FSF Announces 'JShelter' Browser Privacy Extension to Block Fingerprinting, Tracking, and Malware (fsf.org)
This week the Free Software Foundation (FSF) announced JShelter, "an anti-malware Web browser extension to mitigate potential threats from JavaScript, including fingerprinting, tracking, and data collection."
The browser add-on — supported by NLnet Foundation's Next Generation Internet (NGI) Zero Privacy & Trust Enhancing Technologies fund — is currently "in development and the first release is available." This browser add-on will limit the potential for JavaScript programs to do harmful actions by restricting default behavior and adding a layer of control... Accessing cookies, performing fingerprinting to track users across multiple sites, revealing the local network address, or capturing the user's input before they submit a form are some examples of JavaScript's capabilities that can be used in harmful ways. JShelter adds a safety layer that allows the user to choose if a certain action should be forbidden on a site, or if it should be allowed with restrictions, such as reducing the accuracy of geolocation to the city area. This layer can also aid as a countermeasure against attacks targeting the browser, operating system, or hardware levels... [The extension] will ask — globally or per site — if specific native functions provided by the JavaScript engine and the Document Object Model (DOM) are allowed by the user. It will also link to an explanatory page for each function, to raise awareness of related threats. Depending on the function being addressed, the user will have the option to allow it, block it, or have it return a custom value...
"Our browsers have become perhaps the most critical of tools we depend on, and yet the browser environment is far from healthy," says Michiel Leenaars, director of strategy at NLnet Foundation and coordinator of NGI Zero. "Dominant corporate behavior from a small amount of actors has been aggressively reshaping the evolution of the Web, and that is starting to wreak havoc. Despite an enormous systemic dependency, we as users have very little control over what browsers allow and share — leading to significant risk as the most powerful tools in the shed are essentially left unprotected for every casual Web site to abuse. JShelter is a great initiative to help empower us all, to help us gain better understanding and to better safeguard ourselves from obvious and otherwise unavoidable harm."
The effort is part of a larger, multi-year campaign from FSF on JavaScript on the Web started in 2013, which among others includes the development of GNU LibreJS and outreach to users and developers about nonfree software inside the browser. The GNU LibreJS extension detects JavaScript web labels and assists users with running only JavaScript distributed under a free software license, according to their ethical convictions and individual preferences.
"JShelter will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript," said Ruben Rodriguez, former FSF chief technology officer.
"This is a project I've been looking forward to for years, tired of dealing with all kinds of potential antifeatures in the browsers I use and distribute, and having to figure out some countermeasure for them with configuration changes, patches or extensions. Being able to wrap the JavaScript engine in a layer of protection is a game changer."
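The allow / block / custom-value / reduced-accuracy choices described in the announcement, sketched as an added JavaScript example (not JShelter's code and not part of the FSF text). The host names, the policy table, the action names and the `fakeGeolocation` stand-in are assumptions made for illustration.

```javascript
'use strict';
// Added illustration, not JShelter's code. Hosts, action names and the table are hypothetical.
const policies = {
  '*': { getCurrentPosition: { action: 'coarsen' } }, // global default
  'maps.example': { getCurrentPosition: { action: 'allow' } },
  'tracker.example': { getCurrentPosition: { action: 'block' } },
  'news.example': { getCurrentPosition: { action: 'custom',
    value: { coords: { latitude: 0, longitude: 0, accuracy: 100000 } } } },
};

// A per-site rule wins; otherwise the global rule applies.
function policyFor(host, api) {
  return (policies[host] && policies[host][api]) || policies['*'][api];
}

// Round to one decimal degree (about 11 km of latitude) and widen the reported accuracy.
function coarsen(pos) {
  const r = (v) => Math.round(v * 10) / 10;
  return { coords: { latitude: r(pos.coords.latitude), longitude: r(pos.coords.longitude),
    accuracy: Math.max(pos.coords.accuracy, 10000) } };
}

// Build the replacement for a callback-style native function according to one rule.
function guard(original, rule) {
  switch (rule.action) {
    case 'allow': return original;
    case 'block': return (ok, fail) => { if (fail) fail({ code: 1, message: 'blocked by policy' }); };
    case 'custom': return (ok) => ok(rule.value);
    case 'coarsen': return (ok, fail) => original((pos) => ok(coarsen(pos)), fail);
    default: throw new Error('unknown action: ' + rule.action);
  }
}

// Constructed stand-in for navigator.geolocation so the example runs outside a browser.
const fakeGeolocation = {
  getCurrentPosition(ok) { ok({ coords: { latitude: 49.22674, longitude: 16.59636, accuracy: 12 } }); },
};

// What a script running on `host` would observe once the function is wrapped.
function observe(host) {
  const native = fakeGeolocation.getCurrentPosition.bind(fakeGeolocation);
  const wrapped = guard(native, policyFor(host, 'getCurrentPosition'));
  let seen = null;
  wrapped((pos) => { seen = pos; }, (err) => { seen = err; });
  return seen;
}
```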
What's the name of the extension? (Score:2)
Why isn't the name of the extension in the summary or the article? When I search Mozilla, for "Jshelter," I can't be sure whether I have the correct extension. Clicking on the first link in the summary sends me to a page for the JShelter Home that's in English and has "Install in Firefox" splashed prominently in the middle of the page, but clicking that link sends me to a page that says, "JavaScript Restrictor od Libor Polák."
Re: (Score:2)
Because it's not been written yet.
Re: (Score:3)
The second paragraph of TFS claims "the first release is available", so the extension store is a reasonable place to look for it.
Re: (Score:2)
Perhaps they should call it ... 'Gimme Shelter'?
Re: (Score:2)
There's no point. There are probably 200 malware name-squatters already.
Re: (Score:1, Interesting)
Re: (Score:1)
Linux, which is one of the foundations of the internet and which is one of the key components in modern Windows installs (called WSL), "is not actively monitored for security by Mozilla". In fact, the same is true of both Android, Windows and Apple's operating system iOS. Given your security policy of only using systems which are actively monitored for security by Mozilla I hope you will ensure that you never use any Windows, Linux, Android, iOS or other operating system which is not actively monitored by
Re: (Score:3)
You are the first person I've ever seen, who takes this nannying seriously, and doesn't just feel like that nanny is condescending and abusive.
You trust Mozilla with your security?? Seriously? More than the FSF? And more than yourself?
Are you even an individual at this point?
Sanity would be "This software wants to be my nanny, by telling me what I'm allowed to do to be 'safe'?? No Thanks!".
Re: (Score:1)
The name of the extension is 'JShelter' (Score:4, Informative)
But I checked on this, and the extension's official name is "JShelter." If you click on the first link in Slashdot's story, it takes you to the JShelter (extension) page [jshelter.org], which has links for installing it on various browsers.
Again, that page's URL is: JShelter.org
Maybe it's just the word "project" in the first sentence that's confusing people?
This week the Free Software Foundation (FSF) announced the JShelter project [jshelter.org], "an anti-malware Web browser extension..."
Re: (Score:2)
Bug in Chrome? (Score:2)
Re: (Score:2)
I get the same issue on Windows. Someone else has submitted a bug report.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
The advertisement corporation's ad delivery tool "failing" at displaying a tool correctly that lets others trace your behavior?
The same corporation that was caught making YouTube and image search suck in Firefox by deliberately delivering slow and bad code?
What a coincidence!
Right to free. (Score:1)
"JShelter will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript," said Ruben Rodriguez, former FSF chief technology officer.
Ah yes non-free [gnu.org].
Re: (Score:2)
"JShelter will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript," said Ruben Rodriguez, former FSF chief technology officer.
Ah yes non-free [gnu.org].
While the goal may be laudable I doubt most people care or are even aware of the issues raised in that article. Even with all the data breaches there hasn't been a groundswell demand to change laws. Hell, if you say Javascript most people would think it's a new hipster coffee shop. We have met the enemy and he is us.
Re: (Score:3)
The other reality unfortunately is it's hard to imagine this extension won't break a lot of web applications. I don't mean in obvious ways either like "duh Google Maps can't give you directions from your current location when you are deliberately obscuring it" but damn some validation logic does not work on page six of some work flow on bank's site so you can't click next.
I run a number of privacy extensions in Firefox and they absolutely do cause problems. If you haven't the technical chops to open the develope
Re: (Score:1)
Fighting back against data rape is hard so don't do it?
Re: (Score:1)
The other reality unfortunately is it's hard to imagine this extension won't break a lot of web applications. I don't mean in obvious ways either like "duh Google Maps can't give you directions from your current location when you are deliberately obscuring it" but damn some validation logic does not work on page six of some work flow on bank's site so you can't click next.
I run a number of privacy extensions in Firefox and they absolutely do cause problems. If you haven't the technical chops to open the developer console and read and understand the errors and make a few live 'adjustments' or direct calls to js functions; and/or the patience to turn all that stuff off, close the browser, open a private browsing session, do whatever again, turn it all back on and restart the browser; well using a lot of stuff like this isn't practical day to day.
That's why I like NoScript. If I'm on something like a bank website, I usually just disable all restrictions for that tab, which is two clicks. I figure I'm going to have to trust them anyway ... but then I still have NoScript for just general web browsing. No technical chops required, really (though I have them).
Re: (Score:2)
That's why I like NoScript. If I'm on something like a bank website, I usually just disable all restrictions for that tab, which is two clicks. I figure I'm going to have to trust them anyway ... but then I still have NoScript for just general web browsing. No technical chops required, really (though I have them).
^^^THIS
I run NoScript and AdblockPlus, and that seems to put the kibosh on 99.99% of sneaky shit.
Most ads are served via javascript, so the one-two punch really keeps me from seeing ads and keeps them from screwing with my browser or delivering malware.
And yes, NoScript does break some sites, but it's easy to disable it as needed.
NoScript and AdblockPlus have probably saved me from harm a million times by now. I simply won't run a browser that doesn't have those two extensions.
Re: (Score:1)
Re: (Score:2)
Open-source is indeed not automatically free.
That is why the term "FLOSS", with a highlight on "libre" exists.
Because open-source is very often a corporate virtue signaling attempt at using the benefits of it, while not truly offering others the benefits of it.
This is kinda the point of GNU, you know?
Recently seen - "Disable Ad Blocker" (Score:2)
I've tried to go to many sites and get a message, "Disable your Ad Blocker." I recognize that these sites have to fund themselves, so I have NEVER installed an ad-blocker. If a site has too much advertising I avoid it, but I don't disable ads.
I dug one step deeper and found what they really mean is that they want to track me, and at some point that is exactly what they say. I tried to go to the site's comment page to complain, but they won't even let me there without enabling tracking.
If this extension p
Re: (Score:2)
Most ad blockers have a filter list to block these ad blocker detectors nowadays.
Also, no, these sites don't have to fund themselves with shit like this /at all/.
If they got something valuable, that isn't available elsewhere, they can just ask money for it upfront, and don't need to be dicks about it. By definition, if it is valuable, people will pay.
If nobody is willing to pay, well, then it isn't worth anything and they should stop acting like they are entitled to any money.
And worse: Usually, it *is* alr
Re: (Score:2)
I'm not against Ads that don't track, don't use javascript and don't animate, but that's none of them so I very rarely ever see an ad.
I'd prefer a de-webber. (Score:2)
Something that compiles anything that isn't just documents into a proper application in a fully encapsulated context.
And I don't just mean a disguised browser window, a la Electron.
I mean actually doing away with the HTML5 inner platform entirely.
Replacing webSockets with actual sockets, webGL with actual openGL, compiling JS to machine code, and merging the entire HTML5 engine of a browser plus the "webapp" into one thing with complete stream fusion [github.com], throwing away any intermediate layers and unused function
Where to get it: (Score:3)
No idea why they buried the URL but here: https://jshelter.org/ [jshelter.org]
JShelter vs NoScript (Score:2)
Re: JShelter vs NoScript (Score:1)
NoScript is a pretty blunt tool. This looks like it's going to be a lot more nuanced. So, yes, I think it probably will replace NoScript, if it reaches sufficient maturity.
Still need to hide the IP (Score:3, Interesting)
We need a VPN provider like say Mozilla, to offer mixing proxies which combine the traffic from multiple users and originate it from a single IP, just like Apple is doing. The IP is one of the most fundamental fingerprints, needs to be handled with the rest.
Only problem is that when Apple does it, no one is going to block Apple. If Mozilla does it, I don't know what will happen.
Doh! Slashdot (Score:3)
So I installed the extension just to check it out.
I read the rest of the stories on this page, then clicked Next.
slashdot.org is blocked This page has been blocked by an extension
Try disabling your extensions.
ERR_BLOCKED_BY_CLIENT
Doh!
Adv trackable features should be opt-in by site (Score:1)
It's too bad privacy-invasive browser features have to be reverse engineered and disabled by browser extensions. There's only a few websites that I need advanced interactive functionality (eg mouse tracking, battery status, URL click tracking) or notifications turned on for (eg Gmail or Slack) so I'd prefer those features to be opt-in.
Browsers do this for a few features already, like location, microphone/camera, or audio/video autoplay. Browser makers interested in privacy should categorize all new and inv
Still buggy (Score:3)
Filed 2 bug reports (Score:3)
It has issues; too verbose on OSX 10.13 High Sierra (too many popups) and the Settings button does nothing;
And it blocked a "normal" google image search from the URL bar and from google.com -- had to uninstall it