[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: JavaScript is only a tool

From: Lorenzo L. Ancora
Subject: Re: JavaScript is only a tool
Date: Sat, 24 Jul 2021 15:40:40 +0000
User-agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Seems I have never used general purpose computers actually.

"General purpose computer: A computer designed to perform, or that is capable of performing, in a reasonably efficient manner, the functions required by both scientific and business applications. Note: A general purpose computer is often understood to be a large system, capable of supporting remote terminal operations, but it may also be a smaller computer, e.g., a desktop workstation." - quoted from Institute for Telecommunication Sciences (ITS), supervisioned by the National Telecommunications and Information Administration (NTIA) your desktop is a general purpose computer and you are using it now. Never doubt that! :-)

 When I
install naked FreeBSD, hardly I can even read PDFs! But I tend to extend
its functionality. I install software for viewing PDFs. Vim for better
text editing. Something for image viewing and video files watching.
But... well, I do not extend its functionality for running arbitrary
remote code, not installing firefox/chromium. I do not want my computer
to do general things -- only those I want to. And my computer even can
not process/view Word documents. Anyway I like that.

This is your personal decision, because evidently you have a very simple lifestyle that exempts you of many needs that the common person must satisfy. You certainly have my respect (as I respect simplicity and uniqueness), but unfortunately this is irrelevant because the rest of the world does not observe you, does not know you exist and, foremost, needs JavaScript for everyday, fundamental activities. Hence, JavaScript will still remain in use on 99% of desktop and mobile computers for the next decade or more.

Hardly a many-million-LOC software (modern browsers) can be ever
considered anyhow, but secure. They are much larger than the whole
operating system, with something like ZFS, full featured network daemons
and LaTeX. For example Theo truly noted that people hardly can secure
even "basic" virtualization technologies, so how can be talk seriously
about sandboxing in much more bloated software?

Defensive programming, sandboxing, modularization, extensibility, unit testing, etc. are all techniques which enlarge the size of the code while increasing its security and web browsers employ them. In addition, the attack surface is not directly proportional to the number of LOC (lucky for us all), so comparing the security of two software by the size of their source code is totally inaccurate.

Agreed. But are we talking about ecommerce, or about the fact, that
someone starts to push me applications (JS scripts) instead of documents
(the WWW, as it was born). Let's completely separate those worlds,
having completely different tasks and nothing in common. JavaScript and
all that beauty rendering things are only intended, useful and aimed for

The world wide web has evolved and end users are more demanding because they want multimedia content, real-time interactions, high accessibility and much more. End users expect the best.

JavaScript is required for chat, A/V streaming, live streaming, security, ecommerce, gaming, social networking, banking, and so on, plus it brings significant benefits in terms of security and accessibility in many other more traditional applications, especially if the site is large and needs faster ways to present information (end users rarely spend more than 30 seconds on a web page if their attention is not immediately captured).

1) I do not want to. Give me the WWW, the Web, distributed network of
documents, not the network of applications. 2) You can have interactivity
just by using something like VNC/telnet/X11 remote input/output sharing.

I hope this is a joke and you are not serious: nobody would grant you remote access to their computer just to show you a document or make a business offer. This has no sense whatsoever.

I assume that Microsoft Windows is used because it is necessary too?
If their needs and tasks are
ecommercing and running Windows-compatible-only videogames, then yes, it
is necessary for them. Web/WWW and web-browsers are about
documents/knowledge sharing. I do not use Windows, have never own
smartphones, do not use bank card -- how can I live without them if they
are necessary? ZFS for me is necessary without any doubts. Do not put
completely various tasks in one basket.

This looks like an attempt of Argumentum ad Passiones based on the words "Microsoft" and "Windows", a dialogue technique to bring an interlocutor into fallacy. Did you really think I wouldn't notice? :-)

For the rest, the overall paragraph is very unrealistic and could only be true if you lived outside of society or are a member of a very recluse community.

Please don't try to associate the fear/negative opinion towards "Microsoft Windows" (proprietary software solution) with JavaScript (standard programming language), because they are totally unrelated.
I wasn't born yesterday fella.

Billions of users can not be wrong?

End users only act to satisfy their needs, there is no right or wrong.
The same goes for webmasters, they want more visitors and so improve their websites to attract and fidelize them.

That is completely silly and lame thing to do: why update the system if
everything already pretty good solved your task? Are any of more modern
browsers version better? Maybe faster, more accessible?

Yes to all, and keeping the system up-to-date is a very important task.
All applications must be kept up-to-date at all times.

challenge demonstrates us that web is just becoming inaccessible more
and more. Literally if I have not updated my browser for half a year:
there will be web-sites (application-sites actually) that won't work at
all (won't display anything).

I'm sorry but I cannot comment on non-neutral and non-official sources of information. "" is a non-authoritative source of information by itself, so there is nothing to confute.

It is common for outdated web browsers to fail to display the latest web pages correctly, just as an older operating system cannot run newer software and an older PDF reader cannot display newer documents correctly. Then it also depends on the ability of the involved webmasters (many are simply not interested in offering retro-compatibility because their visitors are very young) and on the quality of the tested web browser.

And one of reasons to disable JavaScript: security. Untrusted
unauthenticated code can compromise, because of known hardware attack
vectors, everything. It is literally an opened backdoor.  This is not the 
reason to leave widely open known backdoor.
(and that is why I do not use "Linux" :-))

Please don't play on people's fear, it is not fair.

JavaScript runs in multiple sandboxes and is no more or less vulnerable than other web standards.

Obsolete computers are vulnerable and its your responsibility (or the responsibility of your sysadmin) to install the security patches when available. If you don't update your system, disabling JavaScript can only reduce the attack surface and the only solution is to disconnect it from the Internet. If you own vulnerable hardware, don't use it to browse the Internet in the first place.

Also, I'm glad you don't use Linux (in the sense that I like to see diversity), but from my point of view it's neither good nor bad. I am happy when my interlocutor is happy and I am sad when my interlocutor is sad: if the system you are using meets your expectations as mine are satisfied by Linux, I am happy for you.

[...] [...]

I'm sorry but I cannot comment on non-neutral and non-official sources of information. "" is a non-authoritative source of information by itself, so there is nothing to confute.

Simple, the "bad guys" (black hat hackers/crackers/lamers/criminals/...)
would immediately search and find vulnerabilities elsewhere in the formats

That thoughts are complete mess, in my opinion. "Finding bugs in format
parsers/protocols" vs "arbitrary software execution"?

The "arbitrary software execution" you are referring to is more correctly stated as "managed script execution in unprivileged sandbox" and the bugs they may find in format and protocols would allow the real "arbitrary software execution", precisely a "unprivileged arbitrary execution of privileged software by code injection". So, the hypothetical global lack of support for JavaScript would only lead to more serious security vulnerabilities to be found, and in the meanwhile another (potentially more complex) scripting language is created to replace the economic/functional hole left by JavaScript.

Banks could be fully satisfied with TLS/IPsec
secured ordinary HTML forms, BBS/telnet/VNC/whatever remote sessions.
Neither banks, nor governments need to run arbitrary closed software on
my computer.

By law, banks have to discern legitimate users' legitimate web browsers from clients trying to simulate a web browser; they must also carry out checks on a time basis by law, to avoid brute force attacks and complicate the potential thefts of credentials (and I'm sure also other horrible frauds). Banks are forced to use all possible means to secure their web portals.

I am glad ecommerce will disappear, honestly. I loved FidoNet, where all
commerce was consolidated only and only in specialized echoareas and you
literally can be forbidden to access that network if you will advertise
anything in other areas.

Ecommerce will never disappear, it can only increase over time.
If someone told you that ecommerce will disappear, they obviously meant that they are moving to Antarctica, where the Internet connection is absent.

So... if you do not control firmware of your hard drive, that hardly can
influence/prohibit/control much of the things you do on computer, then
you say "damn it! I am not in full control! well, okay, let everyone can
do literally anything on my computer, I allow every Web-server to send
me arbitrary code for execution".

The only solution is to keep the operating system, firmware and web browser up to date. Disabling JavaScript will only reduce the attack surface, if you firmware is vulnerable there will be tons of attack vectors outside the sandbox. Alternatively you can unplug the network cable (after what I've read, I am convinced that you always use a network cable).

What will happen, as has always happened, is that the systems will become
more and more complex and therefore they will run even more and more

Nope. When I moved from Makefiles to redo -- everything became more
simple. When I moved to daemontools+ucspi-tcp, everything became more
simple. When I moved to (for example, that did not happen) OpenBSD,
everything became more simple. And more secure.

Writing of Makefiles, their syntax is horrible and needlessly complex, so literally anything is an improvement; for daemontools and OpenBSD I cannot comment because I lack context.

 Experienced users tend
to throw away enormous complex bloated desktop environments and use tily
tiling window managers. Word -> LaTeX. And so on, and so on.

Those are just people who have a lot of free time and still a lot of experience to do.

Among the many people I met, those who made the most "scene" with their computers were also the most incompetent and arrogant, because the need to appear in a certain way slowed down their intellectual progress and worsened their character. Nowadays I consider "smart" those who can find the solution which is more fit for their work environment, so to allow effective collaboration in the workplace and to easily ensure the working environment does not negatively impact their force of will. For example, I use the MATE Desktop Environment with great satisfaction and avoid like the pest anything that could make the life more complex to me in the early morning, to my family members or eventually to my coworkers.

As nature demonstrates everyday, potential and quality are prevalent in adaptable solutions.

Well, it is okay to read some plaintext or HTML. I really believe that
neither NSA, nor Russian FSB can create such documents, that will
exploit some bug in my less/lynx/whatever.


if you need strong online security, use a secure DNS which filters unsafe 

Someone decides if *I* should visit exact domains? Nah, I do not think so.

You should think otherwise, because you can't know in advance if a domain is safe, as it can be compromised without you knowing. DNS blacklists are very useful and prevent the spread of malware.

If you have a family, you should really take into consideration using a secure DNS server, because preventing is better than curing. Using a safe DNS server, a good firewall and an up-to-date web browser is a better solution than disabling JavaScript on their personal computers allowing their online browsing to be miserable.

if you don't trust the author of a local program, don't make it executable.

Exactly that is what I do! No trustworthy author will try to push his
program for execution on my computer, like modern Web-sites tend to do
all the time.

That's a pretty nasty phrase, because JavaScript programmers might be offended. In fact, the webmasters who use JavaScript (90%) are honest workers and professionals.
You're not advertising your group well with this way of expressing yourself.

It's uneconomical, because colorful, animated web pages help sell products,

Agreed. That is why most people hate advertisements and tries hardly not
to see those annoying animated web pages. I remind that beauty colorful
products selling in completely irrelevant task/need for free software
people, for people in need of sharing information, not selling the
products. Modern Web browsers, JS, CSS: for selling products -- agreed.

Everyone hates advertisements, but they are necessary for everyone, even for those who distribute free software but do not intend to ask for donations, for example. Without ads, you wouldn't be able to download anything for free, because domains, servers and staff have a cost.

From the point of view of security then, since HTTP is stateless and the
telnet/ssh sessions are statefull
Actually that is complete hypocrisy. Because all modern Web-browsers,
HTTP/2 and HTTP/3 are very hardly try to *exactly* leave session
long-lived as much as they can. Literally keeping TLS resumption tickets
for days. telnet/ssh sessions in practice will last only when you work
with the remote side. TCP can be stateless, but not the cookies and
JS storages.
Wrong word. I mean "fallacy".

This does not make the protocols stateful, they remain stateless.
Developers, in fact, have to respect the standard and the state must be kept with distinct means. In addition, webmasters and web server developer cannot base their commits on inconsistent - albeit standard-compliant - client software behavior.

So, in any possible scenario, your are "downgrading" your security. :-)

The only answer is: the world does what is simple and sells well. According
to commercial logic, an FTP server does not help sales, a professional
interactive web page does.

That is true. Because FTP/WWW were not created in selling and money
gathering in mind. They solve another tasks. Modern Web browsers solve
another tasks: controlling the user's computer by pulling pushed
applications on it, to sell, and earn the money.

I read an unmotivably strong way of expressing oneself and a very weak syntax. Are you really convinced of your words?

The vendors of "modern" (correctly called "up-to-date") web browsers are not conspiring against their users (or you), they are just aware that it all depends on the economic growth. One of the purposes of JavaScript (and of all software) is to make money, as people normally have to earn income to live and be useful to their community or to the human kind.

So if you ask me "Can we win against JavaScript and the entire world that
uses it?", my answer is "No pals, you can't."; if you ask me "Can we make
people aware of how JavaScript is implemented?" my answer is "Yes and you
should do it".

Can we win against ecommerce? Of course not! Impossible. Agreed.
But I critiqued only the fact, that you think that ecommerce-related
technologies are needed for completely unrelated tasks like WWW,
distributed documents network. It is literally like saying that Unity
(game engine, as far as I heard) is totally necessary! Maybe yes... for
game designers. However I believe that one can quickly create very
beautiful and interactive, VR-friendly "pages" for even more selling.
You are very right with the subject "JavaScript is only a tool".
It is just missing "for ecommerce" suffix.

There is nothing to win or to lose and ecommerce, while being one of the powerful driving forces behind its development, is only one of the many purposes of JavaScript. JavaScript is necessary and irreplaceable for great part of the websites, either by being a required dependency or by representing a huge improvement for the user experience.

Il 20/07/21 21:29, Sergey Matveev ha scritto:
Seems I have never used general purpose computers actually. When I
install naked FreeBSD, hardly I can even read PDFs! But I tend to extend
its functionality. I install software for viewing PDFs. Vim for better
text editing. Something for image viewing and video files watching.
But... well, I do not extend its functionality for running arbitrary
remote code, not installing firefox/chromium. I do not want my computer
to do general things -- only those I want to. And my computer even can
not process/view Word documents. Anyway I like that.

All messages from/to this account should be considered private.
Messages from/to newsletters should not be reshared.
TZ: Europe/Rome (Italy - CEST).

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]