Posted: November 7, 2018 by

Last updated:

Google now requires users to enable JavaScript before logging in for extra security measures. But wait, hasn't JavaScript been used in cyberattacks? We take a look at the impact of Google's decision.

Google users: In news that may sound alarming, it is now a requirement for you to enable JavaScript.

Why? When your username and password are entered on Google’s sign-in page, Google runs a risk assessment and only allows the sign-in if nothing looks suspicious. Recently, Google went about improving this analysis and now requires JavaScript in order to run their assessment. Want to use some of those comprehensive security enhancements for your account? Then JavaScript must be enabled, or you won’t be able to log in. JavaScript is now your forever friend.

What is JavaScript?

If you use websites such as portals or social media platforms, you likely run into JavaScript all the time. It’s a programming language used for all sorts of interactive effects in games and basic operations like logins. It ticks away in the background alongside cascading style sheets and HTML for a solid browsing experience.

It’s now a core slice of the Google login pie, and you will absolutely have to try a slice.

What has changed?

When using the Google sign-in page, you won’t get any further if you have JavaScript disabled. This could be frustrating for some users, given how much important data can be stored in a Google account. Why has the drawbridge come up? In a nutshell, to keep you safe from the many scams and attacks aimed at Google users.

Google accounts have a whole variety of safety measures to keep would-be compromisers out. If someone manages to obtain your password and tries to sign in as you, Google runs some checks. If they flag certain unusual activity, such as logins from another country, they’ll request additional verification.

Google can’t do any of this without JavaScript up and running, so moving forward you’ll have to switch it on.

Is this a problem?

I mean…no, I don’t think it is. JavaScript shows up in a lot of attacks, and we don’t want anybody becoming complacent. It is, however, possible to impede your own preferred browsing behaviour unnecessarily.

There’s one school of security thinking which is a little like security nihilism. Essentially, everything is a threat and we must reduce the attack surface. Okay, fine. The problem is, for some, this turns into a game of “remove absolutely everything from the device.” At what point do we stop and look in wonder at our expensive, utterly non-functional box?

You probably have JavaScript enabled right now, unless you’re highly security-centric or super keen on having the fastest loading times possible. It’s usually one of the most common complaints related to script blocker extensions. “I blocked them, and nothing works. Now what?”

The Sun has the blocker fired directly into its heart, that’s what. If you want to strip out the functionality of browsers, there is always going to be a price to pay. For example, the earliest ad blocker/script blocker tools often made everything nigh on unusable. Thankfully, ad blockers have stepped up their game and are now part of a healthy, balanced cybersecurity hygiene routine.

Good news, the choice is easy

Google estimates the impact of their new JavaScript requirement is likely to be small—supposedly only 0.1 percent of their users have it switched off. At this point, they’re going to have to make a choice.

This isn’t a stark “one thing or the other” decision. There’s absolutely nothing preventing someone from enabling JavaScript purely for logins, then switching off afterwards. Yes, there are JavaScript exploits out there, but there’s an exploit for pretty much everything anyway. You are unlikely to hit any sort of trouble switching it on just to sign in.

As was mentioned on the Daily Swig blog, surfers such as those using TOR are likely to be the most impacted. If you’re on TOR and trying to use Google services, you may have to force yourself to switch. If you still won’t use an alternate browser for Googling, perhaps ultimately, you may have to find another provider.

For everyone else, this is a good thing and will help keep your accounts more secure in the long run.