Jump to content

Does it make sense to disable javascript as a security measure nowadays?


Recommended Posts

Hi all.

I'm a newcomer on Hak5 forum but have been following the channel on Youtube for a little while now. I'm a (moderate) fan.

I've been an IT person for about 20 years now and all aspects of security do matter to me. In a previous job I was watching the network security and providing users with common good practices. Although I'm no expert I try my best to act as responsibly as can be, leaving room for improvement — I guess there's plenty of it...

For several years now the growing number of security flaws, exploits, vulnerabilities and hacks that have been reported through the news and all the channels that I happened to browse give me the creeps: yahoo breaches, XSS, CPU flaws, software bugs and poor programming practices, which government agencies profit from for spying, poor IoT security, connected spy-tools from Google and Amazon... (I'll stop there.) Not that I'm afraid I rather feel disgusted to the point of wanting to run away from a great part of the technology as much and as far as possible.

As a recent measure I am running no-script and am, well, contemplating how the modern web browsing age depends on it... and breaks! For having been a web developer, too, I find it infuriating to see most of these sites rely on javascript to provide the simplest animation or gadget while CSS-only is much wiser and profitable to the user experience. As if no developer couldn't do without like their lives depended on it... (that's only my perception, probably exaggerated.)

As I also follow the news and behind the (not-so) recent Meltdown and Spectre flaws that top it all I fee like whatever I can do ends up like putting steel locks with 12 digits on a tipi's curtain.

So as for Javascript does it make sense to disable it, given that I don't perceive a browser as a safe platform when it comes to security? I have to confess that I asked this question recently and got slapped so bad I was treated like an obsolete, retrograde, has-been, last-century, ignorant monkey.

Anyway I'm pleased to see there are still lots of sites perfectly working without and I'm not sure I'm inclined to going back to a full javascript-enabled experience...

Thanks a whole lot, guys and keep the good work.

Link to comment
Share on other sites

Like you say, good luck using the internet without JS. I tried it for a while years ago and it was a pain then, having to whitelist all the sites that I wanted to use and then tweak the policies to get things working.

I think that it is a nice idea but one that is doomed to failure.

Link to comment
Share on other sites

40 minutes ago, digininja said:

Like you say, good luck using the internet without JS. I tried it for a while years ago and it was a pain then, having to whitelist all the sites that I wanted to use and then tweak the policies to get things working.

Thanks for your lights, digininja. This said, you've explained how pointless it is on a usability standpoint. I'd like to know more about the security aspects. Like is it pointless even as a security measure given all the other back-doors, known and unknown? You see, I'm not the kind of "give in without thinking twice".

Link to comment
Share on other sites

It depends on what you allow to run, if you are very careful and selective then maybe. Some sites are insisting that you allow JS to allow their adverts to load before giving you access to the content. If you do, then any malicious advert served through that network gets you owned.

There have also been a few recent examples of sites which have been compromised and things like JS based crypto miners added to their own, local JS libraries so if you allowed that, otherwise legit site, to run JS then you'd be owned.

So I'd say it isn't pointless, just really hard to make work without making it pointless by allowing too much to make it useless.

Link to comment
Share on other sites

On 3/9/2018 at 6:41 PM, digininja said:

You've got it the wrong way round, he was asking about disabling it in the browser not on a site.

I know, but I'm saying that it wouldn't hurt others if someone managed to plant JS into your website when it's disabled on your own website.

It doesn't matter - I was just making a random comment from another POV.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...