I think there are more appropriate places to talk about it, before escalating that to the browsers...
But AFAIK, there is no faster way to get it fixed.
And actually, I still think they will make JS opt-in before a law will force them to.
Right now (there's nothing inherently wrong with that) you look like a person that is trying to get attention without actually doing the work. Sorry if I sound harsh.
Harsh? Come on! Count how many times I've been called troll, absurd, bizarre, spammer... You are not even trying to be harsh! :-D
But you are wrong: I'm not trying to get attention for me, but for the attacks.
If you want to try to invent more exploits, you are welcome!
Do you want to write a nice Latex paper to publish somewhere? Please do it! You do not even have to cite me! Really!
I do not own that report.
I just want that issue fixed for everybody.
And it's possible (think how Flash and Java were opt-in in the past) and technically easy.
Still don't agree :D
Fine!
But if you change your mind, or if you have more questions, you know where to find me! ;-)
The problem in your reasoning is that software is always the cheapest component to fix.
Is it in this case? Are you totally sure? Did you have lengthy discussions with security experts and browser developers about this?
Remember the Smoosh gate? Developers and vendors panicked for a while because someone proposed to change one single method name in an 11-year-old JavaScript library because Firefox Nightly broke a German website.
I ask you in all honesty: are you completely sure that the change you ask for is cheap?
Opt-in and safer JavaScript is pretty easy to implement for a browser vendor.
You talk about the technical ("hey, you just need to put an if in the code") but the issue here is not how complicated it is to change the code, the issue is totally different.
And it would actually improve the web in many ways.
Sure, I've argued at length on the benefits of disabling JS for slow clients after reading the news about Chrome Android that it's thinking to implement that but again, there's a logical reasoning behind that.
You forget about something though: the common man has no idea what JavaScript is. Yeah there are many people who use adblockers which curb JavaScript usage but they know what advertising means and they install an addon to their browser promising to limit advertising. JavaScript is nowhere to be seen in this conversation.
Your request is totally different, your request is "my opinion is that we should break the entire world wide web because... hey please read these 50 different comments and blog posts and opinions I have disseminated around the web about it".
This will certainly result in millions of people installing any browser that leaves JavaScript on, again not because they know what JS is, but because the websites they like work with that but don't work with the others.
It took Microsoft decades to disable ActiveX, after probably spending years talking to partners and customers and discussing a path away from that. They didn't write a Medium article, then broke the web just for the sake of winning an argument.
I've been called troll, absurd, bizarre, spammer
Well, you're trolling a bit about this, because as I said in my previous comment you don't seem willing to do the actual work in furthering your idea, just spamming your links anywhere you can.
I don't think your idea is absurd, I think you're not grasping the enormity of what you ask.
Can the web survive without JavaScript enabled by default? Probably yes, but not overnight. It will take years, if not decades for developers and content owners to adapt.
Do you want to write a nice Latex paper to publish somewhere? Please do it! You do not even have to cite me! Really!
That's my point, you should be the one doing it. If you managed to convince zero people in all this time this makes me think there's a fallacy in your proposal. If you manage to convince a single security or browser developer, why not writing a paper with them? Or writing it yourself?
This "hey I want to save the web but you do the work for me after you read all these links I disseminated on Mozilla, Chromium, lobsters, medium and on and on" approach is definitely one of the reasons why they're not taking you seriously (also the fact that you totally ignore the part of my response when I asked you if you discussed it at length with experts in the industry)
And it's possible (think how Flash and Java were opt-in in the past) and technically easy.
The fact that it is technically easy is totally irrelevant. Throwing away 3 billion smartphones is technically easy and can be done overnight (it just requires people open the trash can and drop the phone from their hands) but there are many reasons why we don't do it.
It might happen and probably we'll live to see it disabled but I don't think it will be because someone opened an issue on the wrong bug tracker telling people about something they already know ;-)
Random ideas on how you could be taken more seriously quoted by my previous comment:
talk about it with industry experts in public and in private
condense your dozens of disseminated opinions in a single place
then talk about it with industry experts in public and in private
heck, you can even make a website: "weshouldisablejs.com" where you can illustrate your points, the solutions, your opinion on what will happen to the top 100 Alexa websites with JS disabled. Add screenshots and/or videos for some of them. Use large fonts, link opinions of other people that corroborate your thesis, even offer partial gradual solutions and so on
A lot of people are not convinced of climate change despite evidence, scientific consensus, feel good documentaries and visible effects.
If you truly believe in this, do the work and do it right, otherwise it's just words. You might be right (I'm not 100% convinced you are) but my opinion is that you're ineffective if this is your attitude (and the results are showing)
First, you cannot put on the same level this wide class of attacks with a single broken German Site.
Then, I think we should care more about people safety than about money.
I think this is the core of our disagreement here.
I ask you in all honesty: are you completely sure that the change you ask for is cheap?
I said "cheapest" not "cheap".
It's pretty cheap compared to the risk for millions of people and companies around the world. And compared to the geopolitical hazard of giving US so much power.
If an attacker wants to enter your data in a hospital or bank, this might be the simplest way to enter the network.
Compared to this, making JS opt-in and safer is the cheapest solution.
the common man has no idea what JavaScript is.
That's why we should protect him. To deserve his trust.
Also, as I said before, I REALLY think that Mozilla, Google, Microsoft, Apple and Opera have the right to pursue their own priorities!
But, they should inform their users. That's it!
To me, this is the core issue here.
With all their copywriters, it should be easy to write a blog like this:
To each user of Firefox/Google Chrome/IE/Edge/Safari/Opera, on any device:
We want to recall that (as everybody here already knows) by using our browser, every web site you visit (and any CDN they trust) can
put illegal contents on your disk / smartphone
tunnel into your private network, despite your investments in a firewall and corporate proxy
use your computer and bandwidth to attack third parties
many other attacks that it's pointless to list here, since you should already know and understand them like we all do.
Also, as you should know, thanks to standard HTTP headers (Cache-Control and so on), you cannot detect them or prove in a court to have been victim of such attacks and breaches: they leave no evidence.
Note how this is just a recall and everybody already knows all this and you should too since it's all by design: we just abide by the WHATWG Living Standards (that we wrote).
We wish you good browsing!
That's easy, don't you think? :-D
[...] hey please read these 50 different comments and blog posts and opinions I have disseminated around the web about it".
[...] Well, you're trolling a bit about this, because as I said in my previous comment you don't seem willing to do the actual work in furthering your idea, just spamming your links anywhere you can.
You should probably look at things in the obvious chronological order:
I wrote an article, with all info required for a professional web programmer to fully understand the problem (that as you say everybody already knows... but to be sure...)
Then, given the severity of the issue, I informally informed Mozilla (over Twitter) in a way to pass unnoticed by anyone but a competent browser developer
On such lobsters thread (now censored) no one admitted or denied the problem.
On the bug report I was asked "How would you fix this bug?" and since I had spent hours to analyze the issue, I shared the obvious solutions.
I wrote a trivial exploit (the third I thought) just because a smart guy over the fediverse reminded me that "you cannot argue with a root shell" (I really didn't think it was required, as obvious as the attacks are for a competent developer... but I saw myself younger stating the same and I thought it was nice to him to spend a couple of minutes to write a PoC)
And it's possible (think how Flash and Java were opt-in in the past) and technically easy.
The fact that it is technically easy is totally irrelevant.
To me, instead, it's very important.
We have no excuse!
I refuse to do marketing for such kind of huge threats that affect millions of people world wide.
If people cannot trust the Information Technology as a whole to fix such a huge vulnerability as soon as possible, their trust is the true vulnerability, not JavaScript.
Somebody on #lobsters IRC channel said "Good luck fighting windmills!".
I thanked him. That's the whole point.
As a programmer, I want to deserve the trust of people around me.
And as a hacker, I feel disgust for this total lack of intellectual honesty.
First, you cannot put on the same level this wide class of attacks with a single broken German Site.
My point was: people freaked because of a seemingly innocuous change, imagine what would happen if all browsers disabled JS tomorrow. You would have millions, possibly billions, of users complaining to customer care of their favorite websites saying the website is broken.
A lot of people do not understand the difference between Facebook and Web or Browser and Web. They are not stupid, they just don't care.
It's pretty cheap compared to the risk for millions of people and companies around the world.
As with any security risk you need to trade off actual risk and solutions. I'll quote what @kspeakman wrote here on dev.to:
you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now
And compared to the geopolitical hazard of giving US so much power.
You know that if I were to be targeted by a very skillful hacker or an agency I would be hacked nonetheless, right? JS in my browser or not.
I'm way more concerned about the security of the data I store on my phone or the fact that we're putting surveillance cameras in our homes than JS enabled in my browser. Again, it's a trade off.
But, they should inform their users. That's it!
Sure, and that's a valid point. But you're not arguing for them to add warnings and fix copy editing (warnings that nobody would read anyway but that's another story). You're arguing for them to disable JS everywhere.
I talked with a Mozilla developer that suggested to open a bug report to Mozilla.
Well, it didn't go like that exactly, did it? The first thing Dan Callahan (Mozilla developer) wrote you is:
and then he goes on a lengthy explanation about why he disagrees with your points: some of your premises are incorrect, cookies and HTML can be used to track behavior.
Only after this discussion then Callahan told you to open the bug to ask for additional opinions.
I'm starting to think you're a well meaning troll, because you're bending the truth ;-)
As you can see, it's not my fault if I have to move from a platform to another.
That's exactly what a troll would say.
And as a hacker, I feel disgust for this total lack of intellectual honesty.
It seems to me that Callahan and Palant have been honest with you discussing the limitations of your argument.
Even Frederik Braun (Security engineer at Mozilla) was part of the conversation!
So it's not true they ignored you, they simply don't agree with you.
I'm sorry Giacomo but I've run out of interest as well. I think you either need to reframe your entire argument or understand that, as they told you on Mastodon, it's not actually going to fix that much unless everyone decides to completely change how the web works.
I'm convinced you truly believe your argument is valid but you're really bad at making valid arguments (despite the fact that someone could be in disagreement) because you conflate many different things, drop blobs of text on everyone and expect them to read various discussions on at least 5 different websites and then... what?
Again: you need to do the work. You haven't convinced me and I'm not a security engineer working on browsers, just a random developer :-)
Now, I've never said that they are ignoring me. I've been banned from Lobsters, after all! ;-)
I've said that they didn't answer this simple question: "Are your users vulnerable to the wide class of attacks described in that bug report?"
They do not have to answer to me, but to their users.
As for me being a troll bending the truth, really: think what you want. :-)
To everybody else: you can read the long and complex conversation from which those toots have been extracted here and here (two links, sorry... UI issue). Just in case you wonder whether there is a troll here...
As for Wladimir Palant (AdBlock CTO!!): I'm sorry, but I was developing the Web, before AdBlock was a thing. When JavaScript was a toy and Flash and Java applets were opt-in.
It was very usable. To many, it was more usable than it is today.
Here we are.
As you can see, it's not my fault if I have to move from a platform to another.
One might think I'm the victim, not the troll. But really, think as you like: I do not care much about strangers' opinions.
Don't you want to prevent these attacks? Fine!
But you should inform your users.
Well, it didn't go like that exactly, did it? The first thing Dan Callahan (Mozilla developer) wrote you is:
and then he goes on a lengthy explanation about why he disagrees with your points: some of your premises are incorrect, cookies and HTML can be used to track behavior.
Then, Wladimir Palant (AdBlock CTO!!), responded with:
Only after this discussion then Callahan told you to open the bug to ask for additional opinions.
I'm starting to think you're a well meaning troll, because you're bending the truth ;-)
No.
That's the whole point. Since the very beginning.