DEV Community

I have been banned from Lobste.rs, ask me anything.

Giacomo Tesio on September 11, 2018

Let me start by saying that Lobste.rs is a great community that I enjoyed for more than a year. Several very smart guys hang out there, and I got gr...
 
rhymes

I think you mean well but I totally agree with the response you had on Firefox's and Chromium's bug trackers.

The first thing they said on Firefox's bug tracker:

This is not a bug in Firefox.
Bugzilla is not a discussion forum.

Furthermore, what you seek to discuss is not specific to Mozilla or Firefox.

And then on Chromium's:

Filing a bug here isn't the way to change web standards no matter how you feel about them.

I agree, you opened an issue on both bug trackers pasting tons of content (not an actual bug of the browser) and the recipe you gave is: disable JavaScript everywhere.

The rest of the page is you discussing your world view and potential threats in the wrong environment.

I'm not debating the validity of your argument but I think you raised it in the wrong places. As said by one of the people that responded to you (a security engineer at Mozilla!):

To clarify, this post is not intended to stop the discussion. It just needs to move to a forum that is meant for discussions.
Please read our etiquette and contributor guidelines at bugzilla.mozilla.org/page.cgi?id=e....

:-)

Giacomo Tesio • Edited

I think that if people can be attacked or leak personal information through my software, it's a bug in such software.

I agree this is a bug in the very design of the Web that Mozilla promoted since the invention of WHATWG.

However expensive, though, it's a bug.

Now, given how WHATWG's Living Standards work, you have to fix the implementations to fix the standards.

Thus I started by opening a bug report with the browser that (pretends to) care about its users' privacy.

Then I reported the issue to Chromium too because, to my knowledge, they are also affected.

Note: I was also advised to open these issues by an Italian lawyer specialized in IT, because, according to him, once the issue is known both organisations can be held accountable for breaches that occurred through their software.

And, since they are members of WHATWG, the same should be true for WHATWG and each of their members.

That's why I think that those trackers were the proper place to describe this wide set of attacks.

rhymes

What you're describing though is not a bug, it's a flaw in how the web works. That doesn't mean that your reasoning is wrong, it's just that you're barking up the wrong tree.

The fact that I can die riding in a car is not a bug of the car maker (I can die in any car); it's an inherent flaw in transportation :D

I think there are more appropriate places to talk about it, before escalating that to the browsers:

  • security mailing lists
  • working groups
  • public forums
  • Twitter (seriously, most security, browsers and JS developers are on Twitter)
  • dev.to :D
  • Hacker News

Then when you get traction (and have discussed possible solutions at length with other developers expert in the subject matter) you can open bugs in the browsers' bug trackers with actual possible solutions.

Right now (there's nothing inherently wrong with that) you look like a person that is trying to get attention without actually doing the work. Sorry if I sound harsh.

Note: I was also advised to open these issues by an Italian lawyer specialized in IT, because, according to him, once the issue is known both organisations can be held accountable for breaches that occurred through their software.

This is almost science fiction though. You're describing, again, a flaw in how the web works and thinking about suing browser makers? Getting lawyers involved (based on what?) is sure a way to have a friendly discussion about something that might end up being really important for everyone...

Do you see where I'm going?

That's why I think that those trackers were the proper place to describe this wide set of attacks.

Still don't agree :D

Giacomo Tesio • Edited

The problem in your reasoning is that software is always the cheapest component to fix.

Opt-in and safer JavaScript is pretty easy to implement for a browser vendor.

And it would actually improve the web in many ways.

I think there are more appropriate places to talk about it, before escalating that to the browsers...

But AFAIK, there is no faster way to get it fixed.

And actually, I still think they will make JS opt-in before a law forces them to.

Right now (there's nothing inherently wrong with that) you look like a person that is trying to get attention without actually doing the work. Sorry if I sound harsh.

Harsh? Come on! Count how many times I've been called troll, absurd, bizarre, spammer... You are not even trying to be harsh! :-D

But you are wrong: I'm not trying to get attention for me, but for the attacks.

If you want to try to invent more exploits, you are welcome!

Do you want to write a nice LaTeX paper to publish somewhere? Please do it! You do not even have to cite me! Really!

I do not own that report.

I just want that issue fixed for everybody.

And it's possible (think how Flash and Java were opt-in in the past) and technically easy.

Still don't agree :D

Fine!

But if you change your mind, or if you have more questions, you know where to find me! ;-)

rhymes

The problem in your reasoning is that software is always the cheapest component to fix.

Is it in this case? Are you totally sure? Did you have lengthy discussions with security experts and browser developers about this?

Remember the Smoosh gate? Developers and vendors panicked for a while because someone proposed to change one single method name in an 11-year-old JavaScript library because Firefox Nightly broke a German website.

I ask you in all honesty: are you completely sure that the change you ask for is cheap?

Opt-in and safer JavaScript is pretty easy to implement for a browser vendor.

You talk about the technical ("hey, you just need to put an if in the code") but the issue here is not how complicated it is to change the code; the issue is totally different.

And it would actually improve the web in many ways.

Sure, I've argued at length on the benefits of disabling JS for slow clients after reading the news about Chrome Android thinking of implementing that, but again, there's a logical reasoning behind that.

You forget about something though: the common man has no idea what JavaScript is. Yeah there are many people who use adblockers which curb JavaScript usage but they know what advertising means and they install an addon to their browser promising to limit advertising. JavaScript is nowhere to be seen in this conversation.

Your request is totally different, your request is "my opinion is that we should break the entire world wide web because... hey please read these 50 different comments and blog posts and opinions I have disseminated around the web about it".

This will certainly result in millions of people installing any browser that leaves JavaScript on, again not because they know what JS is, but because the websites they like work with that but don't work with the others.

It took Microsoft decades to disable ActiveX, after probably spending years talking to partners and customers and discussing a path away from that. They didn't write a Medium article, then break the web just for the sake of winning an argument.

I've been called troll, absurd, bizarre, spammer

Well, you're trolling a bit about this, because as I said in my previous comment you don't seem willing to do the actual work in furthering your idea, just spamming your links anywhere you can.

I don't think your idea is absurd, I think you're not grasping the enormity of what you ask.

Can the web survive without JavaScript enabled by default? Probably yes, but not overnight. It will take years, if not decades for developers and content owners to adapt.

Do you want to write a nice LaTeX paper to publish somewhere? Please do it! You do not even have to cite me! Really!

That's my point, you should be the one doing it. If you managed to convince zero people in all this time this makes me think there's a fallacy in your proposal. If you manage to convince a single security or browser developer, why not write a paper with them? Or write it yourself?

This "hey I want to save the web but you do the work for me after you read all these links I disseminated on Mozilla, Chromium, Lobsters, Medium and on and on" approach is definitely one of the reasons why they're not taking you seriously (also the fact that you totally ignore the part of my response when I asked you if you discussed it at length with experts in the industry).

And it's possible (think how Flash and Java were opt-in in the past) and technically easy.

The fact that it is technically easy is totally irrelevant. Throwing away 3 billion smartphones is technically easy and can be done overnight (it just requires people to open the trash can and drop the phone from their hands) but there are many reasons why we don't do it.

It might happen and probably we'll live to see it disabled but I don't think it will be because someone opened an issue on the wrong bug tracker telling people about something they already know ;-)

Random ideas on how you could be taken more seriously, quoted from my previous comment:

  • talk about it with industry experts in public and in private
  • condense your dozens of disseminated opinions in a single place
  • then talk about it with industry experts in public and in private
  • heck, you can even make a website: "weshouldisablejs.com" where you can illustrate your points, the solutions, your opinion on what will happen to the top 100 Alexa websites with JS disabled. Add screenshots and/or videos for some of them. Use large fonts, link opinions of other people that corroborate your thesis, even offer partial gradual solutions and so on

A lot of people are not convinced of climate change despite evidence, scientific consensus, feel good documentaries and visible effects.

If you truly believe in this, do the work and do it right, otherwise it's just words. You might be right (I'm not 100% convinced you are) but my opinion is that you're ineffective if this is your attitude (and the results are showing)

Giacomo Tesio • Edited

First, you cannot put on the same level this wide class of attacks with a single broken German Site.

Then, I think we should care more about people's safety than about money.

I think this is the core of our disagreement here.

I ask you in all honesty: are you completely sure that the change you ask for is cheap?

I said "cheapest" not "cheap".

It's pretty cheap compared to the risk for millions of people and companies around the world. And compared to the geopolitical hazard of giving the US so much power.

If an attacker wants to enter your data in a hospital or bank, this might be the simplest way to enter the network.

Compared to this, making JS opt-in and safer is the cheapest solution.

the common man has no idea what JavaScript is.

That's why we should protect him. To deserve his trust.

Also, as I said before, I REALLY think that Mozilla, Google, Microsoft, Apple and Opera have the right to pursue their own priorities!

But, they should inform their users. That's it!

To me, this is the core issue here.

With all their copywriters, it should be easy to write a blog like this:

To each user of Firefox/Google Chrome/IE/Edge/Safari/Opera, on any device:

We want to recall that (as everybody here already knows) by using our browser, every web site you visit (and any CDN they trust) can

  • put illegal content on your disk / smartphone
  • tunnel into your private network, despite your investments in a firewall and corporate proxy
  • use your computer and bandwidth to attack third parties
  • many other attacks that it's pointless to list here, since you should already know and understand them like we all do.

Also, as you should know, thanks to standard HTTP headers (Cache-Control and so on), you cannot detect them or prove in court that you have been a victim of such attacks and breaches: they leave no evidence.

Note how this is just a recall and everybody already knows all this and you should too since it's all by design: we just abide by the WHATWG Living Standards (that we wrote).

We wish you good browsing!

That's easy, don't you think? :-D

[...] hey please read these 50 different comments and blog posts and opinions I have disseminated around the web about it".

[...] Well, you're trolling a bit about this, because as I said in my previous comment you don't seem willing to do the actual work in furthering your idea, just spamming your links anywhere you can.

You should probably look at things in the obvious chronological order:

  1. I wrote an article, with all the info required for a professional web programmer to fully understand the problem (that as you say everybody already knows... but to be sure...)
  2. Then, given the severity of the issue, I informally informed Mozilla (over Twitter) in a way that would pass unnoticed by anyone but a competent browser developer
  3. I talked with a Mozilla developer who suggested opening a bug report with Mozilla.
  4. I opened the bug report as he said and it was closed referencing a Lobsters thread to continue the discussion
  5. On that Lobsters thread (now censored) no one admitted or denied the problem.
  6. On the bug report I was asked "How would you fix this bug?" and since I had spent hours analyzing the issue, I shared the obvious solutions.
  7. I wrote a trivial exploit (the third I thought of) just because a smart guy over the fediverse reminded me that "you cannot argue with a root shell" (I really didn't think it was required, as obvious as the attacks are to a competent developer... but I saw my younger self stating the same and I thought it would be nice to him to spend a couple of minutes writing a PoC)
  8. I have been banned from Lobsters.

Here we are.

As you can see, it's not my fault if I have to move from one platform to another.

One might think I'm the victim, not the troll. But really, think as you like: I do not care much about strangers' opinions.

And it's possible (think how Flash and Java were opt-in in the past) and technically easy.

The fact that it is technically easy is totally irrelevant.

To me, instead, it's very important.

We have no excuse!

I refuse to do marketing for such kind of huge threats that affect millions of people worldwide.

If people cannot trust the Information Technology as a whole to fix such a huge vulnerability as soon as possible, their trust is the true vulnerability, not JavaScript.

Somebody on #lobsters IRC channel said "Good luck fighting windmills!".

I thanked him. That's the whole point.

As a programmer, I want to deserve the trust of people around me.

And as a hacker, I feel disgust for this total lack of intellectual honesty.

Don't you want to prevent these attacks? Fine!

But you should inform your users.

rhymes

First, you cannot put on the same level this wide class of attacks with a single broken German Site.

My point was: people freaked because of a seemingly innocuous change, imagine what would happen if all browsers disabled JS tomorrow. You would have millions, possibly billions, of users complaining to customer care of their favorite websites saying the website is broken.

A lot of people do not understand the difference between Facebook and Web or Browser and Web. They are not stupid, they just don't care.

It's pretty cheap compared to the risk for millions of people and companies around the world.

As with any security risk you need to trade off actual risk and solutions. I'll quote what @kspeakman wrote here on dev.to:

you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now

And compared to the geopolitical hazard of giving the US so much power.

You know that if I were to be targeted by a very skillful hacker or an agency I would be hacked nonetheless, right? JS in my browser or not.

I'm way more concerned about the security of the data I store on my phone or the fact that we're putting surveillance cameras in our homes than JS enabled in my browser. Again, it's a trade off.

But, they should inform their users. That's it!

Sure, and that's a valid point. But you're not arguing for them to add warnings and fix copy editing (warnings that nobody would read anyway but that's another story). You're arguing for them to disable JS everywhere.

I talked with a Mozilla developer who suggested opening a bug report with Mozilla.

Well, it didn't go like that exactly, did it? The first thing Dan Callahan (Mozilla developer) wrote you is:

a

and then he goes on a lengthy explanation about why he disagrees with your points: some of your premises are incorrect, cookies and HTML can be used to track behavior.

Then, Wladimir Palant (AdBlock CTO!!), responded with:

b

Only after this discussion did Callahan tell you to open the bug to ask for additional opinions.

I'm starting to think you're a well meaning troll, because you're bending the truth ;-)

As you can see, it's not my fault if I have to move from one platform to another.

That's exactly what a troll would say.

And as a hacker, I feel disgust for this total lack of intellectual honesty.

It seems to me that Callahan and Palant have been honest with you discussing the limitations of your argument.

Even Frederik Braun (Security engineer at Mozilla) was part of the conversation!

So it's not true they ignored you, they simply don't agree with you.

I'm sorry Giacomo but I've run out of interest as well. I think you either need to reframe your entire argument or understand that, as they told you on Mastodon, it's not actually going to fix that much unless everyone decides to completely change how the web works.

I'm convinced you truly believe your argument is valid but you're really bad at making valid arguments (despite the fact that someone could be in disagreement) because you conflate many different things, drop blobs of text on everyone and expect them to read various discussions on at least 5 different websites and then... what?

Again: you need to do the work. You haven't convinced me and I'm not a security engineer working on browsers, just a random developer :-)

Giacomo Tesio • Edited

Also, as I said before, I REALLY think that Mozilla, Google, Microsoft, Apple and Opera have the right to pursue their own priorities!

But, they should inform their users. That's it!

Sure, and that's a valid point. But...

No.

That's the whole point. Since the very beginning.

Now, I've never said that they are ignoring me.
I've been banned from Lobsters, after all! ;-)

I've said that they didn't answer this simple question: "Are your users vulnerable to the wide class of attacks described in that bug report?"

They do not have to answer to me, but to their users.


As for me being a troll bending the truth, really: think what you want. :-)

To everybody else: you can read the long and complex conversation from which those toots have been extracted here and here (two links, sorry... UI issue).
Just in case you wonder whether there is a troll here...

As for Wladimir Palant (AdBlock CTO!!): I'm sorry, but I was developing the Web before AdBlock was a thing. When JavaScript was a toy and Flash and Java applets were opt-in.

It was very usable. To many, it was more usable than it is today.

Kasey Speakman

The issue you point out is totally valid. However, I would tend to agree that it is not a bug. It feels a lot more like a needed security feature to put on the backlog to implement. Software development is iterative after all, and with JS's initial release the world just settled for "getting it working". Then later has gone back to address various security issues that adding more features has created.

I believe the reason you come off as antagonistic is because you are passionate about a very real danger. But you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now. Browsing the web has been risky for quite a while. Visiting an unknown site that no one has recommended to you is at your own peril. You can easily get viruses, malware, or hacked by doing so. Sites who are actually concerned about security can implement things in such a way to ensure better security. But ultimately the user has the only real choice in the matter.

So the feature request for browsers might be to grade site security based on the employed security features and vulnerabilities, and warn the user when the grade is below a certain threshold. Similar to the TLS warnings. But this kind of feature has a consequence that the barrier to entry in building websites just got a lot higher. Not to mention being pretty hard to implement checks across disparate and unstandardized features which provide a fair grade. But I would love the fact that injected ads would probably bring a low score. :)

So anyway, my perspective is that things have to work this way necessarily to work at all for now. And it certainly has benefits... the good as well as the bad have a lower barrier to make web apps. (The barrier is already pretty high nowadays.) Frankly, it will likely take major incidents to catalyze support, standardization, and streamlining of security procedures such that sites could be accurately graded quickly enough to not disrupt the browsing experience. But I say keep fighting the fight to improve the situation. It's worth doing.

Giacomo Tesio • Edited

Thanks for sharing your opinion but I think we disagree at a very basic level, pretty well summarized by this sentence:

But you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now.

I do not think people are aware that any site they visit could send them (but only to them, not to everybody) malicious JavaScript that can enter their private networks, probe and access the services available there.

Nor are they aware that any web site they visit could learn their political or sexual interests by timing the load time of specific third party pages or images (a trivial timing attack on the browser cache) and then blackmail them to extort money (or worse just disclose them to hurt their reputation).

Moreover I do not think that any Government or company is aware of or would accept these sorts of risks. A single naive employee using Wi-Fi to read an article like this could open a breach.

Not to mention the fact that any CDN could do the same through third party sites.

I do not think people understand or accept all this.

On the other hand, most people would understand a simple browser that asks them to enable JavaScript execution on a per website basis, as they did years ago while enabling Flash or Java applets.

Opt-in JavaScript might hurt some business models that rely on the blind execution of code on your PC, but it would not change the usability of the web too much.

It would not break the Web, it would fix it.

Kasey Speakman

Yes, I think the risks you mention are generally known or at least very unsurprising. But where we really disagree is in how close to reality those risks are. If someone wanted to target me personally and "ruin" my life, they probably could, sure. Even if they didn't use the tools you described, a determined attacker could do so in many other ways. But it makes no sense to live life in fear of conspiracies against single persons. Most (internet) attackers aren't doing that because it does not pay to do so. They want to cast a wide net to snare as many as possible before getting shut down. And if an attacker is targeting a specific person, then the reasons are probably localized to that situation. These are edge cases, not pandemic problems which are worth breaking the web until a rewrite can happen.

Asking users to enable Javascript on a site by site basis will not really solve any problem. Just like EULAs or EU cookie law notices, people will just click it without thought and be annoyed they had to do so.

I think it is clear that we are not going to agree. So, the last word is yours if you want to respond further.

Giacomo Tesio • Edited

Yes, I think the risks you mention are generally known or at least very unsurprising.

Unsurprising to developers. But the world is large, there are many sensibilities, cultures, issues... trust me: for many many people, these are actual threats.

And if an attacker is targeting a specific person, then the reasons are probably localized to that situation.

Sure. Still there are many "localized attacks" that most companies would like to avoid.

These are edge cases, not pandemic problems which are worth breaking the web until a rewrite can happen.

In many places around the world, all people who make Free Speech something useful are "edge cases".

Asking users to enable Javascript on a site by site basis will not really solve any problem. Just like EULAs or EU cookie law notices, people will just click it without thought and be annoyed they had to do so.

Many users would execute every JavaScript they can reach anyway.

But trust me, banks' systems will have strong policies about what you can or cannot execute.

Also, do not forget that it's not just a matter of making JS opt-in.

It would not be enough. It also needs to be safer.

I think it is clear that we are not going to agree.

We do not need to. History will judge, with time... ;-)

Ben Halpern

Since you're newish here, what have you thought about dev.to thus far?

Giacomo Tesio • Edited

Well, so far it feels good. :-)

The core feature of a community, to me, is the curiosity of members.

To a hacker, curiosity means intellectual honesty, as you want to learn more than you want to win an argument. So far I've got good dialogues here and this is a good sign.

Also, I like that everybody can read dev.to with JavaScript disabled.

I'm a bit confused by the markdown flavor here, since I cannot use the usual "double spaces at eol" to put a BR tag. But I can live with it. :-)

Ben Halpern

Thanks for the feedback. Markdown flavors are really tough to get right, but we'll try to bring clarity and/or configuration as things progress.

want to learn more than you want to win an argument.

Of course, as an administrator, we hope all members keep the dialog constructive, and I think this is a great approach.

What we try to encourage is the asking of questions rather than always just commenting on posts and articles. Usually, OP would love to elaborate on certain parts.

Giacomo Tesio

I think it's a good approach.

"Good question!" is the best compliment a hacker can give.

Giacomo Tesio

Another little feedback about dev.to:

  • I loved the Sponsor settings: I think that it's very respectful of people that share content here
  • I loved the RSS import feature
  • I'd like to have access to basic log info about my articles here, to build a poor man's analytics (even just referrals and visit time would do)
 
Nested Software

I think the fundamental problem is that most regular people who use the Web don't really care about security. They'll only care about security if they're personally affected in a serious way by a breach. So far, this has not affected enough people in a serious enough way for it to really matter to most regular computer and internet users.

Because of this, there isn't much pressure on browser developers to radically re-imagine browser security. There's a lot more pressure on them to make things convenient and easy.

Giacomo Tesio • Edited

most regular people who use the Web don't really care about security.
[...]
Because of this, there isn't much pressure on browser developers to radically re-imagine browser security.

True.

Most people do not understand networking enough to ponder the risks.

But why do we set up SSL certificates?
Why do we teach them not to execute programs they receive by email?

We try to protect them.

To some, it's just a matter of empty marketing.
Others do that as part of a strategy toward centralization or for fear of the law.
Others do that because... they cannot do otherwise.

There's a lot more pressure on them to make things convenient and easy.

This cannot be a justification, however.

And a safer JavaScript that people opt in to on a per-website basis wouldn't make the web worse, but better: easier to use and more convenient to most people.

Andrew Lucker

Charming

Giacomo Tesio

Except that in the fable everybody laughs at the king, not at the kid! :-)

Thanks for the suggestion, I'll surely try your script.

Note however that I'm not afraid for my own security.

Even if nobody could prove the attack in court, a simple logging proxy could detect it. Then it's just a matter of how to fight back! ;-)

The problem is for everybody else!

Thanks to Mozilla, Google and friends most people stay vulnerable because they are not aware of the risks!
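
The logging-proxy detection mentioned in the comment above, sketched for one of the attacks discussed in this thread: a page from a public site making the browser request private-network addresses. This is an added example, not code from the thread or its participants; the log format, the internal-name suffix list, the `scan_threshold` value and all function names are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of a plain-HTTP forward-proxy log (assumed format):
# timestamp, client address, method, requested URL, quoted Referer ("-" if absent).
SAMPLE_LOG = """\
2018-09-11T10:00:01Z 10.0.0.23 GET http://news.example/article "-"
2018-09-11T10:00:02Z 10.0.0.23 GET http://cdn.example/app.js "http://news.example/article"
2018-09-11T10:00:03Z 10.0.0.23 GET http://192.168.1.1/ "http://news.example/article"
2018-09-11T10:00:03Z 10.0.0.23 GET http://192.168.1.2:8080/ "http://news.example/article"
2018-09-11T10:00:04Z 10.0.0.23 GET http://127.0.0.1:631/printers "http://news.example/article"
2018-09-11T10:00:09Z 10.0.0.40 GET http://intranet.corp.internal/wiki "http://intranet.corp.internal/"
2018-09-11T10:00:12Z 10.0.0.40 GET http://10.0.0.5/status "http://blog.example/post"
"""


def is_internal_host(host):
    """True for private, loopback or link-local IP literals and local-only names."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: fall back to a name heuristic (suffix list is an assumption).
        return host == "localhost" or host.endswith((".local", ".internal", ".lan"))
    return ip.is_private or ip.is_loopback or ip.is_link_local


def endpoint(url):
    """Return (hostname, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # malformed port in the logged URL
        port = None
    if port is None:
        port = {"http": 80, "https": 443}.get(parts.scheme)
    return parts.hostname, port


def parse_line(line):
    """Split one log line into a record, or None if it does not match the format."""
    try:
        fields = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if len(fields) != 5:
        return None
    ts, client, method, url, referer = fields
    return {"ts": ts, "client": client, "method": method, "url": url,
            "referer": None if referer == "-" else referer}


def find_cross_boundary_requests(log_text, scan_threshold=3):
    """Flag requests to internal hosts that were triggered by a page on a public site.

    Attribution relies on the Referer header, so requests sent without one
    (for example after an HTTPS-to-HTTP downgrade) are not attributed to a site.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] is None:
            continue
        dest_host, dest_port = endpoint(rec["url"])
        ref_host, _ = endpoint(rec["referer"])
        if is_internal_host(dest_host) and ref_host and not is_internal_host(ref_host):
            groups[(rec["client"], ref_host)].append((rec["ts"], dest_host, dest_port))

    findings = []
    for (client, site), hits in sorted(groups.items()):
        targets = sorted({(host, port) for _, host, port in hits}, key=str)
        findings.append({
            "client": client,
            "referring_site": site,
            "first_seen": min(ts for ts, _, _ in hits),
            "internal_targets": targets,
            # Several distinct internal targets from one page looks like probing.
            "verdict": "possible-scan" if len(targets) >= scan_threshold else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_cross_boundary_requests(SAMPLE_LOG):
        print(finding)
```

A proxy only sees what is routed through it, so this assumes internal destinations are not on the browser's proxy bypass list.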

rain1

hey Shamar, I made this as a result of our discussions rain-1.github.io/in-browser-localh...

Giacomo Tesio • Edited

Nice!

I really think you should add a reference to your hack to the bug report at bugzilla.mozilla.org/show_bug.cgi?...

(And maybe you could reference the bug report from your page so that people landing there can learn about a few other attacks they are vulnerable to)

Once you realize that you can gain control of the IPs, the bandwidth, the RAM, the CPU and the disk of your victims (and potentially other resources too) it's just a matter of fantasy to ideate attacks.