[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FSD as a Git repository

From: Sergey Matveev
Subject: Re: FSD as a Git repository
Date: Tue, 20 Jul 2021 19:13:09 +0300
User-agent: Mutt/2.1.1 (2021-07-12)

*** Lorenzo L. Ancora via [2021-07-20 13:56]:
>The solution is not to convince people that "JavaScript is bad" but to
>educate them on the correct client-side implementation.

JavaScript is literally downloading of the program, that is
transparently executed somehow. No current web-browser allows you
controlling of that process: does anyone stores the hash of the
downloaded script and warns you that it is changed, shows you the diff,
asks for confirmation? It is just silly to blindly trust auto-executing
downloaded programs.

Modern Web-ecosystem is so complicated, that it is just impossible to
write web-engine from the ground:
That complexity guarantees that it can not be secure by definition.
No sandboxing protects you from from attacks on hardware like rowhammer,
Meltdown, Spectre and many similar:
You hardly can defence yourself even by running sandboxed JavaScript
inside virtual machine on another OS inside. Nothing will protect you
from the harmful software. The whole modern web-ecosystem is targeted
on running third-party downloaded software on each connection. You
literally loose control on you computer that way.
If someone wants to take everything from my hands and allow only to use
provided application (JavaScript script), then one can just give me the
VNC/X11/whatever remote graphical connection: it will be completely the
same for my computer. If I need to fill the complex dynamic input form,
or something far from being satisfied with already existing HTML forms,
then give me the telnet access, BBS like -- it is completely safe for
me and my computer, does not require any many-million-line-of-code
software, that you have to *very* regularly update because of constantly
changing and progressing JavaScript/DOM/CSS/whatever features. And the
form/site/application owner is happy too: no bothering about possible
source code obfuscation and compatibility problems.

People had to stop writing software/application they want me to execute
on my computer, when they just can share me the document they want to
show (HTML, images, PDFs, whatever). I already have transmission
protocols and document viewers available -- why should I download yet
another program I have to trust each time? If you use JavaScript, then
you do something completely wrong (or at least strange) from the
security and user's freedom point of view.

Sergey Matveev (
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]