For our non-javascript users

If you are seeing this, it's probably because you tried to visit iacr.org with a browser that does not run javascript. I'm not going to try and convince you to turn on javascript, but I'm going to explain why I think this risk is overstated, and what IACR is doing about it to mitigate the risks.

The web has a 25-year-old history of security problems, and there is good reason to be skeptical about security when browsing the web. On the other hand, most of the modern web is now built with javascript, and a large amount of effort has gone into making it possible to use javascript safely. Unfortunately much of the use of javascript on the web is designed to facilitate advertising and data collection for the surveillance economy. The result is that this de facto use of javascript has led to a loss of trust in the technology itself.

Same origin policy

Most of the security and privacy problems of javascript are addressed by the same-origin policy implemented by browsers. This policy was formed back in the late 90s, and was the cornerstone of the first web security models.

IACR has recently adopted the policy that all new javascript, css, and images will be hosted directly from iacr.org (with a few exceptions below). We will no longer use content distribution networks, and we will no longer use software from third-party sources if it must be hosted from their site. This policy change is to address two issues:

  1. When a page embeds third-party content that is hosted from another server, the result is that the third party site gets notified about every visitor to the host site because the browser must request the embedded content. This is a privacy leak that some businesses have exploited to boost their business, but provides no direct value to the user.
  2. Third-party javascript that is loaded from a third-party site has the ability to communicate back to that server. By contrast, the same-origin policy implemented by web browsers restricts the access of javascript that is hosted from iacr.org so that it cannot communicate with other sites.

Exceptions to the policy

There are a few exceptions to the policy mentioned above. First, for users who choose to make use of Google Search, the searchbar at the top will by default take you to a page on iacr.org that embeds javascript from Google to fetch search results for iacr.org. There is an alternative search stack that resides on iacr.org and does not require third-party content.

Second, there are a few pages on the site that use javascript to display map information from third parties. These will continue to load javascript and tiles from open maps.

Finally, it will take us a while to completely remove third-party content, but we will start with the most commonly visited pages.

How to use this site

One way to use this site is to create an exception in your browser to allow javascript to run on iacr.org. The method for doing this depends on your browser.

Much of the content on this site can be browsed without javascript. Due to maintainability issues, the navigation header and footer are fetched via javascript ajax requests and inserted into pages on iacr.org. These pages are simple html files themselves, and will allow you to navigate to most pages on iacr.org. You can bookmark them in your browser for a viable home page on iacr.org.