Go Beyond

Only read if you don't mind being offended.


The Case Against Javascript

The Tor community is perhaps the most anti-Javascript I have found. I for one have hated the language, a shotgun pointed at your feet without any pain receptors to know when you've blown your foot off, but generally felt it fine to be enabled.

Sure, I knew about the battery API and some of the numerous other ways you could be tracked. I decided the best workaround was not to disable Javascript but to sandbox the browser. And if privacy was a concern, put the browser in a VM and Torify it.

But the more I mull it over, the more I think I may be missing something. Generally speaking, I have always avoided Javascript whenever easy to do so. This blog, for instance, has none unless you wish to buy Fifty-two with Money Button. And I might go ahead and remove that. Though SporeStack and Double Mixer both have quite a bit of Javascript.

On the flipside, Javascript actually makes privacy easier with Double Mixer and it makes my regular API consumable by even browsers for SporeStack. I avoid 3rd party Javascript whenever possible. I'm not using tracking or analytics.

So as much as one can use Javascript "the nice way," I am doing it.

But, it seems many choose to disable Javascript entirely. Why? What could be so sinister about Javascript from a user's point of view?

Philosophical arguments against Javascript

  1. Javascript presents an opportunity for unbounded browser applications. Limitless pursuits become a means unto themselves and not a means unto an end. (This is partly tongue-in-cheek, partly serious.)

Security arguments against Javascript.

  1. Javascript is, to my knowledge, the most complicated and thus exploitable part of the browser stack.
  2. Javascript also acts as an ideal "delivery vector" for all kinds of evil, if an exploit is found. In plain HTML, a page that refreshes automatically or sends data in POST requests is obvious to the user. With Javascript, without "breaking in" any further, if you were able to, say, keylog, you could deliver the results in XMLHttpRequests or the like without the user having any visual indication of what's going on.
  3. Spectre attacks and Rowhammer are almost impossible without Javascript. If such an attack were implemented without, the user would likely see an absurd amount of page refreshes or the like. And the rate would probably be too slow to be meaningful.

Privacy arguments against Javascript.

  1. Javascript makes tracking much easier. Not just tracking who you are but tracking how you type, what you like, and what you think. Obviously, there's loads of tracking without Javascript. But Javascript can make that tracking much more specific and much more granular.

HTML vs Javascript

I've found in web development that HTML and Javascript play nicely to a point. A very limited point. In more advanced use, HTML behaviors interfere with Javascript and vice versa. If you go "too far" into the Javascript camp you have to go all the way. Browsers have some behaviors like saving form selections. If the form is all Javascript, it can't do that. Then you have to track that stuff if you want it.

It's interesting to see how one language and set of behaviors interacts with another. Some amount is fine, but too much and Javascript simply does not get along with HTML. They are two different paradigms.

Javascript isn't all bad

You'd have to be ignorant or a complete fool to think Javascript is all bad. A little bit of Javascript can go a long way and save you from a lot of grief. Javascript can even improve user privacy, having data kept locally vs needing a request for any kind of computation on user data.

But...

If you think about security models, most people are back to single user systems. Their user account on their laptop is their life. If that gets compromised, who cares about root access or not. The gold is in the guest bedroom, not the master closet. So who cares if the attacker doesn't make it to the master closet? They've already got the gold.

These days, 90% of a user's interactions with the internet or any data could be through a browser. There's no real separation between webpages. Cookies carry over. There's no OS-level sandboxing between tabs. It's very common to have documents in Google Documents, personal life in Facebook, and videos on Youtube. Then if you add in shopping, Reddit, Voat, Poal, etc, it all happens under the same field. If one page has some linked page that manages to compromise the browser, the whole person is compromised. Even if the browser is sandboxed separate from the rest of the system. I'm not saying every user puts their whole life in a browser, but most do. Even if you do "private browsing," most attacks from pages in the private window likely could easily get data out of the non-private window.

Thus I would say the security model in Qubes should probably be applied to the browser. Tabs being isolated processes. Or maybe just using different windows sandboxed from one another. I'm not saying that browser developers are morons and there's no security at all. I applaud Mozilla for Rust and the lengths most browsers go to sandbox. But, they are extremely complicated applications and that complexity simply makes holes inevitable. And unfortunately, if the browser is compromised it's not just one page, it's probably all of a user's important data. If not right away, certainly if a keylogger is put in place. Which if you own the browser, you can log keystrokes in the browser. Just wait for the passwords. Or steal the cookies and proxy through the browser to get logged in sessions where needed.

Security risks really aren't all, even though I keep harping on them. Products will tend to keep advancing in an arms race fashion up to any limits imposed. It used to be enough to show a graphic on the side of a website and sell it as an ad. Now the companies buying advertising want to know who their ad is going to, engagement, demographics, etc. And a social media website has to be sufficiently engaging. Dopamine is being gamed to get people more and more addicted as they are the product.

Javascript makes it far easier to see engagement. A user can scroll through an infinite feed. With Javascript the company can easily track what you look at, how long, what you type (whether or not you send it), and where your mouse pointer is. In turn this data is used to tune machine learning profiles just for you. Your own interactions, possibly more honest than your own personal admissions about your interests, tune algorithms that then target more content for you. You are feeding the machine which is holding you captive. The websites start to learn more about you than you know about you. They know what content will keep you from exiting out. They know what ads will engage you the most so they make the most money on them.

Like computer systems, humans are exploitable. Javascript may not be the villain here, but it is almost mandatory in enabling such extreme tracking. I don't think it's infeasible that corporations can predict what you will find irresistible. They know what kind of political ads will trigger your emotions to sway you. They know your insecurities.

Sure, there's a lot of mess in the data. You go and get a coffee and it looks like you're really focused on one thing. Or does it? You're not moving your mouse pointer. These developers are pretty bright. They know what to look out for. And while nothing is perfect, an unaware person can easily be manipulated and held captive by the dopamine they can't resist.

I wish this was fiction but it's not. Or if it's not, it's very, very close to reality.

If you ever disable Javascript you practically get a different Internet. Sure, 30% of sites don't work at all. But everything comes at you slower. There's no infinite scrolling. Pages load a heck of a lot faster. And of course then there's the many, many partly broken pages. But it's (relatively) calm. It's closer to sitting in a library than playing Frogger with traffic on an infinite lane highway.

Finally, I think I see why people disable Javascript. Most of them are paranoid Tor users. For the ones who can't easily sandbox their browser, disabling Javascript makes them much safer. And it prevents nefarious attempts to correlate users based on typing patterns. This is actually a thing. I don't know what Bank of America does with the data, but when I type in my password my keystrokes get sent to them base64 encoded. Other websites can easily track this. They have data on who you are based on how you type. Just one more way you can be tracked. (This also means Bank of America has plain text password data -- a huge no-no.)
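
An added illustration of the typing-pattern correlation mentioned above (not code from this blog or from any site named here): it compares the gaps between keystrokes in constructed timestamp data and shows what a coarser clock hides and what it does not. The sample names, the timestamp values and the 100 ms step are all assumptions.

```javascript
// Constructed keydown timestamps (ms since first key) for the same
// six-character word. Names and values are made up for illustration.
const SAMPLES = {
  alice_visit1: [0, 92, 181, 275, 362, 455],
  alice_visit2: [0, 88, 185, 270, 366, 450],
  bob:          [0, 60, 180, 240, 360, 420],   // similar speed, different rhythm
  carol:        [0, 210, 395, 640, 830, 1060], // much slower typist
};

// Flight time = gap between consecutive keydown events.
function flightTimes(ts) {
  return ts.slice(1).map((t, i) => t - ts[i]);
}

// Mean absolute difference between two flight-time vectors (ms).
function rhythmDistance(a, b) {
  const fa = flightTimes(a), fb = flightTimes(b);
  const total = fa.reduce((sum, v, i) => sum + Math.abs(v - fb[i]), 0);
  return total / fa.length;
}

// Model a clock that only ticks every `stepMs` (assumed granularity).
function coarsen(ts, stepMs) {
  return ts.map((t) => Math.floor(t / stepMs) * stepMs);
}

// Distance from alice_visit1 to every other sample.
// stepMs = 0 means full-precision timestamps.
function distancesFromAlice(stepMs) {
  const view = (ts) => (stepMs ? coarsen(ts, stepMs) : ts);
  const ref = view(SAMPLES.alice_visit1);
  const out = {};
  for (const [name, ts] of Object.entries(SAMPLES)) {
    if (name !== "alice_visit1") out[name] = rhythmDistance(ref, view(ts));
  }
  return out;
}

console.log("raw   ", distancesFromAlice(0));
console.log("100 ms", distancesFromAlice(100));
```

At full precision the two alice visits sit far closer to each other than to anyone else, which is what makes them linkable. With the coarse clock, alice and bob become identical, but carol still stands out: coarsening only hides differences smaller than the step.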

The sad thing is that as technology advances, so do expectations. And in many ways, Javascript free websites can't compete with their Javascript counterparts. They're simply less engaging. If you're a company whose product is its users, this is a bad trait to have. If you're a user, you'll likely gravitate to the dopamine. Or perhaps you'll breathe a sigh of relief when cat pictures, politics, and ads aren't flying at you at a million miles an hour.

Keep in mind you can design websites to function properly with and without Javascript; there is the noscript tag. It is more work. I'd like to avoid it altogether though if I can.

Gotta add Javascript purging to the to-do list for SporeStack.

Thanks for reading.

PS: If you like reading rants about software, this is the place to be.

2020-04-01 Update: I've removed the Fifty-Two Money Button page, so there's no Javascript on Go Beyond at all. (Not an April Fool's joke, not sure why it would be though.)