Slashdot Mirror
Google Won't Let You Sign In If You Disabled JavaScript In Your Browser (zdnet.com)
An anonymous reader quotes a report from ZDNet: Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack. According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password. In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser. The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected. This change is likely to impact only a very small number of users -- around 0.01 percent according to Google's data -- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons. Google also plans to pull data from Google Play Protect and list all malicious apps that are still installed on a user's Android smartphone. Google's Jonathan Skelker says they will be notifying you "whenever you share any data from your Google Account," expanding on the notifications it sends when you've granted access to sensitive information, like Gmail data or your Google Contacts.
"Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account."
"Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account."
So Google says that only 1 in 10,000 of us have a Google account and disable Javascript?
I feel special.
ENABLE Javascript to increase security.
Now I've seen it all.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Exactly. This goes against everything webdevs were taught to do (DEGRADE GRACEFULLY) for the past 20 years.
This is a pretty transparent attempt to try to make surveillance easier for themselves under the guise of user security
Last I checked, screen-reading tools support major web browsers, which in turn run JavaScript. There are even versions of elinks and w3m that run JavaScript. Karl Groves created "Mother Effing Tool Confuser", a webpage where a script adds sufficient accessibility markup, to demonstrate this fact.
The reason is that Google uses JavaScript to run risk assessment checks on the users
Google is all about tracking people on the net. Anything google does is about tracking people. The reason google needs javascript to be enabled is so that the javascript can help track people. Enabling javascript does not increase security, it decreases security. Javascript is a huge attack surface.
Actually Google has been leading JavaScript adoption for over a decade.
Even back in the early 2000's web/web app developers were slow to use Javascript on their pages (Or limited to input validation). Mostly because they were afraid of people using old browsers that didn't support it. If you did a lot of stuff, you probably didn't get the customer, because you cannot reference an other popular site that needs Javascript.
Then with Googles Autocomplete feature and Google Maps, becoming a popular feature, it opened the door for the rest of us to apply Javascript,Ajax and DHTML to the pages.
I know, Booo Javascript sucks! However Javascript is better then Sliverlight, Flash, Active X, Java Applets, in terms of keeping the web platform open, while offering the features most people wanted.
Now Javascript has its issues... However it is used on all major browsers, and if coded well, it makes your pages load and run faster. (if not then we have the suckyness we think of wanting to block Javascript for)
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
If client-side javascript is part of the security check, I don't see how that prevents a crook from forging an authentic-looking HTTP request.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
> and if coded well,
IF
That's a mighty big if as websites pull in JS and images from a dozen different sites ...
My Very Large Defense company employer disables javascript via group policies.
Security reasons.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
So you just backed tracked on your own argument. Please just stop. You do not know what you are fucking talking about.
People block JavaScript for security reasons because of all the malicious stuff it can do. Google forcing you to enable JavaScript is fucking stupid. Hint, they can do what they want without enabling JavaScript. Google is looking for something else.
I know, Booo Javascript sucks! However Javascript is better then Sliverlight, Flash, Active X, Java Applets, in terms of keeping the web platform open, while offering the features most people wanted.
Some Slashdot users would claim that web applications written in JavaScript are still inferior to native applications made with Qt or another multi-platform GUI framework and distributed to the public in the form of source code under a free software license. They see the web not as an application platform but as a platform for publishing documents.