Security and Javascript

Alessandro Rubini rubini at
Fri Jun 28 09:18:05 UTC 2013

> 1) on most computers Javascript is enabled by default

I doubt more than a handful people disable it.

> 2) This gives anyone a platform to play with parts of their owners
> equipment. 

This is not clearly expressed. Who is anyone and who is owner
and what is equipment? The owner of a cellphone is the
manufacturer (you, Matthias, told us), so the sentence is unclear.

[ok, that's what I wanted to say, the rest is irrelevant, but
I already wrote it]

> 3) From a security point you are lost as soon as you give an adversary
> the opportunity to control your system.

I can't evaluate, I don't know javescript. I used to run Tcl, and the
"safe" environment in there is well designed. I *hope* all technology
is designed as well as Tcl was (recent versions are worse, imho).

But even if it is safe, it can use your processing power at will,
for sure.
> 4) Only non-active web content can guarantee that you keep control over
> your equipment. 

Lapalisse. Data is data, and code is code. If you think to access data
and you are unexpectedly executing code, you have a problem. At least
*I* have a problem. And a few losers like me. However, malware mostly
exists because expectedly-data is executed instead ("do not *open*
untrusted email" is the solution, they say).
> And the last question: if all above is true, do we want to tell this
> to the public? Does it help? Or would we be seen as being completely
> paranoid.

It is true (modulo my ignorance of javascript), we don't want to tell,
because it would be seen as paranoid.  The tech world is way beyond
this. Pursuing a loosing attitude, like I find myself doing every
day, is, well... loosing.


More information about the Discussion mailing list