Posts tagged with "xss exploits"


JavaScript Abuse 101

Why?


The SHOCKING TRUTH about Disqus, et al

Crab People

You should sit down before reading this.

Despite what seemed like a heartening tide against services like Disqus, they're enjoying a baffling resurgence. I asked myself, why would people voluntarily make their sites slower, more convoluted for security conscious people to use, as well as less accessible, searchable, cohesive, secure and predictable? I did a bit of digging, and discovered something shocking.

Crab people. They taste like crab, talk like people, and they live underground.

Crab people are installing third party comment systems on as many blogs as they can by convincing people they're shiny and awesome. Once installed on a critical mass, they'll be able to control the blogs remotely using an undisclosed back door in the proprietary code and take back the world the Humans so cruelly stole from them.

Crab people! Crab people! Taste like crab! Comment like people!


What are your favourite browser plugins?

Macslocum over at O'Reilly Answers is asking people to submit their favourite browser plugins and extensions. No prizes for guessing which one I chose!

First Macslocum's recommendations:

Firebug (Firefox) -- I can't believe this thing is free. It's hands-down the best HTML/CSS testing tool I've ever used. It's also incredibly handy when I can't remember my own CSS naming conventions.

ClickToFlash (Safari) -- This automatically disables any Flash-based elements. But unlike strict ad blockers, ClickToFlash gives you the option of activating Flash on a piece-by-piece basis. So if you want to watch a movie on a web page but you don't want to see the Flash ads, just click the movie element and that Flash-based part of the page will load.

How about you? Which plugins/extensions do you use?

For what it's worth, I also highly recommend ClickToFlash to all my Mac friends using Safari, it improves performance and reliability so much it's as if you've just shoved an extra few gigs of memory into your system for free.

My predictable answer

Without a doubt it'd have to be NoScript for Firefox. The fact no other browser has such simple blocking and whitelisting for dynamic content and Javascript ensures I won't be switching browsers anytime soon.

Frankly, given all the thousands of exploits using Javascript as a vector I'm surprised (and somewhat dismayed) it's such an unusual extension.

[For some reason text fields on the O'Reilly Network always correct JavaScript as Javascript!]

As I've enumerated here many times, I can't use a browser without NoScript anymore; I feel as though I'm in a car without seat belts, a war zone without a bulletproof vest or a conference without pants when I don't have it. How people think they can be responsible internet users without such software in 2010 baffles me more than... attending a conference without pants. I suppose some people wear business skirts, just not me, surprising though that may sound. Chuck Peddle wears pants, I can tell you that much. And he invented the 6502 for heaven's sake!

If you have an O'Reilly account, go over there now and voice your opinion. Tim O'Reilly, the good O'Reilly, not the sleazy news guy ;).

Relatedness

If you haven't seen my other posts on this subject, I also talk about my other favourite Firefox plugins in these posts: More Firefox extensions and Firefox extensions. I put way too much effort into those pages! Of all the extensions, most are security related.


Worrying out loud about JavaScript

Too many scripts!

As I said with the Ghostery Firefox extension back in May (Ghostery Mozilla Firefox extension review), it bowls me over when I go to some sites to see just how much sneaky crap is going on behind the scenes, and how most people simply have no idea. With NoScript, I'm starting to see the same thing, and it's rapidly getting much worse.

NoScript of course is a simple extension that blocks all JavaScript from executing in your Firefox browser unless you specifically authorise it; in security parlance it's an "opt in" system. Above all others, it is the primary reason I use Firefox.

So many scripts!

The point of this post, though, is the sheer number of JavaScript snippets attempting to run, even compared to a few years ago. When I started using NoScript, a page with half a dozen JavaScript snippets attempting to run was a rare sight; these days it seems to be the norm.

Having a trillion different things trying to run on a page is perhaps to be expected with so many external Web 2.0 services jostling for our attention, and the number of scripts attempting to run doesn't necessarily translate to less security and privacy, but I am becoming increasingly wary of the direction things seem to be heading.

Why Worry? (apologies to Chet Atkins)

More scripts are a problem. Each script introduces a new potential vector for attack, meaning the more we have, the greater the surface area of the target we're wearing on our backs as we browse. Unfortunately, as this progresses, tools such as NoScript could become less effective for the same reason the Windows Vista UAC system ultimately failed: as we drown in the sheer number of scripts, picking out legitimate scripts from sneaky ones will only get harder, which means many people will simply give up and allow all scripts again, defeating the purpose. As more pages start to depend on scripts to operate, so too will people's frustration grow.

I just shudder to think all that nonsense would be running unfettered in my browser if I didn't have an extension like NoScript for Firefox, and it makes me shudder even more that the vast majority of internet users don't use such a utility.

It also makes me wonder just how many of these scripts are really necessary at all, and whether they're symptomatic of a broken web architecture that's failed to keep up with what we've ended up using it for. As with Flash, will HTML5 help to alleviate some of the need for client-side scripting?


Don't use JavaScript to compose pages

Screenshot from The Nationals website

Unless the purpose of your site is to be an Ajax application, using JavaScript to compose pages is just a dumb thing to do, regardless of whether you're using it to dynamically load comments from services such as Disqus, or from your own comment system as sites such as Lifehacker do, or for some reason to load static text and images.

I linked to The Nationals (an Australian political party) for a joke on a previous post and noticed this garbled mess of text and images along with an appropriate image of an irritated kid, presumably because he's just as unimpressed as I am and feels bad being associated with such a page! I shouldn't have to re-enable JavaScript just to read a static web page.

Friends, don't let your web designer friends use JavaScript to compose pages!
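The alternative the post argues for, as an added example that is not code from the original post or from any site it mentions: compose the page on the server, with the comments already in the markup and a plain form that submits by ordinary POST, so nothing depends on a script running in the reader's browser. Because comments are user-supplied, every string is escaped before it is placed in the HTML; the post, comment and URL values are constructed for illustration.

```javascript
// Added example (not from the original post): composing a page with its
// comments on the server, so the HTML is complete and readable with JavaScript
// disabled, stays with the page for search, and every user-supplied string is
// escaped before it reaches the markup. All names and data are constructed.

// Minimal HTML escaping for text nodes and quoted attribute values: the five
// characters that can break out of an element or an attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render the stored comments inline as ordinary markup.
function renderComments(comments) {
  if (comments.length === 0) {
    return '<p id="no-comments">No comments yet.</p>';
  }
  const items = comments.map(
    (c) =>
      `<li class="comment"><strong>${escapeHtml(c.author)}</strong> ` +
      `<time>${escapeHtml(c.posted)}</time><p>${escapeHtml(c.body)}</p></li>`
  );
  return `<ol id="comments">${items.join("")}</ol>`;
}

// A plain form that submits with a normal POST. A script may enhance it later,
// but the page works without one.
function renderCommentForm(postSlug) {
  const action = `/posts/${encodeURIComponent(postSlug)}/comments`;
  return (
    `<form method="post" action="${escapeHtml(action)}">` +
    `<label>Name <input name="author" required></label>` +
    `<label>Comment <textarea name="body" required></textarea></label>` +
    `<button type="submit">Post comment</button></form>`
  );
}

// post.bodyHtml is the author's own trusted markup; everything else is escaped.
function renderPostPage(post, comments) {
  return (
    `<!doctype html><html><head><meta charset="utf-8">` +
    `<title>${escapeHtml(post.title)}</title></head><body>` +
    `<article><h1>${escapeHtml(post.title)}</h1>${post.bodyHtml}</article>` +
    `<section>${renderComments(comments)}${renderCommentForm(post.slug)}</section>` +
    `</body></html>`
  );
}

// Constructed sample data, including a comment that tries to inject markup.
const SAMPLE_POST = {
  slug: "dont-compose-pages-with-js",
  title: "Don't use JavaScript to compose pages",
  bodyHtml: "<p>Author-written, trusted markup goes here.</p>",
};
const SAMPLE_COMMENTS = [
  { author: "Reader", posted: "2010-01-01", body: "Agreed!" },
  { author: "<script>alert(1)</script>", posted: "2010-01-02", body: '"><img src=x onerror=alert(1)>' },
];

console.log(renderPostPage(SAMPLE_POST, SAMPLE_COMMENTS));
```

Run it with Node.js and the printed page is readable as-is in a browser with scripting off; the injected comment appears as literal text rather than as an element, which is the other half of keeping comments inside your own page rather than inside someone else's script.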


Phew, NoScript now blocks HTML5 media

Another great reason for using NoScript in Firefox if you didn't think it was useful before is that it blocks embedded media such as Flash unless you specifically choose to unblock it on individual pages (which for me is almost never!). With HTML5 elements like <video> and <audio> now being supported in Firefox 3.5 I was worried I'd be losing this control and that there would be an unguarded vector for attack... not to mention being annoyed and irritated by pages that start playing jingles and animated advertisements!

Suppose Firefox employed an external library to play media which turned out to be vulnerable; it's happened in the past. Any malicious hacker could embed a specially crafted video or audio file into a page and your browser would start playing it automatically when you visited the page. By the time you realised what was going on, it'd be too late.

Well, it's time to breathe easier again (that sounded like an introduction to a cheap infomercial). I just noticed this evening, after updating to version 1.9.8.1, that NoScript now blocks HTML5 media elements on pages that aren't on your NoScript whitelist, just like JavaScript, Flash and the like, which is fantastic news. I understand selectively enabling JavaScript may be a bit troublesome for some people to cope with, but HTML5 media filtering should be a mandatory part of Firefox in my opinion.

In any event, it's one less thing to make me nervous and to worry about, which for someone always buzzing with social anxiety and caffeine is a good thing :).


The Adobe Flash of the comments world

Disqus is an external blog commenting system that seems to be all the rage these days, so much so that even veteran blogger Dave Winer has just started using it on Scripting News. While the concept seems like a great idea, the implementation leaves a lot to be desired.

Firstly, instead of relying on accessible web forms for users to submit their comments, Disqus uses a JavaScript hook which dynamically loads comments onto the page. I can't begin to describe what a bad idea this is, so perhaps some bullet points will help me out!

It makes pages slower
Because you're making two database calls, one to your own blogging system and another to the external Disqus servers, the resulting page takes far longer to load than a regular commenting form would. It's so bad on some blogs I read that I've simply given up posting comments on them.

It makes pages far less secure
The idea of running JavaScript from a third party on my own site scares the heck out of me, but in this case we're not talking about a potential attack vector that displays photos from a Flickr page or something similar; we're talking about critical parts of your blog's infrastructure being loaded from an external server each time a page is loaded. XSS exploits are exploding, and any exploit discovered in Disqus, with its larger attack surface, will affect your site too. It also means security conscious people like me who use NoScript can't leave comments.

It makes pages less accessible
For people who use audible or visual aids to access content, this approach to comments is just as bad as Flash. It also means certain browsers won't be able to render the comment field at all, such as those on lower-powered computers and mobile phones, which increasingly have web browsing capabilities. Disqus provides a link to their website for such people, but it's a lousy compromise when other comment systems can work inline while adhering to web standards and accessibility.

It's a legal pickle
To quote Webby's World in their article on 8 reasons you shouldn't use Disqus: "surely it can’t be good to subject users to another privacy policy with servers in another jurisdiction. Who would be liable for any breaches in data protection?"

Comments are no longer associated with the page
This makes local search and per-site search-engine queries impossible, because the comments are disconnected from the content they were about.

Comments are no longer in your database
For some people that may be fine, but I prefer having such critical parts of my blog running locally. If in the future a plugin comes along that can do something really fun or interesting with comments left by people, you're also completely out of luck.

It locks your comments into a silo
The Disqus team seem like honest people, but their service is closed and proprietary, and as of now there's no way to reliably and easily export comments out of it and import them back into your blog if you change your mind. If they start charging for their services or start embedding ads in the future, you're completely at their mercy.

It makes pages less predictable
Because it uses JavaScript to fetch data after the page has already appeared to finish loading, you may already have started scrolling to a part on the page before everything changes. This is really, REALLY irritating!

Ultimately, it's unnecessary
Twitter integration, threaded comments, better spam blocking: they're all available with existing plugins that don't have any of these problems. In fact, Dave Winer needs to use Disqus precisely because his Radio software doesn't include commenting systems or plugins to do these things.

This is why, dear readers, for your benefit and mine (our collective sanity as it were!) I will not be putting Disqus on my own blog here. I suspect it's a fad anyway, and will start disappearing in a few years when the Next Big Thing comes along. Disqus is to comments what Adobe Flash is to web pages, a little extra convenience for the target audience at a grave expense.

That's not to say the existence of services like Disqus is a complete disaster. What developers at WordPress, Movable Type and so on should be taking away from this is that some people aren't happy with existing commenting systems in their blogs, and that they'll implement self destructive plugins like this to get the features they want! I hope this means we see more innovation in the comments space.

UPDATE, 2009: Some good news: it seems the tide is beginning to turn on Disqus and other such dynamically loading comment systems. Matt Mullenweg, the head developer of WordPress, has publicly stated they're a bad idea in a post bluntly titled 6 Ways To Kill Your Community.

I hope this represents a wider trend (from the looks of it, it has) and will encourage others to leave the service for alternatives... though as I stated in the original post, for people who have got hooked to the service this might be impossible or extremely difficult.