noscript is 10 years!

stef s at ctrlc.hu
Fri May 15 08:16:00 PDT 2015


On Fri, May 15, 2015 at 11:45:47PM +0900, Lodewijk andré de la porte wrote:
> Noscript is admission of failure to sandbox, and a step away from
> webapplications.

webapplications are simple development cost externalisations by the VC
vultures and their startup slaves and js is a perfect tool in gathering more
private information to sell that.

webapplications shouldn't exist in the first place, there's OS level binaries
that should be used instead. but i totally understand that the time-to-market
and the RoI of hiring a bunch of dumb jsdevs is greatly more profitable than
doing it right. the incentives of the system subvert and cannibalize the
system itself. omnomnom.

since you addressed sandboxing, i'm much more of a fan of reducing the attack
surface than sandboxing. sandboxing should be only used in a defense-in-depth
setup, with other factors being more important, like reducing all the layers
of cruft underneath.

also let's not forget that the security in browsers is like the security
offered by tls, it's mostly in the interest of the industries, not the users
sitting behind the browsers. sandboxing in chrome for example is good enough
for the startups to not leech the data in other tabs, but looking at the
results of various exploit compos confirms that the more resourceful
attackers are not much deterred by the sandboxing. whereas noscript is indeed
in the interest of the user, not the industries.


-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt


