[Gllug] Javascript (was UK Radioplayer)

John Edwards john at cornerstonelinux.co.uk
Sun Apr 3 19:01:02 UTC 2011


On Sat, Apr 02, 2011 at 08:04:24PM +0100, Christopher Hunter wrote:
> On Sat, 2011-04-02 at 16:08 +0100, John Edwards wrote:
> 
>>> What is your objection to Javascript? 
>> 
>> Execution of untrusted foreign code on your computer, often from
>> third party sites you don't even know you are accessing.
> 
> There's huge amounts of code running in your machine that you have
> no sight of

On Debian?

There is closed source kernel firmware, but they are moving that to
separate packages.

I do have to use the Sun Java VM for an IPMI tool that is rather picky
about JREs. But that is my choice and very different from trusting
code from every web site in the world.


> and unless you're going to pick apart every application you
> run, you're just going to have to trust that this code is not malicious
> or poorly written. 

There is a difference between trusting code from known sources and
code from unknown sources.

I do trust code from Debian, Linus and co.

I do not trust code from unknown web sites.

A web site can include JavaScript code from any other web server in
the world, servers over which the original web site author has no
control and which the end user does not even know they are using.

Would you blindly run a program from an unknown web server?


<snip>
>> Cross-site scripting and buffer overflow attacks in browser and plugins.
> 
> There are many, much worse security holes that you should consider
> first.  There are vulnerabilities in the Linux kernel that have remained
> hidden and unaddressed for years. 

Any evidence for that statement?


Anyway, kernel vulnerabilities are usually only used after the initial
attack for privilege escalation (see the Debian FTP server compromise
of a few years back).

Of course for most Windows desktops this is not needed, as the user has
already been given the rights to modify the system.


> Just about the last thing you should
> worry about if you're seeking a "secure" computing experience is Java,
> Javascript, and poorly written websites.

You seem to be at odds with the rest of the computing world here.

For desktop machines behind firewalls, the web browser is the #1
avenue of attack and much easier to automate than social attacks:
	http://en.wikipedia.org/wiki/Cross-site_scripting

Email used to be more common, but is now regularly scanned by most
organisations for malicious code. It is much harder to do that for
web sites, because there is more traffic, more variation in attacks,
and the end user is more sensitive to delays.

Web browsers are a lot more complex than email clients (excluding
Outlook) and handle a lot more information, much of which is more
sensitive than is commonly used in email.


Also Java is not Javascript. They are different languages with very
different ways of interacting with a web browser:
	http://en.wikipedia.org/wiki/Javascript#JavaScript_and_Java


<snip>
>> For a good compromise you can use the Firefox NoScript, and in two
>> clicks you can enable it from sites you trust if you need the extra
>> functionality.
> 
> Have you seen all the additional traffic generated by Firefox - all the
> stuff you didn't sanction?  All the "statistics" data sent to Google
> every time you visit?  If you actually analysed all that's really going
> on, you'd think that the "risks" involved with Javascript are entirely
> insignificant.

I assume you are talking about cookies here, which you can also turn
on and off in Firefox. Cookies in themselves are not a security risk
to the browser and machine of the end user, but the poor use of them
by web sites can lead to information leaks and session hijacking.


And back to the original point - why do you need Javascript for a
hypertext link?


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
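
An added example, not part of the original post: a small Python audit that lists which other hosts a page pulls <script> code from, the situation described above where a site includes JavaScript from servers the end user does not know about. The page URL and HTML are constructed sample data, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:  # inline scripts have no src and come from the page itself
            self.sources.append(src.strip())


def third_party_script_hosts(page_url, html):
    """Return {host: [script URLs]} for scripts served by a host other
    than the page's own. Hosts are compared exactly, so a subdomain of
    the same site is reported as a different host."""
    page_host = urlsplit(page_url).hostname
    collector = ScriptSourceCollector()
    collector.feed(html)
    hosts = {}
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        host = urlsplit(absolute).hostname
        if host and host != page_host:
            hosts.setdefault(host, []).append(absolute)
    return hosts


# Constructed sample page (not a real site).
SAMPLE_URL = "http://radio.example/player/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/js/player.js"></script>
<script src="//stats.example.net/track.js"></script>
<script SRC="http://cdn.example.org/lib/widgets.js"></script>
<script src="http://cdn.example.org/lib/ads.js"></script>
<script>var inline = 1;</script>
</head><body><a href="/listen">Listen</a></body></html>
"""

if __name__ == "__main__":
    for host, urls in sorted(third_party_script_hosts(SAMPLE_URL, SAMPLE_HTML).items()):
        print(host, len(urls))
```

This only sees scripts named in the markup; scripts that other scripts load at run time do not appear in the static HTML.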