Security and Javascript
Timo Juhani Lindfors
timo.lindfors at iki.fi
Fri Jun 28 11:34:41 UTC 2013
btw, no need to Cc: me since I'm on the list.
Werner Koch <wk at gnupg.org> writes:
> To most users the browser is their window to the world and an alias for
> the computer. They don't understand that there is a difference. And
> web designers (or well, the marketing dept) try very hard to convince
> them that there is indeed no difference.
Agreed.
> A box which automatically downloads all kind of binaries an runs them
> after they have passed a so-called virus checker, may also be considered
> a restricted environment. The restriction is in this case controlled by
> the virus checker and not the browser.
But surely virus checker is a blacklist and javascript isolation is more
like a whitelist?
> Plugins are installed by the user and not be data to be viewed. That
> makes a big difference:
>
> - The user is enabled to control the code.
Well in most cases they are not since the plugins are non-free..
> - The plugin has a well defined behaviour and is not a volatile bunch
> of code.
Not sure what this would mean, at least oracle java plugin updates try
to trick users into installing ask toolbar:
http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/
> - A security audit of the plugin can be done.
See the point about non-free plugins :(
> Please, I don't want to hear a claim, that the JS code on web sites is
> secure because it is signed or distributed via a trusted (https) web
> site. PKIX (the X.509 based infrastructure used by https) is fucked up
> beyond all repair.
I guess you need to define "secure" bit better here.
More information about the Discussion
mailing list