non-free sw on websites
- Inicie sesión ou rexístrese para enviar comentarios
I read RMS' article about Javascript, Flash, and other non-free website code:
https://www.gnu.org/philosophy/javascript-trap.html
In what ways are users vulnerable to proprietary Javascript? If there are examples, could you please provide links?
A great amount of websites. From the top of my head, pretty much everything Google.
I mean, in what ways can third parties control the non-free website software, that a user may not agree with if fully informed?
For example: can non-free website software access and report on information in users' web browsers? How about local home folders?
It's kind of an odd thing, because in the name of security, JavaScript tends to be a somewhat castrated language, at least when it's loaded on the request of a web page. You have all these settings in a browser for what it can and cannot do, and JavaScript's ability is usually crippled by default. Then you have NoScript, which blocks even more of JavaScript's ability to do what it wants. However, it's still a programming language, and you simply can't design a decent programming language that makes all malicious functionality impossible.
One basic example of malicious use of JavaScript code is fingerprinting, and this is quite common. For instance, HTML5 introduced the canvas element, allowing JavaScript to be used to draw things, a useful thing for games. But by taking advantage of slight differences in the way browsers handle this, it's possible to retrieve canvas data and use it to uniquely identify you. This is one particular thing that Web browser developers (but especially the Tor Project) have been trying to crack down on, but it's a difficult, ongoing battle.
I'm sure there are other examples of malicious functionality observed in JavaScript programs, but I can't think of any right now.
I'm not really an expert on the matter, but from what I understand it is a significant risk. The Wikipedia article on Cross-site scripting (XSS) might be an interesting read.[0]
[0]https://en.wikipedia.org/wiki/Cross-site_scripting
Obviously the worst thing about proprietary JavaScript is that it's proprietary. You don't have the 4 freedoms.
Besides that JavaScript can be used for snooping various things, some listed at https://panopticlick.eff.org/
Also, the JavaScript sandboxes on many applications are not too good and there are quite a few exploits that take advantage of JS. E.g. https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/
I posted my IMO on harmful effects of non-free JavaScript here:
https://trisquel.info/en/forum/harmful-effects-non-free-javascript
tl;dr: tricking users, unnecessarily tracking of user actions on pages,
obfuscation or primitive digital restrictions management (hard to tell,
not sure what reCAPTCHA and YouTube use now).
Andrew
Thanks for the great essay- I'm now convinced that I should keep LibreJS enabled.
I think of it this way, Facebook and I presume Google track users when they're logged out and not even on their sites through all sorts of code that we can't see or opt out of.
http://www.cnet.com/news/facebook-we-do-track-logged-out-users-but-trust-us/#!
andrew -- I read that post on javashajt a few weeks ago reading about something in the forum - I found it excellent and very exaustive!
thanks andrew! :)
Thanks guys, all your responses are very helpful.
- Inicie sesión ou rexístrese para enviar comentarios