non-free sw on websites

10 respostas [Última entrada]
muhammed
Desconectado
Joined: 04/13/2013

I read RMS' article about Javascript, Flash, and other non-free website code:

https://www.gnu.org/philosophy/javascript-trap.html

In what ways are users vulnerable to proprietary Javascript? If there are examples, could you please provide links?

JadedCtrl
Desconectado
Joined: 08/11/2014

A great amount of websites. From the top of my head, pretty much everything Google.

muhammed
Desconectado
Joined: 04/13/2013

I mean, in what ways can third parties control the non-free website software, that a user may not agree with if fully informed?

For example: can non-free website software access and report on information in users' web browsers? How about local home folders?

onpon4
Desconectado
Joined: 05/30/2012

It's kind of an odd thing, because in the name of security, JavaScript tends to be a somewhat castrated language, at least when it's loaded on the request of a web page. You have all these settings in a browser for what it can and cannot do, and JavaScript's ability is usually crippled by default. Then you have NoScript, which blocks even more of JavaScript's ability to do what it wants. However, it's still a programming language, and you simply can't design a decent programming language that makes all malicious functionality impossible.

One basic example of malicious use of JavaScript code is fingerprinting, and this is quite common. For instance, HTML5 introduced the canvas element, allowing JavaScript to be used to draw things, a useful thing for games. But by taking advantage of slight differences in the way browsers handle this, it's possible to retrieve canvas data and use it to uniquely identify you. This is one particular thing that Web browser developers (but especially the Tor Project) have been trying to crack down on, but it's a difficult, ongoing battle.

I'm sure there are other examples of malicious functionality observed in JavaScript programs, but I can't think of any right now.

BlinkingArrow

I am a member!

Desconectado
Joined: 12/27/2011

I'm not really an expert on the matter, but from what I understand it is a significant risk. The Wikipedia article on Cross-site scripting (XSS) might be an interesting read.[0]

[0]https://en.wikipedia.org/wiki/Cross-site_scripting

lembas
Desconectado
Joined: 05/13/2010

Obviously the worst thing about proprietary JavaScript is that it's proprietary. You don't have the 4 freedoms.

Besides that JavaScript can be used for snooping various things, some listed at https://panopticlick.eff.org/

Also, the JavaScript sandboxes on many applications are not too good and there are quite a few exploits that take advantage of JS. E.g. https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/

andrew
Desconectado
Joined: 04/19/2012

I posted my IMO on harmful effects of non-free JavaScript here:
https://trisquel.info/en/forum/harmful-effects-non-free-javascript

tl;dr: tricking users, unnecessarily tracking of user actions on pages,
obfuscation or primitive digital restrictions management (hard to tell,
not sure what reCAPTCHA and YouTube use now).

Andrew

JadedCtrl
Desconectado
Joined: 08/11/2014

Thanks for the great essay- I'm now convinced that I should keep LibreJS enabled.

linuxbookpro
Desconectado
Joined: 03/18/2012

I think of it this way, Facebook and I presume Google track users when they're logged out and not even on their sites through all sorts of code that we can't see or opt out of.

http://www.cnet.com/news/facebook-we-do-track-logged-out-users-but-trust-us/#!

SuperTramp83

I am a translator!

Desconectado
Joined: 10/31/2014

andrew -- I read that post on javashajt a few weeks ago reading about something in the forum - I found it excellent and very exaustive!
thanks andrew! :)

muhammed
Desconectado
Joined: 04/13/2013

Thanks guys, all your responses are very helpful.