‘If you’re not wearing a tie, you’re not getting in’
Google’s decision to begin enforcing JavaScript for logins has been met with equanimity by security researchers.
The move – announced by Google on Wednesday and timed to coincide with Halloween and the end of October’s Cybersecurity Awareness Month – is designed to allow more security checks during the sign-in process.
“We’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment,” the company explained in a blog post.
“Chances are, JavaScript is already enabled in your browser; it helps power lots of the websites people use every day.”
Professor Alan Woodward, a computer scientist at the University of Surrey, explained that the move is only really likely to affect Tor browser users.
“JavaScript is usually disabled to prevent any client-side processing – cryptojacking and the like – or to prevent the page from gathering more data about the user. That’s why Tor browser disables all scripts. Some browsers have functionality that allows all sorts of other private data to be harvested.”
He added: “Having to have JavaScript enabled will be a bit of a danger, as once you enable it, you enable it. It can be used for good as well as apparently innocent things such as logins. I suspect it’s more about fingerprinting people and preventing incognito mode from hiding too much about you.
“It does mean that anyone using browsers with scripts disabled (Tor browser can have it enabled but as soon as you do that you may as well not bother using Tor).”
“Most users actually complain when scripts are disabled as many of the nice features they like (everything from rollover effects to drawing in third party content) so I doubt it will affect most users but for anyone with privacy concerns or possibly security concerns, they simply won’t log in,” he said.
Security researcher Troy Mursch was even more sanguine about Google’s move to enforce JavaScript for logins, arguing that, if anything, the move might be overdue.
“I’m surprised they didn’t do it sooner, to be honest. Outside of Tor browser users, I’m not aware of anyone that runs their browser with JavaScript completely off. This will break critical functionality of most sites that require user interaction,” Mursch told The Daily Swig.
“We’ve seen plenty of malicious use cases of JavaScript with recent Magecart campaigns, and before that cryptojacking. It would be nice if Google could help with the security concerns of JavaScript (and WebAssembly) – but that’s unfortunately out of scope for most browser makers,” he added.
Chris Boyd, a security researcher at Malwarebytes, said that insisting on JavaScript for logins is a rational move for Google and beneficial, at least for mainstream users.
“Keeping JavaScript enabled is a small price to pay for the usefulness of the various sign-in security tools Google provides,” Boyd explained. “If someone is really concerned about enabling it in their browser, they can always use it exclusively to sign into their Google account and disable it at all other times.”
“This is only really a problem if we ignore the fact that the browser user is not being stopped from being flexible with their JavaScript use, or anything else for that matter.”
He added: “Only incredibly security-conscious people are likely to be affected by this due to concerns about general JavaScript exploits, and will have the technical know-how to enable/disable as required. Everyone else probably has JavaScript enabled by default anyway, and wouldn’t understand what all the fuss is about.”