Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
GNU is Not Unix Open Source The Internet

FSF Announces 'JShelter' Browser Privacy Extension to Block Fingerprinting, Tracking, and Malware (fsf.org) 40

This week the Free Software Foundation (FSF) announced JShelter, "an anti-malware Web browser extension to mitigate potential threats from JavaScript, including fingerprinting, tracking, and data collection."

The browser add-on — supported by NLnet Foundation's Next Generation Internet (NGI) Zero Privacy & Trust Enhancing Technologies fund — is currently "in development and the first release is available." This browser add-on will limit the potential for JavaScript programs to do harmful actions by restricting default behavior and adding a layer of control... Accessing cookies, performing fingerprinting to track users across multiple sites, revealing the local network address, or capturing the user's input before they submit a form are some examples of JavaScript's capabilities that can be used in harmful ways. JShelter adds a safety layer that allows the user to choose if a certain action should be forbidden on a site, or if it should be allowed with restrictions, such as reducing the accuracy of geolocation to the city area. This layer can also aid as a countermeasure against attacks targeting the browser, operating system, or hardware levels... [The extension] will ask — globally or per site — if specific native functions provided by the JavaScript engine and the Document Object Model (DOM) are allowed by the user. It will also link to an explanatory page for each function, to raise awareness of related threats. Depending on the function being addressed, the user will have the option to allow it, block it, or have it return a custom value...

"Our browsers have become perhaps the most critical of tools we depend on, and yet the browser environment is far from healthy," says Michiel Leenaars, director of strategy at NLnet Foundation and coordinator of NGI Zero. "Dominant corporate behavior from a small amount of actors has been aggressively reshaping the evolution of the Web, and that is starting to wreak havoc. Despite an enormous systemic dependency, we as users have very little control over what browsers allow and share — leading to significant risk as the most powerful tools in the shed are essentially left unprotected for every casual Web site to abuse. JShelter is a great initiative to help empower us all, to help us gain better understanding and to better safeguard ourselves from obvious and otherwise unavoidable harm."

The effort is part of a larger, multi-year campaign from FSF on JavaScript on the Web started in 2013, which among others includes the development of GNU LibreJS and outreach to users and developers about nonfree software inside the browser. The GNU LibreJS extension detects JavaScript web labels and assists users with running only JavaScript distributed under a free software license, according to their ethical convictions and individual preferences.

"JShelter will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript," said Ruben Rodriguez, former FSF chief technology officer.

"This is a project I've been looking forward to for years, tired of dealing with all kinds of potential antifeatures in the browsers I use and distribute, and having to figure out some countermeasure for them with configuration changes, patches or extensions. Being able to wrap the JavaScript engine in a layer of protection is a game changer."
This discussion has been archived. No new comments can be posted.

FSF Announces 'JShelter' Browser Privacy Extension to Block Fingerprinting, Tracking, and Malware

Comments Filter:
  • Why isn't the name of the extension in the summary or the article? When I search Mozilla, for "Jshelter," I can't be sure whether I have the correct extension. Clicking on the first link in the summary sends me to a page for the JShelter Home that's in English and has "Install in Firefox" splashed prominently in the middle of the page, but clicking that link sends me to a page that says, "JavaScript Restrictor od Libor Polák."

    • Because it's not been written yet.

      • by Entrope ( 68843 )

        The second paragraph of TFS claims "the first release is available", so the extension store is a reasonable place to look for it.

    • Perhaps they should call it ... 'Gimme Shelter '?

    • Yes, I was troubled by this also.
    • by EditorDavid ( 4512125 ) Works for Slashdot on Sunday October 03, 2021 @09:28AM (#61855995)
      Yeah, I noticed that the FSF announcement doesn't actually link to their extension until their fifth paragraph...

      But I checked on this, and the extension's official name is "JShelter." If you click on the first link in Slashdot's story, it takes you to the JShelter (extension) page [jshelter.org], which has links for installing it on various browsers.

      Again, that page's URL is: JShelter.org

      Maybe it's just the word "project" in the first sentence that's confusing people?

      This week the Free Software Foundation (FSF) announced the JShelter project [jshelter.org], "an anti-malware Web browser extension..."
    • The link is correct, from jshelter.org the downloads lead to Javascript Restrictor. It is this: https://github.com/polcak/jsre... [github.com]
  • So on Big Sur in Chrome clicking on the extension icon to get the dropdown only shows the first 2 letters of each line of text. Anyone else get that behavior? I tried reporting a bug but the issue tracker returns "Strange state: failure"
    • by AmiMoJo ( 196126 )

      I get the same issue on Windows. Someone else has submitted a bug report.

    • The advertisement corporation's ad delivery tool "failing" at displaying a tool correctly that lets others trace your behavior?
      The same corporation that was caught making YouTube and image search suck in Firefox by deliberately delivering slow and bad code?
      What a coincidence!

  • "JShelter will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript," said Ruben Rodriguez, former FSF chief technology officer.

    Ah yes non-free [gnu.org].

    • "JShelter will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript," said Ruben Rodriguez, former FSF chief technology officer.

      Ah yes non-free [gnu.org].

      While the goal may be laudable I doubt most people care or are even aware of the issues raised in that article. Even with all the data breaches there hasn't been a groundswell demand to change laws. Hell, if you say Javascript most people would think it's a new hipster coffee shop. We have met the enemy and he is us.

      • by DarkOx ( 621550 )

        The other reality unfortunately is its hard to imagine this extension won't break a lot web applications. I don't mean in obvious ways either like "duh Google Maps can't give you directions from your current location when you are deliberately obscuring it" but damn some validation logic does not work on page six of some work flow on banks site so you can't click next.

        I run a number of privacy extensions in Firefox and they absolutely do cause problems. If you haven't the technical chops to open the develope

        • Fighting back against data rape is hard so don't do it?

        • The other reality unfortunately is its hard to imagine this extension won't break a lot web applications. I don't mean in obvious ways either like "duh Google Maps can't give you directions from your current location when you are deliberately obscuring it" but damn some validation logic does not work on page six of some work flow on banks site so you can't click next.

          I run a number of privacy extensions in Firefox and they absolutely do cause problems. If you haven't the technical chops to open the developer console and read and understand the errors and make a few live 'adjustments' or direct calls to js functions; and/or the patients to turn all that stuff off, close the browser, open a private browsing session, do whatever again, turn it all back on and restart the browser; well using a lot of stuff like this isn't practical day to day.

          That's why I like NoScript. If I'm on something like a bank website, I usually just disable all restrictions for that tab, which is two clicks. I figure I'm going to have to trust them anyway ... but then I still have NoScript for just general web browsing. No technical chops required, really (though I have them).

          • That's why I like NoScript. If I'm on something like a bank website, I usually just disable all restrictions for that tab, which is two clicks. I figure I'm going to have to trust them anyway ... but then I still have NoScript for just general web browsing. No technical chops required, really (though I have them).

            ^^^THIS

            I run NoScript and AdblockPlus, and that seems to put the kibosh on 99.99% of sneaky shit.

            Most ads are served via javascript, so the one-two punch really keeps me from seeing ads and keeps them from screwing with my browser or delivering malware.

            And yes, NoScript does break some sites, but it's easy to disable it as needed.

            NoScript and AdblockPlus have probably saved me from harm a million times by now. I simply won't run a browser that doesn't have those two extensions.

      • Yes, public perception is an ongoing teaching effort.
    • Open-source is indeed not automatically free.
      That is why the term "FLOSS", with a highlight on "libre" exists.
      Because open-source is very often a corporate virtue signaling attempt at using the benefits of it, while not truly offering others the benefits of it.
      This is kinda the point of GNU, you know?

  • I've tried to go to many sites and get a message, "Disable your Ad Blocker." I recognize that these sites have to fund themselves, so I have NEVER installed an ad-blocker. If a site has too much advertising I avoid it, but I don't disable ads.

    I dug one step deeper and found what they really mean is that they want to track me, and at some point that is exactly what they say. I tried to go to the site's comment page to complain, but they won't even let me there without enabling tracking.

    If this extension p

    • Most ad blockers have a filter list to block these ad blocker detectors nowadays.

      Also, no, these sites don't have to fund themselves with shit like this /at all/.
      If they got something valuable, that isn't available elsewhere, they can just ask money for it upfront, and don't need to be dicks about it. By definition, if it as valuable, people will pay.
      If nobody is willing to pay, well, then it isn't worth anything and they should stop acting like they are entitled to any money.
      And worse: Usually, it *is* alr

      • by MrL0G1C ( 867445 )

        I'm not against Ads that don't track, don't use javascript and don't animate, but that's none of them so I very rarely ever see an ad.

  • Something that compiles anything that isn't just documents into a proper application in a fully encapsulated context.

    And I don't just mean a disguised browser window, a la Electron.

    I mean actually doing away with the HTML5 inner platform entirely.
    Replacing webSockets with actual socket, webGL with actual openGL, compiling JS to machine code, and merging the entire HTML5 engine of a browser plus the "webapp" into one thing with complete stream fusion [github.com], throwing away any intermediate layers and unused function

  • by Gravis Zero ( 934156 ) on Sunday October 03, 2021 @11:06AM (#61856179)

    No idea why they buried the URL but here: https://jshelter.org/ [jshelter.org]

  • My first thought was "I have NoScript already. It sounds like there might be a lot of overlap. Do I want this one in addition to (or instead of)?" Then I googled and discovered that Giorgio Maone (creator of NoScript) is involved in the JShelter project. That doesn't exactly answer my question, but makes me think that JShelter might eventually a NoScript-replacement for me.
  • by Pinky's Brain ( 1158667 ) on Sunday October 03, 2021 @12:37PM (#61856483)

    We need a VPN provider like say Mozilla, to offer mixing proxies which combine the traffic from multiple users and originate it from a single IP, just like Apple is doing. The IP is one of the most fundamental fingerprints, needs to be handled with the rest.

    Only problem is that when Apple does it, no one is going to block Apple. If Mozilla does it, I don't know what will happen.

  • by spudnic ( 32107 ) on Sunday October 03, 2021 @02:29PM (#61856787)

    So I installed the extension just to check it out.

    I read the rest of the stories on this page, then clicked Next.

    slashdot.org is blocked This page has been blocked by an extension
    Try disabling your extensions.
    ERR_BLOCKED_BY_CLIENT

    Doh!

  • It's too bad privacy-invasive browser features have to be reversed engineered and disabled by browser extensions. There's only a few websites that I need advanced interactive functionality (eg mouse tracking, battery status, URL click tracking) or notifications turned on for (eg Gmail or Slack) so I'd prefer those features to be opt-in.

    Browsers do this for a few features already, like location, microphone/camera, or audio/video autoplay. Browser makers interested in privacy should categorize all new and inv

  • by NotEmmanuelGoldstein ( 6423622 ) on Sunday October 03, 2021 @05:50PM (#61857529)
    Doesn't work with LiveDrive.com; even white-listing the domain doesn't work. The JShelter add-on must be disabled to use OneDrive.
  • It has issues; too verbose on OSX 10.13 High Sierra (too many popups) and the Settings button does nothing;
    And it blocked a "normal" google image search from the URL bar and from google.com -- had to uninstall it

Decaffeinated coffee? Just Say No.

Working...