• Div0 Blog Editor

Shields Up! Wild West of the Cyberspace

Updated: May 11

The early days of cyberspace were rather safe compared to today's increasingly hostile worldwide wild west, where various hostile governments, criminals, advertisers, and intelligence (or not-so-intelligent) agencies can inject content onto the web pages you visit. Drive-by malware works like a roadside bomb: just head out to pick up your burger — and boom — you are done!

While operating systems (OSes) and web infrastructure providers have been trying to build sandboxes and security frameworks along the highways of cyberspace, the reality is that today there are simply more vulnerable devices out there, happily executing whatever scripts are served by servers and sites you won’t even be aware of when you visit.

There are perhaps 2 fundamental wrongs in the architecture design of the world wide west:

  1. Trust by default. This is a bad idea, but it highlights the origins of the world wide west – a time in society when one could, in fact, trust anyone by default.

  2. Trust too much by default. However, the world is not your friend by default, and trusting anyone is a no-no. This is something that every parent teaches their kids as one of the 1st lessons in life. Still, for some strange reason, cyberspace requires you to abandon many of the wise words from your parents.

There are basically 2 approaches to addressing security. Either one becomes the protégé of someone who can clear up the mess and keep the bad stuff out, or one commits to carefully taking care of oneself. In society, this is typically something many in the so-called western world are keen to delegate to the abstract “State” — a liberal, lawful and impersonal result of the triangle of legislature, jurisdiction and enforcement, kept as far as possible from each other. Some think, and many try to promote, that this is a valid security framework for cyberspace. Other parties may consider more centrally oriented structures of power — something the former won't really like. And at the far end lies the mythic anarchism — a no-no for many. How, then, are the security framework and practices laid out in cyberspace? Interestingly, the abstract State fails to protect non-territorial cyberspace. There are no single dictators, and even personal skills and capabilities are rather limited. In short: it is a mess — a mixture of rival parties competing with each other over authority and ownership of their protégés.

In the meantime, while the forces align themselves and try to work out who is the sheriff in town, what people can do to cast off their naivety is, in practical terms, to disable JavaScript in their browser by default. That is a small step, but it can potentially be a giant leap for humankind. JavaScript is perhaps the most dangerous of the web technologies (after Flash and Silverlight, amongst others). With its new, improved capabilities, it can listen to microphones, watch cameras, draw on screens and open up additional network connections. Much of this can be done without an average user being aware of anything happening, under the cover of a “usual” well-behaving online service. And the truth is, many of these capabilities are used for various legitimate needs. But like any good thing, they can also be used for horribly bad ends.

Luckily, there are some things that can offer protection against the world wide west. For some reason, many of them are not offered to people by default. Maybe someone does not like the idea that people are able to protect themselves? Indeed, in the blurred landscape where various parties compete for legitimacy and authority in cyberspace, it may very well be in the interest of some to keep the masses down. Whatever the case, with small steps one can at least disable JavaScript by default. In the Firefox browser, there are at least 2 ways to do this. One of them is the very detailed NoScript, which offers a strict whitelisting policy for JavaScript execution in the browser context. But, given the complexity of the environment, the settings can be very complex as well. Then there is at least one more, a simple and virtually zero-configuration add-on for Firefox, “Whitelist JavaScript Websites”, which does something that every browser perhaps should offer by default: a single button to toggle JavaScript execution on and off for a single web address. This takes a very broad interpretation of what constitutes a website, but gives a practical and working result.

Installing the add-on should not take more than a minute. After that, your toolbar shows a red malware symbol for every website you visit. This symbol indicates that any and all JavaScript code on the page, wherever it comes from, will not be able to move its feet or hands, or even whistle. Only once you feel confident about being friends with the site can you pull off your shoes, cast off your cloak of invisibility and start to have fun with it. Now you are friends, and you trust that the site will not eat you, at least not for breakfast and not without salt and pepper. This kind of social privacy, freedom and respect is largely, if not completely, absent in the default state of cyberspace. You are forced to be friends with even corrupt State officials, bank clerks, every intelligence agency in the world and even your neighbours and the like. Barely anybody would want to do that in the real world.
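What the "broad interpretation of what constitutes a website" means in practice can be seen by comparing a single per-page toggle with a strict per-origin allowlist. The following is an added example, not code from either add-on: a simplified model in which the page, its script URLs and all function names are constructed for illustration.

```javascript
// Constructed sample: one page and the scripts it tries to load (hypothetical hosts).
const page = {
  url: "https://bank.example/login",
  scripts: [
    "https://bank.example/app.js",
    "https://cdn.example/lib.js",
    "https://ads.tracker.example/pixel.js",
  ],
};

const host = (u) => new URL(u).hostname;

// Model A (assumed): one toggle per visited address. Default deny; once the
// page's host is allowed, every script on the page runs, whatever its origin.
function perPageToggle(page, allowedSites) {
  const allowed = allowedSites.has(host(page.url));
  return page.scripts.filter(() => allowed);
}

// Model B (assumed): strict per-origin allowlist. Each script's own host
// must be listed before that script may run.
function perOriginAllowlist(page, allowedOrigins) {
  return page.scripts.filter((s) => allowedOrigins.has(host(s)));
}

// Hosts whose scripts run under A but not under B: the trust that the
// single toggle extends implicitly to third parties.
function implicitTrust(page, allowed) {
  const strict = new Set(perOriginAllowlist(page, allowed));
  return perPageToggle(page, allowed)
    .filter((s) => !strict.has(s))
    .map(host);
}

console.log(perPageToggle(page, new Set()));              // nothing runs by default
console.log(implicitTrust(page, new Set(["bank.example"])));
```

Both models deny everything until the user acts; the difference is that befriending the site under the single toggle also befriends every third party the site chooses to include.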

The absence of social rites for agreeing on friendships in cyberspace shows itself, on the other side of the coin, as the head of the local bank being able to come and sit in your bedroom, and intelligence officers checking your toilet and stuff. The side effect of disabling JavaScript by default is as obvious as a formal dress. Going to your local bank wearing only a bikini, or visiting the local immigration office in your night pants, might not occur to many. But unknowingly, due to the lack of social customs, skills, traditions, tools and means of communication, we are forced to be friends with even the worst dictators of the world, with virtually anyone.

Disable your JavaScript by default now! It is like putting on decent clothes, shaving or having a shower before going out. If you don’t do it for yourself, do it for the sake of others. Nobody wants to see your font list or screen resolution in any case. And certainly, you should not even give them the possibility of trying to watch or listen to you.

Author

Kristo Helasvuo, Guest Author.

 

All rights reserved.

Division Zero (Div0) © 2017-2020.

Edgis © 2011-2017.