Joon-T Posted March 6, 2018 Share Posted March 6, 2018 Hi all. I'm a newcomer on Hak5 forum but have been following the channel on Youtube for a little while now. I'm a (moderate) fan. I've been an IT person for about 20 years now and all aspects of security do matter to me. In a previous job I was watching the network security and providing users with common good practices. Although I'm no expert I try my best to act as responsibly as can be, leaving room for improvement — I guess there's plenty of it... For several years now the growing number of security flaws, exploits, vulnerabilities and hacks that have been reported through the news and all the channels that I happened to browse give me the creeps: yahoo breaches, XSS, CPU flaws, software bugs and poor programming practices, which government agencies profit from for spying, poor IoT security, connected spy-tools from Google and Amazon... (I'll stop there.) Not that I'm afraid I rather feel disgusted to the point of wanting to run away from a great part of the technology as much and as far as possible. As a recent measure I am running no-script and am, well, contemplating how the modern web browsing age depends on it... and breaks! For having been a web developer, too, I find it infuriating to see most of these sites rely on javascript to provide the simplest animation or gadget while CSS-only is much wiser and profitable to the user experience. As if no developer couldn't do without like their lives depended on it... (that's only my perception, probably exaggerated.) As I also follow the news and behind the (not-so) recent Meltdown and Spectre flaws that top it all I fee like whatever I can do ends up like putting steel locks with 12 digits on a tipi's curtain. So as for Javascript does it make sense to disable it, given that I don't perceive a browser as a safe platform when it comes to security? I have to confess that I asked this question recently and got slapped so bad I was treated like an obsolete, retrograde, has-been, last-century, ignorant monkey. Anyway I'm pleased to see there are still lots of sites perfectly working without and I'm not sure I'm inclined to going back to a full javascript-enabled experience... Thanks a whole lot, guys and keep the good work. Quote Link to comment Share on other sites More sharing options...
digininja Posted March 6, 2018 Share Posted March 6, 2018 Like you say, good luck using the internet without JS. I tried it for a while years ago and it was a pain then, having to whitelist all the sites that I wanted to use and then tweak the policies to get things working. I think that it is a nice idea but one that is doomed to failure. Quote Link to comment Share on other sites More sharing options...
Joon-T Posted March 6, 2018 Author Share Posted March 6, 2018 40 minutes ago, digininja said: Like you say, good luck using the internet without JS. I tried it for a while years ago and it was a pain then, having to whitelist all the sites that I wanted to use and then tweak the policies to get things working. Thanks for your lights, digininja. This said, you've explained how pointless it is on a usability standpoint. I'd like to know more about the security aspects. Like is it pointless even as a security measure given all the other back-doors, known and unknown? You see, I'm not the kind of "give in without thinking twice". Quote Link to comment Share on other sites More sharing options...
digininja Posted March 6, 2018 Share Posted March 6, 2018 It depends on what you allow to run, if you are very careful and selective then maybe. Some sites are insisting that you allow JS to allow their adverts to load before giving you access to the content. If you do, then any malicious advert served through that network gets you owned. There have also been a few recent examples of sites which have been compromised and things like JS based crypto miners added to their own, local JS libraries so if you allowed that, otherwise legit site, to run JS then you'd be owned. So I'd say it isn't pointless, just really hard to make work without making it pointless by allowing too much to make it useless. Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted March 9, 2018 Share Posted March 9, 2018 If you have a lightweight site that doesn't use JS then it wouldn't hurt to disable JS on your site. Stop people injecting JS into your website (CPU miners etc.). Quote Link to comment Share on other sites More sharing options...
digininja Posted March 9, 2018 Share Posted March 9, 2018 You've got it the wrong way round, he was asking about disabling it in the browser not on a site. Quote Link to comment Share on other sites More sharing options...
Dave-ee Jones Posted March 13, 2018 Share Posted March 13, 2018 On 3/9/2018 at 6:41 PM, digininja said: You've got it the wrong way round, he was asking about disabling it in the browser not on a site. I know, but I'm saying that it wouldn't hurt others if someone managed to plant JS into your website when it's disabled on your own website. It doesn't matter - I was just making a random comment from another POV. Quote Link to comment Share on other sites More sharing options...
Joon-T Posted September 29 Author Share Posted September 29 On 3/6/2018 at 6:04 PM, digininja said: It depends on what you allow to run, if you are very careful and selective then maybe. Some sites are insisting that you allow JS to allow their adverts to load before giving you access to the content. If you do, then any malicious advert served through that network gets you owned. There have also been a few recent examples of sites which have been compromised and things like JS based crypto miners added to their own, local JS libraries so if you allowed that, otherwise legit site, to run JS then you'd be owned. So I'd say it isn't pointless, just really hard to make work without making it pointless by allowing too much to make it useless. Necro posting, I assume... I installed NoScript Firefox extension since I asked and I must admit I never regretted it, to a point I feel something is missing whenever I create a new profile, all blank 😄 . As a bonus I get to see how crappy the internet has become (thanks Google et al.): blank page if JS is disabled, no cookie/consent hookers most of the time... Besides page loading can be faster in some circumstances. I honestly recommend that option. Quote Link to comment Share on other sites More sharing options...
digininja Posted September 29 Share Posted September 29 I'm surprised any of the internet works properly without JavaScript today. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.