Discussion:
[conspire] NoScript
Paul Zander
2018-09-20 17:17:45 UTC
Someone, not on the CABAL list, asked why I use No Script and didn't it limit my access to some fancy websites. Below is my reply. Did I get this reasonably correct?


More and more websites use javascript. Also many of those scripts link to other websites.

Loading other websites means more web traffic. It takes time to establish the
links. What is the benefit to me to load facebook or
googlesyndication?


Javascripts take up CPU cycles on my computer. Using my resources to serve up ads I am not interested in. After I have bought something on line, why do I want to see ads for the same stuff?

Last, and most important, once a script is running on my computer, there are too many ways the bad actors can do things I don't want.
Rick Moen
2018-09-20 20:36:13 UTC
Post by Paul Zander
> Someone, not on the CABAL list, asked why I use No Script and didn't
> it limit my access to some fancy websites. Below is my reply. Did I
> get this reasonably correct?
>
> More and more websites use javascript. Also many of those scripts link to other websites.
>
> Loading other websites means more web traffic. It takes time to
> establish the links. What is the benefit to me to load facebook or
> googlesyndication?
>
> Javascripts take up CPU cycles on my computer. Using my resources to
> serve up ads I am not interested in. After I have bought something on
> line, why do I want to see ads for the same stuff?
>
> Last, and most important, once a script is running on my computer,
> there are too many ways the bad actors can do things I don't want.
Sounds about right to me (although one could detail some of the many bad
actions by those bad actors to which you allude). I'd even shorten it
to: 'Because I want my Web browser to do what *I* ask, not what a bunch
of spooks and criminals want it to do.'


Javascript has turned out to be the keystone technology that drives
not just dynamic Web sites but just about all of the more-nefarious uses
of the Web (keystone in the sense that it's glue code making other
pieces of badness able to communicate and function), something possible
because it is grossly overfeatured and by default has an appalling lack
of security and privacy safeguards. The major browser manufacturers
have no incentive to fix that problem, in part because their priorities
are influenced by money they get from targeted advertising and other
shady industries that rely on data-mining and spying on users. So, the
lazy assumption that 'If this were dangerous and ripe for abuse, the
browser coders would have done something about it' turns out to be
grossly mistaken.

A depressing number of people using the Web utterly fail to face the
classic questions 'Who's the customer? What's the product? What pays
for the costs of these things?' So, they resist the notion that major
Web browser companies aren't strongly (or, frankly, at all) motivated to
look after their personal interests. They somehow think they're the
customers, even though they never paid a nickel.

E.g., I kept hearing Linux and other computer users expressing outrage
and incomprehension that Mozilla, Inc. keeps cutting the funding behind
the Thunderbird mail program, and moving to EOL the project. I ask
them: What's Mozilla's revenue model for Thunderbird? And, by
contrast, what's its revenue model for Firefox? Often, they can't get
their minds around the contrast, or indeed what the issue is, at all.

tl;dr: Gross intellectual laziness to the point of failure to grasp
self-interest remains a thing.
Ehud Kaldor
2018-09-23 04:02:17 UTC
I would add to Paul's statements that it also gives me a list of all the
3rd parties called into the party (pun intended) whenever I go to a site.
Just knowing it, even if I end up whitelisting all, is good knowledge of
what types of functionality a web site is pulling in.
Tony Godshall
2018-09-26 20:37:35 UTC
> ... it also gives me a list of all the 3rd parties called into the party (pun intended) whenever I go to a site. Just knowing it, even if I end up whitelisting all, is good knowledge of what types of functionality a web site is pulling in....
Amen to that. And one can make a more informed choice as to whether
one wants to continue to the site knowing what nefarious third parties
the primary site you are visiting has invited to the party.

Ivan Sergio Borgonovo
2018-09-26 06:37:44 UTC
Post by Paul Zander
> Someone, not on the CABAL list, asked why I use No Script and didn't it limit my access to some fancy websites. Below is my reply. Did I get this reasonably correct?
>
> More and more websites use javascript. Also many of those scripts link to other websites.
>
> Loading other websites means more web traffic. It takes time to establish the
> links. What is the benefit to me to load facebook or
> googlesyndication?
>
> Javascripts take up CPU cycles on my computer. Using my resources to serve up ads I am not interested in. After I have bought something on line, why do I want to see ads for the same stuff?
>
> Last, and most important, once a script is running on my computer, there are too many ways the bad actors can do things I don't want.
It seems that the WebExt version of NoScript is not going to get into
Debian. Probably because of some controversies related to the revenue
strategies of the author.

I know people in Palermo who know Maone personally and they say he is
a good person with a family etc... and he has to live on something...

Being able to install noscript as a package was a major plus since I
didn't have to have multiple copies of the same plugin for every firefox
profile, I didn't have to rely on users (my family) upgrading it, I
didn't have to install it on every single profile my users have etc...

When firefox was moving from xul to webext extensions, probably some
preparatory changes made xul noscript stop working with older releases
of noscript, so that you had to install the latest noscript and Debian
was lagging behind. Out of frustration I even decided to set up my home
debian repository and package the newer version of noscript.

Unfortunately it seems there is no shared method adopted by debian
packagers to package firefox plugins, so that every plugin comes with a
different script to clone the git repo, patch etc...

So I lost interest in really learning the art.

Now since there is no more reason to prefer noscript to alternatives
I'm starting to consider uMatrix [1] that seems a bit more granular and
thus may require more initial setup but should let people use websites
properly with a better compromise for security.

Firefox has some "tool" for administrators to manage configurations but
there seems no easy way to globally install plugins and I think letting
untrained people surf the internet without something like noscript or
ublock is crazy.

It seems that no browser has some easy way to globally manage plugins
and that reminds me of Rick's questions "Who is the customer? What pays for
the costs of these things?".


[1] https://addons.mozilla.org/en-US/firefox/addon/umatrix/
--
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net
Paul Zander
2018-09-26 16:12:21 UTC
On the general topic of security.
The other day someone from high up at Microsoft was on the television talking about how AI will be used to solve many big problems, like hurricane recovery.
Asked about security, he replied that Microsoft responds as soon as it learns about a threat.  No mention of actively looking for vulnerabilities or attempting to design them out from the start.
