Google Sign-In Page Requires JavaScript Be Turned on for Security

cageymaru

A recent post on the Google Security Blog says that the internet giant will require that users enable JavaScript to use the Google sign-in page. This will allow Google to run a risk assessment and only allow a sign-in if nothing looks suspicious. The blog post also discusses new Google account data sharing features where the user is notified when an app is granted access to their Google account. If your account is compromised, Google has a new step-by-step process that they will trigger if they detect potential unauthorized activity.

It's Halloween and the last day of Cybersecurity Awareness Month, so we're celebrating these occasions with security improvements across your account journey: before you sign in, as soon as you've entered your account, when you share information with other apps and sites, and the rare event in which your account is compromised.
 
So for their system to check my account credentials, they have to run crap on my machine? Wonder which mysterious 3rd party domains these scripts will try to load from? And how much data do they send back to that great data vacuum known as Google?

How long before someone manages to duplicate the script and send back wrong but seemingly valid answers?
 
Any time I sign in with my VPN, Google thinks it's compromised and forces me to do this baloney sign-in BS. Guess no more work email when I travel HAHAHA.

And turn on JavaScript? HAHAHAHA
 
So for their system to check my account credentials, they have to run crap on my machine? Wonder which mysterious 3rd party domains these scripts will try to load from? And how much data do they send back to that great data vacuum known as Google?

How long before someone manages to duplicate the script and send back wrong but seemingly valid answers?

It's not just doing auth anymore. Now it's analyzing your mouse movement/speed on the page to check if you're a bot. Hell, they may even have enough of that data for each of their users at this point to know which user it is based on that alone.

But sure, force us to turn on one of the most insecure pieces of software on the web to 'log in'.... What could go wrong.....
 
They want you to activate Java so they can scan your computer of everything and upload it to their AI overlords.
 
I used to use noscript everywhere, but I found it broke way too much shit. These days I just leave it on.

I'm not happy about it, but there is little choice if you want shit to work.
 
I used to use noscript everywhere, but I found it broke way too much shit. These days I just leave it on.

I'm not happy about it, but there is little choice if you want shit to work.
My opinion is that if a website is broken by NoScript enough to not be usable, then it wasn't worth my time to visit in the first place.
 
My opinion is that if a website is broken by NoScript enough to not be usable, then it wasn't worth my time to visit in the first place.

I usually agree, but it got to the point where it was getting ridiculous, with a majority of sites having serious problems.
 
I used to use noscript everywhere, but I found it broke way too much shit. These days I just leave it on.

I'm not happy about it, but there is little choice if you want shit to work.

Need something at your edge to do the filtering. I installed pfblockerng and set it up with a few community lists and it blocks most ads/malware JS before your request even leaves the network. Works really well and I have been able to turn off noscript, which was causing me a ton of problems as well.
 
Need something at your edge to do the filtering. I installed pfblockerng and set it up with a few community lists and it blocks most ads/malware JS before your request even leaves the network. Works really well and I have been able to turn off noscript, which was causing me a ton of problems as well.

Nice. I wonder how tricky it is to add this to my pfSense router.
 
My opinion is that if a website is broken by NoScript enough to not be usable, then it wasn't worth my time to visit in the first place.

Agree 100%, I have changed banks that have crappy WEB sites requiring Flash or Java to work correctly.

Too many sites are badly designed and poorly implemented.
 
Agree 100%, I have changed banks that have crappy WEB sites requiring Flash or Java to work correctly.

Too many sites are badly designed and poorly implemented.

My bank's web site has Google, FB, Yandex and a few other third parties in some places where they absolutely do not belong. Not critical enough to sue them, though
 
When using an up-to-date instance of Firefox on the newest Ubuntu LTS, Bank of America will say the browser is outdated and not supported.

My bank's web site has Google, FB, Yandex and a few other third parties in some places where they absolutely do not belong. Not critical enough to sue them, though
 
Yandex :nailbiting:

Where are you?

Yeah, I was surprised to see them among the usual suspects. Using the Bulgarian branch of UniCredit. It's not even on their Russian site.

Are they any worse than FB and Google at selling data?
 
When using an up-to-date instance of Firefox on the newest Ubuntu LTS, Bank of America will say the browser is outdated and not supported.

First sign of a badly designed WEB site. Well,...first among many. If you can't design a site using HTML standards, then you have no business putting it on the Internet.
 
I found my pfSense VM became SUPER slow and used huge amounts of CPU when I enabled pfblockerng. Ended up having to disable it again because it would cause long stalls in name resolutions and sometimes even time out. Ever had that issue?

I have not. CPU is typically around 5-15% on average, but it's using 82% of my 4GB RAM. But my pfSense box is running as a VM on my dual v2 Xeon server, so it has more resources available than most people's installs.
 
How long before someone manages to duplicate the script and send back wrong but seemingly valid answers?

It would take me a few days, but someone who knows their shit, a couple hours, give or take how much caffeine is in their system?
 
I started going through a Google detox a few weeks ago. I am happy that I did.

The last thing I have to find a locally hosted solution for is Hangouts. That's what I'll work on during the weekend, and after that, buh-bye.
 
I started going through a Google detox a few weeks ago. I am happy that I did.

The last thing I have to find a locally hosted solution for is Hangouts. That's what I'll work on during the weekend, and after that, buh-bye.

I got rid of Alphabet and its subsidiaries about six months ago. I feel so much cleaner now. :)
 
My opinion is that if a website is broken by NoScript enough to not be usable, then it wasn't worth my time to visit in the first place.
Some of the worst culprits I've come across are small/local US news agencies that require temporarily allowing several sites to get their videos to play. :meh:
 
This is the new trend - Node and Ajax are everywhere. Yeah, it's odd for JavaScript to be needed for something simple like a sign-in page - but for so much other functionality, there is either no way to avoid it or the alternatives are simply not practical.

It's just a tool - my web apps use it for all sorts of stuff. It's just that when you don't pay for your products (and don't read the fine print) - you become the product.
 