Security and Javascript

Werner Koch wk at
Fri Jun 28 20:09:54 UTC 2013

On Fri, 28 Jun 2013 13:34, timo.lindfors at said:
> btw, no need to Cc: me since I'm on the list.

[ Then please set an MFT header and my MUA will comply.  That discussion
  is > 15 years old and we have had a working solution since then.]

> But surely virus checker is a blacklist and javascript isolation is more
> like a whitelist?

It is a blacklist: For example: The code loaded from an external source may
not open a file on the user's host.  A whitelist would clearly state what the
code is allowed to do.  But then it wouldn't be a useful language.

>>  - The user is enabled to control the code.
> Well in most cases they are not since the plugins are non-free..

We are talking about security and thus free or non-free is just one data
point to evaluate whether it is secure.  Even a non-free plugin may be
considered secure in some organizations.  But right, free software is
much more useful in this regard.

>>  - The plugin has a well defined behaviour and is not a volatile bunch
>>    of code.
> Not sure what this would mean, at least oracle java plugin updates try
> to trick users into installing ask toolbar:

That is a feature which needs to be evaluated during the audit.  There
are pros and cons for automated updates.  But even such automated updates
are standard in that they have a defined version with the same code at
all sites.  That can't be guaranteed by the usual use of JS, which
commonly comes from a whole bunch of sites (and is the reason why it is
virtually impossible to not use Google).

>>  - A security audit of the plugin can be done.
> See the point about non-free plugins :(

That usually makes the audit easy:  We can't audit it thus it shall not
be used.

>> Please, I don't want to hear a claim, that the JS code on web sites is
>> secure because it is signed or distributed via a trusted (https) web
>> site.  PKIX (the X.509 based infrastructure used by https) is fucked up
>> beyond all repair.
> I guess you need to define "secure" bit better here.

Here in the sense that it is a well defined set of code which comes with
a signature and can be tracked back to an audit or a trusted source.  It
can't: MitM attacks on PKIX are commonplace.  Does anyone really believe
that the NSA has no means to ask another secret service to have one of
their national CAs issue a malicious certificate?  Come on: That system
has been corrupted by the PKI business ever since.  Nobody can expect
that they ever withstood requests from the slouch hats.

Thoughts are free.  Exceptions are regulated by a federal law.