Security and Javascript

Werner Koch wk at gnupg.org
Fri Jun 28 20:09:54 UTC 2013


On Fri, 28 Jun 2013 13:34, timo.lindfors at iki.fi said:
> btw, no need to Cc: me since I'm on the list.

[ Then please set an MFT header and my MUA will comply.  That discussion
  is > 15 years old and we have had a working solution since then.]

> But surely a virus checker is a blacklist and javascript isolation is more
> like a whitelist?

It is a blacklist: For example: The code loaded from an external source may
not open a file on the user's host.  A whitelist would clearly state what the
code is allowed to do.  But then it wouldn't be a useful language
anymore.

>>  - The user is enabled to control the code.
>
> Well in most cases they are not since the plugins are non-free..

We are talking about security and thus free or non-free is just one data
point to evaluate whether it is secure.  Even a non-free plugin may be
considered secure in some organizations.  But right, free software is
much more useful in this regard.

>>  - The plugin has a well defined behaviour and is not a volatile bunch
>>    of code.
>
> Not sure what this would mean, at least the Oracle Java plugin updates try
> to trick users into installing the Ask toolbar:

That is a feature which needs to be evaluated during the audit.  There
are pros and cons for automated updates.  But even such automated updates
are standard in that they have a defined version with the same code at
all sites.  That can't be guaranteed by the usual use of JS which
commonly comes from a whole bunch of sites (and the reason why it is
virtually impossible to not use google).

>>  - A security audit of the plugin can be done.
>
> See the point about non-free plugins :(

That usually makes the audit easy:  We can't audit it thus it shall not
be used.

>> Please, I don't want to hear a claim, that the JS code on web sites is
>> secure because it is signed or distributed via a trusted (https) web
>> site.  PKIX (the X.509 based infrastructure used by https) is fucked up
>> beyond all repair.
>
> I guess you need to define "secure" a bit better here.

Here in the sense that it is a well defined set of code which comes with
a signature and can be tracked back to an audit or a trusted source.  It
can't: MitM attacks on PKIX are commonplace.  Does anyone really believe
that the NSA has no means to ask another secret service to have one of
their national CAs issue a malicious certificate?  Come on: That system
has been corrupted by the PKI business ever since.  Nobody can expect
that they ever withstood requests from the slouch hats.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
