DEV Community

Discussion on: I have been banned from Lobste.rs, ask me anything.

 
rhymes

First, you cannot put on the same level this wide class of attacks with a single broken German Site.

My point was: people freaked because of a seemingly innocuous change, imagine what would happen if all browsers disabled JS tomorrow. You would have millions, possibly billions, of users complaining to customer care of their favorite websites saying the website is broken.

A lot of people do not understand the difference between Facebook and Web or Browser and Web. They are not stupid, they just don't care.

It's pretty cheap compared to the risk for millions of people and companies around the world.

As with any security risk, you need to trade off actual risk and solutions. I'll quote what @kspeakman wrote here on dev.to:

you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now

And compared to the geopolitical hazard of giving US so much power.

You know that if I were to be targeted by a very skillful hacker or an agency I would be hacked nonetheless, right? JS in my browser or not.

I'm way more concerned about the security of the data I store on my phone or the fact that we're putting surveillance cameras in our homes than JS enabled in my browser. Again, it's a trade off.

But, they should inform their users. That's it!

Sure, and that's a valid point. But you're not arguing for them to add warnings and fix copy editing (warnings that nobody would read anyway but that's another story). You're arguing for them to disable JS everywhere.

I talked with a Mozilla developer that suggested to open a bug report to Mozilla.

Well, it didn't go like that exactly, did it? The first thing Dan Callahan (Mozilla developer) wrote you is:

a

and then he goes on a lengthy explanation about why he disagrees with your points: some of your premises are incorrect, cookies and HTML can be used to track behavior.

Then, Wladimir Palant (AdBlock CTO!!), responded with:

b

Only after this discussion did Callahan tell you to open the bug to ask for additional opinions.

I'm starting to think you're a well meaning troll, because you're bending the truth ;-)

As you can see, it's not my fault if I have to move from a platform to another.

That's exactly what a troll would say.

And as a hacker, I feel disgust for this total lack of intellectual honesty.

It seems to me that Callahan and Palant have been honest with you discussing the limitations of your argument.

Even Frederik Braun (Security engineer at Mozilla) was part of the conversation!

So it's not true they ignored you, they simply don't agree with you.

I'm sorry Giacomo but I've run out of interest as well. I think you either need to reframe your entire argument or understand that, as they told you on Mastodon, it's not actually going to fix that much unless everyone decides to completely change how the web works.

I'm convinced you truly believe your argument is valid but you're really bad at making valid arguments (despite the fact that someone could be in disagreement) because you conflate many different things, drop blobs of text on everyone and expect them to read various discussions on at least 5 different websites and then... what?

Again: you need to do the work. You haven't convinced me and I'm not a security engineer working on browsers, just a random developer :-)

Giacomo Tesio • Edited

Also, as I said before, I REALLY think that Mozilla, Google, Microsoft, Apple and Opera have the right to pursue their own priorities!

But, they should inform their users. That's it!

Sure, and that's a valid point. But...

No.

That's the whole point. Since the very beginning.

Now, I've never said that they are ignoring me.
I've been banned from Lobsters, after all! ;-)

I've said that they didn't answer this simple question: "Are your users vulnerable to the wide class of attacks described in that bug report?"

They do not have to answer to me, but to their users.


As for me being a troll bending the truth, really: think what you want. :-)

To everybody else: you can read the long and complex conversation from which those toots have been extracted here and here (two links, sorry... UI issue).
Just in case you wonder whether there is a troll here...

As for Wladimir Palant (AdBlock CTO!!): I'm sorry, but I was developing the Web before AdBlock was a thing. When JavaScript was a toy and Flash and Java applets were opt-in.

It was very usable. To many, it was more usable than it is today.