flat assembler
Message board for the users of flat assembler.
 Home   FAQ   Search   Register 
 Profile   Log in to check your private messages   Log in 
flat assembler > Heap > Why we should always disable JS (and flash)

Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9
Author
Thread Post new topic Reply to topic
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
From a comment about "Electron"

https://what.thedailywtf.com/post/1212135 wrote:
I'm a technical writer - I write manuals, which are available online at our website. Most of them are published in multiple formats at once: ePub, PDF, multi-page HTML (one page is one section), or single page HTML where the entire manual is on one page. This is very useful for searching - if you want to look up what some command or config file does, you open the single page document, hit Ctrl+F, and find exactly what you're looking for if you're a bit smart about it.

Some of these manuals are huge - the biggest one I've seen was close to 800 A4 pages in PDF, and 400-500 pages is not uncommon. That used to be just fine years ago, but then some genius decided to redesign our customer portal. During that process, they came up with a ridiculously ugly style sheet (the text is gray, headings gray, admonitions have a gray background... the website seriously is like 50 shades of gray), but that's not the main problem.

The main problem is that they decided to use some sort of javascript library that relies heavily on regular expressions to do syntax highlighting client-side in the HTML versions. Before, syntax highlighting was done during the build. When we published a guide, the build job that generated the HTML and PDF and ePub did this, once, and then when anyone opened a document in their browser, the browser just rendered any code samples as plain HTML plus some CSS. It was lightning fast. But now, instead of doing this once, it's done "dynamically" on your system every time you open any document, because "that's how modern websites work" or some shit like that. I've never heard a satisfactory explanation. When you open some of our developer documentation that contains a lot of code samples, it brings lesser machines and browsers to their figurative knees. Single-threaded browsers like Firefox without Electrolysis literally hang for minutes at a time, even on fairly powerful hardware (like my desktop with an overclocked i5-6600K and 32 gigs of RAM) - while the fans scream like banshees.

This isn't some kind of small company, it's an international corporation that's basically a nerd household name. We get millions of hits on our docs per month. This one fucking javascript library alone is probably responsible for billions of tons of pollution to be released into our atmosphere over the few years it's been used, for no good reason. Customers complain that they have to use PDFs because they literally can't work with the HTML versions. The website people have been aware of the problem for years. I even made them fix it a little bit so the problem isn't as severe as before - but that just means Firefox now hangs for a minute instead of five minutes. All of this could be very easily avoided by ditching the JS library and doing highlighting at build time, but no, that's not fucking web 4.0 enough. Fucking hell.

Highlighting is mine, not in the original post.
Post 22 Aug 2017, 19:43
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 861
^ perfect example why "fresh layouts" and "modern look" and other buzzword bullshit piss me off. I hope everyone who fucking changes something for the sake of change has a special spot in Hell, assuming that even exists.
Post 22 Aug 2017, 20:19
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
Sites have the ability to track you at will, no need for cookies or canvas tricks for this one:

https://www.ghacks.net/2017/08/29/browsers-leak-installed-extensions-to-sites/ wrote:
By telling apart the two centralized checks that are part of the extension settings validation (either because of the side-channel or because of the different exception behaviors), it is possible to completely enumerate all the installed extensions. It is sufficient for an attacker to simply probe in a loop all existing extensions to precisely enumerate the ones installed in the system.

So what can we do to stop this behaviour? Oh, yeah, here it is ... Smile

https://www.ghacks.net/2017/08/29/browsers-leak-installed-extensions-to-sites/ wrote:
Since these attacks rely on scripts, any script blocker protects against it.

Post 02 Sep 2017, 15:06
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 6948
Location: ˛                              ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣ Posts: 6699
too many sites require script to run Crying or Very sad
Post 03 Sep 2017, 04:07
View user's profile Send private message Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 861
They can just track your IP address tho. If you use VPN for super paranoia, and enable javascript without a VM, you've got bigger problems to deal with than a simple tracking of extensions.
Post 03 Sep 2017, 12:07
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua

Furs wrote:
They can just track your IP address tho.

That doesn't really work though. Many companies have only a few external IP addresses but many internal users. And the one you mentioned, VPNs can also have many users mapped across a few IP addresses. Home users can sometimes restart their access box and get a new IP address. Some ISPs enforce a new IP address every so often. Other ISPs share IP addresses among users using a NAT to reuse the limited v4 address space. Many home users use a router and an internal NAT to share the connection with many devices. People use TOR. People travel from place to place. People steal their neighbours WiFi. People change ISPs. In short, using an IP address as an identifier has problems.
Post 03 Sep 2017, 12:48
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
Zerodium is offering USD1,000,000 for a TOR browser exploit.

https://zerodium.com/tor.html wrote:
ZERODIUM, the premium zero-day acquisition platform, announces and hosts a Tor Browser Zero-Day Bounty. ZERODIUM will pay a total of one million U.S. dollars ($1,000,000) in rewards to acquire zero-day exploits for Tor Browser on Tails Linux and Windows.

But you can see their level of confidence in the JS code.

https://zerodium.com/tor.html wrote:
... technical challenge: develop a fully functional zero-day exploit for Tor Browser with JavaScript BLOCKED!

Post 15 Sep 2017, 21:36
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 6948
Location: ˛                              ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣ Posts: 6699
the whole internet might get reset into different mode because of this challenge, Wink

surely a great time, emerging of new browser that run came with simple built-in programming keyword,

human simply love complexities and more complexities, Laughing
Post 15 Sep 2017, 23:00
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
Post 29 Sep 2017, 03:22
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
Exfiltration of personal data by session-replay scripts
http://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

Exfiltration of personal data by session-replay scripts wrote:
But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.


Quote:
What can go wrong? In short, a lot.

Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.

So what happens if you disable JS? Oh yeah, nothing happens; that's how it should be.
Post 16 Nov 2017, 17:19
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 861
When enabling scripts on a website, always assume it can take over your entire browser as if you ran an app with the same privileges. Smile

When you do that, you realize the extent of damage or spying it can cause, so take measures to protect yourself against that. I wonder, does it also "stream" the screen itself or just keystrokes etc?

BTW how do you watch youtube if you don't use JS at all?
Post 16 Nov 2017, 18:07
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua

Furs wrote:
BTW how do you watch youtube if you don't use JS at all?

I download the mp4 file.
Post 16 Nov 2017, 18:41
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
There is a little more to the above link about "analytics" (aka spying/logging/tracking etc.):

Quote:
The screenshot of Chrome’s network inspector shows the leaked data being sent letter-by-letter as it is typed. The user’s full credit card number, expiration, CVV number, name, and billing address are leaked on this page.

Those data are going to third party sites, not the main site you think you are sending these data to, before you press submit or send.
Post 17 Nov 2017, 10:21
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 861

revolution wrote:
I download the mp4 file.

Mind sharing how? The video download extensions I use only work if the video is "started" which of course requires Javascript.
Post 17 Nov 2017, 13:10
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
I use an add-on for FF called MP4 Downloader.
Post 17 Nov 2017, 13:32
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8, 9

< Last Thread | Next Thread >

Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2005 phpBB Group.

Main index   Download   Documentation   Examples   Message board
Copyright © 2004-2016, Tomasz Grysztar.