
Google Won't Let You Sign In If You Disabled JavaScript In Your Browser (zdnet.com) 172

An anonymous reader quotes a report from ZDNet: Google announced today four new security features for securing Google accounts. These four updates are meant to bolster protections before and after users sign into accounts, but also in the case of recovering after a hack. According to Google's Jonathan Skelker, the first of these protections that Google has rolled out today comes into effect even before users start typing their username and password. In the coming future, Skelker says that Google won't allow users to sign into accounts if they disabled JavaScript in their browser. The reason is that Google uses JavaScript to run risk assessment checks on the users accessing the login page, and if JavaScript is disabled, this allows crooks to pass through those checks undetected. This change is likely to impact only a very small number of users -- around 0.01 percent according to Google's data -- but it will likely impact bots harder, as many of them run through headless browsers where this feature is turned off for performance reasons. Google also plans to pull data from Google Play Protect and list all malicious apps that are still installed on a user's Android smartphone. Google's Jonathan Skelker says they will be notifying you "whenever you share any data from your Google Account," expanding on the notifications it sends when you've granted access to sensitive information, like Gmail data or your Google Contacts.

"Last but not least is a security feature that Google plans to use after an account hack," reports ZDNet. "This feature is already live and is a new set of procedures for regaining access and re-securing compromised profiles. The procedure is detailed in this Google support page, and besides just helping users regain access to accounts, it will also help them check financial activity related to Google Pay accounts, review new files added to Gmail or Drive, and secure other accounts at other services that are tied to the main Google account."
  • Good (Score:4, Funny)

    by Anonymous Coward on Thursday November 01, 2018 @08:05AM (#57573449)
    Maybe this javascript thing will finally take off
    • Re:Good (Score:5, Insightful)

      by jellomizer ( 103300 ) on Thursday November 01, 2018 @08:38AM (#57573629)

      Actually Google has been leading JavaScript adoption for over a decade.
      Even back in the early 2000's web/web app developers were slow to use Javascript on their pages (Or limited to input validation). Mostly because they were afraid of people using old browsers that didn't support it. If you did a lot of stuff, you probably didn't get the customer, because you cannot reference another popular site that needs Javascript.
      Then with Google's Autocomplete feature and Google Maps becoming a popular feature, it opened the door for the rest of us to apply Javascript, Ajax and DHTML to the pages.
      I know, Booo Javascript sucks! However Javascript is better than Silverlight, Flash, ActiveX, Java Applets, in terms of keeping the web platform open, while offering the features most people wanted.

      Now Javascript has its issues... However it is used on all major browsers, and if coded well, it makes your pages load and run faster. (if not then we have the suckyness we think of wanting to block Javascript for)

      • Re:Good (Score:4, Insightful)

        by UnknownSoldier ( 67820 ) on Thursday November 01, 2018 @09:48AM (#57574059)

        > and if coded well,

        IF

        That's a mighty big if as websites pull in JS and images from a dozen different sites ...

        • But how well it is coded, applies to all software.
          Companies always try to hire non-programmers to make their stuff. Thinking this guy can write code so he is good enough. They figure they are saving money. They are not; they are just making crap that is hard to maintain, and the end users just hate.

          • Re:Good (Score:5, Insightful)

            by oh_my_080980980 ( 773867 ) on Thursday November 01, 2018 @10:37AM (#57574341)
            So you just backtracked on your own argument. Please just stop. You do not know what you are fucking talking about.

            People block JavaScript for security reasons because of all the malicious stuff it can do. Google forcing you to enable JavaScript is fucking stupid. Hint, they can do what they want without enabling JavaScript. Google is looking for something else.
            • by Anonymous Coward

              Indeed. JS allows them to monitor your computer for software installed: fonts, cookie, css history, referer, screen resolution, CPU arch, you name it. No website has a right to know any of this, so I block it all. FastMail doesn't do this to you, and I switched years ago when Google, et al began their spying and tracking in earnest. All of this can be blocked easily with Firefox (about:config and add-ons), Pi-hole, and using services which respect your privacy.

            • Re: (Score:2, Interesting)

              by Anonymous Coward

              Google is looking for something else.

              Hits the nail on the head. Yes, it's about security. And privacy. And for Google it's about collecting more data, regardless of the risks to you.

              The push toward JS overkill is rejecting the golden rule of web design: Make sure your page degrades gracefully and don't tell visitors that your site is "best viewed in last week's version of Chrome or Firefox".

              I actually see an increasing number of pages that pull in a dozen external scripts to add pizzazz, then also use noscript tags. But they're only using the

        • by Anonymous Coward

          I allow javascript, but not third-party anything. No third-party js - does away with a lot of trackers and "analytics" that I don't need.
          Also no third-party images/buttons - does away with facebook tracking (via like-buttons and logos)

          Of course some sites break when their menu navigation system tries to pull in a third-party crappy library - but there are more sites than I need out there anyway. As they say, if you depend on too much, then you don't get the customer. Shops in particular would do well to serve

      • by jythie ( 914043 )
        And of course javascript based solutions just happening to be the easiest type for search and ad systems to troll is just a fringe benefit.
      • Re:Good (Score:5, Insightful)

        by sycodon ( 149926 ) on Thursday November 01, 2018 @10:20AM (#57574253)

        My Very Large Defense company employer disables javascript via group policies.

        Security reasons.

        • by phorm ( 591458 )

          Would your very large defense company employer actually let you sign into Google services?
          I'd imagine that stuff like gmail/drive/etc are probably considered a liability.

      • Are you fucking kidding me? Web developers weren't using JavaScript back in 2000? What planet were you on? Seriously stop sucking Google's dick.
      • by tepples ( 727027 ) <.tepples. .at. .gmail.com.> on Thursday November 01, 2018 @11:05AM (#57574517) Homepage Journal

        I know, Booo Javascript sucks! However Javascript is better than Silverlight, Flash, ActiveX, Java Applets, in terms of keeping the web platform open, while offering the features most people wanted.

        Some Slashdot users would claim that web applications written in JavaScript are still inferior to native applications made with Qt or another multi-platform GUI framework and distributed to the public in the form of source code under a free software license. They see the web not as an application platform but as a platform for publishing documents.

        • You make a very good point and at the same time millions of people buy apps on their iOS or Android devices when most of those are just glorified web apps.
  • Only .01%? (Score:5, Insightful)

    by PuddleBoy ( 544111 ) on Thursday November 01, 2018 @08:07AM (#57573469)

    So Google says that only 1 in 10,000 of us have a Google account and disable Javascript?

    I feel special.

    • Re:Only .01%? (Score:5, Interesting)

      by Anonymous Coward on Thursday November 01, 2018 @08:10AM (#57573499)

      Probably because anyone paranoid (rightfully) about JS is even more skeptical of intentionally storing information with Google.

      • Re:Only .01%? (Score:5, Interesting)

        by jellomizer ( 103300 ) on Thursday November 01, 2018 @08:41AM (#57573641)

        You can only really trust Javascript as much as you trust the page creators.

        Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised, and you are just missing out on features which may make your browsing a bit easier.

        • by AmiMoJo ( 196126 )

          I disabled Javascript for my bank's web site. Whatever scripts they run make entering my details very, very slow. Probably some kind of key-logging prevention.

          I use YesScript, Javascript is enabled unless I disable it for a site. uBlock Origin blocks third party scripts by default. I find that's a good compromise between breakage and blocking.

          • by Anonymous Coward
            Check out uMatrix from the same author, if you haven't. Think noScript, but with a much nicer GUI and the ability to block different types of resources (ie block XHR and scripts from ads.domain.com, allow media and scripts from cdn.domain.com, etc.)
        • Re:Only .01%? (Score:5, Interesting)

          by lgw ( 121541 ) on Thursday November 01, 2018 @09:48AM (#57574057) Journal

          Sure turn off Javascript for your random browsing, but if you are going to a site, where your personal info and needs to log into with... Then you might as well have it enabled. Because your data is already compromised,

          Fun fact: web sites often contain content originating from more than one company. You might trust the people you're giving your info to, but is there an ad anywhere on their web site? Heck, even banks run web content from "partners" these days.

        • Ok so you're a Google Troll. Please fuck off.

          Legitimate sites get hacked ass-hole.
    • You should. I would wager that most of us NoScript-using folks don't have Google accounts.

    • Not what the web look in 2018 without Javascript but I hope you enjoy your private and secure experience.
      • Not what the web look in 2018 without Javascript but I hope you enjoy your private and secure experience.

        Care to try again in English?

    • by HiThere ( 15173 )

      Well, I've got an account with them, but I'm OK with never logging into it again.

  • by Opportunist ( 166417 ) on Thursday November 01, 2018 @08:08AM (#57573473)

    ENABLE Javascript to increase security.

    Now I've seen it all.

    • by gweihir ( 88907 )

      Indeed. Truly staggering. Something seems to be badly broken in the brains of the people behind this.

      • by Anonymous Coward on Thursday November 01, 2018 @08:54AM (#57573723)

        Something seems to be badly broken in the brains of the people behind this.

        Not when you realize that Javascript is primarily about user-tracking, not functionality or "safety". Those are the ways to sell it to the dumb masses. Google is a mass surveillance company, and javascript allows much better tracking of people as they use and move around the web.

        Requiring it is completely consistent with Google's business goals of knowing everything about everybody.

      • by HiThere ( 15173 )

        Only if you think they aren't intentionally lying.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      So much this.

      What fraction of all the web-foisted security vulnerabilities use Javascript as an attack vector? Thinking back to the last 10 or 15 years of reporting, I'd say it's in excess of 90%.

      Anyone who wants security on the web keeps javascript disabled.

      The stupidity is strong.

      • Comment removed (Score:4, Interesting)

        by account_deleted ( 4530225 ) on Thursday November 01, 2018 @09:24AM (#57573921)
        Comment removed based on user account deletion
        • by lgw ( 121541 )

          You're about 5 years out of date, I think. Flash is mostly dead, IE is mostly dead, ActiveX is long dead (outside of corporate intranets, where it may linger). It's all about the browser and JS exploits now.

          Of course, XSS is big too, and technically you don't need JS for that, so I'm with you there. There have only been a handful of media exploits (and mostly from the Snowden leaks - they're quite valuable).

      • The stupidity is strong.

        It's not stupidity. Say what you want about Google, but they're not stupid, and they don't hire stupid people. They're well aware that enabling Javascript is not going to improve security - and they don't care. Google's goal is to maximize tracking, not to improve security.

        What it is is arrogance and complete disdain for their users. Google has no qualms about stating howlers like this one with a straight face, because it knows a majority of users are not very knowledgeable, and won't realize they're being

    • Re: (Score:2, Interesting)

      by jellomizer ( 103300 )

      I commonly use Javascript to Ajax Call and get a new session key a few times a minute. I do this so if someone did a screen/variable/back button capture of the page, they wouldn't be able to use that data without authentication. If it tries to renew an expired key, it brings you back to the login screen, and additional data will not be read or saved with an invalid key.
      Is it foolproof? No. Is this all I am doing for security? No. But it is putting an extra layer of security that wasn't there before. It is

    • by bentcd ( 690786 ) <bcd@pvv.org> on Thursday November 01, 2018 @09:12AM (#57573827) Homepage

      Enable javascript to improve security for Google, not for yourself.

      To improve security for yourself, don't have a Google account.

    • by vbdasc ( 146051 )

      Indeed. Requiring client-side JS won't stop the crooks, IMHO, simply because they can tamper with their browsers/web clients and modify the behaviors of their JS engines as they see fit. OTOH, it will make life harder for the power users that disable JS for security reasons. Bottom line - bad, user-hostile idea from Google.

    • Don't worry about Java hackers. That's impossible. Google will make sure nobody knows what you do except them, their gigantic advertising database putting you into advertising categories based on automated analysis of every web page you visit even in incognito mode because the site probably tells them anyway, a million companies and advertisers, and the government.

    • Remember, remember the 1st of November...

    • Now I've seen it all.

      Sadly, I don't think you/we have seen it all. I think this is probably only an early stage of a monumental clusterf**k. Google seems to have convinced themselves that the huddled masses (that'd be us) need help with their computer usage and that Google is just the company to mentor us. In order to help us run our lives, they need to get into our computers and they have three tools with which to do that -- android, chrome and javascript. They presumably will use all three.

      The problem

  • by xack ( 5304745 ) on Thursday November 01, 2018 @08:09AM (#57573485)
    Especially text browsers that don't support javascript often used by people with disabilities.
    • by Anonymous Coward on Thursday November 01, 2018 @08:17AM (#57573529)

      Exactly. This goes against everything webdevs were taught to do (DEGRADE GRACEFULLY) for the past 20 years.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        EVERY new development these days does exactly this.

        RSS is being taken away because advertisers don't get enough information about our reading habits.

        Our privacy and ability to customize our own computer is removed in Windows 10.

        Every useless phone app phones home with all our personal information and no one does a thing about it.

        We are well past 1984.

    • Last I checked, screen-reading tools support major web browsers, which in turn run JavaScript. There are even versions of elinks and w3m that run JavaScript. Karl Groves created "Mother Effing Tool Confuser" [mothereffi...nfuser.com], a webpage where a script adds sufficient accessibility markup, to demonstrate this fact.

      • I wonder how screen reading tools deal with "punch the monkey" type ads.
        • Screen reading tools identify the areas of the page and allow the user to select what areas they wish to have read to them. Something like "Page contains header, left menu, body, footer, etc." The user then uses hotkeys to select the part they want read to them. The different div sections get called based on the names they are given by the developer.

          • And since it's apparently pre-coffee, images get the image text read. So punch the monkey would depend on what they called the image or div section of the page. "Section advertisement. Image title h23a4890hdoih34lk5.gif".

    • by Anonymous Coward

      Yeah, I wonder how the ADA people are going to cope with this. My university just shut down the entire faculty webserver and migrated people to Wordpress because they didn't want anyone to be able to create any webpage that wasn't "accessible," digital humanities projects and anything in XSL be damned. I wonder if we'll have to dump G-suite because of the new JS login requirement. I really, really hope we do.

  • by Anonymous Coward

    Boiling like frogs.

  • by Anonymous Coward on Thursday November 01, 2018 @08:18AM (#57573531)

    This is a pretty transparent attempt to try to make surveillance easier for themselves under the guise of user security

  • And I will generally avoid logging in in the first place. Fortunately I need their poisoned "services" only very rarely.

    • by Anonymous Coward

      For the past 8-9 years I've been using ssh -X to login to Google with a 2nd user account, but now I'm considering using a VM.

      p.s. Right now my gmail window has over 3000 blocked items in Adblock Plus.

      • by gweihir ( 88907 )

        Google offers ssh login with remote X11? Interesting. Not that I have any use for that, really, but interesting nonetheless.

  • by QuietLagoon ( 813062 ) on Thursday November 01, 2018 @08:28AM (#57573579)

    The reason is that Google uses JavaScript to run risk assessment checks on the users

    Google is all about tracking people on the net. Anything google does is about tracking people. The reason google needs javascript to be enabled is so that the javascript can help track people. Enabling javascript does not increase security, it decreases security. Javascript is a huge attack surface.

    • by 110010001000 ( 697113 ) on Thursday November 01, 2018 @08:41AM (#57573643) Homepage Journal
      That isn't true. They are just a bunch of altruistic guys that like to program stuff.
    • by Anonymous Coward on Thursday November 01, 2018 @08:44AM (#57573663)

      Javascript is a huge attack surface.

      When it comes to the modern web, Javascript is all but THE attack surface.

      ActiveX used to be another big one, but we got rid of that.

      In recent years, virtually every instance of "I went to this web site and now my computer is infected" has been due to javascript. And about 90% of the tracking, and about 100% of the annoyware like popping up boxes over the top of the page's content or disabling right clicks is due to javascript.

      It's also what allows the majority (but not all) of Panopticlick-style attacks.

      Javascript is a cancer on the web. It has occasional, small uses, but its use should be minimized at all costs.

    • Google is requiring Javascript to log into their services. Almost by definition, the users who log in are going to be tracked with or without Javascript because they're, well, logging into Google. Requiring Javascript decreases security from the point of view of a browser being hacked. However, requiring Javascript increases security from the point of view of decreasing the risk of bots randomly trying to login using bruteforce.

    • The reason is that Google uses JavaScript to run risk assessment checks on the users

      Google is all about tracking people on the net. Anything google does is about tracking people. The reason google needs javascript to be enabled is so that the javascript can help track people. Enabling javascript does not increase security, it decreases security. Javascript is a huge attack surface.

      Sure ... then again, if you are trying to log into Google, I'm pretty sure that they are already tracking that ...

      Just sayin', if your goal is to not be tracked by Google, then logging into their services might not be the swiftest move.

  • Color me dubious. (Score:4, Insightful)

    by hey! ( 33014 ) on Thursday November 01, 2018 @08:47AM (#57573671) Homepage Journal

    If client-side javascript is part of the security check, I don't see how that prevents a crook from forging an authentic-looking HTTP request.

    • Google's new client-side authentication model shall not be questioned
    • THANK YOU!
    • You are absolutely correct.

      The hacker controlled/malicious browser simply morphs the incoming JS as it comes off the wire (e.g. a filter on the socket data) to do whatever is necessary to bypass any real security check and return the "I am safe" result.

      It could (e.g.) simply reverse the sense of:

      if (bad_security_here()) ...

      Into:

      if (! bad_security_here()) ...

      Or, do whatever else is necessary to nullify the security check.

      Client side security checks are largely meaningless! If you control the browser, you c

  • You'd think Google would know that code running on your attacker's computer is inherently insecure. I admit it won't be easy to effectively subvert the javascript that Google wants to execute in your browser, but it's not impossible. I don't see this stopping a determined and knowledgeable attacker.

    • The reality is that the web began with a certain concept of the domain of a user agent and how sites interconnect and could be merged into one. One web page could freely POST to another domain and that was the security paradigm.

      The problem turned out that even as a site 'trusts' the user to be authentic, that user may be under attack by other windows in the same browser, or not even visiting *your* site but a third site is using your cookies to induce the client to do undesirable things. It's not that you

  • DUH! (Score:5, Interesting)

    by freeze128 ( 544774 ) on Thursday November 01, 2018 @09:15AM (#57573849)
    Since google's services like gmail, maps, and docs all REQUIRE javascript anyway, you will need to allow javascript in order for those to even work. If you're logging into another service using your google account, then that's where things become sketchy. Of course you can just allow the google domains required for the login using something like noscript or uMatrix.

    I just logged into gmail, and didn't allow gstatic.com and googleusercontent.com and it allowed me to log in. Of course, without gstatic, I couldn't log out. :)
    • Since google's services like gmail, maps, and docs all REQUIRE javascript anyway

      That's not true for one of these. Gmail works just fine without any Javascript at all. The pure HTML interface is arguably even better (and certainly faster for most activities) than the normal version. Try it for yourself. Logout completely, then disable all of your Javascript (not just selectively). You can readily login, work with your account, and log out with no problem at all. It's actually my preferred way to interact with the web interface, when I must use it.

  • First it's "sign into Google accounts". But next it's "not get flagged as a bot by reCaptcha3" that they're rolling out (link to /. from a few days ago is an exercise for the reader). So it becomes "use 90% of the web".

    It's pretty clearly on their path in the next year or two (maybe three, however long it takes for reCaptcha3 to roll out).

    • First it's "sign into Google accounts". But next it's "not get flagged as a bot by reCaptcha3"

      ^^^ This. ^^^ . . . How long before google becomes the effective gatekeeper on the net? How long before you need to allow google to track you (via javascript) in order to log into a website you want to visit?

  • As a human being using a browser, I, too, disable Javascript for performance reasons.

    Just keep adding more and more reasons for users to leave you. Eventually your user base will decline. You're already my second choice for a search engine and it's not difficult to transfer bookmarks to another browser.

    • by ledow ( 319597 )

      99.5% of people have Javascript enabled in their browser.

      The rest are almost certainly running selective blockers (i.e. block Javascript on particular sites), etc.

      They aren't going to lose any significant number of everyday users at all. In fact, I'll be amazed if they see any significant user movement at all.

  • Does anyone have any suggestions about a better e-mail service that is mostly free (or for low cost) where I don't have to deal with all this mess? It was fun while it was novel but I've about lost patience now.

    I'm a little too lazy / busy to set up my own e-mail server in my own domain on my house network. Nothing secure about xfinity anyway. Oh well, living in a glass house is kinda cool I guess =)

    • by ledow ( 319597 )

      Why don't you use GMail.... and access it via IMAP?

      Or you can pay any domain host for a domain with email... they start at literally pence normally.

      You don't / can't run email servers from home anyway (you'll be on SpamHaus policy blacklist because the ISP almost certainly lists all their dynamic IPs there), you need a secure outside machine that's on 24/7 with a fixed IP and not listed as being a "home" connection via SpamHaus PBL/XBL etc. Don't even get me started on sending email, you need to be SPF'd

    • Protonmail seems to be the popular choice. I use it, as well as their VPN service in a bundled deal. So far I've yet to uncover any news or evidence that the promise of privacy is just a marketing ploy.
      • If you use their app or webmail interface, Protonmail is okay, as long as you don't need a large amount of storage. (I believe the free accounts are limited to 500 meg or something like that.) The main downside to Proton for me is that, because of the encryption feature, you can't use 3rd-party email clients. My main email these days is with Zoho. They seem to be pretty reliable (other than a 1 day outage not long ago, which has been the exception). And they claim not to read your email. Believe that or
  • Google just keeps on doing things to aggravate users who care about their privacy and security into doing things that cause them to sacrifice it. Google instant was one of the first things. Anyone who is a touch typist (doesn't have to look at the keyboard to type) likely despises the fact that the screen changes and lags as you type. No way to disable it permanently without logging in and confirming your identity. Another example is how hard it has gotten to use Google services without giving them your phon

  • This is called the "Run our spyware or fuck off" policy.
