The title says it all. This is something that has been lingering in my head for a long time, and I wanted to just dump it out for collecting my thoughts.
This post concentrates entirely on personal computer systems, because it is pointless to even discuss mobile devices, which by design cannot be controlled by the user to the same extent as a PC. Maybe some day I'll write a blog post titled Just say No to Mobile.
Without further introduction, let's dive into the matter.
You might be interested to find out that researchers found hundreds of sites in the Alexa top 50k list using so-called session-replay scripts, which basically means full spying, key-loggers included. Such scripts can:
- Identify a user
- Correlate a user's browsing activity within and across sessions
- Track users without transparency or control
Other things that come along with running arbitrary JS:
- Camera and microphone spying
- Browser vulnerability exploitation
- Aggressive ads, malvertising
Can you really trust your news site? Can you really trust your discussion forum? Even if you personally know the owner of these sites, can you trust that the sites are not hacked, or that the complicated chain of JS libraries they pull in is really completely free of security problems?
What can you do about it?
- Enter "add-on hell" and turn into a full-time security hipster. Endless tweaking and shopping for browser add-ons, switching between browsers and introducing new privacy problems along the way (these add-ons usually require full access to everything).
- Or just say No to JS and turn it off completely. In my experience:
  - Most web sites work just fine. Some functionality may be absent, e.g. images might not be visible.
  - Many web sites load faster.
  - Not so many ads!
  - Most search engines, like DuckDuckGo and Google, work just fine.
Here are some specific, problematic sites and my solution for them:
- Facebook: a dedicated container as a work-around "desktop app" (more about that in the next section).
- Facebook messenger: Emacs ERC with bitlbee.
- YouTube: I could use a dedicated container for YouTube too, but ended up using the wonderful console application youtube-viewer.
- Twitter: Emacs twittering-mode
- Reddit: I tried the console application rtv, but didn't like the user experience. Ended up with a dedicated container.
- Online banking: dedicated containers.
Final thoughts and conclusions
As a conclusion, my solution consists of two extremes: the bulk of the web completely without JS, and dedicated "desktop apps" for the sites that absolutely require JS.
I ended up building these "desktop apps" one by one with the web container technique described here. Some of the web apps have desktop or console alternatives that offer a much better experience without a browser at all (like youtube-viewer/youtube-dl), but that depends on personal taste.
Now, I'm fully aware that my solution to this problem will never be mainstream because of its complexity, but I like to think of it as a sort of prototype of the concept.
I'm a big fan of dedicated desktop applications. Do you still remember those? Yes, those applications that run amazingly fast and over which you have actual control. Those were the days!
Computing goes in cycles. In recent years, I've noticed a few interesting emerging trends:
- Web-based applications packaged as a dedicated browser (electron etc.)
- Sandboxed, packaged desktop applications (flatpak etc.)
Here’s a great series of articles suggesting a JVM-based solution to the core problem.
Maybe we are now heading towards a new era of platform-independent desktop applications that fix many of the usability and security problems of the past? I'm all for it.