The Javascript Problem
Вставка
- Опубліковано 20 січ 2025
- In this video I discuss the javascript problem
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
Etherum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC
USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB
Subscribe to my UA-cam channel goo.gl/9U10Wz
and be sure to click that notification bell so you know when new videos are released.
Blame the browsers that give javascript so much power, not the language itself. Also all that 'undefined' behavior is clearly defined if you read a javascript book, it's just non-intuitive to programmers from other languages that expect certain things to happen.
I'm sure there should be a browser out there that limit JS.
If website require it , they would work bad then
@@giatu1 there are add-ons/extensions that block it, an example is NoScript
Correct me if I'm wrong, but the requests themselves hold the same info. Blaming JS for this is dumb, when the browser exposes the same info for JS to use.
Eh, I doubt most people actually even know the diff between main (browser) and renderer process, but whatever
JS is not minified automatically by browsers... It's minified in the build process of modern web apps, partially for security via obscurity, but also can use source maps for easier debugging
That was one of the main reasons I decided to forget javascript forever. The browsers must decompress all the assets as well as manage remote modules, instead of shifting this responsibility to scripters.
@@techtutorvideos nice answer, so many letters, but I'm too drank, forget english, sorry
Fun fact: there is a book called “JavaScript: The Good Parts”. There is no book called “PHP: The Good Parts”.
yes PHP dead :(
lol... with very good reason.
PHP is actually quite good nowadays especially with new 8 version
@@MB-up3mh oof
@@MB-up3mh 🤨
Web before modern JavaScript was even worse with Flash and Java Applets
Agreed. Though Javascript has revolutionized the way we build and design applications. And the level of platform compatibility facilitated by the web is mostly in part because of open source standards like ECMA script, HTML5, AND CSS3.
This is true.
Comparing it to the past isn't really the point and that is more of a logical fallacy tbh, just because we're not as bad as we were doesn't mean we're in a good place, and that doesn't address the fact that people still make abusive bloat and abuse of bloat.
Remember JVM? Pepperidge farm remembers.
Flash at least was Chad and people made amazing sites with it (I've seen sites with a futuristic Y2K vibe), I can think of 2advanced studios.
Give a look to webdesignmuseum.org
I think that in the past sites almost looked all the same: the same low quality HTML pages but at least you've got the informations you needed, the cooler ones used Java applets, Flash, Air, MS Silverlight (this sucked, too many plugins)
Today it's all CSS, HTML5 and JS (using a framework that has the average lifespan of a fruit mosquito), and the sites all look the same, with the same minimalistic boring style (probably made using Bootstrap).
".1+.2==.3 is false"
literally every programmer knows about why this doesn't work
It's a js meme now
* should
Yeah that's not js that float arithmetic. Every language does that even at the hardware level
And what is the logic behind this thing not working in your own words? Cause it looks like it focking sucks by design and should be changed.
@@ragnarlothbrok367 it's like this in every language that obeys IEEE 754. In other words, all non-meme languages. You don't like it, feel free to take it up with them. It's a consequence of the way these are represented in binary.
I took web development in school and basically all the fingerprinting you mentioned is done with PHP as well.
I don't really see why everyone sees that a website looks at your screen size and assume that it's spyware, nowadays you don't build separate websites for phones. You look at the device and change the layout automatically based on the size.
Some of the info is found on http headers yes, but others are only available on the client-side and thus require scripting to collect the data and send it to a server via a POST request
Usually fingerprinting is used to identify you to target you in ads and trackers
@M L How do you do that without media queries? Can you point me to a tutorial or documentation? Web dev here
@M L so apparently you can use css grid for some designs and it will resize by itself, but that's not nearly enough to replace media queries entirely
@@rogercruz1547 Such as what? You can't access any browser information other than resolution, DPI and mouse coords, etc. but those pieces of information are volatile, so can't be guaranteed for verifying a fingerprint.
Also, this would require the script to have access through cross origin from the original site. That said, this is not a result of JavaScript, but the browser/web APIs.
Apart from the small parts about javascripts quirky typesystem (which can be eliminated by using a linter or typescript), this is a critique of the Web Plattform as a whole and not javascript.
It would be the same as saying c or c++ is bad because windows is written in it.
Image a program that had some piece of text information on it, and a user perhaps clicked on that piece of text...
That user now got malware, because of security issues like the ones found in the past.
That program is a web browser with javascript connected to the internet, btw.
Why should I let random code run on my computer?
@@Guztav1337 Because no functionality outside of displaying a static page of text is available to you if you don't. Every web page is made up of code. Where's your line that determines what is "random code?" Besides that, please refer to the comment you replied to. This issue is not exclusive or specific to JavaScript as a language, but rather to the web platform as a whole. Every web developer could drop JavaScript tomorrow and replace it with a different scripting language and the problems wouldn't go away.
More generally, everything your computer has ever done is "random code" if you haven't personally written or audited it. Running "random code" is just about everything you've ever done on a computer.
@@Guztav1337 A webpage is a little program you run in a sandbox called web browser. The web browser is just an OS and the webpages are aplications that you download each time you want to use them and then delete.
If you don't trust a website, don't access it as simple as that, the same way if you don't trust an exe, you don't execute it.
@@diablo.the.cheater Exactly
@@Guztav1337 with that mindset you better go ahead and audit the entire Linux kernel by hand, then build your own Linux OS from scratch, and only ever run FOSS that you thoroughly audited. Use a CLI web browser without JS or CSS support, basically just read the HTML directly.
Then you'll be good.
Lmao
please stop making fun of windows or im going to tell my mom
MOOOOMMMMM! HE'S MAKING FUN OF WINDOWS AGAIN!!
@@yeppiidev he said in the video about downloading software from browsers
Does new Apple car has Windows
please don't tell your mom or im gonna tell my mom
Linux is gay
Most of what you said isn't a real problem because:
- The headers which are sent from the browser aren't reliable because they can be tampered, therefore they should never be trusted
- The JS files being minified saves network bandwidth when the client device is caching them, so you're basically saving resources. I will even go further and say: at the time of writing this comment, jquery v3.5.1 unminified version size is exactly 287630 bytes, while the minified version size is exactly 89476 bytes, so it can be safely said that there's nearly 70% saving in bandwidth used to transfer the library. If you look at react v17.0.1, you will see that unminified (development) version size is exactly 111030 bytes, while the production version is 11440 bytes and there's 90% saving in the bandwidth used in the transfer. Why would i send the development version of any library to the user ?, does he even care about the readability of the source code ?
- At 4:20, having JS returning "number" for the expression (typeof NaN) isn't strange, because after all NaN is just a number that cannot be represented, so NaN is a numeric type (see en.wikipedia.org/wiki/NaN)
- 9999999999999999 == 10000000000000000 is true because of rounding error. JS number system implements the IEEE 754 double-precision floating point standard, the standard states that:
-- There's 1 bit for sign
-- There are 11 bits for exponential part
-- There are 52 bits for decimal part
Now when you use a number which size exceeds 53 bits, then it gets rounded down to 2^53, so when you're comparing 9999999999999999 == 10000000000000000 JS rounds both sides down to 2^53 = 9007199254740992, so you're basically comparing 9007199254740992 == 9007199254740992 which of course evaluates to true (see en.wikipedia.org/wiki/Double-precision_floating-point_format and developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger)
@M L yeah mental outlaw is acting like some kinda schizo ngl, most of the things he is saying aren't real problems and javascript knowing your screen size, browser version and os is well known thing.
Can you differenciate between minified jquery and minified jquery with malicious code embedded?
@@Merssedes No, but if i included jQuery from a trusted CDN what are the possibilities of having a malicious code ?
@@EyadMohammedOsama Main word here "i". Because if you're not one creating site or application, it can contain self-hosted copy. It even can be merged with some other modules/frameworks in single js file.
@@Merssedes Now i see your point
Javascript is nice when used in moderation
Drugs and alcohol too, but they do harm people too.
Code responsibly
Playing Minecraft too :v ok no wrong java engine
But the bloated crap is still the base of that modernisation. It only makes you feel modern instead of actually being modern.
@@junsongyang6237 Most of the bloat you encounter in site are mostly due to bad coding practices, unoptimized bundles, and too many ads. JS is neither good or evil, it's just a tool. Keep in mind any language can be used to create malware, JS just gets all the heat because it pretty much dominates the web in terms of front-end development.
JavaScript != Browser features/APIs
exactly
its incredible how many people confuse the two
He's misinformed
JavaScript is indeed not the villain, the modern browser is. Nor is JS somehow magically fault tolerant. Once there is a “Undefined is not an object”, the code won’t be doing anything any more - although the browser won’t crash, of course. Nor is JS particularly easy. It is not exactly Python, or some other high-level language that actually make sense.
!== **
4:05 it's not really an undefined behavior. Undefined behavior is when the specs of a language don't define what to do in a certain situation. Then it's up to e.g. a compiler (implementation of a language) to decide what to do. Which means that the code can run differently, depending on which compiler you used.
These memes show a defined behavior. The thing is, that it's very weirdly defined.
JS is a language with many quirks. It's good to know about them, but modern JS devs prefer to use modern JS, e.g. they use let and const over var, arrow functions instead of the old ones.
Going that way eliminates most of the 'JS is being weird' kind of errors
One sane person, not bashing JS. If you know what you're doing JS is a powerful tool, and you can write terse code with it. And yes it's weakly typed (but that's why we have TypeScript), and has absolutely bonkers specification in places (like the interpreter/JIT is handling semicolons, or the lack of it). And Java and PHP has many quirks and weird behaviour too (Java streams, functional PHP are so weird after using JS, Haskell, and Racket)
This. Also, ECMA script linters help a ton with the "weird parts" of JS. All those examples can easily be avoided and usually only show up when you've designed the code wrong in the first place
web dev losers begone
Have you read the series of books You Don't Know Js Yet?
@@harshmudhar96 no, why?
4:18 Those behaviours may be “surprising” and “counterintuitive”, but they are not “undefined”. They are defined in the language spec.
Actually, a lot of the things in that list make perfect sense. For example, “NaN” may stand for “not a number”, but it is a valid floating-point value according to the IEEE-754 spec. Every modern computer implements floating point according to this spec, and every modern programming language likewise respects this behaviour in its floating-point type.
Waw
Same thing for all of the type conversion. It's literally the best feature of js and you have to be some sort of idiot to actually make an honest attempt of understanding it and not succeed.
@@kibe2134 I disagree. Good languages fail fast. Devs had such a problem with these types of hidden bugs that people had to create typescript to prevent these kind of hidden bugs.
Great video 👍 but I don't completely agree. See any other language can be abused. If browsers used C, hackers and malware would still look for loop holes to inject malicious C. On the fingerprint the same would be so whichever language would be implemented would still be required to avail this. Most of these problems come from the web specifications not the language
Now C can be used in browsers (via wasm) and can access all the same information.
I was gonna comment this. How in the heck is this the language's fault? It's a tool. People and institutions can use it for good and for evil. As with all tools.
Yes, any Turing Complete Language will suffer vulnerabilities from malicious code injection in general. Javascript and of course C are no exceptions. I am not sure if web specifications are to blame compared to bad programming habits.
"If browsers used C"
I wouldnt want to live in that dystopian reality
@@joseaca1010 Too bad, it already exists.. webassembly
c/c++ is a huge problem! It lets windows exist, therefore it has serious flaws.
LMAO
@Nem Gam Boi what about assembly?
Big true
@@MESYETI 1% of the linux kernel is assembly
Image a program that had some piece of text information on it, and a user perhaps clicked on that piece of text...
That user now got malware, because of security issues like the ones found in the past.
That program is a web browser with javascript connected to the internet, btw.
Why should I let random code run on my computer?
Kind of glossing over the main usage of JavaScript there: frontend UI rendering and API interactions.
When you use a framework like React, it does absolutely none of the bad stuff you're talking about. It is a very useful tool that allows you to target the browser in the same you target other platforms. Because you have these powerful UI libraries running in the browser, you can build your entire website as an API endpoint that speaks JSON or protobuf or whatever floats your boat.
This separates business logic from UI, greatly improves testability, makes automation trivial, makes supporting many platforms much easier, and it improves performance when done right (since you're not sending and rendering entire pages for every click).
Sure it can be used for malware, but so can C. All that privacy can just as easily be circumvented with a C binary that you run. In fact, it is way easier. You don't even need to find clever exploits, it's right there in the standard/os libs. The problem is that people are going to random websites without thinking, just like they were downloading random .exe files 20 years ago. There are just a whole lot more people using the internet now, with a lot more sensitive data on their devices, and many more devious entities willing to abuse it. Any capable programming language would've had the same issues simply because it is capable.
Exactly. Modern js with all tooling is great for developing web apps. People complaining about js exploits? When visitng shady websites disable js. Its not like exploits dont exist in ANY OTHER language. I could really see that www would be security hell if websites were written with i.e. c++ and manual memory management. I dont understand why he broughts up browser info is sent to website. You can easily spoof it. Shitting on javascript and feeling supperior without giving a vialable alternative? I have alternative for you: disable js if you hate it that badly.
running arbitrary code would be a exploit but when connecting to a ip address and agree to run their code, it's on you. That may be the default but most people just don't have to care.
Nah it's still shit. There's no excuse for using non-typed dynamic languages for larger projects than press a button and show an alert dialog.
Ahh yess the "let's make the language in 10 days challenge" outcome that we have to deal with now
The privacy problem of JavaScript is unrelated to its design as a programming language. Replace JavaScript with Haskell (or some language that you considered beautiful) and it would still be abused.
@@khai96x True, true, but his criticism is still valid. Javascript is an objectively shitty language.
@@Kodeb8 I dunno, ES 2020 is a pretty decent language. The real issue is that most devs don't use the newer functionality leaving most JS code stuck in 2007.
@@Kodeb8 Java people cry a lot
@@edartpakman There are fundamental issues with JS that can't be resolved without severe breaking changes. At which point what is the point in even calling it Ecma/Java-script? It can be decent for what it was meant for, java applet glue code, but nobody is using it for what it was designed for originally especially as java applets are dead. (Not saying anyone should be using java applets...) I am talking about the language design itself, not its implementation in browsers. Luckily WASM is now adopted in browsers.
The user-agent and IP address are part of the HTTP protocol. They have nothing to do with javascript.
Correct but some websites use "navigator.userAgent" to distinguish between browsers.
Yes. Completely weird to blame Javascript for transferring data about browser/OS in the user-agent and ip-address. Those data are sent to the server by the web browser as part of the HTTP request, regardless of Javascript.
@@pqsk Meaningless comment.
The HTTP headers belongs to the HTTP.
They are called Hyper Text Transfer Protocol Headers because they belong to the Hyper Text Transfer Protocol.
Your comment is ridiculous. You're talking about requests. I'm talking about the HTTP - the standard that web server requests should adhere to. Check out the official specification of the HTTP.
tools.ietf.org/html/rfc2616
There you'll find everything specified in the protocol. Obviously, any form of digital protocol (like multimedia/compression-protocols) will include both mandatory parts and non-mandatory parts. It's like grammar. Just because pronouns aren't mandatory in each and every spoken sentence, it doesn't mean that they don't belong to grammar.
4:35 the language is actually pretty well defined and has well defined outcomes, but the issue is some of the type coercing is unexpected from the pov of new programmers. Also the behavior of loose equals and strict equals, is all well defined, and actually makes sense when you think about it. This is what you get without a strict type system.
type coercing should not exist, at all
Great, now you covered some of the problems. Would you like to provide suggestions for a solution?
Fingerprinting can be done without JS. Here are some examples:
user-agent, IP, window size, just to name a few.
If you don't want to be fingerprinted, let them, and rather blend in the huge crowd. Pretend to be a "normie" among the masses.
To become more anonymous, the crowd needs to be identical, not different.
If this is not for you, then stop using a computer and get outside (remember distance). Learn to enjoy life. It's good for you
As long as we rely on DNS tracking will be done - and DNSSEC or DNS over TLS won't help much... Search CNAME cloacking... It is brillantly evil... And nothing the average user can do about it...
Javascript is a language. All the things you are talking about are what the browser put in an object called window. None of the things you're worried about is embedded in the language. It's not the Javascript problem. It's the Browser Data Security problem. A browser could remove all the things JS could report on and the language would still run.
Yeah, just look at safari. They pick and choose what features they want to implement and sometimes ignore some due to privacy issues/etc.
@@Sergeeeek every browser does that. Google chrome and edge don't want to hurt their ads business so sometimes they leave abomination to run.
javascript (partially by design) just wants to work somehow, regardless of how you write the code. the fundamental problem with that is that beginners feel like they know what they're doing and their errors do not show up because js continuously tries to find a way around it. so it really requires you to know how everything "actually" works under the hood which is why you get so many shitty code out there. I'd argue if that makes javascript itself shitty though. You cannot get as shitty code as js in C for example it just wouldn't work at all. javascript just kinda has to be this way
NoScript for the sites that just use javascript for stupid shit, and all of my hate for the sites that actually require it
@Pedro Abreu Eh, this kind of information gathering is also present in any extension/browser that accepts user choice in what to allow/deny so I can't really escape it, and I would rather cover my ass but leave a small gap than having it exposed with a neon sign pointing to it
Hm
what sites don't require js?
@@pieterwillembotha6719 good ones
You do know that the UA-cam website requires JS
I work as a professional developer, and these days everything I do on the front end uses javascript. Angular and React use javascript to render all html through javascript defined components. It's quite handy. It lends itself to streamlined development, and these front end framework automate caching, among other things. Javascript is a part of modern development, I think what 'concerned citizens' need is a browser that disables invasive JS functionality.
It is completly unnecessary to render html with javascript.
@@SuperFranzs If you had a startup would you want to spend money rendering everything serverside or would rather let your users computers do the work for you? Also these client side js frontend libraries are arguably less vulnerable than serverside equivilents. Running additional rendering servers just gives another angle of attack.
@@SuperFranzs What do you think happens when you click "View 2 replies" ? Do you want to reload the whole video and possibly have to scroll all the way back down here every time you click that?
@@SuperFranzs you have no idea whatsoever what you’re talking about
side note: getting user operating system has nothing to do with javascript. your browser is sending an http header to the server called 'User-Agent' by default, and there is nothing you can do about it even with a browser extension that supposed to change it for you.
plus: redirecting to another site again has nothing to with javascript, you can still do the same stuff just by sending an http header as a response called "Location" or "Refresh"
what i'm trying to express is that javascript is not the main issue of 'privacy' you're still tracked anyway.
Okay, but even with JavaScript disabled, server-side languages can capture a ton of the client’s information through the HTTP request.
This is because Mental Outlaw doesn’t really know what he’s talking about. The browsers themselves send this information in each request. It can easily be seen and tested by running a web server, serving a blank html page, and outputting the request information and you’ll see all this information. Most importantly in the very first request before the page is ever loaded
This is true.
So many people here don't know what they're talking about... If you've tried to design ANY kind of interactive and/or animated content on HTML you will know that JavaScript is indispensable.
Privacy taken too far becomes paranoia.
I agree that tracking users and bloat are bad. However you're hammering too much on JavaScript instead of browser APIs and here's why i think that:
• the memes you showed have nothing to do with undefined behaviour, equality is fully defined
• the web wouldn't be nearly the same without JavaScript, since webpages would not be dynamic otherwise. Imagine all the bandwidth we'd have to spend on sending POST and HTML over and over again just to get something done.
• thanks to projects like Babel and TypeScript, JavaScript development has become much more stable, modern, and less painful
• if you want to get something out on the internet, JavaScript has you fully covered. Desktop, mobile, web... learn once, serve everyone, everywhere. This is very good for fast development.
• if you are making an app that would work well both in the browser and on desktop, the browser is the first choice since people would otherwise have to trust the binaries that you make. They also don't need to download or run anything, lowering the threshold of trying out your site, app or product.
• yes, bundled ("uglified") code is less readable, but so is HTML and CSS. Most browsers actually support formatting the code in the dev view, which allows a developer to read the code much easier than they could when trying to decombile a binary. And if you're making the argument that ASM and debundled JS are the same level of cryptic, then it's kind of the same view point as from a non-dev user that's visiting the site. The JS could be in very good written, unbundled, commented form and they would not understand it. Most users have no idea that "dev tools" in browsers even exist. This is a very, very weak point of yours IMO. Furthermore, whenever you visit a site, JavaScript isn't the only possibly proprietary code that gets executed. Have you considered backend code, like PHP or Node.js? None of their code is proprietary, you don't ever get to look at it (that's the idea of backend code and business logic). If you're that concerned about running "non-FOSS" JavaScript code, you must also be concerned about websites that don't use any JS at all. You wouldn't be able to visit any website that doesn't have it's full stack codebase published online or any website that isn't credible in their claim that they are actually running that public code in production.
All in all this videos sounds like a very 90's-boomer-HTML-CSS-only-days kind of view on the modern web.
If someone was serious about your points and would embrace them without being hypocritical, they would be basically unable to participate in the internet.
This diatribe has so many absurd issues with it, it's hard to know where to begin.
Javascript is ugly and weird sure: it does not have "undefined behavior"
Useragent and public IP are sent automatically by the browser for any http request: they have nothing to do with enabling javascript.
The vast majority of drive by download vulnerabilities historically exploit browser plugins and extensions, not javascript.
Minification is not obfuscation and in no way makes things "less secure"
Basically an entire nonsensical rant.
- u/EricMCornelius
Agreed.
Shhh, Let them seethe at the ultimate programming language
not all of that finguer printing is done with js :P in fact, any thing running php can get this information has well with the exeption of screen size.
PHP is server side...I’m not sure what you mean
dont talk about PHP its dead.
@@aperson1234-t8x most of the information he mentioned for fingerprinting is sent in the http headers which the server has access to
The man doesn't do enough research sometimes.
So the information is in the headers then? Not PHP? Any HTTP server software can see the headers. I still don’t know why we’re talking about PHP.
Most of this stuff isn't inherent to javascript at all. javascript is a bad language but the issues you're raising have nothing to do with javascript itself, but what people are doing with it
The problem is that Javascript not only allows, but enables and often requires you to do those things just to actually use it, it was poorly designed from the start because it wasn't intended to be a permanent solution, it should've been replaced before we conceptualized WASM. That's partly the browser providers' screwing the internet up again, and also the EMCA being made to be stupid.
@@Spartan322 WASM will not fix these problems either. Nor any other language for that matter. Because it's not a language problem, but a plateform problem (browsers) and a protocol problem (no commonly used communication protocol on the internet was designed with privacy built in, be it http, dns records are easily tricked to circumvent any privacy measure you may take)...
@@big-t2060 First off it is a language problem because the privacy and security concerns of the browser spawned as a result of the desire to build a dynamic web without contemplation of what type of exploits that would allow nor any capability to counteract those exploits. Without Javascript on the browser, the exploits to the system are nearly non-existent and you would have nearly no privacy concerns by daily use. WASM can correct a bit of it, but I never said it would fix this problem, I didn't even imply, I just said we should've replaced JS before WASM which you assumed I said something I never did.
This aside its clearly not a platform problem simply because pretty much every exploit being active on the client-side is Javascript specific. (there being very rare browser specific exploits anymore) And the protocol doesn't make a difference here since you could use the most secure protocol and still be exposed with Javascript. This is a Javscript problem before anything else. (also complaining about DNS "exploits" are stupid, your metric for what is relevant as an exploit is dumb, there is no such thing as perfect security nor privacy on the internet, good opsec behavior just calls it good enough, even in the most perfect developments you would never have this, that's called living in a fantasy)
The specific problems you brought up by the way are not relevant to the video, this video talks about exploits in relation to JS, nearly nothing in the video refers to things you can do outside JS, and even then it will commonly be with JS regardless.
Guys....look up user agents...
You don't need JavaScript to get most of the information his claiming that JavaScript is collecting. Besides...a web server will have your IP address if you connect to it.
@@hanro50 An IP address is trivial to hide and fake, if your argument for security resides on IP, you're just being dumb, user agents are developed out of the thinking that comes from Javascript, they did not originally exist, that type of information was not retrievable without a dynamic web, which started in integration with Javascript.
Minification and obfuscation aren't the same thing. Javascript files are minified for faster load times and chrome devtools has a prettier button.
the years i spent using NoScript, i can say it works but a lot of sites are being an ass by having about 80% of it broken if you don't enable at least half the sites it connects to...
So true. It is a nightmare when trying to get any schoolwork done.
@jshowa o don't get me wrong. noscript is great but it is the sites that are not, they are literally the reason noscript is hard to use AND a necessity. no one wants to install Linux on a throwaway machine inside another VM to just browse the normal internet... but Javascript is always used against the users so we have to fight back with tools like noscript or VMs since we never know what they will inject on your PC...
2:23 all of what you've described here besides the screen size is actively advertised by your browser or inherent to network comm (IP address) - fingerprint totally unrelated to javascript.
3:33 wow, imagine being unable to verify, that the binary executable you have downloaded, is safe to run by reading it with your eyes.
It’s not about javascript, it’s about browser api implementation which could be done for any language you could potentially use. Say we use Java instead of JavaScript browser decides what data is able being accessed through browser api. So, security wise JavaScript is not an issue here.
25 years of bloat & bioluminescence
heheh.. because it glows..
Stop using youtube its written in JavaScript.
I understood that reference🙋(I'm new to these stuffs)
@@joefraser855 So you are learning programming?
Then why you using UA-cam,It uses JavaScript
"It's the Windows users that generally tend to download stuff off the internet" ....where else would you download from? Should I be worried?
your terminal
chocolatey
What he means is that Linux distros tend to integrate package managers that will automatically get the software and all its dependencies from known and trusted sources, rather than random websites.
cmd using either winget or 3rd party package managers
Is winget really a package manager? github.com/microsoft/winget-cli/discussions/223
How was it before the JS? Webpages opened faster on my 100MHz pentium with 32MB of RAM then they open on my 6 core cpu and 16gigs of ram now
Come now sir you must be exaggerating a little lol.
@@grail9558 he probably isin’t
Actually there's this surprisingly common piece of malware related to JavaScript scripting and web development tools. It spreads mainly through anonymous forums and it fills your amazon sopping cart and wishlist with colorful socks and other feminine lingerie.
That's an XSS exploit. It may be a vulnerability in Amazon or the browser. It should be patched in less than a month
Privacy problems are more on the browsers than the language. But yeah, Javascript blows as a language too.
find another so crossplatform language
@@DimaNoizinfected Js is pretty good tho. It's fast, resilient and pretty easy to code in.
you can write perfectly fine javascript provided you arent a moron
One could sandbox browsers in VMs but it does only marginally help with privacy... Privacy problems are more a protocol problem (http was not intended to be private, there is even dns tracking now)...
@@MeAMoose I know ;) I'm more JS proponent here
As a developer, I see the concerns brought up about privacy and JS.
But he didn't mention almost any of the amazing benefits that JS brings to the web. Such as WebGL, cross platform services, single page applications, Ajax functionality, CSS expansions, etc.
Beyond the client side, I'd argue that JS has even greater potential on the backend.
Imagine a world where web services are written in C, we'd be 20 years behind where we are now
Javascript is just a programming language. Do not confuse it with browser features and API's. Javascript is just one piece of the modern web puzzle. Just because something can be used with mal-intent, doesn't mean we should ban those things entirely. There are bad people out there, always have been. Just use the internet with caution, dont click on suspicious links, use the tools at your disposal.
All of the fingerprinting you mentioned is available to the server via the headers sent by your browser. Has nothing to do with JavaScript.
That being said; you can do fingerprinting trough feature detection in JavaScript to augment that data.
the Javascript problem: soydevs
sigh
Yeah, Go back to flash and Java applets like real man
@ELTacoBanido real men lead women humbly and respectfully, and only use javascript where it suits best. soydevs use javascript even when it's the least efficient/effective/reasonable tool applied, but i really didn't expect you to know the difference, or how to love a woman.
@Bob Jones guess why? When you're going native, you're gonna need a couple of languages - Swift, Java (Android), Desktop Java (JVM), and you need to write 3 different codebases.
I programmed in Android framework, it wwas great, but I'm certainly to lazy to write 5 apps instead of one, reimplementing same things for different ecosystem. JS is also a reason Linux users can use corporate apps (MS Teams) at all. Also - why would you like to bloat your OS by native Teams? Just open website, run in sandbox. Native apps have higher priviliges
...with MacBooks. On Starbucks.
How criticize browsers while thinking you're criticize JS:
He literally had a section criticising weak typing and other features of JavaScript. Did you not watch the whole thing?
I will never understand why so many Linux users fear JavaScript
We don't fear it, we simply don't prefer it among a lot of other better choices
i don't disagree with you often but this time I'm more than certain that I do.
You are blaming the language for something that is part of common browser integration of the language.
You could blame webassembly the same way even though the root cause is browser vendors not providing proper opt-in permissions.
The problem is tracking and ads and how they use browser features for their gains.
The problem is not javascript.
you are effectively blaming a tool for being used with malicious intend it was clearly not designed for.
as a coder for the last 24 years I think that complaining about the "undefined behavior" of any given programing language or tool or even software is just ridiculous because is your freaking responsibility to know and understand the tools you have to use, sometimes you have no choice, and is so freaking simple to do.
one of the first things I learned is that C has different implementations (compiler) and some stuff is different across the different implementations, so when I learned Javascript I learned about that and about the weird behavior then I made shim and problem solved.
imagine being a hater toward an opensource programming language just because you're a php lover and don't want the new stuff to take over
The issue is not the tool but what peoples do with it. Thanks to JavaScript and it's backward compatibility is very cool.
Modern JavaScript (ES6+) has improved a lot. It’s like any other tool, there is a time and place to use it. Nothing is 100% secure.
I've been enjoyin this channel for a while and I was kind of shocked by this video to the point of asking myself if all other the other ones were as misleading and I didn't realized as i wasn't knowledgeable in those subjects
Alternative title: the JavaScript question
The JSQ.
Die Endlösung der KaffeeSkript-Frage
Another web developer here.
Javascript is not the problem. The new html5 APIs and backwards compatible crap is the source of vulnerabilities, and these are in the browser. There's nothing a web developer can do to protect a user from his own mallware ridden facebook machine or from the transmission protocol.
Disabling javascript will only disable some of a web app's methods to extract information or gain control of your resources, disabling browser features is actually what you want to do.
In addition to the browser vulnerabilities (most of which have legitimate use, and some of which are absolutely key to the modern functioning web beyond a static web page), there are protocol vulnerabilities. Most of the time, you can track, fingerprint and extract user data without using js at all - you just have to wait for the user to make a get/post request to the server (follow a link, click a button and so on). That's how html forms work.
Also, the examples are not "undefined behavior", they're not mistakes, and they are not examples of "sketchy or loose or weak typing", they are defined in the language spec and are (mostly) examples of type coercion where the operand types are insufficiently specified for the result to be useful. It doesn't help the argument that the typeof operator spits out illogical garbage most of the time, though, if you're programming in a way that needs typeof to work better: step away from the keyboard.
ANSI C has weak types (C doesn't care if those 16 bits is a number, a memory address, a pci buss message, a midi event, a string or an array or whatever you want to call it, it's just a bunch of bits). Javascript just has automatic type declaration and rules based type coercion, which is why it needs a strong data type engine and why it has type checking included.
Javascript is a function centric lisp language with reasonably useful types and a generally readable C-like syntax. It's not bad, or evil, it's not a language written in 10 days (it's 20-25? years old, and it has not ever stopped changing), it's just remarkably usable for genius, mediocre and crap programmers alike and it happens to live in the browser, bound by the browser APIs.
You should probably remove the coordinates that are visible in the video.
it points to a river
mental outlaw aquaman confirm?
@@twl148 😂
Is based on the public IP, even the city is 50% chance of being wrong :P
@@twl148 Lol xD 😆
They can be spoofed
how can you avoid using js when most modern sites are built using react & angular.. such as this one
I'm going to disagree with most people here and I'm going to express my opinion as a developer as well. Javascript isn't evil and saying that it was so much better before (Flash and Java applets) is just outright false. Javascript as a language is not spyware or malware! It's a language that adds interactivity to web apps, create single page applications, and since the inception of NodeJS can be used as servers and even cross-platform applications. Most of the bloat people encounter in sites is due to bad coding practices and too much ads. Like any tool, JS is neither inherently good or evil. It's the person that uses it that determines its "morality". Please remember that ANY programming language can be used to create malware and spyware. I understand why people are wary, I am too. People who work in our field are constantly reminded to secure our applications from bad Javascript as much as possible but demonizing the language isn't right.
Couldn't have put it better myself! Great comment!
You said it yourself "adds interactivity to web apps" and thats fine, but javascript has become more than this and thats the biggest problem, it's more than a html prettyfier and showing modals, It was become this big mess, works on everything, but extremely badly.
The whole language is almost never used, since a lot of people only learn the frameworks that totaly change the way you work with it, for example react, jquery, angular. It is also states as a functional language, but has small percentage of OOP elements, it has new keyword, but no inheritance (why?).
Why do you think SQL, java and c# still exist, they do one thing and they do it well. It's a scripting language, it should be used to have cool effects on the html page, but nothing more. Plus is just like flash, there are constants updates by the browser that break stuff.
@@user-dc9zo7ek5j Javascript being bad for becoming more that it was intended is something I have to disagree. That's just how technology works, it advances. JS is incredibly powerful and useful if used correctly but that really goes for any programming language. Javascript does not perform "extremely badly", it really just depends on how and where you use it. If you're using JS for Electron apps then yes, it performs poorly compared to native apps but that's the trade off for cross-platform applications.
Your second paragraph mostly just steems from your dislike of the language and that's fine. Everyone has their own preferences but the statement about the whole language not being used boggles me. It's true that you don't get to use every feature of the language but that's true for other languages as well. You mostly use the common ones anyway unless you're making a complicated project or want to go deeper.
I don't get why your compare sql (a query language for databases), Java (also cross-platform), and C# to JS. They have different specializations. Even Microsoft is pushing C# and .NET into web development space with Blazor. My point is that languages advance and you can't stop that and the unnecessary hate that JS is getting is just due to it being used in the web which is used by billions of people and ends of attracting more bad people too. The thing we can do as users is to be more mindful in how we use the web and as developers, to make sure our apps are safe to use without sacrificing the user experience.
@@mcvgs1780 In general, script languages are always going to perform badly to compiled ones and I get that. For html it's not a problem since everything can be async and defer'ed but for apps that are heavy loaded to use js is just stupid. Take a look at the new facebook and the slow, half working features with its state of the art "react" framework, do you think that big of a company is incompetent to make an app ?
The problem with JS it's so forgiving and it enforces bad practices. TypeScript exists, and also a quadrillion other frameworks that sit on top of js, masking a bad language. "It's true that you don't get to use every feature of the language", if you use a framework you're not, they're shifting everything in totaly different directions, while other languages atleast are ground to the normal synthax.
"I don't get why your compare sql (a query language for databases), Java (also cross-platform), and C# to JS." I wanted to show you that you need to use the right tool for the job, and javascript is used like a swiss knife to build buildings, not impossible but impractical.
This. This should be the pinned comment.
most of your security concern are browser api thing. javascript is merely a language.
it's what those browsers allow you to do and have access to. given that nowadays native apps have those access in order of magnitude more
As much as I hate JavaScript as a language, a lot of this information is not accurate or more of a web browser problem than a JavaScript problem
After ES6, JS is pretty good. People making those memes aren't familiar with the inner workings of JS or they still use old ES4/5 syntax.
I'm an expert JavaScript programmer, and what he is saying is complete bullsh*t.
Just use incognito mode.
“A teacher wouldn’t say school is bad because he works in it.”
Fun fact: the user agent is sent to the web server as an http header (unless your browser removes it) and webrtc works because of insecure NAT (in a secure setup, rtc has to use a TURN (relay) server which slows down the connection
"javascript", while in reality you're talking about browser APIs and browsers allowing for security holes/abuses.
And the argument about "I don't want to run non-free software": aren't you "running" (you're literally invoking a remote procedure) the server side code as well? how's that non-proprietary?
Also good luck finding any non early-2000s website working with JS disabled, might as well opt out of browsing the web entirely.
Around 2:05 you say in the video that it’s mostly Windows users that download their software from the internet. Actually almost everybody downloads their software from the internet nowadays not just windows users.
8:04 If you are wondering what “LibreJS” is: www.gnu.org/software/librejs/index.html
As a webdev for almost a decade, I disagree that most of the issues mentioned are caused by javascript. It's mainly the browser API that is getting more and more intrussive at its core.
JavaScript is the knife that the web was stabbed with before it died.
Now that's just too dramatic
@@enzoqueijao WANT A FUCKING AD IN YO FACE?
Removing whitespace and comments is called minification, and it is conventionally used to make webpages load faster due to lower file sizes. there are also javascript prettifiers for those who want to inspect minified javascript code
Javascript really have a lot of problems and is used in excess, but most of the problems are the browsers that let JS run with no restrictions
7:36 But part of the terms of service for these sites to run code on my machine is that I get to inspect and reverse-engineer the code, and possibly hack it as well. If they don’t like that, they are free not to run code on my machine.
"windows users are the ones downloading their software off the internet". Pardon my ignorance, but where is everyone else getting their software? Cereal boxes?
using the terminal
What modern sites would even work if you blocked js?
lukesmith.xyz
stallman.org
The programming language is fine, *not* the companies.
No, it's horrible.
It's loosely typed, meaning that many errors that should be caught by the compiler simply aren't, making programming in it a real pain.
It's designed in such a way that the programmer oftentimes doesn't really get to choose what data structures his code uses (as that is being determined by the back-end, which doesn't always make the best decisions), which leads to poorly optimized code as the programmer simply doesn't even know how his own code works under the hood.
It's also single-threaded, which in today's day and age, where we are reaching the limits of single-threaded performance and are therefore moving towards multi-core systems, is simply unacceptable.
JS was designed to do very simple things, like checking if username/password fields are empty and maybe showing a message to the user if they are, but now that we are using it to build increasingly advanced software (and for some reason, even desktop applications (God knows why)), it simply doesn't keep up.
@@ThePC007 interesting, can you provide some youtube vids or articles out there so i may learn more about your view point?
@@ThePC007 its a fine language, since types are handled similarly to java, theres just no fixed variable types
@@premier69 Uh, I don't think anything that I wrote about is really in-depth enough to really write an article about but to give a more detailed view of my points:
1. JS is loosely typed. That means that a variable doesn't have a type associated with it and can hold values of all possible types (integers, floats, strings, objects, you name it). This makes it very easy to assign a wrong value to a type (especially when refactoring already existing code) and your compiler won't notice. Errors that are not caught by the compiler will need to be found through actually running the code and debugging it, which is very time-consuming. Additionally, variable types also offer more information for the programmer and therefore make the code easier to read, especially when dealing with code written by other people (or by yourself several months ago).
2. It's been a while since I programmed in JS, but I've heard of a case where somebody has used a map or an array that was used to represent line numbers (meaning it started from index 1). Merely inserting an arbitrary value into the 0-index made the code run 15 times faster, because the underlying engine turned it into an array (while it was some kind of map before). This kind of stuff makes it difficult to reason about the performance of your code.
3. Well, JS is single-threaded. You can't really make it run on more than one thread, meaning you can't use more than one CPU core at a time. There really isn't much to say here.
4. Another performance-related point I'd like to make is how JS makes it very hard to create a proper memory structure. Computer programs generally have a heap and a stack. The stack is where your local variables and function calls go. Since it's constantly being used, the processor places it into the memory cache, thus making it very fast to access. However, objects (I'm using objects in the sense of pieces of data, not in the Object-Oriented sense here) placed on the stack can not grow in size and can also not live past the time where their variable goes out of scope. This means that if you need a data structure that has a dynamic size or you'd like to create an object that still exists after the function has exited, you need to place those on the heap. However, since the heap is large and can have objects placed all over the place, accessing it can be slow. If you need to place your objects on the heap but still want to be able to access them very quickly, you can do so by using arrays of structs, which make sure that the objects are very close to each other and are therefore being cached efficiently.
That brings us to JS. It forces you to place all your objects (safe for primitive types) onto the heap and it doesn't have structs. There may be ways to try and force the underlying engine to try and place your objects close to each other, but things like this should be easy to do for a programmer and not rely on weird hacks. That said, many programming languages, including Dart and Java, suffer from the same problem.
I hope this answers some of your questions. :)
@@tudbut That makes it very much unlike Java, though.
This video undermines your cause.
Focusing on JavaScript makes it seem like it’s the languages fault for being bad, & not the browsers fault. As if all this would be fine if the web were using ANY other programming language.
do your own research folks, this guys java-script is hmmm
It's privacy is not the problem of JavaScript, but the problem of browser that runs JavaScript. Everything JS knows about, already sent in http request.
There are two problems, one with webrtc, and other is the library hell. Every modern website contains code from at least 40 JS libraries. If any of them will push an update with malicious code, a lot of sites and users will be in danger.
Man, I think I'm the only one who finds javascript very difficult to understand. You have to write so much syntax to achieve a small thing. It has so much syntax, too. I understand python, C and C++ much better than javascript. I don't know why.
Same thing here... It took me a long time before I could START to understand the asynchronous nature of this language. And to be honest, the more you learn it, the more you hate it. I used to hate Java before diving into JS, now whenever is possible I run to Typescript, so I can have a code which resembles Java (that makes a lot more sense than plain JS).
This is why it takes so many cycles to translate it into machine language. Cancer.
I can relate to that. The thing that confused me the most was the fact that yhere are so many ways to do the same thing. The new, old and sometimes even the archaic way.
You can use .then or async, await, sometimes you can use Array.from or just use the spread operator.
Also, there are so many variations of the arrow function:
you can omit the parenthesis if there only one argument, you can omit return if the function is a one-liner. You can even omit curly braces, but if you want to return an object you have to wrap it in parenthesis
It took me a while to wrap my head around all of it
@@zevenancio Problem is that u are a slave of java, java is a seriously shitty language. The man who made the video hating javascript is also dumb because it's not the problem of js but if it was any other language then also things will be the same as they are. Since you love and want to understand java only so u use typescript to just get the things done. Typescript is as spooky as js. I think u know how method overloading of typescript is much messier than java. I prefer javascript because it doesn't force u to do everything oops, but go functional programming route, factory functions and different design patterns that are not class based. For me, those who haven't done any functional programming love java because they are just blind slaves of Oracle.
@MartialVidz It's C that is much better than C++ because it C++ also gives u many utilities but C helps to understand what is really going under the hood. Personally for me javascript is one of the most interesting languages. Reason is that I don't want every language to follow oops blindly just to make it similar like java. I can write java but java isn't a perfect language.
this isn’t really a fault of the language though its a fault of the browser allowing access to this information
I mean... isn't JavaScript in a sense always open source?
Trust me I'd rather have JS then java and I'm a developer that primarily uses Java.
JS isn't used just in browsers. And in general, it's not used to fingerprint your device. That can be done server-side without any JS. Optimising the JS code is called minified JS and can be reversed into readable code again (using a "prettifier" or formatter). In general, js alone can't do much in a browser. Fingerprinting and all that requires server-side code and browser js is completely unnecessary for it. And the undefined behaviour... it's not undefined. It makes perfect sense if you're experienced (I am a senior full stack software engineer).
I love this channel and agree with most of the stuff, but here you're almost entirely incorrect. All of these exploits you mentioned I have not heard of before. Bypassing tor I can almost for certain say is impossible with JS (unless perhaps over a decade ago when security was mostly non-existent). Browser JS does not know your IP. It cannot read your local system information (except what the browser provides, which is very, very limited). To find a user's I with JS, you need to make a request to a server that returns it back. This request is made over the Internet the same way as all other requests in your browser (e.g. loading documents and images). The VPN extension bypass I cannot deny as it could be possible, but it seems very unlikely to me (without having done any research).
TDLR; if a company wants to be spooky, js is not a requirement. Js cannot bypass Tor. Js alone cannot fingerprint you and is not a requirement for tracking you. Modern websites that provide more than static read-only content may depend on JS and using JS async calls websites can work faster
none of these are issues with javascript
It's not JavaScript, but the Browser API that use JavaScript.
So parts of that API should be optional to activate or not, and I think it is in some browsers.
Pfff Javascript bashing is so 2016... Read a bit more and you won't hate that much
Minification is not the same as obfuscation. The first, you can easily revert, the other you have to really put in brain power.
A lot of browsers supports(Saw it in chromium(edge)) "beautify js code" function. You can make script readable in one click in "inspect element" section
fairly sure the user agent is reported to the web server, meaning you wouldn't need javascript to detect an OS.
Yep. Javascript can do a better, more accurate job though.
It is fine for backend, but pls dont use React or Angular just because
Just because they are used by soydevs?
@@fernandomota7193 that's just pure hate.
I don't like JavaScript either, but it's pretty impossible to have a "cool looking site" without it.
@@MrKristian252 CoffeeScript, ECMAscript& TypeScript
@@AcidiFy574
- ECMAScript is JavaScript, more specifically it's base standard.
- Coffee Script is translated into JavaScript
- Typescript is pleasant to use JavaScript with types and still is translated to pure JavaScript
One major issue here is that javascript is really the only scripting language used in most browsers, so it doesn't have many valid competitors, and is the most demanded programming language in the world right now. There are competitors, but they have issues. Dart is promising, but it compiles down to js, no browser really supports the Dart vm. Then there's web assembly, which hopefully can break the monopoly js has on the web
Another problem with it is that it's slow and inefficient
I made a program in JavaScript that writes a bunch of one string to a file
But later, I ported it to C#
Here's how long each time:
C#: Under a second
JS: at least 30 seconds
Edit: After some thinking, I made modified versions of the code (Modified to exclude any personal data) I used to do this test and I decided to release the the whole JS code and the compiled C#
Download: drive.google.com/drive/folders/1n1Bt9byo6G4OUCCHvruxFbpDKflCTJbj?usp=sharing
Edit 2: I also didn't time them and running the files I linked won't have the same results I had if you used the same hardware as c# is set to go to 2000000000 due to some testing I was doing and same with us except 1 more (2000000001)
Python is even slower than js, then also people use it
js is so goddamn bloated lmao
Apples and oranges
@@Onkoe For someone who uses C, even Java is bloated
@@anonymoususer5402 well the idea of Java is you compile it once and it runs almost everywhere; with C you have to compile for each Architecture (and OS)
Subbed, quality content, you deserve more subs.
1:28 Please, do not do feature/behaviour selection based on user agents! Use more functional tests instead!
4:10 mental outlaw my dude "setting equality" is not the term we use for what I am pretty sure is called a "conditional equality" - *in both C and javascript*
Everyone here commenting on the video... is using JavaScript.
It's not like you can use youtube at all without it so what's your point?
@@luimu My point is actually that I don't understand the point of the video. I don't understand what actionable thing is being suggested. Is he saying, "don't use JavaScript"?
@Richard Vaughn and it would be bloated even worse bc it would need to refresh the page in order to show a person their new comment successfully written in the page.
@@AkamiChannel The above mostly Java python people even don't know a shit about how js, spa has improved lives.
@@AkamiChannel he is saying JavaScript spy on you... and if only we used another language it wouldn't but he doesn't tell you JavaScript is just accessing what the browser API provides it....
Wait, that information is in the header of each request, I can get it with javascript python or bash I don't see the javascript problem here.
cringe video tbh, half the problems mentioned in the video are either not js' fault or just plain untrue
the remaining arguments are essentially "guns are bad because they enable war"
Yes, because a weapon only used by cowards is ok
What? Who use the user-agent string to decide what general content to serve?
Spooky bro... thats the perfect description.. add webrtc to everything else and you are done...
@yui78 chromium doesn't allow webrtc disable.. seriously???? Wtf.. nearly every browser installed can be pwned with Javascript
How can I, a normal user, know when to enable javascript and is there an extension that automatically detects and enable only the good js while keeping the bad or useless ones disabled?
Thats all defined behavior, none of the examples you showed gave results that would not have been expected
Especially true+true+true makes sense, though some of the others are painful to look at
The problem with JavaScript is instead fixing JavaScripts wonky issues, ECMAScript said to just use “use strict” and follow best practices to prevent bad JavaScript code which avoids the issues with the language.