascript as it is deployed today.

I am not trying to work out which fight it is possible to win. I am trying to work out the ethical thing to do that protects our liberty. It is ok to have an ideal goal, and then make compromises on the way to get to that ideal. But, starting out with a compromised goal to begin with is no way to proceed.

Technology is not an end in itself. If it comes in the way of one’s fundamental rights, no matter how seductive we as programmers and hackers find that technology, I’d rather that technology did not exist, I believe FSMK needs to break free of this hacker-friendliness mindset if we are to genuinely be a free software movement. Else, we’re more like an open source programmer’s club.


#10

I’m still not convinced rejecting the whole concept of JavaScript on the web makes sense. I’ll try to explain my views more clearly.

Yes, this is part of the “exceptions and counterpoints” I mentioned. But there really is some basic level of openness guaranteed. All web apps must use the same DOM, for instance, and it is very easy to manipulate the DOM.

For example, no other platform has ad blockers (AdBlock, uBlock, etc.) that are so effective. GTK/Qt/Swing/Android apps are all practically immune to such manipulation by the user.

What software is not tied to business interests?

I want to go back to my point about JS helping us keep software open. A lot of services now primarily work via proprietary mobile apps and many provide a web interface for those who prefer to use the service via their desktop computers. Without the web, we would either have completely closed source, non-sandboxed, non-standards-compliant desktop apps or just be forced to use those mobile apps. JavaScript is the cleanest platform here.

I don’t see anything inherent about JavaScript that stops us from doing that. It’s just another platform. It can be used in a way that respects all those freedoms. What about GNU/Linux, for instance, lets you exercise those freedoms? Is it the software distribution system? Is there anything about the web that makes such a system impossible to implement?

I definitely disagree with is. A novice can get a basic web page up in a matter of minutes or hours. It’s not the same for most other platforms.

I’ll use this logic on pre-F-Droid Android to illustrate why I don’t think this is how we should act. Stuff in parentheses is the web equivalent of the Android analogy.

Android (the web) at its core is, at least roughly speaking, free (AOSP, Firefox, open standards, etc.). But most software (web apps) available for Android (the web) are closed. There is no easy way to get trustworthy, free software.

Now we have two options to proceed -

  1. Abandon Android (the web), start asking people not to use it.
    • This will make people move to iOS and the proprietary, wall-gardened apps there (proprietary desktop versions of web apps)
  2. Form a community and find a way to have a suitable way for users to use only free apps
    • This means the creation of something like F-Droid. The free community gets to use a free platform while only running software that is free.

I see no sense in trying to kill a platform simply because nobody made something like F-Droid for it.

The technology in question is actually the exact opposite of coming in the way of users’ rights. It’s just that the way we use it is flawed. If there is a way to fix it, I see no reason to abandon something that is robust, widely used, has a large community and is free at its core - such a thing is rare in the technology world.

I want to repeat my argument about what a world without the web would be like. If there was no JavaScript, people would not stop developing proprietary apps, they would just use a different (most likely, even worse) way to do it. A world without the web is a world where I would be forced to use basically any service I wanted to use via a proprietary Windows application.

How is a web with tooling and support infra that lets us use only free apps a compromised goal?


In summary, the web is arguably the most open platform in many ways. It provides a way for software (as opposed to static documents) to be run. People have embraced this technology and there’s no way they’re going back to just text and images. Right now, most of the software on the web is non-free. But there is nothing inherent about the web that forces it to be non-free. LibreJS, for instance, is/was an effort to help free software enthusiasts only run free software. Such efforts can be continued and extended to form a system that works for us. This is similar to how F-Droid, while being fairly simple in terms of the idea and implementation, made Android so much better for us. Given this, I say we should embrace JS and fight for free JS, not try to take away a well-designed piece of technology that has become a basic requirement for billions of users.


#11

I disagree with many things you have said. But, let’s not dwell on these side-conversations.

Our many technical differences aside, if you can conceive of, or even better, implement a way in which javascript can be run consistent with the four software freedoms, then I have no issues. For a good analysis of how the four freedoms apply to javascript, watch Mike Gerwitz’s talk at LibrePlanet 2016.

For now, the only way I can think of is to use NoScript to block all javascript, and then replace them with free javascript installed in the browser (userscripts) with greasemonkey.


#12

The video looks interesting. I haven’t watched it yet. Hopefully there’s nothing in it that contradicts the rest of my reply.

One of the ideas I proposed in a previous reply seems like a feasible solution, although I haven’t given it too much thought yet. Let me try to describe the idea in detail.

  1. There’s a standard way to annotate JS files with license information, original human-readable source, minification/compilation procedure, etc.
  2. There are trusted experts who volunteer to review code and mark it as free/non-free (we could potentially have a more complex rating system)
  3. There is a way for reviewers to see a database of new (unreviewed) JS code. This could be a change in a website’s code or a new website. The entries could be submitted by authors who want their code checked or populated by the community or by automated tools.
  4. Reviewers check new code, determine whether they are free, non-malicious, etc. and tag each script as such. All “safe” scripts are identified by their hashes and saved in a list.
  5. Users have a browser add-on that downloads these trusted JS hash lists from reviewers that they trust.
  6. Any JS that isn’t whitelisted by the user’s trusted reviewers is not run by the browser. If combined with SRI, this check can be done even without downloading the script in question.

That’s just one seemingly feasible idea. I can already think of multiple others. I don’t think finding a technical solution is difficult. The web is just a platform, just like GNU/Linux or x86 or Java. There is nothing inherent that makes it impossible to run only trusted code. The P2P nature of the web (no middle man who packages and provides software) makes it a little weird, but I don’t think it’s that much of a concern.

But I don’t think many people would use this system right now. Perhaps we first need to get people to appreciate the need for freedom on the web, slowly get them to at least use something simple like LibreJS and then move to a much more robust system like the one I described.


#13

maybe a layer below browser where the users get nofification on what info is acessed
as in example in android lolipop or marshmallow we have acess restricion

similarly when js scripts in websites try to acess to gps location, cookies, user info etc can only be aceesed if given permission


#14

That is already implemented for many resources (GPS/location, camera, mic, etc.). Generally speaking, browsers do a reasonable job of sandboxing JS apps, although if you’re a really malicious developer and willing to steep low, you can still do a lot of damaging stuff, especially with respect to privacy and tracking.

The discussion we’re having here is that of the vast majority of JS on the web not being free (as in freedom) and if/how we could fix that. While sandboxing gives you a huge increase in security, it doesn’t give you the full freedom that free software represents. We routinely download and execute code that is written by strangers and cannot be controlled reasonably by us; and this is done (semi-)automatically, which is extra scary.