WhiteWinterWolf Practical IT security, *nix systems & networking

All resources on this website are delivered through HTTPS, using a safe configuration rated A+ (as of December 9, 2017) with both Qualys SSL Labs and Mozilla Observatory tests.

This provides good guaranties that you are indeed talking to my website and that in-transit data will not be alterable or eavesdropable by a third-party.

Some companies encourage webmasters to include some code snippet on their websites, like:

• Advertisement allowing the webmaster to monetize his website.

• Analytics libraries providing the webmaster free tools able to better shape visitor’s activity and optimize their website’s impact and profitability.

• Social networks icons allowing visitors to more easily share a page on their favorite networks (and here again allowing the website to get more impact).

• Bundled videos, allowing the visitor to watch an externally hosted video while keeping him on the current website.

• Common libraries allowing the webmaster to take advantage of always up-to-date and fastly delivered Javascript files to add eye-catchy effects on the website.

• Common fonts usable for free by the webmaster and fastly delivered.

• Content delivery networks, allowing to duplicate website’s static content at several places of the Internet to deliver it faster to the visitor.

None of this comes for free. While these features may be very convenient for the webmaster, and may even directly or indirectly earn him money, they have a price: you, dear visitor.

Considered individually, none of these technologies represent any real threat. But now, imagine that more than 90% of the websites you are visiting, either directly or indirectly (bundled content, etc.), uses at least one of the services mentioned above.

Thanks to these “webmaster’s free services” each website you visit, your activity on these websites, up to your mouse cursor moves and keystrokes (even on non-submitted forms, see this article). At the end, these companies will have recorded your whole on-line activity, from public activity to private including intimate secrets.

Personally, I consider that if you browse my website, you somehow trust me. I would not break this trust by selling you to such practices.

Cookies are not harmful by design, as they are in fact the more secure solution to implement authenticated sessions.

However, they also offer an easy way to uniquely identify and track a visitor to reconstruct its activity and profile him.

Here, as a visitor of this static website, there is no need of sessions, so no need of cookies.

The same way, JavaScript is not harmful by design, as it is the safest way to add relatively advanced interactivity on a webpage (other ways such as Java applets, Flash or Silverlight plugins, etc. all failed in this regards).

However, JavaScript as a programming language can also be used for more dubious purposes, such as opening ranges of alternative ways to track users or, even worse, distribute malware and attempt to take over the visitor’s environment.

Recent versions of HTML and CSS have reduced the use-cases where JavaScript and Flash plugins remained required for a long time. Now videos can be directly embedded in HTML documents, and CSS supports dynamic effects such as animation and transformation.

On this blog a no-JavaScript policy is enforced site-wide. This means that, would some JavaScript code still manage to slip through, the webserver’s configuration will prevent your browser to execute it.