Google Won't Let You Sign In If You Disabled JavaScript In Your Browser

An anonymous reader quotes a report from ZDNet: Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack. According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password. In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser. The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected. This change is likely to impact only a very small number of users -- around 0.01 percent according to Google's data -- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons. Google also plans to pull data from Google Play Protect and list all malicious apps that are still installed on a user's Android smartphone. Google's Jonathan Skelker says they will be notifying you "whenever you share any data from your Google Account," expanding on the notifications it sends when you've granted access to sensitive information, like Gmail data or your Google Contacts.

"Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account."

Good

Maybe this javascript thing will finally take off

Re:Good

[jellomizer]

Actually Google has been leading JavaScript adoption for over a decade.
Even back in the early 2000's web/web app developers were slow to use Javascript on their pages (Or limited to input validation). Mostly because they were afraid of people using old browsers that didn't support it. If you did a lot of stuff, you probably didn't get the customer, because you cannot reference an other popular site that needs Javascript.
Then with Googles Autocomplete feature and Google Maps, becoming a popular feature, it opened the door for the rest of us to apply Javascript,Ajax and DHTML to the pages.
I know, Booo Javascript sucks! However Javascript is better then Sliverlight, Flash, Active X, Java Applets, in terms of keeping the web platform open, while offering the features most people wanted.

Now Javascript has its issues... However it is used on all major browsers, and if coded well, it makes your pages load and run faster. (if not then we have the suckyness we think of wanting to block Javascript for)

Re:Good

...whoosh...

Re:Good

[UnknownSoldier]

> and if coded well,

IF

That's a mighty big if as websites pull in JS and images from a dozen different sites ...

Re:Good

[jellomizer]

But how well it is coded, applies to all software.
Companies always try to hire non-programmers to make their stuff. Thinking this guy can write code so he is good enough. They figure they are saving money. They are not they are just making crap that is hard to maintain, and the end users just hate.

Re: Good

Was that Google flushing after taking a huge dump?

Re:Good

[jythie]

And of course javascript based solutions just happening to be the easiest type for search and ad systems to troll is just a fringe benefit.

Re:Good

[sycodon]

My Very Large Defense company employer disables javascript via group policies.

Security reasons.

Re:Good

I allow javascript, but not third-party anything. No third-party js - does away with a lot of trackers and "analytics" that I don't need.
Also no third-party images/buttons - does away with facebook tracking (via like-buttons and logos)

Of course some sites break when their menu navigation system try to pull in a third-party crappy library - but there are more sites than I need out there anyway. As they say, if you depend on too much, then you don't get the customer. Shops in particular would do well to serve all they depend on from the same place. There are so many adblocking schemes - why turn away 5%-10% of the customers? Shops profit from purchases, not from ads shown. Quite the contrary, they pay for ads. And ad not shown, is one payout less. And the lost ad is not a problem when the customer found the webshop anyway.

Re:Good

[oh_my_080980980]

Are you fucking kidding me? Web developers weren't using JavaScript back in 2000? What planet were you on? Seriously stop sucking Google's dick.

Re:Good

[oh_my_080980980]

So you just backed tracked on your own argument. Please just stop. You do not know what you are fucking talking about.

People block JavaScript for security reasons because of all the malicious stuff it can do. Google forcing you to enable JavaScript is fucking stupid. Hint, they can do what they want without enabling JavaScript. Google is looking for something else.

Re:Good

Not only is "Mister Developer" sucking Googles's dick, he's swallowing their jizz by the bucketful.

Re:Good

Indeed. JS allows them to monitor you computer for software installed: fonts, cookie, css history, referer, screen resolution, CPU arch, you name it. No website has a right to know any of this, so I block it all. FastMail doesn't do this to you, and I switched years ago when Google, et al began their spying and tracking in earnest. All of this can be blocked easily with Firefox (about:config and add-ons), Pi-hole, and using services which respect your privacy.

Re:Good

Google is looking for something else.

Hits the nail on the head. Yes, it's about security. And privacy. And for Google it's about collecting more data, regardless of the risks to you.

The push toward JS overkill is rejecting the golden rule of web design: Make sure your page degrades gracefully and don't tell visitors that your site is "best viewed in last week's version of Chrome or Firefox".

I actually see an increasing number of pages that pull in a dozen external scripts to add pizzazz, then also use noscript tags. But they're only using the noscript tags to make sure that people with script disabled still get a tracking pixel, while the page itself is actually broken without script!

Re:Good

Security reasons that now include preventing you from signing into Google. Perhaps a good thing all around?

Re:Good

I'm not sure you have ever actually done any web-based development or that you understand literally anything about web interfaces. If you had, you would know that removing Javascript from a web-based email client returns you to the halcyon days of 1994 where every click refreshes the page and removes any concept of dynamic ANYTHING. So no, in fact they cannot do what they want without enabling Javascript or something similar.

Re:Good

How do you use literally any websites?

Re:Good

Google forcing you to enable JavaScript is fucking stupid

Google forces us to enable JavaScript because Google has a MALICIOUS intent, period.

Re:Good

[phorm]

Would your very large defense company employer actually let you sign into Google services?
I'd imagine that stuff like gmail/drive/etc are probably considered a liability.

Re:Good

Am sure someone will come with a plugin or other tool to either give false info to such JS requests or deny/disable those types of requests directly.

Re:Good

You can, and some addons such as Random Agent Spoofer do that, disable some JS APIs, but I doubt there are addons that can disable arbitrary objects or functions, or make them return arbitrary values, though I would be happy to be corrected. That would require to edit source code, perhaps non-trivially, if values were to randomly change on the fly, let alone depending on some white/black list., and recompile browser.

Note that Mozilla and Google keep introducing new intrusive APIs all the time, so you have to perpetually re-examine every new browser version to find and disable newly added fingerprinting APIs, though you have to do that anyway, because they also keep adding new telemetry vectors.

Only .01%?

[PuddleBoy]

So Google says that only 1 in 10,000 of us have a Google account and disable Javascript?

I feel special.

Re:Only .01%?

Probably because anyone paranoid (rightfully) about JS is even more skeptical of intentionally storing information with Google.

Re:Only .01%?

Special needs coming through.

Re:Only .01%?

[sabt-pestnu]

You should. I would wager that most of us NoScript-using folks don't have Google accounts.

Re:Only .01%?

[jellomizer]

You can only really trust Javascript as much as you trust the page creators.

Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised, and you are just missing out on features which may make your browsing a bit easier.

Re:Only .01%?

[vm146j2]

...that you know about.

Re:Only .01%?

Exactly. Never have I ever had a Google account. You don't even have to for Android anymore. What am I missing?

Re:Only .01%?

Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised, and you are just missing out on features which may make your browsing a bit easier.

Really? So all of the data on my computer is compromised because I happened to log into a website?

There's more to my life than what the web sees. if I happen to log onto my webmail provider they certainly already had access to the emails I received there but nothing more. If I have to enable Javascript to log in then I increase the attack surface that they (or one of their many 3rd party script providers) can use to attack my computer.

You can only really trust Javascript as much as you trust the page creators.

You got that partially right. Most pages use 3rd party scripts hosted externally. You're not just trusting the page creator, but every 3rd party they send you to.

Re:Only .01%?

[AmiMoJo]

I disabled Javascript for my bank's web site. Whatever scripts they run make entering my details very, very slow. Probably some kind of key-logging prevention.

I use YesScript, Javascript is enabled unless I disable it for a site. uBlock Origin blocks third party scripts by default. I find that's a good compromise between breakage and blocking.

Re:Only .01%?

Like background bitcoin mining.

Re:Only .01%?

[lgw]

Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised,

Fun fact: web sites often contain content originating from more than one company. You might trust the people you're giving your info to, but is there an ad anywhere on their web site? Heck, even banks run web content from "partners" these days.

Re:Only .01%?

[oh_my_080980980]

Ok so you're a Google Troll. Please fuck off.

Legitimate sites get hacked ass-hole.

Re:Only .01%?

[HiThere]

Well, I've got an account with them, but I'm OK with never logging into it again.

Re:Only .01%?

Check out uMatrix from the same author, if you haven't. Think noScript, but with a much nicer GUI and the ability to block different types of resources (ie block XHR and scripts from ads.domain.com, allow media and scripts from cdn.domain.com, etc.)

Re:Only .01%?

Five addons that work together to solve this conundrum:

ublock, privacy badger, redirects fixer, searchonymous, and cookie autodelete (on Firefox it can also automatically delete localstorage.) If you're feeling adventurous, use one of the addons that selectively blocks referrals.

I used to use noscript, but I got sick of having to screw with it all the time. These addons combined take the hassle out of it.

Re:Only .01%?

Android Cherry Dumpling Banana Split needs a google account. So I created one just for it. GetOnYourKneesAndBlowMeAndIWillTellYouMyPassweord@gmail.com. Not used for anything else.

I never enable JavaScript (and block all ads) and if a particular website does not like they can go fuck themselves. I have better things to do and better places to go.

Re:Only .01%?

Yeah, because they use outlook.com (aka hotmail)

It's 1st of November, not April

[Opportunist]

ENABLE Javascript to increase security.

Now I've seen it all.

Re:It's 1st of November, not April

[gweihir]

Indeed. Truly staggering. Something seems to be badly broken in the brains of the people behind this.

Re:It's 1st of November, not April

So much this.

What fraction of all the web-foisted security vulnerabilities use Javascript as an attack vector? Thinking back to the last 10 or 15 years of reporting, I'd say it's in excess of 90%.

Anyone who wants security on the web keeps javascript disabled.

The stupidity is strong.

Re:It's 1st of November, not April

[jellomizer]

I commonly use Javascript to Ajax Call and get a new session key a few times a minute. I do this so if someone did a screen/varable/back button capture of the page, they wouldn't be able to use that data without authentication. If it tries to renew an expired key, it brings you back to the login screen, and additional data will not be read or saved with an invalid key.
Is it fool proof, no, is this all I am doing for security No. but it is putting an extra layer of security that wasn't there before. It is the equivalent of not hiding the key under the welcome map.
So yes you can use Javascript to increase security.

Re:It's 1st of November, not April

Something seems to be badly broken in the brains of the people behind this.

Not when you realize that Javascript is primarily about user-tracking, not functionality or "safety". Those are the ways to sell it to the dumb masses. Google's is a mass surveillance company, and javascript allows much better tracking of people as they use and move around the web.

Requiring it is completely consistent with Google's business goals of knowing everything about everybody.

Re:It's 1st of November, not April

Not YOUR security, dummy. Google wants the keys to the castle to snoop around and make sure you are who you say you are.

Re:It's 1st of November, not April

[gweihir]

True.

Re:It's 1st of November, not April

So it is a high number. But it is NOT 90%. Remember Flash? Yeah, that didn't need Javascript for most of the exploits - just an object tag. Remember Java? Same thing. If you had said last 1 or 2 years, I would buy the 90% thing.

Re:It's 1st of November, not April

[bentcd]

Enable javascript to improve security for Google, not for yourself.

To improve security for yourself, don't have a Google account.

Re:It's 1st of November, not April

[squiggleslash]

I'm about 90% sure that most security vulnerabilities involved plugins, Flash being the biggest offender but also with problems in plugins that should know better like Java. And, of course, there's ActiveX, plus the ability to download .exes or MSIs and tell people they're OK honest and you should have it because it installs this awesome toolbar.

I don't recall seeing many Javascript vulnerabilities. The only serious ones I can think of are:

1. There are a few XSS vulnerabilities that have popped up from time to time. While initially the browser makers blamed the webdevs for this, they've tightened up the scope for XSS attacks to make them extremely difficult over the years.
2. One of the CPU branch-prediction bugs from last year was exploitable via JS, I forget which but IIRC it was the less severe one and was still pretty close to impossible to exploit in a real world scenario (yes, you could build a carefully constructed proof of concept where you knew exactly what browser was being used on a specific CPU on a specific version of a specific operating system with specific versions of specific shared libraries installed, but outside of that it was hard to exploit.

Ultimately any web technology can be poorly implemented in such a way that it'll lead to exploits. I wouldn't be remotely surprised to hear, even today, of a buffer overflow bug in a GIF or HTML parser. Disabling JS seems like poor security to me, it reduces the attack surface, sure, but so does disabling images, and like the latter it means most modern web pages aren't going to work properly.

Re:It's 1st of November, not April

[lgw]

You're about 5 years out of date, I think. Flash is mostly dead, IE is mostly dead, ActiveX is long dead (outside of corporate intranets, where it may linger). It's all about the browser and JS exploits now.

Of course, XSS is big too, and technically you don't need JS for that, so I'm with you there. There have only been a handful of media exploits (and mostly from the Snowden leaks - they're quite valuable).

Re:It's 1st of November, not April

[Opportunist]

But now that Flash is dead and Oracle is doing its best to kill Java with some ridiculous licensing plans, Javascript remains the only sensible vector.

Ok, aside of VB, but for that you also need to download and open Office files.

Re:It's 1st of November, not April

Yes, it is crazy.

And it buys them no security at all. It is easy enough to set the client to run no javascript, except that validation script google uses for its test. With a little more work, you can avoid running the script, and just send a response so it looks like the script ran.

This is how most anti-js solutions works: whitelist the few scripts needed to make some major sites work, block all the rest. No other site scripts, not even other scripts from the same site. So there goes the privacy-wasting trackers, the time-wasting bitcoin miners, the screenspace- and bandwith-wasting ad-loading mechanisms. While we keep the site navigation & login stuff.

Re:It's 1st of November, not April

[vbdasc]

Indeed. Requiring client-side JS won't stop the crooks, IMHO, simply because they can tamper with their browsers/web clients and modify the behaviors of their JS engines as they see fit. OTOH, it will make life harder for the power users that disable JS for security reasons. Bottom line - bad, user-hostile idea from Google.

Re:It's 1st of November, not April

[oh_my_080980980]

Hi I'm a Google Troll. I have my head up Google's ass. Please don't listen to best practices in cyber security.

Re:It's 1st of November, not April

Finally, after countless years of quietly removing 2 or 3 days from the month of February my plan has come to fruition. Everyone believed it was November when it's actually April. The ultimate April Fools prank! Mwahahaha!

Re:It's 1st of November, not April

[tepples]

But now that Flash is dead and Oracle is doing its best to kill Java with some ridiculous licensing plans, Javascript remains the only sensible vector.

How is it not "sensible" to download, optionally compile, and install a native application and run it in a container?

Re:It's 1st of November, not April

[Impy+the+Impiuos+Imp]

Don't worry about Java hackers. That's impossible. Google will make sure nobody knows what you do except them, their gigantic advertising database putting you into advertsing categories based on automated analysis of every web page you visit even in incognito mode because the site probably tells then anyway, a million companies and advertisers, and the government.

Re:It's 1st of November, not April

[jellomizer]

When companies say "best practices" I hear "This is how we did it, we don't want you to argue with us."

Re:It's 1st of November, not April

[HiThere]

Only if you think they aren't intentionally lying.

Re:It's 1st of November, not April

[Opportunist]

By having a container that's about as tight as the average string bag.

Re:It's 1st of November, not April

If you want your fake click-bot YouTube view experience really secured, ENABLE montreal guy! /sarcasm
--
I browse Slashdot at 0. If your comment is at -1, don't expect me to read it.

Re:It's 1st of November, not April

How is it not "sensible" to download, optionally compile, and install a native application and run it in a container?

How is it not sensible to pick up a revolver with one round loaded, give it a good ole spin, place it against my temple and pull the trigger?

It's not sensible in exactly that way.

Re:It's 1st of November, not April

Likewise the new token-based browser authentication standard they are pushing to "increase security" also requires Javascript in the client.

Re:It's 1st of November, not April

[Chris+Mattern]

Remember, remember the 1st of November...

Re:It's 1st of November, not April

[tepples]

Correct me if I am misunderstanding, but it sounds like you're saying that both native applications and web applications are uselessly unsafe. What should one use instead?

Re:It's 1st of November, not April

running turning-complete instructions from random places on the web is a bad idea
whether that code is written in Javascript, flash, java, or whatever else gets popular is really not important

Re:It's 1st of November, not April

[vtcodger]

Now I've seen it all.

Sadly, I don't think you/we have seen it all. I think this is probably only an early stage of a monumental clusterf**k. Google seems to have convinced themselves that the huddled masses (that'd be us) need help with their computer usage and that Google is just the company to mentor us. In order to help us run our lives, they need to get into our computers and they have three tools with which to do that -- android, chrome and javascript. They presumably will use all three.

The problem is that scripting in general and javascript in particular are completely and utterly incompatible with computer security. Google is not going to change its approach easily and other companies are going to try to emulate it and/or to fit themselves into poorly served niches in the Google Universe. So scripting is going to be everywhere and so probably will malicious attacks on just about every computing device connected to the internet.

This is a recipe for disaster of course. And disaster it is likely going to be.

Mind your backups. You'll probably need them. More than once. .. and prepare to see your financial accounts attacked repeatedly. Doesn't matter that you turn off scripting. The third parties sharing your financial information (banks, credit card companies, merchants, etc) probably won't have it turned off.

Re:It's 1st of November, not April

[ChatHuant]

The stupidity is strong.

It's not stupidity. Say what you want about Google, but they're not stupid, and they don't hire stupid people. They're well aware that enabling Javascript is not going to improve security - and they don't care. Google's goal is to maximize tracking, not to improve security.

What it is is arrogance and complete disdain for their users. Google has no qualms about stating howlers like this one with a straight face, because it knows a majority of users are not very knowledgeable, and won't realize they're being lied to. Those folks will feel reassured by Google's message and open themselves to all the tracking Google (and everybody else) can squeeze in.

Re:It's 1st of November, not April

[gweihir]

Indeed. That is the other explanation, and it seems more and more likely to me.

Re:It's 1st of November, not April

Google has been running banners on their search trying to convince people that creating a Google account will improve their privacy.

Re:It's 1st of November, not April

Google really is slowly taking over. Android is appearing in televisions now. Slowly Android's moving up the value chain into laptops too. Firefox has very little marketshare left outside of desktops.

 

"Javascript a security feature"

I'm inclined to ask what the colour of the sky is in google-world.

Re:"Javascript a security feature"

[PPH]

Brown. And it smells pretty bad too.

This negatively impacts alternative browsers

[xack]

Especially text browsers that don't support javascript often used by people with disabilities.

Re:This negatively impacts alternative browsers

Exactly. This goes against everything webdevs were taught to do (DEGRADE GRACEFULLY) for the past 20 years.

Re:This negatively impacts alternative browsers

Yeah, I wonder how the ADA people are going to cope with this. My university just shut down the entire faculty webserver and migrated people to Wordpress because they didn't want anyone to be able to create any webpage that wasn't "accessible," digital humanities projects and anything in XSL be damned. I wonder if we'll have to dump G-suite because of the new JS login requirement. I really, really hope we do.

Re:This negatively impacts alternative browsers

Said people should update to more modern systems which render the page in full, complete with javascript and everything, and then describe it.

Re:This negatively impacts alternative browsers

They were also taught that the web is for content, not layout, which is better left up to the client, but look where that went.

Re:This negatively impacts alternative browsers

EVERY new development these days does exactly this.

RSS is being taken away because advertisers don't get enough information about our reading habits.

Our privacy and ability to customize our own computer is removed in Windows 10.

Every useless phone app phones home with all our personal information and no one does a thing about it.

We are well past 1984.

Re:This negatively impacts alternative browsers

Especially text browsers that don't support javascript often used by people with disabilities.

Almost no one with disabilities in North America uses text-only browsers any more, and that's been the case for almost 10 years now. With the advent of the W3C WAI-ARIA standard, which requires JavaScript for implementation, websites are more accessible with JavaScript enabled. Most major websites, including the Google application suite, use ARIA.

Re:This negatively impacts alternative browsers

But if they don't want customers, they are free to turn them away. Shops may need my credit card number, they don't need me to run javascript. If they think that is necessary, there are other shops.

Millennials

Boiling like frogs.

Google Doesnt Care About Cripples

They dont even care about the optics of payouts to coverup serial sexual predators in their org. Fuck Goog.

And how do I get my Google account back?

Google locked me out of my account, and won't let me back in. I have the password.

Google keeps asking me for my frequent flyer number, which I never provided to them.

I did provide Google with my phone number a while back, but there doesn't seem to be a way to get Google to call me to verify.

Google accounts are worth what you pay for them...

Re:And how do I get my Google account back?

[tepples]

This reply (Google Product Forums requires JavaScript) implies that Google locks an account in this manner if someone might have compromised it.

Re:And how do I get my Google account back?

In my case Google accepts my password, but it doesn't recognize my device so it won't let me in unless I go through extra hoops to prove ownership.

I want my password to always be sufficient, even if I'm abroad on a different device. What alternative webmail do you guys recommend?

Re: And how do I get my Google account back?

If you get in, you can turn off the advanced security checks (mandatory for imap).

Re:And how do I get my Google account back?

Thanks, I'll give it a try.

Re: And how do I get my Google account back?

Confirmed by this stack exchange thread. I will give it a try, thanks.

Re:And how do I get my Google account back?

Similar thing for me but it's the Yahoo. I never gave them my phone number so I can't get it back. I did make the mistake of providing a dummy "backup e-mail" like a@a.a. I could have put a real one but they didn't let me remove the fake I'd given.

I might be cynical but...

This is a pretty transparent attempt to try to make surveillance easier for themselves under the guise of user security

They need javascript for ads

They need javascript to show you even more annoying ads

In other news...

Google silently starts using their new bot that has hardware accelerated javascript engine.

They aren't doing this for security, they are doing it so they can better track you and to try to make it more difficult for their competition by making a quick change that is tough to immediately adjust for, but that they have probably been working on for months.

"Mother Effing Tool Confuser" by Karl Groves

[tepples]

Last I checked, screen-reading tools support major web browsers, which in turn run JavaScript. There are even versions of elinks and w3m that run JavaScript. Karl Groves created "Mother Effing Tool Confuser", a webpage where a script adds sufficient accessibility markup, to demonstrate this fact.

Re:"Mother Effing Tool Confuser" by Karl Groves

[freeze128]

I wonder how screen reading tools deal with "punch the monkey" type ads.

Re:"Mother Effing Tool Confuser" by Karl Groves

Ads are almost always in iframes so if a page is being read top to bottom, the screen reader will announce the iframe to the user and most users won't go into the iframe because they know it probably contains an ad (iframes should have title attributes that tell you what's in the frame but few do).

Re:"Mother Effing Tool Confuser" by Karl Groves

[apoc.famine]

Screen reading tools identify the areas of the page and allow the user to select what areas they wish to have read to them. Something like "Page contains header, left menu, body, footer, etc." The user then uses hotkeys to select the part they want read to them. The different div sections get called based on the names they are given by the developer.

Re:"Mother Effing Tool Confuser" by Karl Groves

[apoc.famine]

And since it's apparently pre-coffee, images get the image text read. So punch the monkey would depend on what they called the image or div section of the page. "Section advertisement. Image title h23a4890hdoih34lk5.gif".

Then I will only log in from a sandbox

[gweihir]

And I will generally avoid logging in in the first place. Fortunately I need their poisoned "services" only very rarely.

Re:Then I will only log in from a sandbox

For the past 8-9 years I've been using ssh -X to login to Google with a 2nd user account, but now I'm considering using a VM.

p.s. Right now my gmail window has over 3000 blocked items in Adblock Plus.

Re:Then I will only log in from a sandbox

[gweihir]

Google offers ssh login with remote X11? Interesting. Not that I have any use for that, really, but interesting nonetheless.

Re:Then I will only log in from a sandbox

I assumed the technical audience here would understand that when I said "ssh -X to login to Google with a 2nd user account", I really meant "ssh -X to launch a browser process running as a 2nd user account on my local machine so I can login to Google."

Fwiw, I keep that browser process open 24/7 so I can check Gmail and use the calendar, and so I can send addresses to my phone, etc.

Re:Then I will only log in from a sandbox

[gweihir]

There is no way to deduce you meant that. I assumed you meant a 2nd Google account (for whatever purpose). But thanks for the clarification.

It's about tracking...

[QuietLagoon]

The reason is that Google uses JavaScript to run risk assessment checks on the users

Google is all about tracking people on the net. Anything google does is about tracking people. The reason google needs javascript to be enabled is so that the javascript can help track people. Enabling javascript does not increase security, it decreases security. Javascript is a huge attack surface.

Re:It's about tracking...

[110010001000]

That isn't true. They are just a bunch of altruistic guys that like to program stuff.

Re:It's about tracking...

Javascript is a huge attack surface.

When it comes to the modern web, Javascript is all but THE attack surface.

ActiveX used to be another big one, but we got rid of that.

In recent years, virtually every instance of "I went to this web site and now my computer is infected" has been due to javascript. And about 90% of the tracking, and about 100% of the annoyware like popping up boxes over the top of the pages content or disabling right clicks is due to javascript.

It's also what allows the majority (but not all) of panoptoclick style attacks.

Javascript is a cancer on the web. It has occasional, small uses, but its use should be minimized at all costs.

Re:It's about tracking...

[darkmeridian]

Google is requiring Javascript to log into their services. Almost by definition, the users who log in are going to be tracked with or without Javascript because they're, well, logging into Google. Requiring Javascript decreases security from the point of view of a browser being hacked. However, requiring Javascript increases security from the point of view of decreasing the risk of bots randomly trying to login using bruteforce.

Re:It's about tracking...

[cascadingstylesheet]

The reason is that Google uses JavaScript to run risk assessment checks on the users

Google is all about tracking people on the net. Anything google does is about tracking people. The reason google needs javascript to be enabled is so that the javascript can help track people. Enabling javascript does not increase security, it decreases security. Javascript is a huge attack surface.

Sure ... then again, if you are trying to log into Google, I'm pretty sure that they are already tracking that ...

Just sayin', if your goal is to not be tracked by Google, then logging into their services might not be the swiftest move.

Re:It's about tracking...

There's a difference between tracking tempaccount123@gmail.com and using your mouse movement and typing patterns to determine that is also whistleblower@witnessprotection.com

Re:It's about tracking...

[oh_my_080980980]

LMOL ok zippy.

Re:It's about tracking...

Brute force attacks are trivially blocked by an increasing timeout after X number of failed login attempts and a notification to the account owner about the failed logins. Try again.

Re:It's about tracking...

After that comment, you owe me a new keyboard.

That coffee is just not coming out.

The real men would let you

Bring back Damore and Rubin!

Color me dubious.

[hey!]

If client-side javascript is part of the security check, I don't see how that prevents a crook from forging an authentic-looking HTTP request.

Re:Color me dubious.

[Rockoon]

Googles new client-side authentication model shall not be questioned

Re:Color me dubious.

[oh_my_080980980]

THANK YOU!

Re:Color me dubious.

[Forever+Wondering]

You are absolutely correct.

The hacker controlled/malicious browser simply morphs the incoming JS as it comes off the wire (e.g. a filter on the socket data) to do whatever is necessary to bypass any real security check and return the "I am safe" result.

It could (e.g.) simply reverse the sense of:

if (bad_security_here()) ...

Into:

if (! bad_security_here()) ...

Or, do whatever else is necessary to nullify the security check.

Client side security checks are largely meaningless! If you control the browser, you can hack it any way you want, and you control what the JS does/can do.

A native app might be harder to morph, but, ultimately, the same technique can be applied [by patching binary bytes] to nullify the security checks.

They are only useful as a "health checkup" for a legitimate user's browser. But, Google's stated goal was:

The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected.

As I mentioned above, [real] crooks can easily get around this, so this is faux security at best.

At worst [as others have mentioned], foisting Javascript on users that do not want it, opens a gigantic Pandora's box of security holes for other sites that might download malicious javascript code.

I've moved away from Chrome

And onto Firefox. I only use chrome now to use the google products (docs, gmail, etc). I dunno if that's any better, but I figured it would be the next best thing besides just dropping down to links.

I would have to create an account to be affected.

Don't use Google. Google uses you. You don't need Google. Google needs you.

Wait, what?

> The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected.

Hahahaha..... enable arbitrary code to increase security... and it JUST SO HAPPENS this also forces people to enable Google's shitty tracking tech, doesn't it? Oh, and the automatic sign in that's forcing tracking people that's a big point of contention right now has nothing to do with this.

Yeah, no. Google, people have figured out they don't want ads. Deal with it.

Client-side security?

[mcvos]

You'd think Google would know that code running on your attacker's computer is inherently insecure. I admit it won't be easy to effectively subvert the javascript that Google wants to execute in your browser, but it's not impossible. I don't see this stopping a determined and knowledgeable attacker.

Thanks Google

Thanks Google! Each press release you provide makes it one step easier for me to stop using your services.

NO: It's about ADS!

No javascript, NO ADS! I found this out last week. And I am loving every minute of it. Have you tried it? Try it. You will love every minute of it. I guarantee it or my name isn't.... oh, you almost tricked me there but I am too fast for you.

DUH!

[freeze128]

Since google's services like gmail, maps, and docs all REQUIRE javascript anyway, you will need to allow javascript in order for those to even work. If you're logging into another service using your google account, then that's where things become sketchy. Of course you can just allow the google domains required for the login using something like noscript or uMatrix.

I just logged into gmail, and didn't allow gstatic.com and googleusercontent.com and it allowed me to log in. Of course, without gstatic, I couldn't log out. :)

Re:DUH!

Don't worry, even with gstatic you didn't really log out. That type of link is just for show.

Once you log back in, all the data stored from your 'offline' session is linked to your account.

Re:DUH!

I just logged into gmail, and didn't allow gstatic.com and googleusercontent.com and it allowed me to log in. Of course, without gstatic, I couldn't log out. :)

There's a "sign out" link in the top right corner (https://mail.google.com/mail/logout?hl=en).

Aside from occasionally spewing "security" garbage when you try to log in, Gmail hasn't required JavaScript for many years. Of course, for all I know, it may work differently for different people.

Web security is weird...

[Junta]

The reality is that the web began with a certain concept of the domain of a user agent and how sites interconnect and could be merged into one. One web page could freely POST to another domain and that was the security paradigm.

The problem turned out that even as a site 'trusst' the user to be authentic, that user may be under attack by other windows in the same browser, or not even visiting *your* site but a third site is using your cookies to induce the client to do undesirable things. It's not that you don't trust the client, it's that you need to protect the legitimate user of the client from attackers.

Javascript stumbled upon having a more appropriate domain to operate in, and so has become a big player in things like CSRF protection and other such security measures. Yes there are non-javascript ways of CSRF protection, but the javascript strategies for CSRF demonstrate why 'client side' security has a role in the web context when it normally is nonsense.

Of course, a lot of web security practices are obviously more duct taping together accidental behaviors that happen to break in undesirable situations, so there's a lot of ugliness in that realm in general.

Re:Web security is weird...

you need to protect the legitimate user of the client from attackers

But that's the job of the browser and OS, not of the webpage.

Re:Web security is weird...

[Junta]

The problem is that the web security domain is insecure as a matter of design in various ways. For the browser to protect the user without some help from the site operators, it would have to redefine what is and is not allowed for linking/form submissions. Even then it would have to totally break the way the web works, for example a site operator making a monstrosity of 'GET /delete/all/my/data' would succumb to the most trivial 'a' tag from a random site. There is a baseline of stuff the site operators must do to protect users while consuming their services.

It just so happens that the javascript runtime domain is scoped locally enough to do some useful things in a manner that can't 'bleed' into other contexts in the way other web content can. There are mechanisms (like form POST requiring an INPUT that was server side generated in a previous GET), but they are more specific/limited and generally produce additional server load to protect against things the client is in a position to protect against. This is not a matter that moves security from server to client (both cases requires client cooperating, e.g. an otherwise authenticated legitimate user running browser software they trust).

I never sign in so I guess it's Ok

I use Chrome but I never sign into anything Google. Javascript is a security problem or so I was told for years. Is this really about security Google? I have to wonder.

And soon thw whole internet

[Actually,+I+do+RTFA]

First it's "sign into Google accounts". But next it's "not get flagged as a bot by reCaptcha3" that they're rolling out (link to /. from a few days ago is an exercise for the reader). So it becomes "use 90% of the web.

It's pretty clearly on their path in the next year or two (maybe three, however long it takes for reCaptcha3 to roll out).

Re:And soon thw whole internet

[QuietLagoon]

First it's "sign into Google accounts". But next it's "not get flagged as a bot by reCaptcha3"

^^^ This. ^^^ . . . How long before google becomes the effective gatekeeper on the net? How long before you need to allow google to track you (via javascript) in order to log into a website you want to visit?

Re:And soon thw whole internet

How long before google becomes the effective gatekeeper on the net?

If my experience is anything to go by, I'd say about negative 3 years.

Re:And soon thw whole internet

Never. Your wants. Your problem.

I do not "wants" sufficiently to permit your depiction to come to pass (That is, the "wants" to be secure and avoid tracking is greater than the "wants" to log into a website -- not that I ever want to "log in" to a website anyway -- and any that require I do have to pass a REALLY REALLY SUPER HIGH bar in usefulness).

That you "wants" to play with Diddle Morph Flying Jackrabits sufficiently and thus overriding you "wants" to be secure and untracked is YOUR decision and your decision alone.

Do not assume that your priority levels apply to anyone else other than you.

Don't need to login to Google anyway

Hmm. The main thing I use Google for is searching. That doesn't require logging in. Then there's maps, but that doesn't require logging in either.

No, wait.. then there's ads. If I weren't using ad blockers, then failing to log in would mean that I wouldn't get the correct ads.

It's stupid and disappointing to make a website thta requires javascript (it always makes the developer look totally incompetent), but in this case, I can't think of a single reason to give a fuck, from the user's point of view. Gmail users probably care. Analytics users probably care. Me? Not so much.

Re: Don't need to login to Google anyway

YouTube is also a Google product. You're not logging into that either? You're brave or a total caveman.

Yeah sure, for "security"

Disabling java script is for security. Enabling it just opens more holes than anything they can possibly do with their risk assesment.
They just want to make sure people aren't escaping their tracking bullshit and ads.
Either way, mutt will most likely continue to work for the moment, so no big deal.

Dear Google...

[rnturn]

As a human being using a browser, I, too, disable Javascript for performance reasons.

Just keep adding more and more reasons for users to leave you. Eventually your user base will decline. You're already my second choice for a search engine and it's not difficult to transfer bookmarks to another browser.

Re:Dear Google...

[ledow]

99.5% of people have Javascript enabled in their browser.

The rest are almost certainly running selective blockers (i.e. block Javascript on particular sites), etc.

They aren't going to lose any significant number of everyday users at all. In fact, I'll be amazed if they see any significant user movement at all.

what the web look in 2018 without Javascript?

[JcMorin]

Not what the web look in 2018 without Javascript but I hope you enjoy your private and secure experience.

Re:what the web look in 2018 without Javascript?

[Chris+Mattern]

Not what the web look in 2018 without Javascript but I hope you enjoy your private and secure experience.

Care to try again in English?

sandbox

I do my google things in a google-specific-local-user-account in a virtual-machine

They've been doing this on GMail for years

Often the difference between "your device is not recognized, verify your identity to continue" and "welcome back, Dave" is javascript and referrers.

crooks ???

so people who disable javascript are now CROOKS?
no js means no trackers, no spyware, no coin mining ...

Better e-mail service.

[fish_in_the_c]

Does anyone have any suggestions about a better e-mail service that is mostly free ( or for low cost) where I don't have to deal with all this mess. It was fun while it was novel but I've about lost patients now.

I'm a little too lazy / busy to set up my own e-mail server in my own domain on my house network. Nothing secure about xfinity anyway. Oh well, living it a glass house is kinda cool I guess =)

Re:Better e-mail service.

[ledow]

Why don't you use GMail.... and access it via IMAP?

Or you can pay any domain host for a domain with email... they start are literally pence normally.

You don't / can't run email servers from home anyway (you'll be on SpamHaus policy blacklist because the ISP almost certainly list all their dynamic IP's there), you need an secure outside machine that's on 24/7 with a fixed IP and not listed as being a "home" connection via SpamHaus PBL/XBL etc. Don't even get me started on sending email, you need to be SPF'd up too, really, and a proper reverse DNS entry.

You can get a VPS for a pittance a month, and a ten minute tutorial on, say, Postfix will set it up for you and include forwarding / copying all email to something like GMail or any other provider if you ever need it in the future should something go wrong.

Personally I do the latter. And I can collect via GMail (via IMAP) or via my server direct (via IMAP), they both get copies of all emails. But if you're that worried, almost certainly whoever you hold domains with will have free email forwarding and free/pittance webmail access too if you want.

Re:Better e-mail service.

[eaglesrule]

Protonmail seems to be the popular choice. I use it, as well as their VPN service in a bundled deal. So far I've yet to uncover any news or evidence that the promise of privacy is just a marketing ploy.

Re:Better e-mail service.

It was fun while it was novel but I've about lost patients now.

Same. Losing patients every day here.

Re:Better e-mail service.

[Jetstream]

If you use their app or webmail interface, Protonmail is okay, as long as you don't need a large amount of storage. (I believe the free accounts are limited to 500 meg or something like that.) The main downside to Proton for me is that, because of the encryption feature, you can't use 3rd part email clients. My main email these days is with Zoho. They seem to be pretty reliable (other than a 1 day outage not long ago, which has been the exception). And they claim not to read your email. Believe that or not.

Applications vs. documents

[tepples]

I know, Booo Javascript sucks! However Javascript is better then Sliverlight, Flash, Active X, Java Applets, in terms of keeping the web platform open, while offering the features most people wanted.

Some Slashdot users would claim that web applications written in JavaScript are still inferior to native applications made with Qt or another multi-platform GUI framework and distributed to the public in the form of source code under a free software license. They see the web not as an application platform but as a platform for publishing documents.

Re:Applications vs. documents

> They see the web not as an application platform but as a platform for publishing documents.

Because it is. All your "app" bullshit is rickety garbage built on spit and bailing wire, and hacked into a document format. It's Adobe's PDF extensions, but a million times more tenuous and risky.

Re:Applications vs. documents

Some Slashdot users would claim that web applications written in JavaScript are still inferior to native applications made with Qt or another multi-platform GUI framework

In my entire life I've never been confronted by a situation where when presented with the possibility of doing a particular task with either a native app or a web app the web app wasn't a roughly 10,000 times shittier experience in every conceivable way.

Re: Applications vs. documents

[organgtool]

You make a very good point and at the same time millions of people buy apps on their iOS or Android devices when most of those are just glorified web apps.

JavaScript required?

Bye bye Google.

More of the evil

[rtkluttz]

Google just keeps on doing things to aggravate users who care about their privacy and security into doing things that cause them to sacrifice it. Google instant was one of the first things. Anyone who is a touch typist (doesn't have to look at the keyboard to type) likely despise the fact that the screen changes and lags as you type. No way to disable it permanently without logging in and confirming your identity. Another example is how hard it has gotten to use Google services without giving them your phone number and a way to tie the account to a real human. The whole goal of using web services for many is a way to have an anonymous identity. If you use project fi for your voice services, then there is no way to keep your phone and email separate. Even if you turn off 2 factor auth through your phone, it still requires it if you use Project Fi. This is just another case of Google disguising actions as security which reduce the level of privacy and security you have. They look at security/privacy as something they provide for you and what they say is best. They refuse to see that there are many of us who refuse to give up our privacy and security to someone else and that it is very likely Google and other corporations who we are trying to protect ourselves from.

Re:More of the evil

Anyone who uses Google "services" has no interest in privacy or security, and this is a given. Therefore the scenarios you describe are completely implausible as no one interested in privacy or security would use a Google instant or Project Fi (whatever the hell they are), nor any other Google Service that required compromising either security or privacy.

Re:It's about tracking... - a suggestion

I don't know if this helps, but at home to prevent any contamination between my normal browsing (no-cookies-allowed, no-js-allowed, no-anything-allowed) and my gmail acct (which needs cookies, and now it seems will need JS) is to have a separate login just for email (with username 'mail', unsurprisingly), where I have a palemoon instance which runs gmail AND NOTHING ELSE.
When I check my email I have to switch accounts. Tracking or any other info cannot leak between accounts.
It takes a few seconds to switch accounts and to switch back, its inconvenient but very worth it for me.
Just a suggestion instead of the endless bitching about how simply awful everything is.
(and yes, it's not a perfect solution, I'm not offering it as one. A possibly even better one is to have a gmail session running in a VM, so no need to switch accounts)

gmail is deathly slow lately...

I wonder if it's some sjw worker deliberately impacting performance out of protest for Google's rape bonuses and new censorship engine, or if it's just total incompetence by a diverse employee. Either way I've started moving off of Google shit. First switch off chrome when they put that stupid "hold cmd + q to quit" shit last month, and now gmail takes 30 seconds to a minute to login.

Google is firing us as customers

Google is firing us as customers. They aren't happy tracking us everywhere and having access to data we provide. They want more.

Live by the cloud, die by the cloud. If there was any question, google is heavy into "cloudy" stuff.

Microsoft did that when they forced "telemetry" and took away control for patching.

Amazon is going to be next, probably. Alexa and TV sticks are making them greedy for our data.

I've blocked most of google's domains for over a decade. Every once in a while, I have to fire up a container with a totally insecure browser to work with other people at other companies, but that happens less and less.

Never forget, live by the cloud, die by the cloud. Don't be surprised when your metadata is used against your wishes.

JS = quicksand

Their "Security" is to simply tax the bot so it's uneconomical to code logins en masse. Now you have to consume cycles running their crap. It works, but it's just crude.

Cloud = bad; self-host and stop making excuses

If you want privacy, freedom, and security you have to stop using products and services that will own you. Google is well known for tracking you and selling advertising. Same with Facebook. But don't think for a moment your Apple shit is safe. They're all a problem.

I make sure host my own social networking and communications tech from Mastodon to email to web hosting to 'cloud-like' calendaring software Nextcloud, to storage/file hosting, to smart phones to routers. The up-keep is a bit of work, but stuff worth doing isn't always the easiest. But it certainly worth doing. I have never had a Facebook account, Gmail, or an unfixed Android phone.

What's next? Everyone should use Chrome?

What's next, Google? Everyone needs to use your shitty browser to authenticate because of extra security?

I wonder how my iOS built in mail app can even authenticate with your super secure servers...

Too Slow

Gmail logins are much slower since they changed this. Bring the old one back.

Please bend over and expose your shiny butts..

Says Google. And the sheeple will comply. Even without the inducement of a wet bar of soap on the floor.

I will not comply.

Executables are platform specific

[tepples]

I've encountered one such situation, involving applications that happen not to be built on a multi-platform framework. Say a particular application is available as a macOS app or a web app. How is the web app "10,000 times shittier" than not being able to use the app at all because it's not made for your platform?

Or if you're a Mac user:
Say a particular application is available as a Windows app or a web app. How is the web app "10,000 times shittier" than not being able to use the app at all because it's not made for your platform?

Would you download and install an app for participating in Slashdot?

Re:Executables are platform specific

How is the web app "10,000 times shittier" than not being able to use the app at all

If there's no native app for it to begin with then clearly I never had the "possibility of doing a particular task" both ways in the first place.

Would you download and install an app for participating in Slashdot?

The zillions who use the facebook app instead of the browser interface might. Websites are designed for browsers and vice versa, and though you can improve the experience for a specific site with a native app quite easily, having an app for every site you ever use would be annoying, and of course writing a general-purpose app would just amount to writing a new web browser. In the same way, trying to shove all native applications onto the web basically amounts to reinventing the operating system inside a browser - a dramatically more confining ecosystem.

Inner platform

[tepples]

If there's no native app for it to begin with then clearly I never had the "possibility of doing a particular task" both ways in the first place.

In theory, you had the possibility of buying a second computer on which to run the application designed for that make of computer.

In the same way, trying to shove all native applications onto the web basically amounts to reinventing the operating system inside a browser - a dramatically more confining ecosystem.

You are correct that Java, Flash, Silverlight, and JavaScript with the HTML DOM all act as an inner platform. The "dramatically more confining ecosystem" exists for privilege separation reasons: the app player attempts to act as a sandbox. It also exists to isolate the application from operating system and instruction set dependencies, so that the application need not be remade for each underlying operating system and instruction set.

Gmail does NOT require JS

[dereference]

Since google's services like gmail, maps, and docs all REQUIRE javascript anyway

That's not true for one of these. Gmail works just fine without any Javascript at all. The pure HTML interface is arguably even better (and certainly faster for most activities) than the normal version. Try it for yourself. Logout completely, then disable all of your Javascript (not just selectively). You can readily login, work with your account, and log out with no problem at all. It's actually my preferred way to interact with the web interface, when I must use it.

All of those 0.01% with javascript disabled

[Tony+Isaac]

...are on slashdot!

what's in a name?

[cas2000]

This is called the "Run our spyware or fuck off" policy.