Security and Javascript

• Previous message (by thread): Security and Javascript
• Next message (by thread): Security and Javascript
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 28 Jun 2013 11:18, timo.lindfors at iki.fi said:

> Well, javascript is run a restricted environment. I don't see how you'd
> be lost by running javascript. Also many universities let their students

To most users the browser is their window to the world and an alias for
the computer.  They don't understand that there is a difference.  And
web designers (or well, the marketing dept) try very hard to convince
them that there is indeed no difference.

A box which automatically downloads all kind of binaries an runs them
after they have passed a so-called virus checker, may also be considered
a restricted environment.  The restriction is in this case controlled by
the virus checker and not the browser.

> There are security issues also in the code that parses this non-active
> content. Javascript is replacing a lot of things that used to be
> separate plugins with poor security track record.

Plugins are installed by the user and not be data to be viewed.  That
makes a big difference:

 - The user is enabled to control the code.
 - The plugin has a well defined behaviour and is not a volatile bunch
   of code.
 - A security audit of the plugin can be done.

Please, I don't want to hear a claim, that the JS code on web sites is
secure because it is signed or distributed via a trusted (https) web
site.  PKIX (the X.509 based infrastructure used by https) is fucked up
beyond all repair.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

• Previous message (by thread): Security and Javascript
• Next message (by thread): Security and Javascript
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]