
Yeah. I usually don't even bother to enable script in cases like that.

My experience is that bad behavior without script is often a good indicator of a lousy website. Even if it isn't, it gives me an excuse to weed out stuff arbitrarily. There's obviously more stuff on the web than there is time to read it.




One way to degrade gracefully without actually doing much work is to detect the lack of JS and put up a note - http://dribbble.com/shots/114735-Caring-for-those-with-disab.... At least it tells a no-script visitor that the page designer is aware of JS-incapable users and the associated issues.


Why stop with Javascript, though? Why not refuse to render images, or videos, or use any sort of plugin? For that matter, why not use Lynx?

I really do not understand the sort of Luddite motivations that drive someone to disable Javascript. You're drawing an arbitrary line in the sand that cuts you off from a great deal of perfectly legitimate functionality. Could you explain exactly what you're gaining in return? Isn't this just another incarnation of 1990s-era cookie paranoia?

It seems to me that if you use an up-to-date browser and an ounce of common sense when you surf the Web, you have little to fear from Javascript. And if you don't, no technological measures short of total disconnection will save you from yourself.


Why stop with Javascript, though? Why not refuse to render images, or videos, or use any sort of plugin?

Yes, I normally block videos and all plugins. I don't have to block images by default any more; thankfully, the obnoxious animated ones have mostly moved to Flash.

Occasionally I'll switch browsers and permit specific youtube videos.

For that matter, why not use Lynx?

My recollection is that Lynx does not support proportionally-spaced fonts or images. If this is incorrect, I'll consider using it.

In fact, I do know someone who uses exclusively text-based browsers. She's doing research on accessibility issues for the visually impaired.

I really do not understand the sort of Luddite motivations that drive someone to disable Javascript.

Maybe if you didn't presume it to be a Luddite motivation, you'd have a chance at understanding it.

You're drawing an arbitrary line in the sand that cuts you off from a great deal of perfectly legitimate functionality. Could you explain exactly what you're gaining in return?

Well, I will enable script for specific sites that I want to do business with. But it's done intentionally and limited in scope. If the site requires scripts from a bunch of shady domains and ad networks, I'm much less likely to do business with them.

By aggressively disabling Javascript and not installing Flash I gain:

1. Security: Less attack surface, less frequent patching, less risk of getting pwned by drive-by malware. Fewer trusted domains in my page origin.

2. Privacy: A lot of advertiser tracking stuff depends on script running in your browser. Declining to run their script seems to cut down significantly on the amount of personally-identifiable info you're constantly broadcasting as you use the web.

3. Faster page loading.

4. Fewer advertisements, pop-overs, and other useless blinking crap in my visual field detracting from the words and occasional image on the page which convey 99% of the meaning.

5. By avoiding proprietary plug-ins I follow open-standard (W3C, IETF) technologies. These are consistently winners in the long run.

6. I learn a little about the mindset of the developer of the site. Take a look at who's running script in your browser in news.ycombinator.com and compare that to any of the Gawker media sites for example.

Isn't this just another incarnation of 1990s-era cookie paranoia?

Similar in some ways, different in others. Cookies have some very similar security properties to that of scripts WRT same-origin.

It seems to me that if you use an up-to-date browser and an ounce of common sense when you surf the Web, you have little to fear from Javascript. And if you don't, no technological measures short of total disconnection will save you from yourself.

That's the "all or nothing, it's hopeless, give up" argument and yeah most people are willing to give up their security and privacy when you throw that in their face.

But not me. I find it more interesting to learn something (e.g., what scripts are being used where and why) than I really care to see yet another video on the web (even if it does involve oscilloscopes).
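The "look at who's running script in your browser" check from the list above, as an added example that is not part of this thread: a small audit function that groups a page's script URLs by origin and flags third-party and plaintext-HTTP loads. The page URL and script list are constructed sample data with placeholder hostnames; treating subdomains of the page host as first-party is an assumption, not a registrable-domain (eTLD+1) computation.

```javascript
// Added example (not from the thread). Classify the scripts a page loads by
// origin so a visitor can see which third parties are running code in it.
// Assumes the WHATWG URL class (Node >= 10 or any modern browser).
function auditScriptOrigins(pageUrl, scriptSrcs) {
  const page = new URL(pageUrl);
  const report = { firstParty: [], thirdParty: {}, insecure: [], inline: 0 };
  for (const src of scriptSrcs) {
    if (!src) {                 // empty src: an inline <script> element
      report.inline += 1;
      continue;
    }
    let u;
    try {
      u = new URL(src, pageUrl); // resolve relative URLs against the page
    } catch (e) {
      continue;                 // unparsable src; nothing to classify
    }
    // Assumption: same host or a subdomain of it counts as first-party.
    const sameSite = u.hostname === page.hostname ||
                     u.hostname.endsWith('.' + page.hostname);
    if (sameSite) {
      report.firstParty.push(u.href);
    } else {
      if (!report.thirdParty[u.origin]) report.thirdParty[u.origin] = [];
      report.thirdParty[u.origin].push(u.href);
    }
    // Script fetched over plaintext HTTP into an HTTPS page (mixed content).
    if (page.protocol === 'https:' && u.protocol === 'http:') {
      report.insecure.push(u.href);
    }
  }
  return report;
}

// Constructed sample input (placeholder hostnames, not real sites).
const SAMPLE_PAGE = 'https://news.example.com/item?id=1';
const SAMPLE_SCRIPTS = [
  '/site.js',                                    // first-party, relative
  'https://cdn.news.example.com/app.js',         // first-party subdomain
  '',                                            // inline script
  'https://ads.tracker-example.net/pixel.js',    // third-party
  'https://ads.tracker-example.net/beacon.js',   // same third party again
  'http://static.ad-network-example.com/show.js' // third-party, plaintext
];

// In a browser, run the same audit over the live document instead.
if (typeof document !== 'undefined') {
  const srcs = Array.from(document.scripts).map(s => s.getAttribute('src') || '');
  console.log(auditScriptOrigins(location.href, srcs));
} else {
  console.log(auditScriptOrigins(SAMPLE_PAGE, SAMPLE_SCRIPTS));
}
```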


That's the "all or nothing, it's hopeless, give up" argument and yeah most people are willing to give up their security and privacy when you throw that in their face.

No, it was the "Use sound computing practices and you'll probably be OK, but you could still be hit by a bus if you step outside and an asteroid if you don't" argument. In other words, the same sort of compromise that we all make every day when we interact with the world.

Thanks for the explanation; it does answer my questions. We probably won't be able to find common ground, though -- I actually prefer to see ads for oscilloscopes and hosting services, rather than tampons and farm implements.


No, it was the "Use sound computing practices and you'll probably be OK, but you could still be hit by a bus if you step outside and an asteroid if you don't" argument. In other words, the same sort of compromise that we all make every day when we interact with the world.

What I hear you saying is that we all have to weigh risk vs. benefit as we interact with the world. I certainly agree in principle, but maybe we don't judge the sides the same way.

I saw one study claiming the majority of PCs (59%) are pwned by malware. This seemed to be a bit biased and non-scientific, but we know there are multi-million node botnets so the actual number is quite high. So the comparison isn't with the risk of getting hit by a bus, the baseline expectation from the typical user behavior you advocate is to be compromised periodically.

I work for a data security company by day and research that stuff at night too. So I'm painfully aware that on any given day there are usually multiple not-yet-patched vulnerabilities. Occasionally I have customer info on my computer, info about not-yet-public vulnerabilities, or I just can't afford the energy needed to clean up afterwards if I were to get pwned. I judge the downside risk much higher than the upside.

So I mostly interact with the web with a browser in NoScript mode, and even that via a series of virtual machines and remote access that don't allow file or clipboard sharing. It turns out that I liked the web better without the 2.0 anyway.

We probably won't be able to find common ground, though -- I actually prefer to see ads for oscilloscopes and hosting services, rather than tampons and farm implements.

Now if there were a way to allow only Oscilloscope Pr0n I'd be all over that. I do in fact have DigiKey and Mouser whitelisted. :-)


I certainly agree in principle, but maybe we don't judge the sides the same way. ... I saw one study claiming the majority of PCs (59%) are pwned by malware.

How many of those attacks came through Javascript, though? It would be interesting if there were a public resource that keeps track of attack vectors, so we could accurately assess the risks.


How many of those attacks came through Javascript, though?

The majority of the opportunistic drive-by web malware seems to depend on script. Sometimes the vulnerability is in the Javascript interpreter itself, sometimes the attacker wants to lightly obfuscate web sites and payloads from scanners, and sometimes it seems the malware authors are just lousy web designers using script gratuitously.

If you also eliminate Adobe products from your attack surface, you've bypassed a huge percentage of web malware.

Of course if you're the subject of a targeted attack then all bets are off.

It would be interesting if there were a public resource that keeps track of attack vectors, so we could accurately assess the risks.

There are many, but for specific bugs they try to agree on at least the central "CVE" number: http://cve.mitre.org/ http://web.nvd.nist.gov/view/vuln/search-results?query=javas... http://www.kb.cert.org/vuls/

For attack vectors in general, see: http://cwe.mitre.org/data/slices/2000.html http://cwe.mitre.org/



