JavaScript code must be eliminated, not just made free

43 replies [Last post]
onpon4
Offline
Joined: 05/30/2012

I want to bring this topic that I brought up on the bug-gnuzilla mailing list[0] here, to give it more exposure.

I appreciate the LibreJS project and what it's trying to do. But I think that LibreJS is fundamentally a wrong approach to solving what RMS calls the JavaScript Trap.

Right now, LibreJS is failing because it requires a format that isn't recognized anywhere, but theoretically, this could be solved in the future, so let's suppose that it does. Let's suppose even further that LibreJS succeeds so much that it causes a large portion of the Web to release scripts under libre licenses and document the licenses in a format LibreJS can understand.

So LibreJS is popular, and people are labeling their scripts and linking to source code. But people are still behaving the same as before, blindly trusting several JavaScript programs that are silently being installed into their browsers every day. The only difference is that LibreJS thinks the scripts are libre. These are still scripts that are updated automatically, basically completely unaudited, and never edited by anyone.

I get that LibreJS is supposed to be only a first step, but I think it's the *wrong* first step. I think we need an entire paradigm shift in how we deal with the problem of JavaScript code, one which involves not automatic script analysis, but direct user intervention.

At first, I suggested on bug-gnuzilla that Web browsers should be designed to install JavaScript software, permanently, only after prompting the user for permission. But an email from Ivan Zaigralin[1] suggests we should reject JavaScript entirely:

Ivan Zaigralin wrote:
> The said direct user intervention should consist in a flat
> refusal to run javascript. Free software comes from credible sources, and
> javascript is simply mis-designed. It is a platform and an ecosystem that makes
> the whole issue of user freedom moot. If users want interactive web, they need
> to install a free user agent that is smart enough to produce that experience
> from the markup, a la HTML5. Side-loading and running dozens of
> scripts, even in a virtual machine, is just stupid, no matter how you slice it.
> To put it very tersely, javascript must die. It is absolutely the wrong solution
> to every problem it purports to solve, from the users' point of view. If a web
> user interface cannot be implemented in markup, a user should insist on it
> being done server-side, it's that simple.

I honestly find the argument compelling. I think he's right. We shouldn't be trying to fix the way JavaScript requests from Web pages are handled, because the system as designed is fundamentally incompatible with freedom. We should reject this JavaScript code entirely; our goal should be to kill off all requests from servers for the client to run JavaScript code. JavaScript can remain solely in the form of user scripts.

Please discuss.

[0] https://lists.gnu.org/archive/html/bug-gnuzilla/2014-10/msg00019.html
[1] https://lists.gnu.org/archive/html/bug-gnuzilla/2014-11/msg00004.html

quantumgravity
Offline
Joined: 04/22/2013

Well, i agree with you in principle, but why setting up a goal that is obviously impossible to achieve?
I mean' telling the whole web to stop using javascript? Good luck campaining!

Besides, afaik javascript code is running in some kind of sandbox and is much more limited than a normwl program.
I guess the issue isn't that big.

We have much more fundamental problems like malicious circuits which maybe implemented in we don't know how many computers since we can't produce our own hardware based on free documentation.
This getting solved isn't more likely than the javascript problem, but at least it's more important from a privacy point of view.

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

The only way we're gonna get rid of javascript is to come up with something better. I don't mean better from a freedom standpoint - I mean functionally better. It needs to offer something compelling even to people who don't care about freedom. From our point of view, we need to make sure that it is also free. Most people will adopt it for the features, and we'll be happy because it's free.

LibreJS is a non-starter. Tagging JS and linking to licenses is just never going to take off in a big way. And anyway, I agree with onpon4 that even if it did take off, it wouldn't solve the problem. IMHO LibreJS is seriously hindering adoption of IceCat at the moment, which is a crying shame because everything else about that browser is just awesome.

onpon4
Offline
Joined: 05/30/2012

One mechanism I suggested on bug-gnuzilla to help is a user script or extension that tries to analyze the page for any elements that are hidden (meant to be revealed by JavaScript), and list them. Someone else then suggested some kind of "debugger/logger" could help. Both of these methods are to work around sites that require JavaScript code to work. At the very least, such a tool would help users navigate the current ecosystem of the Web.

davidnotcoulthard (not verified)
davidnotcoulthard

Well, we're not getting rid of it but, anyway, I think listing it as something we could and should do without is OK, just in case it ever becomes viable (though for that to happen I think hard work will be needed in other areas. i.e. coming up with a better alternative, a new world order that bans it, etc:)

t3g
t3g
Offline
Joined: 05/15/2011

So are proposing not using JavaScript, which would break every website out there. JavaScript is an open technology and many of the frameworks like jQuery and Mootools are free software. You are just pissed because the webmasters of every site don't let you get your sticky hands on all of their code so you can steal their hard work and claim it your own. JavaScript is here to stay and is open by default, so don't fret too much about the technology itself.

You evangelists in the past wouldn't condemn something like BitTorrent because it is a tool that can be used for good or bad and it is up to the user to not abuse it. Same could be said about a media container like MKV which is open in nature and can be used for legit purposes or illegal copyright infringing rips. Now you act hypocritical about it because you are mad over something so trivial at this point in time.

How about you try to fix the situation by writing better software or campaign to make changes? Oh wait... its too much effort and its easier to just point fingers and criticize people by telling them they are wrong with a negative group think ideology.

davidnotcoulthard (not verified)
davidnotcoulthard

"it is a tool that can be used for good or bad and it is up to the user to not abuse it."

Not how I'd describe most Javascript out there.

"You are just pissed because the webmasters of every site don't let you get your sticky hands on all of their code so you can steal their hard work and claim it your own."

What has that got to do with it? I'm not a programmer (too lazy to learn at the moment) and have never successfully compiled anything (apart from lxmedit) but I'd still be mad if something (malicious, or probably otherwise) is run without me being prompted.

Besides, the idea ended up being to 'kill off' "all requests from servers for the client to run JavaScript code. JavaScript can remain solely in the form of user scripts [which the user can decide whether to use, and for what purpose]."(An idea I can live with, and perhaps support a bit) Not to kill off Javascript itself (which I'd disagree with).

J.B. Nicholson-Owens
Offline
Joined: 06/09/2014

name at domain wrote:
> So are proposing not using JavaScript, which would break every website
> out there?

I browse sites with JS turned off by default, only turning it on when
needed and only for the scripts I want to run. I'm surprised how many
sites I can use without JS (including sites that handle lots of
traffic). As a result I'm not convinced that websites genuinely need as
much JS as they're using. I'm also ready to do without a number of
websites. Some of these sites are repeaters for articles I can find
elsewhere, some of them offer another means of getting to the same
articles, some of them I simply don't use.

> JavaScript is an open technology and many of the frameworks
> like jQuery and Mootools are free software. You are just pissed because
> the webmasters of every site don't let you get your sticky hands on all
> of their code so you can steal their hard work and claim it your own.

It's a shame you can't seem to participate in these discussion threads
without namecalling, belittlement, or campaigning (one might say
trolling) in the name of "open" something particularly where such
endorsement ends up denying users the freedoms of Free Software (such as
the recent thread about Microsoft's .NET announcement where you endorsed
nonfree derivatives of non-copylefted Free Software).

> How about you try to fix the situation by writing better software or
> campaign to make changes?

I think LibreJS does exactly both of these things.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

t3g's basically is happy that many websites provide proprietary Javascript (in his words: they "don't let you get your sticky hands on all of their code so you can steal their hard work") on top of permissively licensed "frameworks like jQuery and Mootools". So, that basically is the same post as the one about .NET. Closer to the unethical activities t3g does for a living though.

t3g
t3g
Offline
Joined: 05/15/2011

I'm unethical because I create websites for paying clients that is custom to them? I'm also unethical because I think that the BSD and MIT licenses are just as important as the GPL ones? I'm unethical because I use free software to develop and deploy on the web? I'm talking Aptana Studio to code PHP or Python utilizing MySQL or MongoDB with a hint of Redis served by nginx.

For my future sites, I have though about a free software license for my JavaScript. It's just that for sites that aren't my own that I have to be careful about their custom code they paid for.

You may not understand since you are simply an academic in a European country where you rely on the tax payers to make your existence relevant without any real life experience.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

I'm unethical because I create websites for paying clients that is custom to them?

If the website uploads proprietary JavaScript to the visitor's browser (and it does because you have only "though about a free software license"), then yes.

Yes, I am an academic. No, I am not in a European country. But, most importantly: "so what?".

t3g
t3g
Offline
Joined: 05/15/2011

I'm making the point that open sourcing a client's site code isn't an option most of the time because they will not allow it.

dobie_gillis
Offline
Joined: 10/27/2014

What kinds of clients do you work with? I work for a university, and my clients are usually non-profit organizations or faculty members. They have no problem with releasing all the code I write for them under the GPL.

davidnotcoulthard (not verified)
davidnotcoulthard

"I'm unethical because I create websites for paying clients that is custom to them?"

Unethical? It might be, see OP
Because of that reason? As sure as eggs is eggs no

quantumgravity
Offline
Joined: 04/22/2013

Could you please cut out pointing with fingers on others because of how they make their living?
There are a lot of jobs with some ethical flaws - think of the clerk in a clothing shop, selling products made by exploited workers somewhere in the east, as one example,
and the economic situation doesn't allow anybody to chose freely whatever they like. Might be some big news, but for some people it is -hard- to get a job so you might take what you can get.
Everything else is a myth told by rms who never was in the situation of having a hard time finding a job, and i'd be surprised if he ever worked in a factory (a proposal he makes over and over again in his interviews). He was extraordinary skilled and that's why he was able to go for his philosophy and gain weight comfortably sitting behind the desk at the same time.
If your university told you to write a piece of proprietary software - it doesn't matter how theoretical or unlikely this case may be - would you quit your job and work in a steal factory instead, covered with oil, sweating for 10 hours everyday? Did you do this before?
And please don't say 'there would be better jobs' bedause here comes reallity: no, maybe there wouldn't.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

I would not write proprietary software. And, yes, "there would be better jobs". Most IT jobs have nothing to do with writing proprietary software. I could write software for one single client, I could administrate the computers of a company, I could provide service (installation, configuration, formation, auditing, etc.), etc. And if you consider some totally unrealistic IT world where a living can only be made through writing proprietary software, then, yes, I would do something else. I used to work with kids (social worker). People who pretend you have to write proprietary software to "make a living" often are people who apparently cannot understand one can live with less than US$ 2000/month. I do not need that much money. Neither does rms who lives with close to nothing (only what people pay him to give talks).

t3g
t3g
Offline
Joined: 05/15/2011

I remember an interview with RMS where he said that you should be a factory worker and have a "real job" instead of writing software that may be proprietary. This includes ones that I mentioned above that may include some non-free custom code that is specific to a client.

If we were all to be factory workers to fit into RMS's unrealistic views, wouldn't we be unethical because we are working for close to minimum wage while our boss makes 3x the amount? What if it was sugary cereal for kids? Wouldn't you feel unethical because it contributes to diabetes and child obesity? How about creating guns? How about electronics that use precious minerals and release harmful gasses into the environment?

We all seem to pick our battles wisely to fit into our strong views. RMS does it. Most of the people on here do it because they come from an academic background (either as a student or teacher) which doesn't apply to real world responsibilities of making money and appeasing to clients or a boss.

Magic Banana

I am a member!

I am a translator!

Offline
Joined: 07/24/2010

I doubt you can find a quote of rms where he would tell that writing software is not a "real job". And "factory worker" is just an example. Nobody ever pretended that we *all* have to be factory workers.

I do not get how earning little money could be unethical. I certainly believe that inequalities are to be fought against. But inequalities do not exist because of the workers who accept low salaries. They exist because some people always want to earn more and vote in this way. They put that above any social/ethical principle and, if they are good at writing software, they may end up writing proprietary software, pretending they cannot make a living otherwise. I am not saying one cannot earn a lot with some other IT jobs that do not involve writing proprietary software. I do for instance. However, Bill Gates and Steve Jobs, that some take as examples to imitate, could only become billionaires through unethical activities. Making such absurd amounts of money through free software looks impossible.

As for the use of the technology/products, it is another debate. The tool is neutral. Even guns are useful to defend a country. Of course, there are bad usages too. Some technology/products have usage restrictions: you need a license to have a gun, you need to be an adult to buy alcohol, etc. Those restrictions were voted. Who am I to impose such restrictions? In the case of software they would be DRMs. Freedom 0 rightfully states that a software with usage restrictions is non-free.

The academic world is not (directly) "responsible of making money". It is responsible of making knowledge and teaching it. You are entitled to consider that "making money" is more important. I have nothing against people making money when they deserve it by positively contributing to the society. I consider that writing proprietary software is a negative contribution to society. It is denying the control the users deserves on their own work. Society could even decide to make proprietary software illegal in the same way that it made some polluting manufacturing processes illegal.

jxself
Offline
Joined: 09/13/2010

"LibreJS is failing because it requires a format that isn't recognized anywhere"

But you overlook that LibreJS is designed in such a way that it can be easily updated to support any number of arbitrary formats and/or methods that you can imagine. The idea was to get "something" going and to get people talking of this issue. I don't think that the FSF (or anyone) is saying "This is 'The One True Way' in which it must be done" but at least they're talking of the issue which is far more than others have been doing.

Also, you forget or are perhaps unaware that LibreJS has additional features planned to address the issues you discuss, one of which is the ability to replace the JavaScript delivered by the web server with your own version, possibly modified. It could also be enhanced with an option to not run even free JavaScript without some sort of indication from the person using the browser. Why not make that suggestion to the LibreJS developers?

"But people are still behaving the same as before, blindly trusting several JavaScript programs that are silently being installed into their browsers every day."
"basically completely unaudited"

How is this different from any situation outside of the web? I suspect that most people, even those that install Trisquel, do not audit the programs that they install before doing so and instead "blindly trust" as you put it. Did you go and audit all of the programs before installing them? If not then my point has been made. :)

quantumgravity
Offline
Joined: 04/22/2013

How is this different from any situation outside of the web? '
Outside of the web you're trusting your repo and that's it.
Also you actively decide to install a program or not, quite unlike browsing the web where dozens of scripts from completely unknown and untrusted sites are executed on your computer.

jxself
Offline
Joined: 09/13/2010

"Outside of the web you're trusting your repo and that's it."

But still trusting, and thanks for proving my point - people do not typically audit the software that they install on their computer, even though they can. I have to admit that even I didn't audit every program I got. Don't get me wrong: It's still a problem, just not a problem that is somehow limited to the web which is how the original argument was framed. It's a problem period.

J.B. Nicholson-Owens
Offline
Joined: 06/09/2014

name at domain wrote:
> But still trusting, and thanks for proving my point - people do not
> typically audit the software that they install on their computer, even
> though they can. I have to admit that even I didn't audit every program
> I got.

Nobody audits all the software they have, regardless of which operating
system they're running. Even for people using nothing but Free Software
there's far too much Free Software out there to audit every program on
anyone's complete system. Consider that most computer users aren't
programmers and this means most computer users won't be auditing
programs themselves. At most, they'll get someone else they trust to
audit software on their behalf.

This strongly favors software freedom to be sure -- the best we can do
is to give every computer user the freedoms of Free Software and make
available the Free Software they need to do whatever they want to do
with a computer. Nonfree software doesn't become ethical just because
most computer users can't audit what they're running.

That said, if you have a plan for allowing most computer users to vet
Free Software programs without trusting anyone else, I'm guessing we're
all interested to learn how that would work.

jxself
Offline
Joined: 09/13/2010

"Nobody audits all the software they have, regardless of which operating
system they're running."

Exactly, so this issues shouldn't be presented as something specific to the web.

onpon4
Offline
Joined: 05/30/2012

You're missing the crucial point: automatic JavaScript installation is automatic, and it's also very frequent and basically invisible. This is completely different from most software installation, which is not very frequent and requires direct action from the user. User scripts and extensions are what's comparable to installing software from the Trisquel repository, not the usual automatic JavaScript installation.

jxself
Offline
Joined: 09/13/2010

I completely understand the issue. I'm raising issue with only one of the points in your original argument is all, and nothing more, which is about being unaudited. As I've explained, that's not a JavaScript-specific issue.

onpon4
Offline
Joined: 05/30/2012

Exactly. With Trisquel's repos, the average user is trusting the developers of Trisquel. With JavaScript code on the Web, they're trusting anyone who has a Web page and has decided to use JavaScript (so, that's basically anyone who has a Web page). And we're talking sometimes dozens of scripts for each one.

With Trisquel, a very small number of people will look, because all new software installation and updates require manual intervention. If an intentional malicious feature is found, they will make a fuss about it, completely destroying the credibility of the Trisquel developers responsible, or perhaps the Trisquel project itself.

But with JavaScript on the Web, you download a program, install it, use it once, and then discard it, over and over again. In effect, this means you get automatic updates, and you have no easy way to tell when an update occurs; it could be that the script changes every day or even every minute. Add to that the sheer number of scripts you install each day, which can add up to the hundreds, and you have a gigantic increase in the amount of auditing needed, while at the same time the capacity for a minority of people to audit is almost completely diminished.

jxself said:
> [LibreJS] could also be enhanced with an option to not
> run even free JavaScript without some sort of indication
> from the person using the browser. Why not make that
> suggestion to the LibreJS developers?

I did make that suggestion on the bug-gnuzilla post. I didn't suggest it as an extension to LibreJS, but as a replacement for it, and I suggested it as the regular behavior, not an "option". If the user has to explicitly permit any script before it is installed, it would solve the problem.

But thinking about it, we already have a mechanism to manually install JavaScript: user scripts. Why go through all the work necessary to convert automatically loaded JavaScript into manually loaded JavaScript, when we already have a mechanism for the latter? It's a waste of effort, and our time would be better spent campaigning for websites to stop requiring JavaScript extensions to work.

onpon4
Offline
Joined: 05/30/2012

Also, I think campaigning for "no JavaScript" would be a lot easier than "libre JavaScript with special tags so that a program can tell that it's libre". The latter is something that is only of interest to us; it has almost nothing to do with any practical interests. The former, though, applies to security, privacy, and accessibility as well, for example (especially security and privacy).

jxself
Offline
Joined: 09/13/2010

"I did make that suggestion on the bug-gnuzilla post. I didn't suggest it as an extension to LibreJS, but as a replacement for it, and I suggested it as the regular behavior, not an "option"."

It could be an option that's on by default. I suspect your idea might gain more traction with them if it were suggested as something to include in LibreJS rather than something to replace it.

quantumgravity
Offline
Joined: 04/22/2013

That's like saying: i trust my bank when lending them money and since i already trust someone, i can give my money as well to every random dude who asks me for it.
The analogy would be even more correct if people on the street didn't even have to ask me for it but could take it out of my pocket without my knowledge.
I don't think i made your point.

lloydsmart

I am a member!

Offline
Joined: 12/22/2012

Nonfree software doesn't become ethical just because
most computer users can't audit what they're running.

Amen! The amount of times I've been trying to explain free software to someone, and they've come back with "I'm not a programmer, so I can't read the source code anyway". It gets frustrating hearing that over and over.

But I still maintain that there's no point to something like LibreJS. Javascript isn't going to go away until something better comes along. That's where our energy should be focused. It's called picking your battles. Changing the entire Internet without offering any objective benefit, for a cause most people don't understand, is not one we're likely to win.

EDIT: Hmm, this was meant to be a direct reply to JB's post - not sure why it went in as a reply to the main topic. Oh well.

danieru
Offline
Joined: 01/06/2013

I came to the same conclusion 5 month ago, so now I disable javascript globally.

Javascript should be use only for decorative purposes, letting the user to chose.

It shouldn't be use to something that without javascript the website breaks, or in this case, provide a non-javascript version of the website.

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

I wrote a SaaSS app (fully free software, with available source and the
server running in user's office). Without JavaScript for its user
interface it would be unusably tedious and slow to use (I tried when
developing it; it still isn't as good as it could be due to my limited
experience with client-side development).

What solution do you propose for developers like me? Should I ask the
user to spend more time waiting for pages to load, type all data that
some JavaScript code can easily fill, or write a much more complex
desktop program doing the same task?

Many projects that seemingly just remove nonfree software do solve real
problems: they support free replacements for such software, find (and
get fixed) real licensing issues in upstream software, solve unrelated
issues (e.g. all work that Trisquel does for usability and
accessibility), etc. I think the whole benefit of LibreJS for
user/developer is being more aware of license compliance of one's own
code (and possibly not getting offended by people mistakenly calling the
program nonfree). I don't see such benefits in what you propose.

Putting all features in the browser won't work: some are really
domain-specific. Static analysis won't work much more than e.g. video
downloader programs do (they find specific text on specific sites; it's
easy for a human to find working video URLs that they won't find), it's
obvious that it cannot work in all cases without running the code.

onpon4
Offline
Joined: 05/30/2012

A downloaded program doesn't need to be "much more complex" than the equivalent JavaScript program. It can even be exactly the same one. The way it is currently, you can use a user script. But it would also be perfectly possible to develop a standalone JavaScript application runner (which wouldn't differ much from the modern Web browser, but would make installation of the JavaScript software explicit, and that's the important bit).

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

Ok, use the browser with different URLs and invent a new method of
updating the software. (And rewrite the server-side part to provide a
more orthogonal API. Think how to justify having the server or deal
with installing a TeX distro on user's computer...)

I'm not using user scripts for things that they would be probably good
for (like making some sites more useful without their restrictive
scripts) since I haven't seen good documentation of them nor a
repository of already written ones that would help me find a useful one
or learn how to write them. I haven't spent enough time to know if I
looked at wrong places for this.

onpon4
Offline
Joined: 05/30/2012

There used to be a site called userscripts.org. There's a mirror of it here:

http://userscripts-mirror.org/

danieru
Offline
Joined: 01/06/2013

>Without JavaScript for its user interface it would be unusably tedious and slow to use
If that script is only for decorative purposes, for my it's okay.

>or write a much more complex desktop program doing the same task
Personally, I always prefer off-line desktop apps, and depending how you write it and what language you choose then does not have to be much more complex.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Sure it would be nice to have an alternative to java script. sadly I don't see that coming soon. As someone pointed out - disable javascript globaly!!! Donate to Giorgio Maone and use his incredible addon - noscript!!!
Yea that's right -
NOOOOOOO
scriiiipt
:-)

andrew
Offline
Joined: 04/19/2012

I would just like to add that there are concrete examples of websites
that abuse JavaScript for various reasons, such as:

1. Websites that use JavaScript to provide annoying behaviour to the
user, e.g. popups, trying to prevent the user from leaving the page

2. Websites that create misleading (and potentially malicious) popups
that look like a desktop UI (usually Windows) to trick the user

3. Websites that use JavaScript to change the webpage behaviour to
collect data from the user in a way that they would not reasonably
expect (such as Facebook collecting data typed in forms before the
user submits the form, collecting data on when the user hovers
over certain page elements and rewriting URLs onclick to track which
external links the user clicks without the user noticing)

4. Websites that use JavaScript for 'fingerprinting' the user (also
note that, paradoxically, not running JavaScript makes a user more
unique)

I entirely agree with onpon's point that JavaScript isn't fit for many
purposes of typical web browsing, i.e. reading documents, viewing
images, watching videos etc. which can (now) be provided with standalone
HTML. As a side note, I think the same is also true for cookies,
although this isn't a freedom issue but a privacy issue.

I think that web browsing that involves client-side web applications is
typically separate enough that it could be provided as separate
applications or as user scripts. Given the popularity of add-ons when
Firefox was released and the popularity of mobile apps, I don't think
this approach is entirely unrealistic either.

Although I'm not entirely familiar with userscripts.org (I know about
Greasemonkey but never used many scripts) I think the way forward would
be to create user scripts for all of the common proprietary scripts that
are in use today, e.g. Google reCAPTCHA (used on many websites and
Cloudflare), Disqus (used for comments), and popular software packages
like Drupal and phpBB which already use free JavaScript, i.e. port to GM
where possible and detect when the scripts should be used.

The main issue would be the many websites use page-specific JavaScript
which would be very tedious to replace with user scripts. Also, last
time I checked there were some limitations in user scripts such as
setting timer events that rely on JavaScript being enabled as a workaround.

Anyway, just my thoughts.

Andrew

Michał Masłowski

I am a member!

I am a translator!

Offline
Joined: 05/15/2010

Two more examples of malicious scripts: ones preventing the user from
reading more than five articles per month, and ones showing full-size
ads for mobile apps when browsing on a phone browser.

Usual ad-blocking addons should handle these, while they might need
changes to disable only a part of multiple scripts merged into one file
(if it's needed).

We need an alternative to automatically updating unreviewed software and
to the app stores.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

"4. Websites that use JavaScript for 'fingerprinting' the user (also note that, paradoxically, not running JavaScript makes a user more unique)"

andrew i've enjoyed reading your post and agree with you. but the point 4. is not true. at least not for me - tried with several computers..
Java script allows websites to know a lot about your hardware and software. Thus it makes you stick out by a complex and thorough diplay of many factors of your equipment (fonts, time, monitor resolution, dom storage,plugins). All of these are hidden if javascript is disabled.

On my current pc if I do the test on panopticlick (eff) I get 11 with javascript turned off, which is pretty good.
I get 22 with javascript on, which is enough to uniquely identify me on the net (according to the eff.org)

andrew
Offline
Joined: 04/19/2012

superdude83 wrote:
> "4. Websites that use JavaScript for 'fingerprinting' the user (also
> note that, paradoxically, not running JavaScript makes a user more
> unique)"
>
>
> andrew i've enjoyed reading your post and agree with you. but the
> point 4. is not true. at least not for me - tried with several
> computers.. Java script allows websites to know a lot about your
> hardware and software. Thus it makes you stick out by a complex and
> thorough diplay of many factors of your equipment (fonts, time,
> monitor resolution, dom storage,plugins). All of these are hidden if
> javascript is disabled.

This is all true. What I meant was that not that many users disable
JavaScript which makes those users stand out more. It's easy to test
from a server--just serve a JS file that would make an AJAX call or load
an image with a unique ID, and if it doesn't hear back then the user
probably has JS disabled.

I don't have any statistics on how many users disable JavaScript so I
don't know how much of a problem it is. Although I'd imagine a sizeable
number of Tor Browser Bundle users would disable JavaScript.

Andrew

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Andrew . SADLY you are right - not many users disable javascript. I see what you are talking about - if one disables javascript then he sticks out, for few people do that. But in the same time disabling javascript makes you less footprintable..Not to mention the security benefits that come from disabling java..

A little digression here. But I really care about the topic, so...

I've been a windblows user for so many years (since I was a kid) and never gave many thoughts about security and privacy. I started taking this issue seriously a couple of years ago (snowden really got my attention)- I had a rough time securing and locking down windows 7. As I learned more and more about security and about computers in general, I felt frustrated with windblowz so much - then I switched to gnu/linux and really loved it since day one. I learned more in one year with gnu/linux then in 15 years with microshit!!
Problem is many people don't even know about alternatives. They see gnulinux as something old, complex and useless.
But the biggest problem yet is - the vast majority of people don't give a f... about their privacy - look at them spontaneously posting their pictures and personal life info on something like facebook - I mean - it's horrifying!!

The whole point of this digression is- The average dude doesn't disable java nor flash beacause of ignorance and/or indifference. For the same reason that average dude doesn't care about free software or even know the difference..
And that is very sad beacuse doing so they give up freedom. Yet I cannot blame them, for I was that average dude not long ago...

lembas
Offline
Joined: 05/13/2010

> Andrew . SADLY you are right - not many users disable javascript. I see what you are talking about - if one disables javascript then he sticks out, for few people do that. But in the same time disabling javascript makes you less footprintable..Not to mention the security benefits that come from disabling java..

I hope you're not confusing Java and JavaScript, those are different beasts.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Am talking about javascript!! Anyway thanks for pointing that out lembas - i see i wrote java two times - what I really meant was javascript
ciaouzzz!!