Security and Javascript

Timo Juhani Lindfors timo.lindfors at
Fri Jun 28 11:34:41 UTC 2013

btw, no need to Cc: me since I'm on the list.

Werner Koch <wk at> writes:
> To most users the browser is their window to the world and an alias for
> the computer.  They don't understand that there is a difference.  And
> web designers (or well, the marketing dept) try very hard to convince
> them that there is indeed no difference.


> A box which automatically downloads all kind of binaries an runs them
> after they have passed a so-called virus checker, may also be considered
> a restricted environment.  The restriction is in this case controlled by
> the virus checker and not the browser.

But surely virus checker is a blacklist and javascript isolation is more
like a whitelist?

> Plugins are installed by the user and not be data to be viewed.  That
> makes a big difference:
>  - The user is enabled to control the code.

Well in most cases they are not since the plugins are non-free..

>  - The plugin has a well defined behaviour and is not a volatile bunch
>    of code.

Not sure what this would mean, at least oracle java plugin updates try
to trick users into installing ask toolbar:

>  - A security audit of the plugin can be done.

See the point about non-free plugins :(

> Please, I don't want to hear a claim, that the JS code on web sites is
> secure because it is signed or distributed via a trusted (https) web
> site.  PKIX (the X.509 based infrastructure used by https) is fucked up
> beyond all repair.

I guess you need to define "secure" bit better here.

More information about the Discussion mailing list