On 03-07 19:19, [email protected] wrote: > On Thu, Mar 05, 2020 at 07:32:36AM -0700, Luke A. Call wrote: > > I just leave javascript off for usual browsing, with a tab sitting open > > in chromium or iridium to turn it on for the occasional temporary need, > > or added to the browser's exception list to allow permanently for > > certain sites. This partly because it seems easy, and partly since I > > probably won't know if a browser extension is sold to a malicious entity, or > > otherwise compromised (so, seems a smaller attack surface, but still usually > > convenient.) > As I know many sites without js doesn't work. Anyway I don't understand > how switching off js defend you from 0day browser bug. > Maybe you mean that because many 0day concern javascript ?
Yes, as well as the general category of speculative execution CPU attacks, rowhammer-type attacks, evercookies that use javascript, and/or whatever else I don't know about that is enabled by javascript. It just seems to be required for many attacks that one reads about, over time, and given that trend, probably some future ones, all from downloading unknown code to run locally. For those fewer times when I do enable it, I'm glad for OBSD's various protections, to further lower risk. -- Luke Call My thoughts: http://lukecall.net (updated 2020-02-18)
