First, you cannot put on the same level this wide class of attacks with a single broken German site.
Then, I think we should care more about people's safety than about money.
I think this is the core of our disagreement here.
I ask you in all honesty: are you completely sure that the change you ask for is cheap?
I said "cheapest" not "cheap".
It's pretty cheap compared to the risk for millions of people and companies around the world. And compared to the geopolitical hazard of giving the US so much power.
If an attacker wants to get to your data in a hospital or bank, this might be the simplest way to enter the network.
Compared to this, making JS opt-in and safer is the cheapest solution.
The common man has no idea what JavaScript is.
That's why we should protect him. To deserve his trust.
Also, as I said before, I REALLY think that Mozilla, Google, Microsoft, Apple and Opera have the right to pursue their own priorities!
But, they should inform their users. That's it!
To me, this is the core issue here.
With all their copywriters, it should be easy to write a blog post like this:
To each user of Firefox/Google Chrome/IE/Edge/Safari/Opera, on any device:
We want to recall that (as everybody here already knows) by using our browser, every web site you visit (and any CDN they trust) can
put illegal contents on your disk / smartphone
tunnel into your private network, despite your investments in a firewall and corporate proxy
use your computer and bandwidth to attack third parties
perform many other attacks that it's pointless to list here, since you should already know and understand them like we all do.
Also, as you should know, thanks to standard HTTP headers (Cache-Control and so on), you cannot detect them or prove in court that you have been the victim of such attacks and breaches: they leave no evidence.
Note how this is just a reminder: everybody already knows all this, and you should too, since it's all by design: we just abide by the WHATWG Living Standards (that we wrote).
We wish you good browsing!
That's easy, don't you think? :-D
[...] hey please read these 50 different comments and blog posts and opinions I have disseminated around the web about it".
[...] Well, you're trolling a bit about this, because as I said in my previous comment you don't seem willing to do the actual work in furthering your idea, just spamming your links anywhere you can.
You should probably look at things in the obvious chronological order:
I wrote an article, with all the info a professional web programmer needs to fully understand the problem (which, as you say, everybody already knows... but just to be sure...)
Then, given the severity of the issue, I informally informed Mozilla (over Twitter) in a way meant to pass unnoticed by anyone but a competent browser developer
On the Lobsters thread (now censored) no one admitted or denied the problem.
On the bug report I was asked "How would you fix this bug?" and since I had spent hours analyzing the issue, I shared the obvious solutions.
I wrote a trivial exploit (the third I thought of) just because a smart guy over the fediverse reminded me that "you cannot argue with a root shell" (I really didn't think it was required, as obvious as the attacks are for a competent developer... but I saw my younger self stating the same and I thought it would be nice to him to spend a couple of minutes writing a PoC)
And it's possible (think of how Flash and Java were opt-in in the past) and technically easy.
The fact that it is technically easy is totally irrelevant.
To me, instead, it's very important.
We have no excuse!
I refuse to do marketing for this kind of huge threat that affects millions of people worldwide.
If people cannot trust the Information Technology as a whole to fix such a huge vulnerability as soon as possible, their trust is the true vulnerability, not JavaScript.
Somebody on #lobsters IRC channel said "Good luck fighting windmills!".
I thanked him. That's the whole point.
As a programmer, I want to deserve the trust of people around me.
And as a hacker, I feel disgust for this total lack of intellectual honesty.
First, you cannot put on the same level this wide class of attacks with a single broken German site.
My point was: people freaked out because of a seemingly innocuous change; imagine what would happen if all browsers disabled JS tomorrow. You would have millions, possibly billions, of users complaining to the customer care of their favorite websites saying the website is broken.
A lot of people do not understand the difference between Facebook and Web or Browser and Web. They are not stupid, they just don't care.
It's pretty cheap compared to the risk for millions of people and companies around the world.
As with any security risk, you need to trade off actual risk and solutions. I'll quote what @kspeakman wrote here on dev.to:
you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now
And compared to the geopolitical hazard of giving the US so much power.
You know that if I were to be targeted by a very skillful hacker or an agency I would be hacked nonetheless, right? JS in my browser or not.
I'm way more concerned about the security of the data I store on my phone or the fact that we're putting surveillance cameras in our homes than about JS enabled in my browser. Again, it's a trade-off.
But, they should inform their users. That's it!
Sure, and that's a valid point. But you're not arguing for them to add warnings and fix copy editing (warnings that nobody would read anyway but that's another story). You're arguing for them to disable JS everywhere.
I talked with a Mozilla developer who suggested opening a bug report with Mozilla.
Well, it didn't go like that exactly, did it? The first thing Dan Callahan (Mozilla developer) wrote you is:
and then he goes into a lengthy explanation about why he disagrees with your points: some of your premises are incorrect, cookies and HTML can be used to track behavior.
Only after this discussion did Callahan tell you to open the bug to ask for additional opinions.
I'm starting to think you're a well meaning troll, because you're bending the truth ;-)
As you can see, it's not my fault if I have to move from one platform to another.
That's exactly what a troll would say.
And as a hacker, I feel disgust for this total lack of intellectual honesty.
It seems to me that Callahan and Palant have been honest with you discussing the limitations of your argument.
Even Frederik Braun (Security engineer at Mozilla) was part of the conversation!
So it's not true they ignored you, they simply don't agree with you.
I'm sorry Giacomo but I've run out of interest as well. I think you either need to reframe your entire argument or understand that, as they told you on Mastodon, it's not actually going to fix that much unless everyone decides to completely change how the web works.
I'm convinced you truly believe your argument is valid but you're really bad at making valid arguments (despite the fact that someone could be in disagreement) because you conflate many different things, drop blobs of text on everyone and expect them to read various discussions on at least 5 different websites and then... what?
Again: you need to do the work. You haven't convinced me and I'm not a security engineer working on browsers, just a random developer :-)
Now, I've never said that they are ignoring me. I've been banned from Lobsters, after all! ;-)
I've said that they didn't answer this simple question: "Are your users vulnerable to the wide class of attacks described in that bug report?"
They do not have to answer to me, but to their users.
As for me being a troll bending the truth, really: think what you want. :-)
To everybody else: you can read the long and complex conversation from which those toots have been extracted here and here (two links, sorry... UI issue). Just in case you wonder whether there is a troll here...
As for Wladimir Palant (AdBlock CTO!!): I'm sorry, but I was developing the Web before AdBlock was a thing. When JavaScript was a toy and Flash and Java applets were opt-in.
It was very usable. To many, it was more usable than it is today.