Security and Javascript

Timo Juhani Lindfors timo.lindfors at iki.fi
Fri Jun 28 11:34:41 UTC 2013


btw, no need to Cc: me since I'm on the list.

Werner Koch <wk at gnupg.org> writes:
> To most users the browser is their window to the world and an alias for
> the computer.  They don't understand that there is a difference.  And
> web designers (or well, the marketing dept) try very hard to convince
> them that there is indeed no difference.

Agreed.

> A box which automatically downloads all kinds of binaries and runs them
> after they have passed a so-called virus checker, may also be considered
> a restricted environment.  The restriction is in this case controlled by
> the virus checker and not the browser.

But surely a virus checker is a blacklist and JavaScript isolation is more
like a whitelist?

> Plugins are installed by the user and not by data to be viewed.  That
> makes a big difference:
>
>  - The user is enabled to control the code.

Well, in most cases they are not, since the plugins are non-free.

>  - The plugin has a well defined behaviour and is not a volatile bunch
>    of code.

Not sure what this would mean; at least Oracle Java plugin updates try
to trick users into installing the Ask toolbar:

http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/

>  - A security audit of the plugin can be done.

See the point about non-free plugins :(

> Please, I don't want to hear a claim, that the JS code on web sites is
> secure because it is signed or distributed via a trusted (https) web
> site.  PKIX (the X.509 based infrastructure used by https) is fucked up
> beyond all repair.

I guess you need to define "secure" a bit better here.
