ungoogled-software / ungoogled-chromium

Google Chromium, sans integration with Google
BSD 3-Clause "New" or "Revised" License

[suggestion] Have JavaScript disabled by default #960

Closed emanruse closed 4 years ago

emanruse commented 4 years ago

Please consider having JS disabled by default (and everyone can enable it per site/need case).

Reasons:

Academics showed how a Rowhammer attack could be carried out via JavaScript, via the web, and not necessarily by having access to a PC, physically, or via local malware:

From the white paper:

"Even when the system is most likely resistant, the user should explicitly agree to activate JavaScript when opening a website."

Add to all that the other side-channel vulnerabilities which are mitigated but impossible to actually and completely fix because a real fix would require new hardware. Even mitigations don't exist for many systems (especially older ones). These can also be exploited through JS.

Disclaimer: yes, I know we can opt-out (and I have always done that). The point of this suggestion is to rather need to opt-in as experts advise which is much safer, i.e. security>convenience by default. ungoogled-chromium users are already clever enough to know the importance of that as well as how to enable JS.

wchen342 commented 4 years ago

I feel against this. My reasoning is the same as the Tor project: for now it is more important to get more people to use a browser that is relatively safe rather than trying to make a very safe but hard to use solution. Most users will simply revert the setting or change to a different browser if they cannot use a lot of the websites out there.

emanruse commented 4 years ago

I feel against this.

Alright, maybe we should argue a little bit.

My reasoning is the same as the Tor project: for now it is more important to get more people to use a browser that is relatively safe rather than trying to make a very safe but hard to use solution.

That "more people" sounds a bit like a marketing campaign. :)

Please let's think:

A. How "hard to use" is it actually to have JS disabled?

The fact is most sites actually load fine and their content is readable. Also with JS disabled sites load much faster. I agree - some look "broken" but this comes with a benefit: the user is safe out of the box and that safety does not need the additional softening clarification "relatively".

B. The argument that convenience should prevail over security is not well based.

Basis for the convenience argument: one just likes it that way (of course) because one has certain expectations and (usually quite wrong) habits.

Basis for the security argument: the severity of the particular issue is quite big. This security flaw allows a random website running JS to read parts of your RAM - which can contain very sensitive data. Would you sacrifice the credentials to your bank account (for example) just for the convenience to have Instagram show up nicely on first run? Or the personal details of your child? Are you ready to sacrifice similar important things just for the sake of seeing (say) Instagram load exactly as you expect it out of the box?

C. Most nowadays browser security issues are related to JS.

D. Most sites which don't work without JS are privacy abusive. Very often even the site owners don't realize how bad it is for their visitors to be subject to Google Analytics, Hotjar, social widgets etc. With JS off by default - you are safe from all that too. (Yes, we know about uMatrix etc. etc. Suppose though I am a child who doesn't)

E.

Most users will simply revert the setting or change to a different browser if they cannot use a lot of the websites out there.

Not necessarily.

  1. We don't have factual stats to make such claims. My observation is that this project actually attracts people who are more advanced than the average user + are cautious about their privacy and security. So it is unlikely that they would throw it away by default. Otherwise they would simply stay with Googled Chrome.

  2. It is possible to develop a warning which shows up on first run, explaining shortly why and how this browser is different from the others (in case one doesn't know it already). That warning can explain what the </> sign means and how one can enable JS per site.

  3. "they cannot use a lot of the websites" seems also a big generalization. I have been browsing the web with JS disabled for years (see A. above). I enable it only for websites I (unfortunately have to) trust.

Some sites look broken indeed. I found replacements for them which don't require JS. YouTube -> Invidio.us, Twitter -> Nitter, m.facebook.com etc.

In any case - one can enable JS for a specific site with 2 clicks. But if one is warned initially, then one will be safe + one will think twice before doing it. Then the "relatively safe" false sense of security will not encourage the bad habits of mindless browsing.

Please note: I have nothing to win or lose personally from this suggestion. I have my own settings anyway. Still if this project aims to protect the user better from malicious parties, it can take the additional step to do what no other browser does.

Sorry for the long post :)

wchen342 commented 4 years ago

Sorry for the long post

I think it is a good writing. We have few serious discussions these days. Now let me explain my opinion:

I believe the fundamental difference between us is the point of view: you are talking in the position of a fairly advanced user with a security/privacy-centric way of living; but I am standing at the point of an average user, with some level of concern about their privacy (maybe learned from news like the facebook scandal) but little knowledge about what is going on under the hood, and do not want to disturb their daily lives too much. Quoting README:

"ungoogled-chromium retains the default Chromium experience as closely as possible...is essentially a drop-in replacement for Chromium."

I believe the goal of this project is to help improve the privacy of the people at large to a certain extent, not to build a bullet-proof, maximum security browser like Tor. IMO this project is a middle ground between Tor/heavily customized Firefox variants and Chrome: you want a certain level of security but also retain the convenience of using Chromium.

How "hard to use" is it actually to have JS disabled? The fact is most sites actually load fine and their content is readable.

A lot of, if not all, commonly used commercial sites will be broken. You can argue that we can find alternatives, and that is partially true but (1) the usability and availability of them are unacceptable to common users; (2) I tried the sites you mentioned below and I found them pretty basic and lacking certain useful functions; (3) they are not well-known to common users; (4) there is information that exists exclusively on certain sites; (5) not everybody uses cryptocurrency to pay.

one just likes it that way (of course) because one has certain expectations and (usually quite wrong) habits.

There is more than that. The way the Internet is built nowadays: the large companies like Google which create the standards have made the Internet very hard to use without JS. Now I know this is not the right tendency, but you cannot just ask everyone to give up their daily lives without providing a reasonably good solution.

Would you sacrifice the credentials to your bank account (for example) just for the convenience to have Instagram show up nicely on first run? Or the personal details of your child?

Again this is out of context. Online banking will not work in the first place without JS. I just tested the site of top 10 banks here but none of them worked.

C. Most nowadays browser security issues are related to JS. D. Most sites which don't work without JS are privacy abusive. (Yes, we know about uMatrix etc. etc. Suppose though I am a child who doesn't)

These are true. However, fine-grained control is way better than a one-for-all solution. I will use my own experience as an example: I needed to read an article that explains a certain concept in a paper. The article only exists on Medium and I searched for some time but that was the only article out there. I have a Firefox with strict security settings and I tried to open the site but it didn't work. Then I opened the NoScript settings and temporarily enabled some of the scripts and now most of the contents loaded. However some of the images still didn't load; that is when I switched to ungoogled-chromium as a secondary option when I need to view something that I have to read but which didn't work with the most strict settings. If ungoogled-chromium disables JS I will in that case need to either (1) enable JS, which kind of compromises the objective because if you just keep enabling JS on every site then that is not actually beneficial or (2) find a new solution.

So it is unlikely that they would throw it away by default. Otherwise they would simply stay with Googled Chrome.

That is kind of an oversimplification. It depends on the threat model: if you are facing state-sponsored, active attacks then this project is unlikely to be any help; if you are concerned about small-scale, organized attacks then disabling JS can help, but that alone should not create a false illusion of safety because there are many other attack surfaces in modern browsers (for example, among the three Vulnerabilities .122 fixed, two are non-JS); if you are a non-technical person who only wishes to stop big companies from harvesting your data, there are better alternatives that do not sacrifice usability in exchange for privacy, like using uBlock Origin.

It is possible to develop a warning which shows up on first run, explaining shortly why and how this browser is different from the others (in case one doesn't know it already). That warning can explain what the </> sign means and how one can enable JS per site.

That will be a good thing to do in general.

the "relatively safe" false sense of security will not encourage the bad habits of mindless browsing.

Usability and security do not have to be exclusive. And there is research showing bad usability hurts security or the other way around: https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten_html/index.html, https://www.nspw.org/2009/proceedings/1996/nspw1996-zurko.pdf, https://www.cc.gatech.edu/~keith/pubs/ieee-intro-usable-security.pdf, https://link.springer.com/article/10.1007/s10207-019-00429-y

Please note: I have nothing to win or lose personally from this suggestion. I have my own settings anyway. Still if this project aims to protect the user better from malicious parties, it can take the additional step to do what no other browser does.

Me too :) But I believe this project is there for a vast group of people who want to use something as convenient as Chrome but without Google harvesting their data (hence the ungoogled), rather than a small group of people that want to take precautions to the extreme (because they know what they are doing and they can always do so by themselves, but it will not work the other way around).

emanruse commented 4 years ago

you are talking in the position of a fairly advanced user with a security/privacy-centric way of living; but I am standing at the point of an average user, with some level of concern about their privacy (maybe learned from news like the facebook scandal) but little knowledge about what is going on under the hood, and do not want to disturb their daily lives too much.

Are you saying that the knowledge and the suggestions of experts (who write the white papers) have less importance than the comfort of the average user and therefore if an advanced user shares those suggestions, they should rather be ignored by default (which really means forever)?

I believe the goal of this project is to help improve the privacy of the people at large to a certain extent, not to build a bullet-proof, maximum security browser like Tor.

Tor [Browser] is neither bullet-proof nor maximum security. It is simply focused on anonymity of web browsing. ungoogled-chromium can be used with Tor proxy too. It also seems relevant to say:

So as far as privacy is what you point out: you are sharing data when a script reads your fonts, your screen size, locale etc. So having JS enabled is against the same privacy you accent on. To put it differently: Just because you are not connected to Google through the browser the whole time (like in Google Chrome) but you have JS enabled (and no uBO or uM protections) doesn't mean you are in a much more private situation with ungoogled-chromium because the majority of the websites track you through JS. Even if you use a Tor proxy with JS you are still easy to fingerprint and then your IP address doesn't really matter - the remote entity knows who you are. So if the concern is really privacy: JS should obviously be off by default. And in relation to this issue it will have the additional benefit of security.

IMO this project is a middle ground between Tor/heavily customized Firefox variants and Chrome: you want a certain level of security but also retain the convenience with using Chromium.

Perhaps it is good to clarify what you mean by "certain extent" (of privacy) and "certain level" (of security). So far it is not certain at all.

Also please note that the current issue has nothing to do with comparing to other browsers. It really applies to all browser in general (as shown by the researchers). Remember that just because many think/expect something doesn't necessarily mean they are ultimately right just because they are many or because they get nervous if their expectations conflict something else.

A lot of, if not all, commonly used commercial sites will be broken.

Commonly used commercial sites don't care about your privacy. So you cannot have both privacy (which you accented on as a goal of this project) and at the same time enjoy the JS rich commercial sites.

Also how do you define "broken"? And what is "a lot"? Pretty vague. As I said: it is still possible to access content on most "broken" sites. Yes, the UI may be ugly without JS but the content is there.

You can argue that we can find alternatives, and that is partially true but (1) the usability and availability of them are unacceptable to common users

Forgive me to point out: You repeatedly seem to speak for others in an attempt to defend the righteousness of what you say. Remember (from above) - majority vs expertise. When you make an important decision who do you learn from? - From the uneducated majority who looks for comfort or from the experts who went into depths of a matter?

(2) I tried the sites you mentioned below and I found them pretty basic and lacking certain useful functions

Are you saying that because of "certain useful functions" (whatever those are) you are ready to:

(3) they are not well-known to common users

Of course. The common commercial sites you speak of invest a lot for that. But this particular issue has nothing to do with solving the problem of popularity of one site or another. It is mainly about security (which obviously includes privacy).

(4) there is information that exists exclusively on certain sites

No idea what this means.

(5) not everybody uses cryptocurrency to pay.

I have never used cryptocurrency myself. This has nothing to do with the current issue.

The way the Internet is built nowadays: the large companies like Google which create the standards have made the Internet very hard to use without JS.

Go figure why :)

Now I know this is not the right tendency, but you cannot just ask everyone to give up their daily lives without providing a reasonably good solution.

I am not asking anyone to give up their lives. Please don't twist my words. The reasonably good solution is right there as I explained in my previous reply.

Would you sacrifice the credentials to your bank account (for example) just for the convenience to have Instagram show up nicely on first run? Or the personal details of your child?

Again this is out of context.

When you say "again" this implies I am speaking out of context repeatedly. The fact is I am simply replying to your thoughts. In any case: see above about privacy and security and you will notice it is in context.

Online banking will not work in the first place without JS. I just tested the site of top 10 banks here but none of them worked.

Perhaps you misunderstood. I am not saying you can use bank sites without JS. What I am saying is that (based on the white papers): through JS it seems possible for some site (not that of your bank) to read the contents of your RAM in which sensitive info (such as your bank credentials) resides.

However, fine-grained control is way better than a one-for-all solution.

Yes. There is nothing fine-grained in having JS enabled for all sites. Fine grained is: enable JS per-site, only when needed.

Me too :) But I believe this project is there for a vast group of people who want to use something as convenient as Chrome but without Google harvesting their data (hence the ungoogled), rather than a small group of people that want to take precautions to the extreme (because they know what they are doing and they can always do so by themselves, but it will not work the other way around).

Google is still tracking you with JS enabled: through Google Analytics, Maps, Google hosted jQuery and other JS APIs etc. - and those exist on many sites, even on non-commercial ones. So again: if your concern is privacy, then the current suggestion will only benefit you, even if you don't have uMatrix and uBO.

wchen342 commented 4 years ago

Are you saying that the knowledge and the suggestions of experts (who write the white papers) have less importance than the comfort of the average user?

First, that is not what I was saying. Yes, experts have more knowledge on the topic and they have a solution, but it is not a one-fit-all one. And by ignoring the feelings of average users you are pushing them away. Now let me ask you: do you think average users don't deserve a better browser? Do you think they do not deserve to be protected because they do not have the necessary knowledge, or are not well-informed?

So if the concern is really privacy: JS should obviously be off by default. And in relation to this issue it will have the additional benefit of security.

I understand the concepts you are talking about, just bad wording there (forgive me for being a non-native speaker). And I agree disabling JS gives you a huge benefit on privacy. But it is only in your situation. Not everyone needs total anonymity. What about people who only want pseudonymity? What about people who don't care that much but only wish to use something that is not related to Google?

it is still possible to access content on most "broken" sites.

Try to buy something on Amazon without JS.

When you make an important decision who do you learn from? - From the uneducated majority who looks for comfort or from the experts who went into depths of a matter?

Important decision for whom? Just because you understand things better automatically means you have the privilege to make decisions for others and ignore their feelings and needs? That sounds terribly elitist and wrong.

(4) there is information that exists exclusively on certain sites No idea what this means.

There are a lot of articles, pictures, videos that exist only on one site. If you don't know that or don't care, then fine.

The reasonably good solution is right there as I explained in my previous reply.

Explain to me why educating people on using NoScript is not a better solution.

Perhaps you misunderstood. I am not saying you can use bank sites without JS. What I am saying is that (based on the white papers): through JS it seems possible for some site (not that of your bank) to read the contents of your RAM in which sensitive info (such as your bank credentials) resides.

Is disabling JS at all really the best solution here?

There is nothing fine-grained in having JS enabled for all sites.

Disabling JS globally is not fine-grained either.

Google is still tracking you with JS enabled

I know that. But the problem is still: is disabling JS globally the best solution? It seems you are trying to use disabling JS as a universal solution to all problems, but why ignore the extensions? incognito mode? clearing of cookies?

emanruse commented 4 years ago

First, that is not what I was saying. Yes, experts have more knowledge on the topic and they have a solution, but it is not a one-fit-all one.

You may have not been saying what you are saying now but... you are saying it now.

And by ignoring the feelings of average users you are pushing them away.

You are assigning to me your interpretation of the issue.

The current suggestion is based entirely on actual, verifiable facts found and shared by experts along with recommendations. From the very first sentence you oppose that with feelings ("I feel against this") and you keep talking as if you yourself are speaking for everyone.

An argument in which measurable, verifiable things are opposed with feelings hardly makes any sense, so I cannot continue in that direction.

do you think average users don't deserve a better browser?

The current suggestion does not make the browser better or worse, nor does it limit the freedom of anyone to fine tune it.

Do you think they do not deserve to be protected because they do not have the necessary knowledge, or are not well-informed?

I think by default everyone should be protected. Hence the current issue. I also explained it is easy to inform the uninformed on first run.

And I agree disabling JS gives you a huge benefit on privacy. But it is only in your situation.

No, it is not. It was you who started to talk about privacy in regards to the goal of the current project. I simply explained that my suggestion aligns with that goal (which is your goal too IIUC).

Not everyone needs total anonymity.

The current issue has nothing to do with anonymity.

What about people who only want pseudonymity?

Same reply.

What about people who don't care that much but only wish to use something that is not related to Google?

Please, I already answered that in my previous reply.

it is still possible to access content on most "broken" sites.

Try to buy something on Amazon without JS.

Can you tell the difference between "accessing content" (like seeing text and images) and "buying something" (active interaction, submitting personal data etc)? I wonder if you deliberately misunderstand what I am saying.

In any case: Good luck with your "privacy" on Amazon.

Just because you understand things better automatically means you have the privilege to make decisions for others and ignore their feelings and needs? That sounds terribly elitist and wrong.

You are exaggerating and dramatizing. You also seem to look at this in a limited way.

Look at this:

Currently you are using default settings created by a party which you dislike (Google), whose actions you dislike (privacy abuse) and who have been programming your "feelings" for years. Someone shows up and says: look, there are facts which prove this is a wrong approach, so let's take the right one - you will still have the same freedom of options. You tell that person he is a terrible elitist and defend the "feelings" (default settings) programmed in your mind by the "don't be evil" company. I don't have much to say if you don't see the absurdity of this.

Explain to me why educating people on using NoScript is not a better solution.

I am afraid we are getting too often in various off-topics. I will try to be as short as possible as this is already taking too much of my time:

I think NoScript is far more limited than uMatrix. Plus (unlike Firefox) Chrome has built-in per-site JS toggle which makes NoScript even less useful. If I would educate anyone to use an extension, I would teach them to use uMatrix.

Is disabling JS at all really the best solution here?

Ask yourself which is safer:

or

Disabling JS globally is not fine-grained either.

Again ask yourself which of the above is more fine-grained.

But the problem is still: is disabling JS globally the best solution?

The best solution to which problem? It is a way to provide a safer default environment for the user. The user still has the freedom to customize it further.

It seems you are trying to use disabling JS as a universal solution to all problems,

Where exactly did you read "I propose the best solution to all problems"?

but why ignore the extensions?

Extensions are also 3rd party code. If the browser has a built-in function to control JS per site, this doesn't need an extension.

And no, I am not ignoring extensions. I use uMatrix and uBO for additional fine grained control. But that is off-topic.

incognito mode? clearing of cookies?

These are also off-topic feelings :)

https://invidio.us/watch?v=owS7Cn2iKcY&local=true
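For readers who want the "off by default, on per site" posture the thread argues about without waiting on a project default, Chromium's managed content-settings policies already express it. This is an added example, not from the issue or the ungoogled-chromium project: it assumes a Linux install that reads policies from `/etc/chromium/policies/managed/` (whether ungoogled-chromium uses that exact path is an assumption; check your build's documentation), and `bank.example` is a placeholder for a site you choose to trust.

```json
{
  "DefaultJavaScriptSetting": 2,
  "JavaScriptAllowedForUrls": [
    "https://[*.]bank.example"
  ],
  "JavaScriptBlockedForUrls": [
    "http://*"
  ]
}
```

`DefaultJavaScriptSetting` of 2 blocks script everywhere not listed in `JavaScriptAllowedForUrls` (1 would allow it), and the `http://*` block entry keeps plaintext-HTTP pages script-free even if an allow entry later matches them by host. Values set by policy show as managed in the settings UI and cannot be changed there, so this is stricter than the address-bar toggle discussed above; a user who wants a changeable default should set it in the browser's site-settings page instead.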

wchen342 commented 4 years ago

I was trying to analyze the potential impact this change will have on users and you just keep saying they are unrelated. I don't think we are going to persuade each other here so I will leave the decision to @Eloston.

emanruse commented 4 years ago

I was trying to analyze the potential impact this change will have on users and you just keep saying they are unrelated.

The only 2 unrelated things I didn't comment on were incognito mode and cookies. I think I answered all your other questions and concerns, even the off-topic ones. If I missed something - please correct me.

9Morello commented 4 years ago

I'm against this. I can't see any advantage in practice:

  1. Users who aren't technical enough will just give up and try another browser, leaving them unprotected
  2. Users who are technical will probably choose their own methods for dealing with JS, often through extensions like uBlock Origin and uMatrix.

So, from a privacy point of view, disabling JS might make more people less secure; nontechnical people might turn to a proprietary browser that works with the websites they visit out of the box, while technical users wouldn't be affected at all (because they're either blocking all JS, or enabling it on sites they trust).

emanruse commented 4 years ago

I can't see any advantage in practice:

The advantage has already been explained.

  1. Users who aren't technical enough will just give up and try another browser, leaving them unprotected

Just because the browser is not sending data to Google through browser's background process doesn't mean the browser is not communicating with Google through Analytics, Maps and what not through the majority of websites' front-ends.

If your concern is keeping users protected from that, you are not protecting their privacy with JS enabled by default.

  2. Users who are technical will probably choose their own methods for dealing with JS, often through extensions like uBlock Origin and uMatrix.

Are you suggesting that security is only for the experts? Or that the experts should not care to protect others but leave them exposed by default prioritizing convenience? How is that different from what Google does?

So, from a privacy point of view, disabling JS might make more people less secure;

Just read carefully what you just wrote :)

nontechnical people might turn to a proprietary browser that works with the websites they visit out of the box, while technical users wouldn't be affected at all (because they're either blocking all JS, or enabling it on sites they trust).

Without actual data "might" = "might not".

All the anti-arguments given here seem based on the concept that lots of people just find UC because they understand nothing, also most of them are laymen and want to remain laymen at any cost. However nobody is showing actual stats like:

  1. How many use UC

  2. Why they use it (what are their actual concerns)

  3. Would they be ready to sacrifice security and privacy for convenience (after they are told what enabled JS may lead to)

Do any of you have actual answers to those? If not - then the whole "democratic" defense of convenience is simply based on nothing but suppositions.

The suggestion of having JS disabled by default with a start-up note (telling the user why and that he can control it in a granular way at his own risk) is based on actual facts and actual improvement of security and privacy.

Example for such note may be:

"Ungoogled Chromium is different from other browsers. It protects your privacy and security by default, so the default setting is to disable JavaScript for all sites. You can still re-enable it for each site at your own risk by clicking the </> sign in the address bar. For improving your privacy and security even further you can use the extensions uMatrix and uBlockOrigin. You can also find privacy respecting alternatives to popular sites like YouTube, Twitter etc on this page: ... ".

It is that simple. No need for a professorial degree or drama. The note can display e.g. on the about:blank page or in some other way. Not only will this improve privacy and security but it will also encourage the users to learn a little bit and to use non-abusive sites.

Eloston commented 4 years ago

Alright, let's conclude this discussion.

If we only consider the objectives of this project, then I think this change would deviate too drastically from regular Chromium. I stand by this rule because I don't want a browser that is progressive by redefining the browsing experience.

In addition, I don't believe this argument is well supported for several reasons.

  1. The quote is from Section VII, Countermeasures, which is not the main contribution of that paper. That quote specifically is more of a side remark by the authors.
  2. The paper is from five years ago, and Google has made many security enhancements to the browser since then, including side-channel attacks in general.
  3. Most importantly, I do not see any concrete assessment of risk here. For example, what is the probability that a user will be exploited by a JavaScript attack? But before we can answer that, we need to agree on what exactly "a user" entails. We need to be rigorous here, which is difficult and time-consuming. Otherwise, we would have failed to establish one of the most fundamental requirements of debate: common understanding.

As an aside, we have avoided these difficult discussions before because:

  1. We agree with ungoogled-chromium's main objective, and we agree on what does and does not contribute to it.
  2. New features are both additive and optional, which means we retain Chromium's browsing experience by default. (An exception being HTTPS by default, which we have evaluated before its inclusion.)

So basically @emanruse, I don't think your request fits with ungoogled-chromium. If you disagree, then I am open to discussing why.

emanruse commented 4 years ago

So basically @emanruse, I don't think your request fits with ungoogled-chromium. If you disagree, then I am open to discussing why.

I already explained more than once the reasons (which are not only those pointed out in the white paper), so I hope you don't mind - I won't repeat. If you feel something is not clear - I can clarify.

It is quite unfortunate that you easily sweep away everything factual here with a seemingly "scientific" approach - some mathematical probability which nobody could possibly calculate. However if you look carefully: science is about facts, not about scientific-like language. And the fact is: this same probability with my suggestion is guaranteed 0%.

If you find that insignificant and the suggestion that a welcome notice with by-default-security is something repulsive, there is hardly any point to discuss anything further. As I said above: accepting or rejecting this suggestion does not affect me personally. It is for the good of everyone.

Even if you reject all this, I would still hope that you consider at least a welcome message explaining that JS is enabled by default and that may be dangerous with a toggle to disable it. Then the user can enable it per-site as explained and this whole pro/against will be in the hands of the informed user, not of us wondering about what "a user" is :)

Eloston commented 4 years ago

I already explained more than once the reasons (which are not only those pointed out in the white paper), so I hope you don't mind - I won't repeat. If you feel something is not clear - I can clarify.

I should be more clear. I am asking why you believe your feature aligns with all the main objectives and does not conflict with any of them. I am not asking whether this feature has privacy or security merit. I think it's fine if you just address the points I made in https://github.com/Eloston/ungoogled-chromium/issues/960#issuecomment-601505674.

It is quite unfortunate that you easily sweep away everything factual here with a seemingly "scientific" approach - some mathematical probability which nobody could possibly calculate. However if you look carefully: science is about facts, not about scientific-like language. And the fact is: this same probability with my suggestion is guaranteed 0%.

You are correct that it is very difficult to calculate that probability. I actually don't need something that precise; just a comprehensive assessment of the trade-offs for making this change. However, it does not change the fact that we must be more rigorous and we must reach a common understanding to have a productive argument. I did not see you and @wchen342 reach that common understanding.

If you find that insignificant and the suggestion that a welcome notice with by-default-security is something repulsive, there is hardly any point to discuss anything further. As I said above: accepting or rejecting this suggestion does not affect me personally. It is for the good of everyone.

Even if you reject all this, I would still hope that you consider at least a welcome message explaining that JS is enabled by default and that may be dangerous with a toggle to disable it. Then the user can enable it per-site as explained and this whole pro/against will be in the hands of the informed user, not of us wondering about what "a user" is :)

Please, we should not continue making vague assumptions here, especially about each other. I am only asking for this level of rigor because it's the best way for everyone to reach a common understanding.

emanruse commented 4 years ago

I should be more clear. I am asking why you believe your feature aligns with all the main objectives and does not conflict with any of them. I am not asking whether this feature has privacy or security merit. I think it's fine if you just address the points I made in https://github.com/Eloston/ungoogled-chromium/issues/960#issuecomment-601505674.

Alright.

  1. The quote is from Section VII, Countermeasures, which is not the main contribution of that paper. That quote specifically is more of a side remark by the authors.

You are trying to belittle the conclusion of a whole section of the paper by calling it "a side remark" ignoring the fact that the actual title and subject of the whole paper is about remote JS attacks and the subtitle of that section is about how to prevent these attacks.

  1. The paper is from five years ago, and Google has made many security enhancements to the browser since then, including side-channel attacks in general.

Rowhammer is a hardware vulnerability and Google cannot fix it by improving their browser. The security enhancements Google makes are about other things.

  1. Most importantly, I do not see any concrete assessment of risk here.

With the (lack of) data we have, the only possible assessment is:

JS off: Risk = 0
JS on: Risk > 0

For example, what is the probability that a user will be exploited by a JavaScript attack?

To calculate that you have to continuously scrape all the websites in the world, analyze the JS code of each one, gather data about each user and his hardware and software set-up.

But before we can answer that, we need to agree on what exactly "a user" entails.

A person who uses something (e.g. a browser).

We need to be rigorous here, which is difficult and time-consuming.

I agree.

Otherwise, we would have failed to establish one of the most fundamental requirements of debate: common understanding.

To have common understanding one must look at facts, not at feelings.

Regarding the objective of the project:

The README says:

"A lightweight approach to removing Google web service dependency"

The suggestion to have JS disabled by default does not conflict with that.

"ungoogled-chromium is Google Chromium, sans dependency on Google web services."

The suggestion does not conflict with that.

"It also features some tweaks to enhance privacy, control, and transparency (almost all of which require manual activation or enabling)."

JS enabled = control is in the hands of the one who wrote the scripts for the opened page

JS disabled (and enabled selectively) = the user who decides what remote code to run or not.

=> The suggestion does not conflict with that.

Additionally: a UI element explaining that to the user improves transparency and user awareness even further.

"(almost all of which require manual activation or enabling)"

Again - aligns.

From section "Motivation and Philosophy":

"Without signing in to a Google Account, Chromium does pretty well in terms of security and privacy."

Unrelated to current suggestion.

"In addition, Google designed Chromium to be easy and intuitive for users, which means they compromise on transparency and control of inner operations."

So far the opponents of my suggestion defend the same thing Google does: to be easy and intuitive with a compromise on transparency and control of inner operations. So again, the current suggestion is an improvement on that.

"1-3 [...]"

Unrelated.

"4. Disable features that inhibit control and transparency, and add or modify features that promote them (these changes will almost always require manual activation or enabling)."

Again: enabling JS inhibits control and transparency. Requiring manual activation aligns with this objective too.

You are correct that it is very difficult to calculate that probability. I actually don't need something that precise; just a comprehensive assessment of the trade-offs for making this change. However, it does not change the fact that we must be more rigorous and we must reach a common understanding to have a productive argument. I did not see you and @wchen342 reach that common understanding.

I hope that by common understanding you don't expect merely accepting that privacy and control (the goals of this project) are only for the experts and the layman should care only about convenience - what seems to be the claim of the opponents.

It is impossible to assess comprehensively without actual stats as explained above. Psychologically every new thing meets certain resistance. Also consider the fact that Google (and others) have invested years and billions into programming the human mind that the web should look and feel in a particular way, then to legitimize that in standards and to dictate things further.

Regarding trade-offs: I am not suggesting something terribly anti-user. It is simply:

  1. Have JS globally off by default
  2. Tell the user "Hey, your JS is off by default. Here is why and how to enable it"
  3. And/or warn "Hey, your JS is on by default. For your safety better enable it per-site only"

It can be like the effect of chrome://flags/#improved-cookie-controls which shows the "Block third-party cookies" message with info in incognito mode.

I am only asking for this level of rigor because it's the best way for everyone to reach a common understanding.

To have understanding one must look at the actual: Yes, computers are made to make life easier and people are attached to comfort and not to understanding. Unfortunately, after years of indulging in the comfort of the consumer, big companies made computers and the Internet less and less secure, more and more proprietary and privacy invasive, down to the hardware.

Eloston commented 4 years ago

You have been thorough to explicitly address all of the objectives, including the Motivation and Philosophy section. However, you did not address this objective:

ungoogled-chromium retains the default Chromium experience as closely as possible. Unlike other Chromium forks that have their own visions of a web browser, ungoogled-chromium is essentially a drop-in replacement for Chromium.

I believe this main objective conflicts with your suggestion, but I would like to hear your interpretation.

emanruse commented 4 years ago

You have been thorough to explicitly address all of the objectives, including the Motivation and Philosophy section. However, you did not address this objective:

"as closely as possible" != identical

Let's not ignore that you also change other things which make UC a bit different from Google Chromium. Just two things which come to my mind (I could probably show more but I won't):

  1. One needs to install extensions manually: this is a much larger effort and complication for the average user than clicking </> to enable JS. Still it doesn't make UC bad and obviously this difficulty does not push away people. I actually find it good not to have to connect to Google's service for this.

  2. Not having a working spell checker is bad UX. This is yet another limitation and it doesn't even give control to the user as there is no switch to enable it again. Still this doesn't reduce the number of users.

a drop-in replacement for Chromium

Same as above.

Also if I may say: a fixed objective doesn't mean it is an ultimately correct one. It is your project and I am not willing to sound as if I am trying to redefine your goals. But if you really want to be objective (look at all the facts I talked about) I am sure you will understand that my suggestion has both instant and long term benefits.

qvint commented 4 years ago

  1. One needs to install extensions manually <…>
  2. Not having a working spell checker <…>

These are unintentional side effects of removing Google URLs from the source code. Google URLs are removed intentionally because that's the idea of the whole project — to ungoogle the source code.

And disabling JS is not a side effect of ungoogling. But more than that, your suggestion is an intentional move away from the default Chromium experience, hence it contradicts the main objective of the project.

Eloston commented 4 years ago

What @qvint said is correct. Both of those side-effects are bugs. In an ideal scenario,

Also if I may say: a fixed objective doesn't mean it is an ultimately correct one. It is your project and I am not willing to sound as if I am trying to redefine your goals. But if you really want to be objective (look at all the facts I talked about) I am sure you will understand that my suggestion has both instant and long term benefits.

In that case, I reject this suggestion because of the conflict. I think the next best course of action for you is to propose this idea to another project that is more progressive. Otherwise if we're lucky to continue growing in development manpower, we could create a derivative project to experiment with ideas like this one.

emanruse commented 4 years ago

@Eloston you asked for rigor with the idea of reaching common understanding.

@qvint:

These are unintentional side effects of removing Google URLs from the source code. [...]

And disabling JS is not a side effect of ungoogling.

your suggestion is an intentional move away from the default Chromium experience, hence it contradicts the main objective of the project.

@Eloston:

What @qvint said is correct.

He is arguing that one UX dissimilarity (extension handling) is insignificant because it can be justified through a verbal explanation ("unintentional side effect"). Then he accents that this same explanation is inapplicable to the suggestion, and he makes the conclusion that the suggestion contradicts the project objective.

This is a typical example of abductive reasoning - the way to fallacy:

Objective: We want sweet fruits
Premise 1: Bananas are yellow and sweet
Premise 2: Dates are sweet but not yellow
Conclusion: Therefore dates conflict with the objective

Back to rigor:

In the context of UX differing from Chromium:

The average user (whose UX the opponents here seem to defend) does not magically become an expert in downloading, installing and keeping extensions up to date just by being told "this is an unintentional side effect". In fact he is not even told that when he starts the browser for the first time. So this burden is somehow ignored and it is assumed that the user will not run away to another browser (and indeed - he does not run away). Yet when someone suggests to improve security and privacy by disabling JS by default and adding 2 sentences to tell the user why and how to selectively enable it with 1 click - it becomes such a huge problem, anti-user, anti-project's objective etc. IOW it is assumed that the user is clever enough to handle something more complex and at the same time it is assumed that he is not clever enough to click once.

In the context of what is intentional or not:

All the "Enhancing Features" in the README are intentional, unrelated to ungoogling and make UX (more or less) different from that of Chromium. But that is implicitly ignored. How can we have common understanding if we look at things in such limited ways, favoring one biased presumption and brushing away discussed facts?

Both of those side-effects are bugs.

A bug is when something doesn't work the way it is made to work. There should be no expectation that a Google-dependent function should work when it is ungoogled. If there is such expectation: this means the expectation is wrong, not that the software is buggy. Also the fact that a similar functionality can be implemented does not make the expectation less wrong. If the user does not understand that - obviously education is necessary and it is already available.

So far:

Based on that you make a conclusion that the whole suggestion conflicts with the objective.

PF4Public commented 4 years ago

Not having a working spell checker

Yoo mught beee kiddddin mea, rait?

or to convert dictionaries into Google's format

That's true! Anyone not aware, look here: https://github.com/Eloston/ungoogled-chromium/issues/188#issuecomment-514855506

Ideally, there should be a way to set this up easily or automatically.

For Gentoo ebuild, it is already automatic: L247, L806, L852-L855

Eloston commented 4 years ago

@emanruse

There are multiple objectives, and they are ordered by priority. "ungoogling" is the foremost objective, and retaining the default Chromium experience is secondary. I have been informally referring to both of these objectives as "main objectives" because they both have high priority over other objectives.

The broken spellchecker and partially broken extension installer are bugs. They are bugs because they do not contribute to any of the objectives, and they are a regression from ungoogling; i.e. they were not explicitly broken. Disabling JavaScript by default, however, would be a deliberate and explicit change that does not align with our objectives (specifically to retain the default Chromium experience).

While this differentiation makes no difference to the end-user's experience right now, it tells us developers what we should or should not change in the future. In practice, these bugs may take a long time or never get fixed because we developers are really just a collection of anonymous volunteers; each of us has our own goals and priorities, and none of us has an obligation or responsibility to ungoogled-chromium.

If you have issues with Enhancing Features, we should discuss each problematic feature in its own issue. Each one has its own history and context that are independent from the rest.

emanruse commented 4 years ago

@Eloston

I wonder how you define experience and deliberation.

Just look at this:

  1. Ungoogling Chromium is deliberate. The reason for this deliberate action is improving user privacy. The discussed effects of it are not in the control of the user (which conflicts with the objective) and create burden for the user. But they are considered acceptable through the words "unintentional side effect" and "bugs".

  2. Disabling JS is deliberate. The reason for this deliberate action is improving user security and privacy (same). The effect of it will be completely in control of the user (aligns with the objective) and is easy to handle. It will not be a bug. Strangely - this is unacceptable.

More UX burden - acceptable. Less UX burden - unacceptable.

:)

Eloston commented 4 years ago

But they are considered acceptable through the words "unintentional side effect" and "bugs".

We have to be careful with how we use "acceptable". Software bugs have not and will never be considered "acceptable" in the sense that they should be fixed. However, as I described in https://github.com/Eloston/ungoogled-chromium/issues/960#issuecomment-603495958, developers are free to choose what they want to do, so they may not choose to fix certain software bugs; for them, that is "acceptable" by their own goals and priorities. As a result, we will never fully align with our own objectives at any one point of time; but over time, we should not diverge from those objectives either. And again, someone (e.g. leader) or some people (e.g. anyone who contributes) has to enforce that, which means the enforcers have to decide how much divergence is considered "acceptable".

From this, we can restate your two issues:

  1. Those two issues (extension installation and spellcheck) diverge away from the objectives (and are considered bugs), but they have existed since the project's inception. I, one of the enforcers of the objectives, found it acceptable to leave those bugs unfixed up to this point. No one else has submitted a fix yet, so either they also think it's acceptable (which includes those that don't have the direct means to do it themselves), they're working on it, or they don't know about ungoogled-chromium.
  2. Disabling JavaScript would be an explicit divergence from the objectives (i.e. a conflict with the objectives). More specifically, giving users more privacy and control in general has lower priority over ungoogling and retaining the default Chromium experience. Because of this I proposed two workarounds in https://github.com/Eloston/ungoogled-chromium/issues/960#issuecomment-602319058.

On a tangential thought, do you think it would help to document the priorities of our objectives?

PF4Public commented 4 years ago

On a tangential thought, do you think it would help to document the priorities of our objectives?

This actually makes perfect sense to me. With this documented up front in the README, anyone willing to use ungoogled-chromium would immediately know what to expect, what not to expect, and what to tweak to personal taste after the installation.

This could also potentially address some of the points made in this discussion by both sides. For a person from the future.

emanruse commented 4 years ago

We have to be careful with how we use "acceptable". Software bugs have not and will never be considered "acceptable" in the sense that they should be fixed.

In general yes but here we are discussing a specific context: the comparison of what UX burden the suggestion and the "bugs" cause. The "bugs" are obviously acceptable because they have been accepted and exist for a long time (as you yourself confirm) regardless of the burden they create.

And again, someone (e.g. leader) or some people (e.g. anyone who contributes) has to enforce that, which means the enforcers have to decide how much divergence is considered "acceptable".

Is that not elitism? :P To put it differently: are you saying that a non-contributor lacks the mental capacity to suggest something meaningful just because he is a non-contributor?

From this, we can restate your two issues:

A small correction: these are not "my two issues". These were merely 2 examples I gave in the context of UX divergence.

No one else has submitted a fix yet, so either they also think it's acceptable, or they're working on it.

Exactly. It is assumed and accepted that it is OK for the UX to be different from Chromium for a very long time. Logically this conflicts with the objective regardless of who has decided it. You just keep proving that this is so.

  1. Disabling JavaScript would be an explicit divergence from the objectives (i.e. a conflict with the objectives).

No. I explained why. Please read previous replies - you asked for them, now you are simply ignoring them. The suggestion aligns with the objectives and is neutral to some of them.

More specifically, giving users more control has lower priority over ungoogling and retaining the default Chromium experience.

That is not listed in the objectives. One cannot possibly know for sure. However considering the root reason on which the high priority objective is based (improving privacy) - once again: the suggestion aligns with that.

On a tangential thought, do you think it would help to document the priorities of our objectives?

It may give additional clarity for discussions like this one. However, for the general user it may not matter much (I suppose).

You see - the big logical conflict here is not whether the user will suffer from UX difference. The logical contradiction is: why the user is considered clever enough to handle something more complex (extensions) but is considered so stupid that he is unable to click </>. That is something you are still not answering.

mbakke commented 4 years ago

You see - the big logical conflict here is not whether the user will suffer from UX difference. The logical contradiction is: why the user is considered clever enough to handle something more complex (extensions) but is considered so stupid that he is unable to click </>. That is something you are still not answering.

That is not a fair comparison. Access to the Chrome Web Store is disabled by necessity (and ease of extension installation is a bug caused by it), whereas disabling JavaScript by default would be a voluntary UGC specific change.

It is clear that @Eloston is not going to change their mind on this matter, so can you please agree to disagree and move on.

emanruse commented 4 years ago

That is not a fair comparison. Access to the Chrome Web Store is disabled by necessity (and ease of extension installation is a bug caused by it), whereas disabling JavaScript by default would be a voluntary UGC specific change.

You are also mixing two different contexts:

  1. How difficult each UX difference is for the user
  2. The reasons for each UX difference

I already showed that the reasons for the suggestion align with or are neutral to the project objectives. I also explained that the second context does not influence the first one - the user still has to face the difference and he is obviously OK with the more difficult one.

So the comparison is completely fair, and my question is logical and based on facts.

It is clear that @Eloston is not going to change their mind on this matter, so can you please agree to disagree and move on.

Common understanding is not "ignore facts and logic, shut up and move on". @Eloston asked me things and I answered. Now I am asking him something and I believe it is OK to wait for his answer too.

mbakke commented 4 years ago

You are also mixing two different contexts:

  1. How difficult each UX difference is for the user
  2. The reasons for each UX difference

I already showed that the reasons for the suggestion align with or are neutral to the project objectives. I also explained that the second context does not influence the first one - the user still has to face the difference and he is obviously OK with the more difficult one. So the comparison is completely fair, and my question is logical and based on facts.

The point is that UGC (and thus the user) has no choice when it comes to extension installation. We do have a choice to disable JavaScript by default or not, and @Eloston chose not to.

Difficulty does not factor into it.

emanruse commented 4 years ago

The point is that UGC (and thus the user) has no choice when it comes to extension installation. We do have a choice to disable JavaScript by default or not, and @Eloston chose not to.

I am asking something and you keep not answering it but continue derailing the discussion into other things which have already been clarified at length, namely:

  1. Difficulty (potentially pushing users away)
  2. Alignment (with the objective of the project)
  3. Control (choice) and transparency.

I have said enough on these from the beginning of the discussion. If you have something new to add please mind the context.

Difficulty does not factor into it.

Difficulty has been the main argument raised against the suggestion. Please read the whole discussion.

mbakke commented 4 years ago

@emanruse Can you restate your question as clearly as you can, so that it is understandable for people who have not read the entire discussion?

I did read it, but obviously I've missed something.

emanruse commented 4 years ago

@emanruse Can you restate your question as clearly as you can, so that it is understandable for people who have not read the entire discussion?

I did read it, but obviously I've missed something.

OK here is a summary and I will rephrase the question.


It was shown with facts that the suggestion:

A. aligns with or is neutral to the objectives of the project

B. has security and privacy benefits

C. does not take away control from the user but actually improves it

D. would result in better awareness which the user currently may not have (due to the current too permissive default setting)

E. would create less UX and learning burden than that of handling extensions manually (which users currently do without problem or complaints).


Summary of arguments against the suggestion provided so far:

  1. Better security and privacy is only for the experts. Non-experts can use less secure default settings because usability is more important than security.

  2. Non-experts are expected to face UX discrepancy which does not align with the project goal, then read the wiki and handle manual installation of extensions. They have no choice or control over that. They have learned how and been doing it since the project beginning.

  3. These same non-experts are unable to read 2 sentences (once) and click </> (once per site, if needed). If they have to face this their feelings will be hurt, they will massively drop this browser and run away to a proprietary one.

  4. Because something is a "bug" its long term big effect on the UX is negligible. (someone may fix it in distant future but there is no guarantee)

  5. A long term existing UX discrepancy is not a problem for the objective of the project because there is an explanation for it. A new one would be against project objective.

  6. The intention to ungoogle Chromium (for improving privacy) is a valid one but the intention for disabling JS by default (for improving privacy + security) conflicts with the project ideology.

  7. The other intentional differences which don't align with the main objective are OK. The current suggestion is not.


The question:

Why is the decision biased to accept 1-8 and ignore A-E?

Eloston commented 4 years ago

@emanruse I have added a new Objectives section to the top of the README. If you find something that's unclear, please let me know. Now, back to the discussion:

You see - the big logical conflict here is not whether the user will suffer from UX difference. The logical contradiction is: why the user is considered clever enough to handle something more complex (extensions) but is considered so stupid that he is unable to click </>. That is something you are still not answering.

Okay, I think I'm starting to understand your perspective. If we consider only the effort for a user to configure the browser, then I agree that toggling a switch to enable JavaScript by default is much easier than the procedure to install extensions right now.

However, user experience (i.e. ease of use, intuitiveness) is not a high priority based on this project's objectives. The specific reasoning is described in https://github.com/Eloston/ungoogled-chromium/issues/960#issuecomment-603544521.

This has been my justification of why I think this suggestion conflicts with the objectives. I don't think I can get much clearer than this, so I think we should end this discussion.


Before I finish, I also want to share my motivations for this project to shed some light on my decisions:

In short, I am not working on this project because I want to fight for a greater cause, or reach some lofty goal. Sometimes I work on this project because helping others is nice, something piques my interest, or some other personal incentive. Sometimes I work on other things because they're more interesting or important to me. Whichever happens depends on circumstance.

Anyway, that's all I have to say here. Hopefully this clarifies what to expect from me on ungoogled-chromium.

emanruse commented 4 years ago

@emanruse I have added a new Objectives section to the top of the README.

"3." changes things a lot as it weights the discussion towards the "new" (clarified) objective.

If you find something that's unclear, please let me know.

Considering the new text:

"However, almost almost all of these features must be manually activated or enabled."

it would be good to describe also:

However, user experience (i.e. ease of use, intuitiveness) is not a high priority based on this project's objectives.

Then everyone who pointed out ease of use as an argument against the suggestion has contradicted that. :)

Anyway, that's all I have to say here. Hopefully this clarifies what to expect from me on ungoogled-chromium.

It does. Thanks.