Hello! I like both the above original post and your comment which both describe the general privacy/bloat issue and measures against.
But, aside from all the ads and tracking… what do you say about blocking JS to avoid shady malicious code running in your browser, delivered from a site you would normally trust, but was somehow manipulated and may someday find a way out of its sandbox (browser bugs, PDF vulnerabilities etc.)? Ok, one could disable plugins but you never know what’s next. How would you go about this issue with your approach? Or did I miss something? I’m not an expert.
I hope my point and question is coming across, despite my English. ;)
Well, for one thing, the problem of “code delivered from a site you would normally trust but that is now malicious” is the same as the problem of “being mistaken about what sites to trust (and so accidentally trusting a site that was malicious all along)”.
As I understand your question, and as I understand the web and its technologies, the problem basically is that “if you run code (JavaScript) in your browser—code that is provided by arbitrary people on the internet—this is fundamentally a vulnerability”. And that’s true. There’s no solution to that basic fact other than “don’t run JavaScript”.
The matter really depends on how much you trust your browser vendor (Google, Apple, or Mozilla) to secure the browser against exploits that could harm/steal/pwn your computer or your data. If you trust them to a reasonable degree, then precautions short of “disable JavaScript entirely” suffice. If you really don’t trust them very much at all, then disable JavaScript (and possibly take even stricter measures to limit your exposure, such as running your browser in a VM, or some such thing; Richard Stallman’s browse-by-email workflow would be an extreme example of this).