Richard "GNU" Stallman on "The JavaScript Trap"

Richard "GNU" Stallman on "The JavaScript Trap"

Post by Giorgio Maone »

He nods at NoScript, too.
What do you think?

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by luntrus »

Hi Giorgio Maone,

It is a complicated question. For incompatibility reasons he has a proper argument, and in the ideal situation where the code was set free for the user, the data still would not be. Do not forget the origin is computed from the document.

And as far as the code goes, has that stopped anyone from reversing it in the past?
And what about the case where this code is created "on the fly", dynamically generated and not from any open source code?
Can the user control the proprietary application? According to what NoScript does on code, he or she can.

But the main question for the NoScript community would be: "Is there a security risk if the user wants to replace the one code with the other?" Or couldn't that be done? Anyway, the user could discriminate between the good (open source), the evil (proprietary) and the ugly (malicious, bad, and spaghetti); furthermore, there are users that take a strict or a more lenient view of what to use.

Well Giorgio, you started some discussion in this thread, I am sure about that,

luntrus

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Tom T. »

Most of the article was way over my head, but perhaps it helps that I can represent a closer-to-average user.
"Finally, we need to change free browsers to support freedom for users of pages with Javascript. First of all, browsers should be able to tell the user about nontrivial non-free Javascript programs, rather than running them. Perhaps NoScript could be adapted to do this."
I must be missing something. Doesn't NS already tell the user about *all* JS that is running or attempting to run, or blocked?
"Browser users also need a convenient facility to specify Javascript code to use instead of the Javascript in a certain page."
This guy lives on a strange planet where all Internet users are expert JS programmers. We can't even convince the average user to dump IE for Fx, and then we can't convince some of those to add NS. The idea that the majority of users will go around writing their own JS to substitute for what the page has is ludicrous.

Again, forgive me for what I don't understand. (You can try explaining it to me if you like). NS has already introduced script surrogates, so doesn't NS already take care of the problem? If not, how not?

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Nan M »

Edit.
This isn't a place where nuances are worth the trouble.

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Tom T. »

Nan M wrote: it would be very helpful to be given half a clue about which active content just might be ethical and usable
To whom? "ethical" and "usable" are both subjective judgments. What is ethical to you might not be to me, and vice versa. NS gives us the power to make those decisions for ourselves. I don't want anyone -- Capital, Labour, Government, the Pope, or anyone else -- deciding these things for me.

"Safe" and "Dangerous" are judgments I trust NS to make regarding XSS, clickjacking, etc., because I don't have the knowledge to make them.

As previous post mentioned, I still don't understand what exactly -- in a concrete example -- Stallman's ideas would give the non-JS-reading majority that NS doesn't already do for us. A clear hypothetical example would help.

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Fatman »

IMHO, when it comes to javascript, the less, the better.

For me, the same is true for flash.

I am a regular peruser of ZDNET, and it looks a lot better once their advertising crap has been sent to /dev/null. Between No Script and Ad Blocker, when I go to that site, it is a lot less cluttered. :)

Still, however, I feel the final decision should be left up to the user.

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by GµårÐïåñ »

Nan M, I think you made great points, and
Tom T., I know where you are coming from also,

I am on the side of the world being full of ideas, perspectives and knowledge and it comes down to what works for each individual and that doesn't make either wrong or right, just different :twisted:

Fatman, I am all for pretty, extended function, this and that, but not at the cost of the sanity to easily and efficiently review information without being overwhelmingly cluttered, so I am all for the NoScript, Adblock and RequestPolicy strategy for reducing clutter, but you are right that it's ultimately each person's decision how to approach it. :ugeek:

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by luntrus »

Hi GµårÐïåñ,

As this is partly a philosophical debate, Stallman being the GNU philosopher pur sang, I think it is important to look at where the spearhead innovation is found (very good directions were being shown by the developers of GoogleChrome and its more privacy-friendly counterpart, SRWare's Iron; the virtual machine aspect of the browsers is the way to go: throw out the malware code together with shutting down the browser). Fx can in some ways be considered a monster truck that is in need of a development U-turn, but just goes on in a pre-planned direction without possibilities for correction.
I would say that if Iron, for instance, came with extensions like ABP, NoScript, RequestPolicy, CSP etc., a lot of security-savvy browser users would also have left for that browser. So one never knows where innovation in development is found and where proprietary-ish tendencies are setting in. We always have to be aware of these tendencies.
Now my question: the new Google plans for deep packet inspection, to offer a better way to satisfy their AdSense revenue market, are frightening; what can the average user do to be protected against this loss of privacy and freedom?
The solution can be as simple as adopting an apt hosts file, but this is also way over the heads of the average browser user. It reminds me of an old saying by an influential man, and I adapt it to this example: "If one human being loses online privacy it is considered a disaster; if millions tend to lose it, it is just statistics". The protest is calmed by some trivial blinking success story, the others are satisfied by some rubber bot, the results are just plain "evil". Where can NoScript help us? I think it can in many respects here, as it already has me and others,

luntrus

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by GµårÐïåñ »

luntrus, thank you for that, I find the perspective refreshing. I agree that I would like to see solutions that are sandboxed in a way that will isolate and dump when done. As you stated that was the idea going into GoogleChrome (which I have used and although it works fine, I had several issues with it that bothered me, enough to uninstall it) and I'll be honest, not sure about SRWare's Iron, will look into that, but the virtualization idea has been kicked around for a while and although great in theory has some limitations that need to be addressed and overcome before being globally usable. In certain scenarios, I wouldn't touch it without it but in some scenarios, the overhead and performance totally kills the efficiency needed to make it globally effective. I am sure progress will be made and there will come a time that it will probably become standard practice. You are right in that if we don't try, if we don't allow for some faith in a proof of concept that it might miss something great, so being open to new ideas is always a requirement of advancement but that needs to be balanced against potential carelessness or over eagerness towards progress that ends up setting us back. :ugeek:

I have always found tracking, user profiling and data mining to cross a certain ethical and comfort line for me personally and I have always actively been against it, maybe because I am jaded due to what I know and have seen and have done or maybe simply that I find the concept overbearing and too intrusive, no way to know for sure other than the fact that I don't like it :shock: Ultimately, some degree of tracking will always be a part of our lives and more so each day when technology needs to keep up with the solutions that defeat it. In the case of Google, I can see your point about the potential horror of it and although I would love to believe that any company that tells me "we believe in do no evil" is trustworthy, I would still feel better if they didn't push each and every day to know more and gather more on me, just my feeling on the subject.

Anyway, thank you for giving me the opportunity to pour out a little preach and whine :P I just hope that I have not gone too far off topic, and my apologies in advance if I have.

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by jogo »

"He nods at NoScript, too."
Can someone ask Stallman again, please? I wonder what his reply would be, based on the new evidence of pissed-off developers playing counter-strike with their code.

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Giorgio Maone »

Well, Stallman's whole point comes out corroborated by this incident, IMHO.

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Foam Head »

Most of what Stallman proposes (IMHO) is either impractical (it's nigh folly to attempt on-the-fly replacement of "nontrivial non-free" JavaScript with an open/free alternative) or not particularly useful (adding @source and @license comments will be compressed out to reduce space). However, the article gave me one interesting thought that might be applicable to NoScript...

As Stallman mentions, JavaScript started out as a minor helper for page display, and although it can now be used for industrial sized functionality, it is often still used as such. For example, glancing at the source for the smilies in this forum's post editor, it's not overly complicated stuff. If we assume that all such trivial scripts are innocuous enough that they cannot directly harm the user, then NoScript could allow/disallow pages with only trivial scripts.

Obviously the big issue is the assumption that trivial scripts cannot directly harm the user. How NoScript identifies a trivial script would become highly important and, if NoScript became popular enough, could be specifically targeted by attackers. However, if the detection erred on the side of caution and was simple enough, it could work.

However, even if the "triviality" of a script could be easily and reliably determined, would there be enough web sites that just contain trivial scripts (if there's even one nontrivial script, you have to disable the entire page) to make this worthwhile? As most web sites push towards more and more complexity, it wouldn't make sense to program something that only works on a small percentage of all popular web sites.

So I don't know how appropriate or how viable this would be for NoScript, but the Stallman article did flicker this idea.
Cheers,
-Foam

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Lucas Malor »

The matter about free software is interesting, but it's not convenient to download the GPL every time a free script is loaded...

The other point is much more interesting: triviality. If a JS code contains nothing potentially harmful, why NoScript must not allow it by default? This will ease things for the end-user.

The problem is: if the JS code is not linked outside the document but it's inside the HTML code, can NoScript instruct Firefox to ignore only that piece of code?

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Giorgio Maone »

Lucas Malor wrote: The other point is much more interesting: triviality. If a JS code contains nothing potentially harmful, why NoScript must not allow it by default? This will ease things for the end-user.
Of course it would, but I'm afraid it's impossible.
You can't reliably tell whether a piece of code is innocuous without executing it, either in a VM/sandbox (if you're yourself a program, like NoScript) or in your mind, and even then you shouldn't be so self-confident.
Lucas Malor wrote: The problem is: if the JS code is not linked outside the document but it's inside the HTML code, can NoScript instruct Firefox to ignore only that piece of code?
This is a problem, but the minor one, see above.
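
Added example, not part of any post in this thread and not NoScript code: a sketch of the "trivial script" check Foam Head proposes, set beside a name-matching check to show what erring on the side of caution costs and why Giorgio Maone's objection still applies to anything it lets through. The allowlists, function names and both sample scripts are assumptions constructed for illustration; the shadowing check is evaluated against whatever global object the code runs in.

```javascript
// Added illustration, not NoScript code: every name and list here is an assumption.
const KEYWORDS = new Set(["function", "return", "if", "else"]);
const GLOBALS = new Set(["document"]);
const PROPERTIES = new Set(["getElementById", "value", "focus", "length"]);
const DENYLIST = /\b(eval|Function|XMLHttpRequest|setTimeout|innerHTML|write)\b/;

// Constructed samples, not taken from any real site.
const SMILEY_SCRIPT = `function insert_smiley(code) {
  // append the smiley code to the post editor
  document.getElementById("message").value += " " + code + " ";
  document.getElementById("message").focus();
}`;
const COMPUTED_ACCESS = 'document["wr" + "ite"]("placeholder");';

// Naive contrast: calls a script trivial unless a known-bad name appears in it.
function denylistSaysTrivial(src) {
  return !DENYLIST.test(src);
}

// One left-to-right pass: string literals become "", comments become a space.
function stripLiteralsAndComments(src) {
  const re = /"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return src.replace(re, (m) => (m[0] === "/" ? " " : '""'));
}

// Deny by default: trivial only if every character and every name is allowlisted.
function allowlistSaysTrivial(src) {
  const code = stripLiteralsAndComments(src);
  // No brackets (computed access), backticks, slashes, backslashes or non-ASCII.
  if (!/^[\w\s.(){};=,+"]*$/.test(code)) return false;
  const declared = new Set();
  for (const m of code.matchAll(/\bfunction\s+(\w+)\s*\(([\w\s,]*)\)/g)) {
    for (const name of [m[1], ...m[2].split(",")].map((s) => s.trim())) {
      // A script-defined name may not shadow anything the global object already has.
      if (name in globalThis) return false;
      if (name) declared.add(name);
    }
  }
  for (const m of code.matchAll(/(\.\s*)?\b([A-Za-z_]\w*)/g)) {
    const ok = m[1] !== undefined ? PROPERTIES.has(m[2])
      : KEYWORDS.has(m[2]) || GLOBALS.has(m[2]) || declared.has(m[2]);
    if (!ok) return false;
  }
  return true;
}

console.log(denylistSaysTrivial(COMPUTED_ACCESS), allowlistSaysTrivial(COMPUTED_ACCESS));
console.log(allowlistSaysTrivial(SMILEY_SCRIPT));
```

The name-matching check accepts the computed-access sample while the allowlist rejects it; the allowlist accepts the smiley helper only because its whole vocabulary is four property names, which is the coverage problem Foam Head raises.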

Re: Richard "GNU" Stallman on "The JavaScript Trap"

Post by Lucas Malor »

Giorgio Maone wrote: You can't reliably tell whether a piece of code is innocuous without executing it
You are right, but it could be a good compromise. NoScript could do this only for "reliable" sites (noscript.net/about)

EDIT:
Interesting site :)