The title says it all. This is something that has been lingering in my head for a long time, and I wanted to just dump it out to collect my thoughts.

This post concentrates entirely on personal computer systems, because it is pointless to even discuss mobile devices, which by design cannot be controlled by the user to the same extent as a PC system. Maybe some day I’ll write a blog post with the title Just say No to Mobile.

I want to make clear that this isn’t about JavaScript as a programming language, or software platform. It’s about the trust model of the Web, or more like a completely absent trust model. JavaScript just happens to be the main language of the modern Web. The same issues also apply to other dynamic content, like Flash and Silverlight.

Without further introduction, let’s dive into the matter.

JavaScript is bad, m’kay

I’ve come to a simple conclusion: JavaScript is no good, and we should do something about it. There are many very serious problems in JavaScript, and they all spring from fundamental design problems (or to be more precise, lack of design) of the Web as we know it today:

  • JavaScript is a full computing platform that can use the browser as a kind of Operating System. It can use the computer’s hardware resources, such as the microphone and camera. It can do arbitrary computation within the limits of the JavaScript sandbox. These limits are not very limiting at all, as we’ll see later.
  • There’s no integrity checking of JavaScript whatsoever. Any web site can link to any 3rd party to push arbitrary JavaScript to your computer, and none of that code is verified to be good. There is no standard mechanism for that (I’m now thinking about code signature systems).
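
To see how much of a page's script comes from elsewhere with nothing pinning its content, here is an added example (not from the original post) that lists third-party scripts in a page's HTML that carry no integrity attribute. The integrity attribute is the opt-in Subresource Integrity hash, not a code signature; the sample HTML and hosts are constructed, and "third party" is approximated by comparing hostnames.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hosts and the integrity value are made up.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.min.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="//ads.example.org/tag.js" async></script>
<script>console.log("inline")</script>
</head></html>
"""

class ScriptAudit(HTMLParser):
    """Collect external <script> tags and whether each is pinned with SRI."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "script" or not attrs.get("src"):
            return  # inline scripts are served as part of the page itself
        url = urljoin(self.page_url, attrs["src"])
        self.scripts.append({
            "url": url,
            # Assumption: a different hostname counts as a third party.
            "third_party": urlsplit(url).hostname != self.page_host,
            "pinned": bool(attrs.get("integrity")),
        })

def unpinned_third_party(html, page_url):
    """Return URLs of third-party scripts loaded without an integrity hash."""
    audit = ScriptAudit(page_url)
    audit.feed(html)
    return [s["url"] for s in audit.scripts if s["third_party"] and not s["pinned"]]

def sri_value(script_bytes):
    """Compute the sha384 value a site would put in the integrity attribute."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

if __name__ == "__main__":
    for url in unpinned_third_party(SAMPLE_HTML, "https://news.example.com/"):
        print("unverified third-party script:", url)
```

Even a pinned script only proves the file matches what the site author chose to include; it says nothing about whether that code is good.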

Here are some examples of specific problems related to JavaScript.

Session-replay scripts

You might be interested to find out that researchers found hundreds of sites in the Alexa top 50k list using so-called session-replay scripts, basically meaning full spying, including key-loggers.

Browser fingerprinting

JavaScript is an integral part of the privacy problem called browser fingerprinting, which can be used to:

  • Identify a user
  • Correlate a user’s browsing activity within and across sessions
  • Track users without transparency or control

Cross-device tracking

Cross-device tracking is a technique where the user’s activities are correlated across multiple devices. For example, an ad platform on your phone might be listening through the microphone to your television, or to ultrasound beacons sent by a piece of JavaScript in your browser. This is totally crazy and scary, all just to sell you stuff you don’t need.

Camera and microphone spying

With the WebRTC API, capturing video and audio with JavaScript is very easy. Fortunately major browsers at least try to make it clear and ask for permissions.

Hacked websites

As of 2018, the world is still full of web sites prone to SQL injection and XSS attacks. How can you be sure your favorite web site is not one of the victims, defaced, and serving you bad JavaScript? Some people even go as far as to say web applications are impossible to secure.

Browser vulnerability exploitation

Browsers are complicated, and JavaScript makes them even more complicated. In a recent Microsoft Patch Tuesday, there was again a handful of fixes for the MS JavaScript engine Chakra.

Aggressive ads, malvertising

Malvertising is an activity where the malicious actor signs up with a legitimate advertising network, and starts to inject malicious links and JavaScript. Needless to say, most advertising platforms require JavaScript to function. Quote from the Wikipedia article: “Malvertising is attractive to attackers because they can be easily spread across a large number of legitimate websites without directly compromising those websites.”

Cryptojacking

Cryptojacking is a prime example of someone making money with your computer without asking your permission. In effect, when you visit a web site that installs cryptojacking JavaScript on your computer (deliberately, or maybe through web site hacking or malvertising), the malicious actor starts converting your electricity into money. That sort of activity used to be called stealing.

Over-complicated ecosystems

This article described the situation quite well in 2016. Today the situation is absolutely ridiculous. The complications of JavaScript are so widespread that there’s even a humorous diagnosis called JS fatigue.

In short, a browser with JavaScript and cookies enabled may be best thought of as a planetary computing system where one voluntarily hands over computing resources to an arbitrary party, offering the resources for free exploitation.

Can you really trust your news site? Can you really trust your discussion forum? Even if you personally know the owner of these sites, can you trust that the sites are not hacked, or that the complicated chain of JS libraries is really completely free of security problems?

When you enter the world of JavaScript, you risk everything else you have done in order to keep your computer under your own control.

What can you do about it?

If you are now convinced that JavaScript is no good, what can you do about it? Options are limited, and very limiting:

  • Enter “add-on hell” and turn into a full-time security hipster. Endless tweaking and shopping of browser add-ons, switching between different browsers and introducing new privacy problems (these add-ons usually require full access to everything).
  • Disable JavaScript entirely.

For many years, I’ve tried the first option, but to be brutally honest, I’m tired of it. It just makes no sense. So I decided to try out the unspeakable, and disabled JavaScript completely.

The JavaScript-free experiment

Many people have done the same experiment, for example here. The author of that article ended up “reluctantly turning on the JavaScript” at the end of the week because of usability problems. In this section, I try to address some of these issues.

I’ve also now used the JavaScript-free web for about a week, and here are some of my observations:

  • Most of the web sites work just fine. Some functionality may be absent; for example, images might not be visible.
  • Many web sites load faster.
  • Not so many ads!
  • Most search engines like DuckDuckGo and Google work just fine.

Obviously there are many web sites that are completely based on JavaScript, and they simply won’t work. Examples of such sites are Facebook, Twitter, online banks etc.

But there’s one interesting trend here: Sites really, truly requiring JavaScript are more like full-blown online applications. They are not sites where you just go and get some information (think of Wikipedia, online manuals, news sites etc.).

Here are some specific, problematic sites and my solution for them:

  • Facebook: dedicated container as a work-around “desktop app” (more information about that in the next section).
  • Facebook messenger: Emacs ERC with bitlbee.
  • YouTube: I could also use a dedicated container for YouTube, but ended up using the wonderful console application youtube-viewer.
  • Twitter: Emacs twittering-mode.
  • Reddit: I tried the console application rtv, but didn’t like the user experience. Ended up with a dedicated container.
  • Online banking: dedicated containers.

Final thoughts and conclusions

In conclusion, my solution consists of two extremes: the bulk of the web completely without JS, and then dedicated “desktop apps” for sites absolutely requiring JS.

I ended up building these “desktop apps” one by one with the web container technique described here. Some of the web apps might have desktop or console alternatives that offer a much better experience without a browser (like youtube-viewer/youtube-dl), but that depends on personal taste.

Now I’m fully aware that my solution to this problem will never be mainstream because of its complexity, but I like to think of it as a sort of prototype of the concept.

As a long-term solution, I’d love to see JavaScript simply go away in its current chaotic form. I’m not objecting to the concept of online applications here; it’s just the technology. I think we are just abusing the original idea of JavaScript, which was to enhance static web pages.

I’m a big fan of dedicated desktop applications. You still remember those? Yes, those applications that run amazingly fast and which you can have actual control over. Those were the days!

Computing goes in cycles. In recent years, I’ve noticed a few interesting emerging trends:

  • Web-based applications packaged as a dedicated browser (electron etc.)
  • Sandboxed, packaged desktop applications (flatpak etc.)

Here’s a great series of articles suggesting a JVM-based solution to the core problem.

Maybe we are now going towards a new era of platform-independent desktop applications that fix many usability and security problems of the past? I’m all for it.