> People miss the old, quirky, simple web of their childhood
No, we understand that answering the question "Is this Javascript I received from a unknown remote party safe to run and free of any malicious side effects?" is undecidable. If you want to defend the idea of running potentially hostile Turing complete code, you need to tell us how to answer that question or you are advocating that everybody should regularly accept the risk of running malicious code. I suggest first addressing the simpler question, "Does this Javascript program ever halt?"
> none of which really undermine the premise that computation in the browser has value.
Obviously Javascript - and computation in general - has value. I have never seen anybody suggest otherwise. Lots of things have value. The problem is that running Turing complete code is always going to be a risk, because describing the behavior of any grammar more complex than deterministic context-free is provably undecidable.
> If you want to defend the idea of running potentially hostile Turing complete code, you need to tell us how to answer that question or you are advocating that everybody should regularly accept the risk of running malicious code.
I don't really have to. Javascript has been a part of the web for over twenty years. Almost everyone else already runs it, and has already accepted that risk. You, rather, have to defend the premise that all of those people are wrong for doing so, given that most malicious code on the web comes from email attachments, downloaded binaries, and Internet Explorer.
I submit that blocking scripts will block ads (most of the time) and analytics and make sites (that work at all without it) run faster, but it won't really make you that much safer.
You're already running millions or billions of lines of potentially hostile Turing complete code that can do things javascript couldn't even dream of, and I doubt you've compiled all of it from source, or read all of the source if you have. The risk presented by javascript relative to every other programming language and runtime in existence is minimal.
>I suggest first addressing the simpler question, "Does this Javascript program ever halt?"
Yes. Hit escape, F5 or when the browser tells you a script appears to be hanging, have it kill the script.
I know you're referencing the halting problem there, but in practical terms it's not even an issue. You can, of course, just turn it off.
> Javascript has been a part of the web for over twenty years. Almost everyone else already runs it, and has already accepted that risk.
A lot of people without a CS background believing industry exaggerations and lies about security for many years does not mean they are acting safely. The frequent security issues is proof the risks exist. There were several decades where a lot of people smoked cigarettes, but we finally were able to make decent progress on educating everybody about that risk.
> most malicious code on the web comes from email attachments
The most malicious code in the long term is probably Google Analytics. The only reason it hasn't become a huge problem already is thanks to Google taking security seriously and not leaking everyone's browsing habits. An email virus/trojan at worst probably only ruins your computer and, in extreme cases, your bank account (i.e. with a keylogger). That's bad, but databases of your reading habits (and porn/etc habits) are a blackmail/manipulation risk that never goes away. The recent FB/CA drama should be seen as a warning about what can be done with enough data about you. It will be interesting when someone decides to steal GA (or other browsing history DBs) to sell it to insurance companies (possibly as a "risk evaluation" service so the insurance companies never have stolen data).
I don't expect you will strongly disagree and ignore this type of risk if your income is dependent on spyware continuing to exist.
> and I doubt you've compiled all of it from source
Actually, I have. Some of us do have the required technical background to understand this type of risk; the general public has to rely on someone else's word.
> The risk presented by javascript relative to every other programming language and runtime in existence is minimal.
Even if it was "minimal" (it isn't), you're taking that risk again every time you reload a webpage. I do not need to regularly compile new code simply to use the software I've previously installed.
> Yes. Hit escape,
Obviously, that interrupts the program, which is different from the program stopping (by reaching the end or running halt/exit).
> practical terms it's not even an issue.
Then please, in practical terms, tell me how I can answer the original question: is this random Javascript safe? My point is that this question is provably impossible to answer The halting problem is merely the easiest behavior to analyze; you cannot prove that a program will have any behavior in the general case.
You're fooling yourself if you think that ad networks wouldn't have been built if Javascript didn't exist. The only difference would be that they'd be embedded into native apps.
You only need to look at the Android app ecosystem to see this. Ironically, because adblockers don't really work well on non-rooted phones, using native apps actually exposes me to a great deal more tracking than most of the websites I visit.
I would absolutely rather use Facebook, Twitter, or Reddit as websites than as native apps. And it's a great deal easier for me to block Google Analytics (just blacklist the domain) than it is for me to stop Google Maps, Uber, or Lyft from spying on me.
> Then please, in practical terms, tell me how I can answer the original question: is this random Javascript safe?
The only way to declare random code safe is to sandbox it. The web is one of the better sandboxes out there (although of course it's not perfect yet).
This is (one of) the reasons why we're starting to move towards Wayland in the Linux world - because we've realized that security by curation doesn't work for 99.9% of the population, and putting a sensible permissions model on top of applications is one of the few ways we can actually protect both advanced and average users.
If you're looking for 100% security, it doesn't exist, even for your self-compiled programs where you rigorously audited the source and all of the dependencies. Unless you've also taken steps to mitigate Trusting Trust?
No, we understand that answering the question "Is this Javascript I received from a unknown remote party safe to run and free of any malicious side effects?" is undecidable. If you want to defend the idea of running potentially hostile Turing complete code, you need to tell us how to answer that question or you are advocating that everybody should regularly accept the risk of running malicious code. I suggest first addressing the simpler question, "Does this Javascript program ever halt?"
> none of which really undermine the premise that computation in the browser has value.
Obviously Javascript - and computation in general - has value. I have never seen anybody suggest otherwise. Lots of things have value. The problem is that running Turing complete code is always going to be a risk, because describing the behavior of any grammar more complex than deterministic context-free is provably undecidable.