Security and Javascript

Werner Koch wk at
Fri Jun 28 10:58:06 UTC 2013

On Fri, 28 Jun 2013 11:18, timo.lindfors at said:

> Well, javascript is run a restricted environment. I don't see how you'd
> be lost by running javascript. Also many universities let their students

To most users the browser is their window to the world and an alias for
the computer.  They don't understand that there is a difference.  And
web designers (or well, the marketing dept) try very hard to convince
them that there is indeed no difference.

A box which automatically downloads all kind of binaries an runs them
after they have passed a so-called virus checker, may also be considered
a restricted environment.  The restriction is in this case controlled by
the virus checker and not the browser.

> There are security issues also in the code that parses this non-active
> content. Javascript is replacing a lot of things that used to be
> separate plugins with poor security track record.

Plugins are installed by the user and not be data to be viewed.  That
makes a big difference:

 - The user is enabled to control the code.
 - The plugin has a well defined behaviour and is not a volatile bunch
   of code.
 - A security audit of the plugin can be done.

Please, I don't want to hear a claim, that the JS code on web sites is
secure because it is signed or distributed via a trusted (https) web
site.  PKIX (the X.509 based infrastructure used by https) is fucked up
beyond all repair.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Discussion mailing list