How to Surf Anonymously & Hide Your PC: Part 4 – Controlling Javascript




If you want to be anonymous in real life, buy a big coat. Online, and for your PC, it’s more complex. Why do it? To shore up your identity, safeguard data, secure eCommerce and give peace of mind.

Better Anonymity with wpCop.com

UPDATE: Feb 2013

This guide is old. The theory is good but the practice is worn.

For up-to-date advice please check out my new site wpCop which, while niche-targeting WordPress security, also covers the bases for PC, web and server security.

Particularly:-

Guvnr, BTW, has relaunched to front as the blog for both wpCop and, shortly, my server installation guide vpsBible.

If you’ve got any security-related questions, pop by the wpCop forums.

Hope that helps.

guv

This guvGuide helps you find the level of anonymity to suit you, to take control of your identity, to enjoy faster, safer surfing and, in Part 4…

…to control javascript, disabling risk while retaining functionality.

A comprehensive guide, spread over 5 posts:-


I’ve endeavoured to make this guide as comprehensive as possible; detailed, yet bulleted. But hey, if there’s something missing, you’ve got a suggestion, or a disagreement, please leave a comment below, and we’ll improve the guide. Tx.

Javascript Uncovered

“What’s javascript,” you may ask? Others thinking, “Just disable it.” And others, “Gotta love it.”

Modern javascript sure is cool, arguably the rum in the punch, and important for user experience with many sites, including mine. Then again, it can present a security vulnerability, so it pays to know how to avoid problems.

As with cookies, as we turn our attention to measures that can help with anonymous surfing, we must each consider our online habits, our level of online experience and the degree of user experience – or interaction – that we require. This is because, if we wanted total security and no risk, we would be left with a bland, yet perhaps still fulfilling experience. On the other hand, if we threw caution to the wind, risking all, we may have an improved experience, but perhaps with dashed anonymity and, if we haven’t followed the steps in Part One, a box full of viruses.

For most, there needs to be a balance somewhere between risk and interactivity. Hopefully this guide will help you to find your balance.

What is javascript?

First up, javascript has nothing to do with java, another language (and a coffee). Totally different things. Let’s get that straight.

Javascript is a language widely used to help build websites. Some variation of javascript is used in most modern sites because it’s super-good at doing certain things that other languages can’t, else it does them better.

Most commonly, it is employed to assist user experience, by adding user-page interaction. For instance, on Guvnr.com, it is employed:-

  • to clarify website navigation; for example, highlighting the menu above as you cursor from tab to tab
  • to present content in more readable chunks; for example, with the “accordion” style sections of content that you can browse between on various sections of this site
  • to save you time; for example, so that when you type a phrase into the search box, there is an instant dropdown of search results, rather than you having to await a fresh page to load
  • to save you time; for example, loading a panel, instantly populated by content, when you click on the “tags & categories” button in this site’s blog section, rather than you having to await a fresh page to load
  • to save you time; for example, loading panels, instantly populated by content, when you click on any of the homepage links on this site, rather than you having to await a fresh page to load

Javascript is used for many, many more things besides, that add to user experience, helping us to wade through complicated web pages such as online shops and banks, far more easily. And it can also do a huge amount of stuff behind the scenes.

Sounds cool. So what’s the risk?

Internet Explorer.

What?

Internet Explorer.

The single biggest security threat, the main concern with javascript, isn’t javascript at all. It’s Internet Explorer, which is the most vulnerable browser. That’s because:-

  • overall, it’s the most popular browser and is related to the most popular OS, Windows
  • it’s the easiest to hack

It’s easy to see why popularity is a problem, a bit like pickpockets flocking to crowds. But that javascript-related security flaw? If you really want to know what that is, yawn, insert techy stuff…

Microsoft has this technology called ActiveX and, to make that more effective, IE has a few added file system commands which other browsers don’t use. These file system commands can be manipulated by an unscrupulous web developer, in rare cases, with unsavoury results. I could go on, but we’d be here all day. However, let me just say, there have been two major scares with IE7 in the last 6 months. Or was it 3? Well, it was at least more than any other browser had.

So all the other browsers are safe?

No.

You’re having me on.

Look. Here’s the deal. This is what you have to read…

Any web browser can be exploited, potentially. Internet Explorer is widely considered, amongst the web security industry, to be the most vulnerable, for the reasons above. It’s still a difficult hit, these days, for very frequently updated browsers. And in reality, an actual attack more generally relies on the web user doing one of the following:-

  • surfing for porn
  • surfing for warez
  • online gambling

So really, it’s about user discretion, common sense.

If you are a pirate, spin the dice and can’t keep it in your pants, then turn off javascript for dodgy sites.

If you prefer to surf CNN, Barclays Bank and the Church of England, you’ll most likely be fine.

If you want to be really safe – sorry Bill – bin Internet Explorer and surf safer with an alternative browser. The safest of all is Firefox, for the simple reason that there is an add-on that can be used, called…

The NoScript Firefox Add-on

NoScript is an add-on, a plugin, that you set up to allow or disable javascript globally, or on individual sites.

A lot of people have downloaded it. In fact, 37,884,458 people. (I just looked.)

I’ve just downloaded and installed it myself. Here’s some detail…

Ha! I tried it out on my site, guvnr.com, because I know exactly what scripts there are. It ran none. Damn! My site was rendered a non-javascript puny raw-html of a thing. Most upsetting. So look. Here’s the deal. If you use NoScript as a result of this review, you must allow scripts on my site. Only fair.

OK…seriously.

It’s good. But it’s tedious to use on the catch-all scripts setting, especially if like me you surf a diverse range of sites, because most modern sites are javascript-rich. I lasted ten minutes with that setting, before changing to allow javascripts globally which means, basically, it’s useless. Then again, I can always turn it back on, easily enough, so that’s flexible. And if you’re unsure about a site, you can easily activate it for the one site.


NoScript is easy to configure. At the bottom of my browser window, there’s a little icon which, when clicked, allows me to quickly enable scripting for the particular page. There’s an options box too, detailing, for example:-

  • allow sites opened through bookmarks (favorites)
  • forbid Flash (which can be damn annoying, not that it’s a threat)
  • a whitelist edit box (sites to allow)
  • lots more

I’m impressed. I’ll put together a guvUtorial about this plugin, but don’t wait up.
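
The whitelist idea above, and the difference between default-deny and "allow scripts globally", sketched as an added example (not NoScript's own code and not part of the original post). The site names, the `decide` and `blocked` functions and the host-matching rule are assumptions made for illustration.

```javascript
// Simplified model of a per-site script whitelist (illustration only;
// this is not how NoScript itself is implemented).

// Constructed sample: script sources found on one page.
const pageScripts = [
  "https://bank.example/js/login.js",
  "https://cdn.bank.example/lib/ui.js",
  "https://ads.tracker.example/t.js",
  "http://bank.example.evil.test/x.js", // look-alike host
  "not a url",
];

// True when `host` is `site` itself or a subdomain of it. Matching on a
// dot boundary stops "bank.example.evil.test" passing as "bank.example".
function hostMatches(host, site) {
  return host === site || host.endsWith("." + site);
}

// Decide whether one script may run. `allowGlobally` mirrors the
// "allow scripts globally" setting; `whitelist` holds trusted sites.
function decide(scriptUrl, policy) {
  let host;
  try {
    host = new URL(scriptUrl).hostname.toLowerCase();
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" }; // fail closed
  }
  if (policy.allowGlobally) return { allowed: true, reason: "global allow" };
  const site = policy.whitelist.find((s) => hostMatches(host, s.toLowerCase()));
  return site
    ? { allowed: true, reason: "whitelisted: " + site }
    : { allowed: false, reason: "not on whitelist" };
}

// List the script URLs a policy would block on a page.
function blocked(scripts, policy) {
  return scripts.filter((u) => !decide(u, policy).allowed);
}

const strict = { allowGlobally: false, whitelist: ["bank.example"] };
const lax = { allowGlobally: true, whitelist: ["bank.example"] };

console.log(blocked(pageScripts, strict)); // tracker, look-alike, bad URL
console.log(blocked(pageScripts, lax)); // only the unparseable entry
```

With the strict policy only the bank's own scripts run; with global allow the whitelist is never consulted, which is why that setting gives no protection.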

Disabling javascript

With the exception of NoScript, there is no halfway house. If you want to disable javascript, here’s what you do:-

Firefox

  • Tools > Options > Content > [uncheck] Enable javascript
  • Tools > Options > Content > Advanced to change some other settings that I wouldn’t really bother changing

Internet Explorer 7

  • Tools > Internet Options > Security > Custom level > Scripting > Active scripting > [check] Disable
  • … or you can [check] Prompt to be asked to allow scripts per site

Internet Explorer 6 – if you’re using that browser, you should go to Windows Update and upgrade to IE7 (or bin it altogether for Opera or Firefox!)

Opera

  • Tools > Preferences > Advanced > Content > [uncheck] Enable Javascript
  • In the same panel are Javascript Options, but generally I wouldn’t bother with these

Chrome

  • For Windows XP, with the browser closed, Start > Run > type "C:\Documents and Settings\%username%\Local Settings\Application Data\Google\Chrome" -disable-javascript
  • For Vista, with the browser closed, Start > Run > type C:\Users\%username%\AppData\Local\Google\Chrome\Application\chrome.exe -disable-javascript
  • Using the same method, you can also use the parameters: -disable-images, -disable-java, -disable-plugins, -disable-popup-blocking, -start-maximized

Safari

  • Edit > Preferences > Security > [uncheck] Enable Javascript

To ENABLE javascript, reverse the procedure. For Chrome, replace ‘disable’ with ‘enable’.

the_guv Recommends

Best advice? Run NoScript. Set it to allow scripts on sites you trust, like the bank. And surf safe. You’ll have to install Firefox and scrap IE… so no loss there. For random surfers, particularly those with less experience of the web, I would recommend it highly. For those navigating the web’s extremities, else for those wanting absolute security of their data, it’s a must. But all that said, with the settings set to allow javascripts, my copy may as well not be installed at all. But I won’t delete it. It may be useful sometime. And there’s some insurance there. Orthodox surfers will agree.

And if NoScript wasn’t available?

For the record, my advice would be:-

  • swap IE for Opera, Firefox or Chrome, which are smaller security risks
  • keep javascript enabled
  • remember what Kevin Mitnick said in The Art of Deception, “…the gravest security risk of all [is] human nature.”

Nearly there! Tomorrow, in Part 5, we’ll carry out the single most important task to attain web anonymity, by setting up the proxy server. Join me for that, with a special guvUtorial video, so you can see just how easy it is to do.



About the Author:

Olly Connelly (yeah, that's me) blogs at guvnr.com, polices WordPress security at wpCop.com and helps noobs build web servers at vpsBible.com, so if you've got sleeping problems you know where to come.

Discussion

  1. BWHS  March 10, 2011

    Seems like php is better for security.

  2. the_guv  August 23, 2009

    @koshala .. well, I could but then I’d have to … ;)

  3. koshala  August 20, 2009

    can you tell me how to hack a web page

  4. the_guv  January 29, 2009

    @E>T>V firefox does use a lot of memory. You can tweak it though…there are lots of guides on youtube. I use firefox for most stuff, and chrome as a side browser to help speed things up.

  5. E>T>V  January 29, 2009

    noscript is good as, but firefox is slow

  6. the_guv  January 28, 2009

    @E>T>V I agree

  7. E>T>V  January 28, 2009

    the web don’t work without javascript
