Yes, I think the risks you mention are generally known or at least very unsurprising. But where we really disagree is in how close to reality those risks are. If someone wanted to target me personally and "ruin" my life, they probably could, sure. Even if they didn't use the tools you described, a determined attacker could do so in many other ways. But it makes no sense to live life in fear of conspiracies against single persons. Most (internet) attackers aren't doing that because it does not pay to do so. They want to cast a wide net to snare as many as possible before getting shut down. And if an attacker is targeting a specific person, then the reasons are probably localized to that situation. These are edge cases, not pandemic problems which are worth breaking the web until a rewrite can happen.
Asking users to enable Javascript on a site by site basis will not really solve any problem. Just like EULAs or EU cookie law notices, people will just click it without thought and be annoyed they had to do so.
I think it is clear that we are not going to agree. So, the last word is yours if you want to respond further.
Yes, I think the risks you mention are generally known or at least very unsurprising.
Unsurprising to developers. But the world is large, there are many sensibilities, cultures, issues... trust me: for many many people, these are actual threats.
And if an attacker is targeting a specific person, then the reasons are probably localized to that situation.
Sure. Still there are many "localized attacks" that most companies would like to avoid.
These are edge cases, not pandemic problems which are worth breaking the web until a rewrite can happen.
In many place around the world, all people who make Free Speech something useful are "edge cases".
Asking users to enable Javascript on a site by site basis will not really solve any problem. Just like EULAs or EU cookie law notices, people will just click it without thought and be annoyed they had to do so.
Many users would execute every JavaScript they can reach anyway.
But trust me, banks' systems will have strong policy about what you can or what you cannot execute.
Also, do not forget that it's not just matter of making JS opt-in.
It would not be enough. It also need to be safer.
I think it is clear that we are not going to agree.
We do not need to. History will judge, with time... ;-)
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Yes, I think the risks you mention are generally known or at least very unsurprising. But where we really disagree is in how close to reality those risks are. If someone wanted to target me personally and "ruin" my life, they probably could, sure. Even if they didn't use the tools you described, a determined attacker could do so in many other ways. But it makes no sense to live life in fear of conspiracies against single persons. Most (internet) attackers aren't doing that because it does not pay to do so. They want to cast a wide net to snare as many as possible before getting shut down. And if an attacker is targeting a specific person, then the reasons are probably localized to that situation. These are edge cases, not pandemic problems which are worth breaking the web until a rewrite can happen.
Asking users to enable Javascript on a site by site basis will not really solve any problem. Just like EULAs or EU cookie law notices, people will just click it without thought and be annoyed they had to do so.
I think it is clear that we are not going to agree. So, the last word is yours if you want to respond further.
Unsurprising to developers. But the world is large, there are many sensibilities, cultures, issues... trust me: for many many people, these are actual threats.
Sure. Still there are many "localized attacks" that most companies would like to avoid.
In many place around the world, all people who make Free Speech something useful are "edge cases".
Many users would execute every JavaScript they can reach anyway.
But trust me, banks' systems will have strong policy about what you can or what you cannot execute.
Also, do not forget that it's not just matter of making JS opt-in.
It would not be enough. It also need to be safer.
We do not need to. History will judge, with time... ;-)