WingNews logo WingNews
top | item 9083895

(no title)

majika | 11 years ago

I use NoScript and Policeman on Firefox, with conservative settings (disallow all active content (scripts, fonts, WebGL), whitelist-only cross-site requests). I've also configured Firefox to block cookies by default; only permitted sites can store cookies for the session, and just a handful I allow permanent cookies.

Web pages load much quicker, Firefox uses less resources, my browsing is significantly more secure (see [1] for risk of loading arbitrary fonts), and I can browse the web without Google/Facebook/AdvertizingCorp (and thus the Five Eyes) building a profile of everything I do. It's a nice feeling.

This set up also blocks ads served from third parties, which I feel is an agreeable compromise on web advertising. If I send a request to your website, and you send me a document with embedded images stored on your website, I'll download them and view them alongside the page. However, if you try to tell me "go send 5 unsecure requests to each of these three companies you've never heard of, and execute their 20KB of code, to get flashing ads alongside this page" - I'll ignore you.

Sites loading resources from external domains (usually Google) is nothing new. I've been browsing this way for two years now, and I've developed a healthy level of contempt for 95% of web developers. The vast majority of them just don't care for their users; campaigning to get the developers to change their habits is a broken model. Ultimately, you have to take control, and decide for yourself what you want to run on your computer.

I don't know why more people don't browse this way; some actually ridicule this approach ("get with the times"). It boggles the mind.

[1]: https://hackademix.net/2010/03/24/why-noscript-blocks-web-fo...

discuss

order

MichaelGG|11 years ago

The real quote there being:

" It really worries me that the FreeType font library is now being made to accept untrusted content from the web.

The library probably wasn't written under the assumption that it would be fed much more than local fonts from trusted vendors who are already installing arbitrary executable on a computer, and it's already had a handful of vulnerabilities found in it shortly after it first saw use in Firefox.

It is a very large library that actually includes a virtual machine that has been rewritten from pascal to single-threaded non-reentrant C to reentrant C... The code is extremely hairy and hard to review, especially for the VM.

"

FreeType's news page http://www.freetype.org/index.html#news - has something very curious. Two fixes for the same CVE, but the second fix 9 months later. A look at the CVEs[1] for it is also interesting that they're all memory safety issues (at least, from a quick glance). So in 2014, it's still difficult to read fonts without exposing yourself to code execution vulnerabilities, eh? I'd imagine better languages would help here.

1: http://web.nvd.nist.gov/view/vuln/search-results?adv_search=...