[linux-elitists] Browser fingerprinting

Cathal Garvey cathalgarvey at cathalgarvey.me
Tue Oct 15 05:16:21 PDT 2013


> Javascript can be controlled by being recompiled into the Caja subset
> of javascript.
I've been thinking along these lines, all right.
So what functions of Javascript are nonessential to the concept of a
"rich webapp" but useful for abuse and fingerprinting? If you could
strip JS down to a set of awesome functions that reduce the abuse
potential, what stuff would you strip out?

A lot of the nasty stuff isn't even JS engine stuff, it's DOM stuff
from the browser being made available to JS, so it's not entirely
linguistic. A lot of it's bad API, probably much harder to fix.

Still, reduced-set JS, with an in-browser standard for verifying signed
JS code, would be great. I'm often boggled when I think this over that
RMS forgot to include code signing in his suggestion for how to mark up
non-trivial JS with source code and license text; I figured "code
verification" would be a crucial part of the Free Software philosophy
when it comes to drive-by code.

Another crucial change I'd like to see: immutable javascript. When
including a script with the <script> tag, there should be an attribute
"immutable=true" and another saying "opaque=true" that prevents *code
in the page* from reading or modifying that script, while not
preventing the user from reading or auditing the code. Ability of
dynamically included/injected JS to fuck up or spy on other JS on the
page is the principal reason that you can't trust JS-crypto even if you
trust the host.

On Tue, 15 Oct 2013 21:51:46 +1000
"James A. Donald" <jamesd at echeque.com> wrote:

> On 2013-10-15 19:54, Cathal Garvey wrote:
> >> with folks that refuse to run JavaScript
> > Not "JavaScript"; "Unverified, potentially malicious code with a
> > rich history of exploits inside a frame I use to navigate the online
> > world". It wouldn't matter if the code was LISP or Python; the
> > problem isn't the language, it's the context.
> >
> > That said, I do run Javascript, albeit through NoScript. I just wish
> > there were more fine-grained policy restrictions I could place on
> > it, such as "No XmlHttpRequest/Websocket" or "No browser
> > introspection (fonts, boundaries, etc.)", and let webapps that are
> > trying to fingerprint me without my permission just crash and burn.
> 
> Javascript can be controlled by being recompiled into the Caja subset
> of javascript.
> 
> In practice, however, this is only done when a server controlled by
> one organization is generating a web page containing javascript
> controlled by another organization - Caja is used to protect one
> website against another, but not used to protect the client against
> the website.
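
The tampering concern raised in the "immutable javascript" paragraph above, as an added example that is not part of the original post or of any project it mentions. The `immutable`/`opaque` attributes are the poster's proposal, not an existing feature; this sketch uses the standard `Object.freeze` and `Object.defineProperty` instead, and `makePage`, `laterScript`, `run` and `cryptoLib` are hypothetical names with a toy stand-in for the crypto routine.

```javascript
// Constructed demo: a "page" is modelled as a plain object acting as the
// shared global scope that every script on the page can reach.
function makePage(harden) {
  const page = {};
  // Stand-in for a crypto library loaded first (toy transform, NOT real crypto).
  const lib = {
    seal(msg) { return msg.split("").reverse().join(""); },
  };
  if (harden) {
    Object.freeze(lib);                        // methods cannot be swapped
    Object.defineProperty(page, "cryptoLib", { // binding cannot be replaced
      value: lib, writable: false, configurable: false, enumerable: true,
    });
  } else {
    page.cryptoLib = lib;                      // ordinary mutable global
  }
  return page;
}

// Stand-in for a script injected later: it tries to wrap seal() so it sees
// every plaintext, first by patching the method, then by replacing the object.
function laterScript(page, seen) {
  const original = page.cryptoLib.seal;
  const spy = function (msg) { seen.push(msg); return original.call(this, msg); };
  const attempts = [
    () => { page.cryptoLib.seal = spy; },
    () => { page.cryptoLib = { seal: spy }; },
  ];
  for (const attempt of attempts) {
    try { attempt(); } catch (e) { /* TypeError in strict mode; silent otherwise */ }
  }
}

// Load the library, run the later script, then use the library once.
function run(harden) {
  const page = makePage(harden);
  const seen = [];
  laterScript(page, seen);
  const out = page.cryptoLib.seal("secret");
  return { out, leaked: seen };
}
```

Freezing only helps when the trusted script runs before anything else on the page, and it does not cover built-ins or DOM APIs that the library itself calls.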