Bonum Certa Men Certa

Your Bank and Other Web Sites Are Running Creepy JavaScript That Records Your Every Action

Reprinted with permission from Ryan

Your bank and other Web sites are running creepy “Session-Replay” JavaScript that follows you around the site recording your every movement.



You’re not “supposed to know” about this, but NoScript can block that from running.



I had a conversation with Matthew Garrett (alleged security person, actual drama bomb thrower) on IRC the other day about the “security” of JavaScript.



He had previously promoted it as a “great way of running untrusted code”.



Unfortunately, there’s just nothing secure about JavaScript. It’s the most widely abused platform in all of computing because almost everyone ends up running it without thinking of the consequences, and browsers which are instructed to do so, do it without bothering to allow any user control over the process in their default state.



If you can’t trust code, it’s better to not have it running at all.



Especially if it’s not doing anything to help you, and is proprietary.



Garrett said that “total sandbox escapes” where the program gets out of your browser sandbox and starts interfering with another tab or running arbitrary malicious code outside of any sort of confinement is “rare” to the point where someone would need to be “targeting you” and willing to blow a Zero Day exploit to do it.



That’s not exactly true as we see time and time again in the real world. But let us not hang ourselves up too long on what the Dalek of Social Justice has said.



If you drop a copy of O’Reilly’s book on Sixth Edition JavaScript from the kitchen counter, you’ll be walking with a limp for a while. Far from something that adds a little bit of “interactivity” to a Web page, JavaScript is a full blown computer programming language, Turing-complete, that can be used to write and run almost anything.



(I laughed the other day when I noted that someone had ported all of the LAME MP3 Encoder to JavaScript. It’s like, you could. But why? This is even dumber than online Office suites. People have spent years and lots of effort writing high performance encoding routines in C. Let’s make things worse and shove it to a Web server!)



Very little of what I do on the Web calls for something like JavaScript.



Nobody asked me if I wanted applications that run best on my computer, where I control them, where Big Brother is not looking over my shoulder replaced by some online version on someone else’s computer that I may or may not be able to access, and if I can, it’s watching what I do with it.



I don’t use Services as a Software Substitute where I can avoid it, and the ones I do use tend to be licensed under the GNU Affero General Public License, which makes them Free and Open Source Software.



If I don’t like someone’s Searx search engine, I can use someone else’s. If I don’t like a Matrix (protocol) chat server’s moderation, I can go use another one. If anyone wants to know what the source code does, or make their instance work differently, they can!



Web applications don’t have to be malicious. It’s just that many of them are.



In general, every way that Microsoft’s proprietary software could hurt you before is wrong with their Web applications, and then they’ve invented new ways of being nasty as well. So thanks, no thanks.



The people who invented the Web and the earliest browsers (such as Marc Andreeson, who said as much in 1994) wanted to keep it lightweight. The idea of JavaScript and even Cascading Style Sheets were controversial.



They knew that if these “features” were added, the consequences would be severe. And they are severe!



The Web has basically become Microsoft Windows. Bloated, fat, slow, and requiring a new computer every 4-5 years because of how painful things get. Features that are only useful to advertisers and marketers and spyware and other parasites being bolted on with no debate by Google and Microsoft, and tossed in by Mozilla and Apple “for compatibility”. Worse, it’s all impossible to secure and it’s rather embarrassing how complicated the standards are to get it to do much at this point. (There are starting to be chat servers implemented in GeminiSpace. But on the Web, you need to run a 600 MB tab for that!).



Worse, the Web rots. It’s become mostly a spam farm. Things disappear. Domain squatters come in. All your links go to a scam now. The entire thing has become so balkanized by megacorporations that come and go that if you use those “services”, every 10 years you have to figure out where all the people you used to talk to are.



We have to start backing away from standards that are hacked together by companies that won’t exist in a few years based on speculative business plans, many of which ought to be criminal.



Attackers take advantage of whatever they can.



They take advantage of poorly coded applications, gaps in security policy whether deliberate or accidental (some Windows malware includes the calculator from Windows 7 to get past User Account Control and evade virus scanners, for example), or software distributors like Apple which do not ship Web browser security updates quickly (giving the attackers time to study the fix and start exploiting a long time before most users are patched), or users who do not apply fixes.



Recently, Apple had to rush two emergency fixes for the kernel in Mac and iOS and for Webkit (Safari) for zero day vulnerabilities, and it’s hardly even like it’s rare for in-the-wild attack code to be targeting these platforms.



A while back, China attacked and targeted Uyghurs using a Safari vulnerability in the JavaScript engine. They’re not the only nation state that hoards software vulnerabilities. The US FBI and NSA are known to do it.



But aside from the sandbox escapes and arbitrary code execution are privacy problems that Tracking and Session-Replay scripts cause.



According to an article from VICE from 2017 (compacted with NewsWaffle and archived), at that time, 482 of the top 50,000 Web sites had JavaScript programs that followed the user around and recorded things that can even include keystrokes that aren’t “submitted” yet, and mouse movement patterns, and some even tie your activity to your real identity.



This is….super creepy and super sketchy!



Richard Stallman’s JavaScript Trap essay pointed out that many users end up running non-Free JavaScript programs without thinking much about it. I pointed out in an earlier post about how much I like the add-on NoScript.



In many cases, JavaScript is bloated, it’s spyware, it’s proprietary, and at the very least, it does something unwanted and aggravating, such as powering news site paywalls.



Firefox, some time ago, joined the majority of Web browsers in removing the user’s ability to turn off JavaScript globally, but NoScript can add this back. You can do whatever you want to. You can whitelist domains that are “Just Enough” to make the site work.



Even browsing in the non-default mode of “Temporarily Allow All Top-Level Domains” would provide a lot of protection from malicious, annoying, and bloated third-party scripts without forcing you to do too much manual intervention.



But it isn’t even like JavaScript engines really are that secure. By the time Mozilla finally does declassify security hole fixes for a Firefox release, you can go back and easily see that the majority of really nasty ones involved JavaScript, so the more domains you have it coming in and executing from, the more likely one is to come in and do _something_ nasty.



Odds approach 100% very quickly that your browser is running some kind of malware without telling you.



It’s bad enough when programs are “legitimate” in the sense that they are what they say they are, do something useful, and just won’t tell you how they do it. That’s what Stallman’s complaints were in The JavaScript Trap.



Unfortunately, there’s never been a more useful language to abuse the user with, or a better place to run it, than JavaScript in a Web browser.



Admitting defeat and turning it all on out of laziness simply ensures that you will be encountering serious malware at some point.



Unfortunately, the JavaScipt Problem is bigger yet than proprietary software and malware running behind-the-scenes. Some site owners set their Web sites to simply lock out people who are using Tor Browser, a VPN, or just simply have JavaScript turned off.



CloudFlare, a Web cancer that just keeps growing bigger, now hosts about 1/5th of major Web sites and about as many smaller ones too, and has convinced site owners to set “security” settings high to bounce people who fit these categories. I’m a VPN and Tor user with NoScript, so I run into problems with those “Checking your browser” pages somewhat frequently.



The other day, I was trying to look at an article on Bleeping Computer, and CloudFlare blocked me for using my VPN. So I opened up Opera, which I only occasionally use because CloudFlare blocks their Opera “VPN” (proxy) except in the EU for some reason, so I had to view the article in Opera and then close Opera.



JavaScript is a major annoyance on banking Web sites. One of the advantages of running NoScript and just whitelisting the top domain for the bank is that I use 6 banks, and they all work with just first party scripting turned on. The rest is Session-Replay, data analytics, and other crap and garbage.



Why do I want some creepy third-party script looking over my shoulder while I’m banking or using any Web site for that matter?



When I went to the United States Social Security Administration and the Internal Revenue Service, I even found Session-Replay scripts that they were attempting to load from third-party domains!



Once again, with these scripts excised from the site, the functionality I wanted to use still worked. With your Web browser’s default settings, spyware companies are recording your actions even on government Web sites that you have to use!



I counted at least six tracking companies monitoring your usage of the Social Security Administration’s site. They’ve even outsourced compliance with the Americans With Disabilities Act to a tracking company that records your session!



On top of the security and privacy concerns are more practical ones.



Some JavaScript malware is designed to commit theft of utilities. Some sites resort to “mining” cryptocurrency with JavaScript and WebAssembly (which NoScript also handles). This runs your CPU hard and causes your power bills to rise as your battery life falls.



Firefox, indeed most major Web browsers, now have some sort of anti-cryptomining feature, but nothing’s perfect. The less sites even have the permission the less chance they’ll get one of these loaded.



Tracking scripts also take resources to run. They slow down page loads and instruct your computer to do things. That’s not “free”.



The Web site owners don’t want to make a big fuss about all of this crap that they load, because when you investigate what the companies are telling them, it’s usually like, “We can help you monetize your site and optimize your search engine results and tell you all of these things about your visitors and what they do.”. Stealing your resources to benefit themselves is what they do.



How does this compare with ad blocking, or running add-ons such as Decentraleyes?



Ad blocking and Decentraleyes (which hosts commonly used Web frameworks locally to avoid Content Delivery Network requests) compliment NoScript and add to the privacy you can expect to gain from it.



uBlock-Origin (an ad and tracking blocker) is already a pretty big hammer. It will block ads and tracker lookups completely if they’re in your blacklists.



Unfortunately, many things are not included for whatever reason. They tend to give priority to not breaking anything on a site you could conceivably want to use, and there have been cases where tracking companies used the US DMCA to be removed from ad blocking lists. So it’s not bulletproof. There are too many things that slip past them, and that’s where NoScript comes in.



Between these things, you should be able to reduce your browsing data usage by about half.



There are a few other extensions I really like, such as Google Container. I don’t use Google very much (preferring the Free and Open Source Searx instances) and I’d like to stay logged in, but not outside that container (so Google can’t easily track me in general across the Web).



As I’ve increasingly focused on Gemini (such as Chilly Weather and the NewsWaffle on Gemi.dev) instead of the Web, I’ve found few cases where I actually need JavaScript to run to power something I want or need to do on the Web.



Ironically, writing this blog post about JavaScript requires me to run some JavaScript.



Even then, not all of the domains that the WordPress.com editor wants to load are necessary, and when I go to read blogs, I don’t need JavaScript at all. You don’t even need a graphical Web browser to read this. You can load it in text browsers that don’t even support JavaScript, with cookies turned off.



You should block most of WordPress’s JavaScript. I think most of it comes from analytics sites.



As I continue looking into an escape from the Web for most activities, I still occasionally need to watch a video or refill a prescription or make appointments with my doctor, or use some dumb banking site, and pay my taxes. Unfortunately, thanks to JavaScript being as widely abused as it now is, you need NoScript to make sure that these creepy programs can’t run.



I’m considering moving to a Gemlog instead of WordPress, but I’m going to have to learn how to do that so it may be a while. Eventually, I would like to leave an “I’m not here anymore. Use Gemini.” message on WordPress.



We’ll see when I manage to get around to this.



Until then, turn off your JavaScript, mostly. The Web is more pleasant when there’s less of it.



Although I mostly read news in the NewsWaffle, most of the annoyances and slowdowns (bloated JavaScripts, annoying videos, tracking) are gone from news sites with NoScript. Even when I load a CNN article with uBlock-Origin and NoScript, it comes up instantly. CNN is infamous for its terrible page load performance.



You can get NoScript here:



Firefox Add-Ons / Homepage



License: GNU General Public License Version 2



There is also a port of the extension available for Firefox on Android.



Unfortunately, iOS users will just have to live with JavaScript. The version of Firefox on iOS isn’t the real Firefox with Gecko. It’s a neutered version that has to use the same engine as Safari by diktat of Apple.



Unfortunately, this means Web browsers on iOS are insecure and impossible to fix, and issues such as the one Apple rushed an emergency fix for cannot be user-mitigated by blocking active content.



Recent Techrights' Posts

Slop Nihilism is Funded by Big Oil
Eventually human civilisation will destroy itself
Professor Eben Moglen Recovering From Open Heart Surgery
From his public pages (this is not secret)
There Are Red Hat (IBM) Layoffs, But Google News is Infested With Slopfarms
It contributes a lot to misinformation and it encourages plagiarism
USA Not a Place for Free Speech
In America, as in the US, the attacks seem more enhanced or advanced these days
 
The True Cost of 'Generative Models'
Funded and promoted by the companies that profit from the waste
'Big Slop' Attacks Contemporary Information/Knowledge and Creative Works, 'Big Copyright' (Cartel) Attacks the Old
Someone at IA will hopefully "blow the whistle" on what they actually agreed
Why We Find It Difficult to Trust Rust
A comparison between C/C++ and Rust
Watching the OSI: Our Series Will Carry on Irrespective of the Chief's 'Resignation'
the OSI isn't even the real guardian of the term "Open Source"
Just What LibreOffice Needs? Another Language? (Rust)
what's all this concern about memory safety?
Many Microsoft Managers Are Leaving
"Hey hi" chaff or chaff about "hey hi" cannot eternally distract from the difficulties inside the company
Tomorrow, Microsoft's Tim Anderson's 'The Register MS' Offshoot Will Have Been Inactive for 2 Months (There's Also a Slop Problem)
We've already caught The Register MS using LLM slop for articles
Microsoft's Chief Legal Officer Leaves Microsoft After Nearly 30 Years
And not retiring
Even Windows Users Are Having Problems With "Secure Boot"
When it comes to security - Microsoft strives for the very opposite
Another Competition Crime of Microsoft, Long Facilitated and Advocated by a Bad Actor, Who is Funded by a Third Party to Commit Extortion Against People Who Have Correctly and Repeatedly Warned About It for Over 13 Year
We must always go back to the core issues
3 More Reasons to Replace Mozilla Firefox With LibreWolf
Thankfully there are de-enshittified versions of Firefox
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, September 16, 2025
IRC logs for Tuesday, September 16, 2025
Links 17/09/2025: Google Layoffs in "Hey Hi" (AI), Perplexity Hit With More "Hey Hi" (Plagiarism) Lawsuits
Links for the day
Gemini Links 17/09/2025: Reclaiming Things in a Digital Age and Moon Phases in CGI
Links for the day
Slopwatch: Google News is Slop, Google News is Plagiarism, Google News is Dying
Google is off the rails
Links 16/09/2025: "The Censorship Alarm Is Ringing in the Wrong Direction" and ASRock Does Microsoft E.E.E. on GNU/Linux
Links for the day
Serious "Breach of Confidentiality of Personal Data" in Europe's Second-Largest Institution, the EPO
Yes, the same EPO that routinely uses "data protection" and "GDPR" as a pretext for hiding or covering up its corruption and white-collar crimes (it even uses that as an excuse for refusing to obey courts' orders)
Adrienne Rockenhaus Says Her Husband Was Arrested for Running Tor and Denied Basic Rights in the United States
the US seems to be getting "russified" in its approach towards Tor
This is What Happens When Microsoft Canonical Lets Decisions on Ubuntu be Made by a Youngster From the British Army (Where He Did Mass Surveillance)
"Is Ubuntu Compromised?"
Back Doored Windows Giving GNU/Linux a Hard Time (Under the Guise of 'Security')
Is this complication intentional? Most likely, yes
Links 16/09/2025: Science, Security, and Conflicts
Links for the day
Gemini Links 16/09/2025: Command-line Options in POSIX Shell and Introducing Acre 0.9
Links for the day
Microsoft 'Secure' Boot Versus Dual Boot With GNU/Linux
they're meant to assume everything is OK
Links 16/09/2025: While Oracle Pretends to be Rich It's Firing About 70 MySQL Workers, "Oracle's Revenge" (Faking Demand With "AI")
Links for the day
Microsoft Has Just Published a New Web Page About "Secure Boot Update Process" (Microsoft Also Admits Issues; PCs Can Stop Booting)
Why was this page issued and published only hours ago?
Microsoft Lunduke: I Spread Hate and Then I Receive Hate
Cry us a river, Microsoft Lunduke
"Use Wayland" Isn't a Bugfix for X (X11 is Still Necessary)
They tell us X is "dead" and we must all be herded into Wayland ASAP
"Disable Secure Boot and Fast Boot. Wipe and Start Over."
At least they didn't say, buy a new computer...
The Oracle Ponzi Scheme
Oracle isn't doing well, but it's nowadays fashionable to say "clown" and "hey hi" to prop up one's stock, even based on nothing at all
The New Head of OSI is an "Hey Hi" (AI) Obsessed Person
when Bryant says "AI" that doesn't mean AI
Taking Out the Battery, Opening Up Your Computer, Just Like a "Normie" Would
At this stage, any person who still says "enable Secure Boot" is misguided or persuaded by companies that sell rootkits
Slopwatch: Serial Sloppers and Slopfarms Still Infesting Google News (Fake 'Articles' About "Linux" Spreading FUD)
searching for "Linux" today yields a lot of FUD
"Governments, local authorities, schools and hospitals can lead by example by procuring only Free Software"
Crossposted from Tux Machines
Cindy Cohn Leaving the Electronic Frontier Foundation While Its Co-founder John Gilmore, Whom She Apparently Helped Oust, Will Celebrate 40 Years of the Free Software Foundation, Inc.
EFF has been busy hoarding GAFAM money, whereas the latter is where all the real activism is done
The Reach of Techrights Has Broadened
We nowadays cover a broader range of issues
"Google is Googlebombing KDE's Project Banana"
So is Google googlebombing KDE's Project Banana? You decide.
Complicating Things for No Actual Benefit, Just Added Risk and More Difficulties Adding GNU/Linux and BSDs
Watch what it's like for people who wish to use BSDs
Some Very Large IRC Networks Are Growing
IRC will turn 38 next year
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, September 15, 2025
IRC logs for Monday, September 15, 2025
Links 16/09/2025: Autumn Party, RPG Planet, and Optical ROOPHLOCH
Links for the day
Geminispace Growing at Pace of Over 10% Per Year
Contrary to what some pessimists try to claim
Linux Mint Forums Today: Disable 'Secure Boot', It Doesn't Improve Security, It's Just a Microsoft Obstacle to GNU/Linux Users
They also mention MOK
What Ruben Amorim and Stefano Maffulli Have in Common
Censors Wikipedia and Social Control Media
Microsoft Won't Cooperate in Trying to Tackle EPO Corruption (Microsoft Profits From This Corruption)
Use something like BigBlueButton, Jami, Ring, and Jitsi instead
Solved Less Than an Hour Ago: Trying to Escape Windows, 'Secure Boot' Gets in the Way
'Secure Boot' wasn't meant to even exist in the first place
Stefano Maffulli, Executive Director of the Open Source Initiative, Resigns or Gets Removed (We'll Continue Covering OSI Scandals)
A dozen mentions of "AI", not much about "Open Source"
Andy Has Just Nailed It (Regarding Complexity and Failure, a la UEFI)
The users no longer own or control what they buy
Compatibility Support Module (CSM) Versus GNU/Linux Simplicity
what Andy recently called "solutionism"
Links 15/09/2025: "Postal Traffic to US Down by Over 80%" and 'Smart' Spinozacampus Laundry Room Goes AWOL
Links for the day
Gemini Links 15/09/2025: Dungeon Hustle and Deleting Oneself From the Net
Links for the day
Breach of EPO's Duty of Care or Cigna Reimbursement Issues
This is the sort of thing that motivated Luigi Mangione to assassinate a CEO
Ask Ubuntu About "Secure Boot" Violation and Laptops That Don't Boot GNU/Linux
Does anyone still believe that "Secure Boot" has anything at all to do with security?
We Are Sad to Hear the Story of Jonathan Riddell, Champion of KDE and GNU/Linux on Desktops/Laptops
I have enormous respect for Jonathan and everything he has done
Talking About the Problem vs Talking to the Problem
Wanting an audience is never a good excuse for compromising one's values and principles
Focusing on Patents
The reason we cover the EPO so much is that it's close to home
"Secure Boot Violation": The 'Joys' of Fake Security Gone Wrong
Not everyone reboots every day
Links 15/09/2025: Russia Invades Romanian Airspace, Penske Media Sues Google Over LLM Slop
Links for the day
Links 15/09/2025: Bitcoin ATMs Scam and "Conservative Cryptography" (Backdoors Fantasies)
Links for the day
EPO Imitates Microsoft: "Three Days or More Per Week" Inside the Office to Get a Desk to Work on; "the Office Breaches Its Promise Towards Staff and Acts in Breach of Its Duty of Care"
The EPO serves no actual function in Europe
Links 15/09/2025: Political Affairs, Censorship, and Copyrights
Links for the day
Gemini Links 15/09/2025: Music Genres, Invisible Networks, and Akademy 2025
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, September 14, 2025
IRC logs for Sunday, September 14, 2025