Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
15-20 years ago, I'd have agreed with you. But apart from a select few news sites and exceedingly rare static sites, what percentage of websites most users use day to day actually function even minimally without JavaScript?
I'm convinced that in practice, most users would be conditioned to whitelist pretty much every site they visit due to all the breakage. Still a privacy and security improvement, but a massive one? I'm not sure.
Very happy to be convinced otherwise.
Yep, software dev here for a static marketing site for a product. We are in a constant battle with PMs and SEO who want Google tracking, Facebook, TikTok, A/B testing, cursor tracking, etc. We're trying to keep page-speeds fast while loading megabytes of external JS code...
Luckily all that can be blocked by the end user without affecting the site though, all you'd lose is some carousels and accordions etc that are done with a few lines of code.
Tried and can confirm almost every webpage even static ones which could be simple as rock needs truckload of bloat js code to be loaded from ext servers.
It's incredibly annoying, but it gets easier over time as you fill out you whitelist.
One of the big advantages to something like NoScript is that it lets you enable scripts only from certain domains. So you can enable the functionally-required scripts while still blocking other scripts.
But yes, it's a giant pain in the ass. It's absurd that the web has devolved into such a state.
I had been doing this since long time and I am super comfortable with this as most of the websites that I come across does not need JavaScript to function.
Even for the websites that need JavaScript and I need them, I try to replace them with open source apps and clients.
You can list the websites you use and require JavaScript and I can give you alternatives if you want.
Happy to help you.
It's great that it works for you and that you strive to spread your knowledge. Personally, I'm quite happy with my DNS filtering/uBlock Origin and restrictive browser approach and already employ alternatives where feasible in my custom use case.
Thanks for your offer, though!
I agree that most websites don't load without JavaScript, but you don't need seven or more different domains with java allowed for the main site to work. Most sites have their own, plus six google domains, including tag manager, Facebook, etc. I whitelist the website and leave the analytics and tracking domains off.
Here's a counter-argument to yours... disabling javascript can actually make you stand out like a glowing sun. Just like how ad-blockers can be used for fingerprinting, the fact that you're not loading any JS, or any resources it might have fetched, can greatly increase your fingerprint. Along with combining TLS fingerprinting, HTTP headers and HTML/CSS tricks you can still be singled out pretty well without any JS. The fact that you have JS disabled automatically puts you in a very small list of people, so not as many data points are even needed for an accurate fingerprint.
Disabling javascript increases security, and offers a little bit of privacy. Those are both separate from anonymity, but people conflate the three often.
For example, javascript can be made to do arbitrary websoccket or http connections to any ip/hostname your computer has access to — even local networks or localhost.
I use the browser extension Port authority to block it.
Of course, port scanning is used by ebay to scan users computers, and discord.
Disabling javascript prevents websites from tracking exactly what you do on each site, or what local ports you have open. This is definitely an increase in privacy, as it relates to hiding what you're doing. However, you noted it comes at the cost of anonymity, as you become uniquely identifiable.
Of course if you're not blocking js entirely but using something like port authority, then that can potentially be detected and used against you just like I mentioned, so yeah it's a tradeoff you just have to decide on based on your own individual threat model.
You're suggesting a whitelisting approach which I've used for a long time. But in the end, I I was so upset that most websites required me to enable JavaScript for their unique website because they would otherwise be broken. And I was only interested in blocking it for specific webpages so I ended up having a blacklisting approach which I recommend to keep some sanity, but that's my opinion :)
I've been doing this for a few years and eventually got tired of whitelisting websites. I've went as far as using NoScript for fine-grained control, but what's the point? If you need a single feature JS, or a single article on a domain, you will let everything run if you grant the permissions, so why bother?
Better keep JS on and run an up-to-date browser with a custom DNS to filter out known malicious websites. Also, don't visit random links, that's an actually good advice.
You'd end up whitelisting sob many sites that it makes this approach worthless in my opinion.
Instead I've settled on blocking scripts by default and whitelisting subdomains until the site works. It does require more time and effort, but it's probably the only way to meaningfully block parts of javascript apart from just not using that website.
Depending on how exactly you so this, you'll end up with a huge filter list. Mine in uBlock Origin has 245kB when exported.
You do end up whitelisting a lot of sites, but seeing that a site is using Javascript this way lets you weigh up if you feel it's worth the security risk to enable it or not.
This combined with using a DNS over HTTPS or DNS over TLS that filters out things such as Control D is golden
They have several levels on their free DNS. Level zero has no filtering at all. Level one filters out known malware and shit. Level two filters out known malware and advertising. And level three does known malware advertising and social media.
NoScript
I had to switch to uMatrix after NoScript broke all embedded media. It seems to still block all the 3rd party scripts, but allows 1st party by default so less severe website breakage.
Umatrix did not get updates since very long time, is there is a active fork you use?
UMatrix still works fine though. I think Palemoon has their own fork of UMatrix they maintain.
Unfortunately no, I haven't found a fork under active development.
Should be on by default lol
Thanks for the heads up.
I prefer to block the bad scripts with uBlock/AdGuard and use the rest of them.
The security part is the reason I use NoScript to do this. We've all typo squatted sites we visit, I'm sure. But if I typo squat a site I frequently visit and see the JavaScript disabled, it forces me to recheck I'm on the right site. Granted it's only happened once where I didn't realize I typo'd until seeing it was disabled, but it only takes 1 time to lose everything...
Not sure the fingerprint concerns are too major for me either. Hopefully most scenarios, I'm flagged as a bot or crawler and out of some data that would otherwise have been collected. Who knows. I imagine that JavaScript makes up for way more fingerprinting though.
For critical functionality like banking and stuff it's also a good idea to put a bookmark to the right site on the toolbar and then only ever access it via bookmarks.