JavaScript Must Be Eradicated From The Web

JavaScript is a programming language that is embedded in web pages and interpreted by popular web browsers like Netscape Navigator and Microsoft Internet Explorer.

I think that JavaScript is an incredibly insecure and inadvisable technology and should never have been deployed on the Internet in the systems it is most commonly used in. JavaScript should be removed from all web browsers, and removed from all web pages throughout the Internet.

Why?

My argument for the apparently extreme position on JavaScript is as follows:

  1. Apple MacOS and Microsoft Windows are both insecure.

    Most of the computers in use on the Internet today are running operating systems that do not protect the system as a whole from any misbehaving application program. System crashes are one manifestation of this problem.

    More insidiously, this insecure OS architecture allows viruses and other malevolent programs free rein once they're running.

  2. Don't take programs from strangers!

    No user should be running any program on a computer that he did not explicitly install himself; to do otherwise invites attack and misuse of the computer by others. Do you know where that JavaScript came from, or what it is supposed to do?

    JavaScript comes over the Internet, embedded in otherwise innocuous HTML documents on the World Wide Web, and is immediately executed by the web browser without prior explicit user permission. This is just wrong.

  3. It is impossible, as a practical matter, to make JavaScript 100% safe.

    The claim is made by Netscape that JavaScript is a "safe" programming language, in that it is not permitted to perform "dangerous" operations. This claim rests on the JavaScript language specification, which is open to public inspection, and the implementation of the language interpreters in web browsers by Netscape and Microsoft, which are not open to public inspection.

    It is prohibitively expensive for a JavaScript implementor to do a full and complete combinatorial test of all JavaScript functions and operations. Given this, it is unlikely that any JavaScript implementation has been exhaustively tested to prove its correctness, so there are very likely to be very dangerous bugs lurking in the code, waiting for some nefarious person to discover them.

    In short, if any JavaScript implementer makes a mistake, the computers running that JavaScript implementation are vulnerable to attack. Given the state of computer operating systems as noted above, this is an intolerably dangerous situation.

What Does This All Mean?

Take all of this together and you have a situation very like a nuclear power plant: very useful, but the consequences of a failure are very, very dangerous. This is why nuclear power is (supposedly) a very tightly regulated industry.

Unfortunately, there are no such regulators looking over the shoulders of those who implement JavaScript; it's all Caveat Emptor and devil take the hindmost, because there is no legal liability for software bugs.

OK, What Can We Do About It?

  1. Educate everyone about this issue - forewarned is forearmed.

    It is possible for every user to turn off JavaScript support in their web browser; it's a check-box in the Preferences or Properties.

  2. Petition Netscape and Microsoft to remove the JavaScript interpreters from their web browsers.

  3. Petition web site developers not to use JavaScript, or, at minimum, to produce sites that are fully functional when JavaScript is turned off in the user's web browser.

    This is known in the industry as making a site that "gracefully degrades" to match the capabilities of the user's web browser, and when properly done, this design discipline makes the web site's content accessible to the widest audience.

  4. Petition Apple Computer and Microsoft to rewrite their operating systems so that application programs cannot crash the systems they run on.

We have our work cut out for us.

Just To Add Insult To Injury

JavaScript is on its way to becoming an International Standard through the auspices of the European Computer Manufacturers Association (ECMA) as "ECMAScript."

And If That Weren't Enough...

Microsoft's ActiveX technology is even worse than JavaScript. They don't even claim that it's "safe."


Erik Fair <fair@clock.org>
December 4, 1998
