Security and Javascript
Christian Kalkhoff
softmetz at fsfe.org
Fri Jun 28 21:25:53 UTC 2013
Hi Matthias!
On Friday, 28 June 2013, 10:37:44, Matthias Kirschner wrote:
> I'd like to have some feedback from you. Do you agree with those points?
>
> 1) on most computers Javascript is enabled by default
Most stats say so!
>
> 2) This gives anyone a platform to play with parts of their owners'
> equipment.
As already stated in this thread, every document that's opened on a computer
uses its resources. It doesn't matter if you open HTML, HTML with JS, or an
ODT.
>
> 3) From a security point you are lost as soon as you give an adversary
> the opportunity to control your system.
As I said in 2), it's irrelevant what gets interpreted. I would further say
that JavaScript is very much in the focus of many people regarding security.
Plain HTML or ODT or TXT or PNG might not be.
>
> 4) Only non-active web content can guarantee that you keep control over
> your equipment.
Don't agree. I can create pretty non-active pages that might crash your
browser just by overusing resources. Most browsers act very badly in this case.
I am not sure if that crash is usable as an attack vector; somebody might
analyze.
>
> And the last question: if all above is true, do we want to tell this to
> the public? Does it help? Or would we be seen as being completely
> paranoid.
>
Not paranoid enough when it comes to tracking [1].
I think there are problems regarding web applications. Often licensing is
not done properly, so much code, especially JavaScript code, is put out
unlicensed although the creator wanted it to be free. Tell them about free
software licenses [2].
Modern web applications aren't possible without JavaScript; take that for
granted. But there is an elephant in the room. Ever thought about who controls
the infrastructure behind most web services? The backend code? For most
services there is no competition in hosting, because the backend is not free.
Further, in many services the user is the product. Because of that, the service
is usable at no charge.
So we should concentrate on alternatives for cloud services that are either
self-hostable and/or at least hosted by more than one provider. Users should
be made aware of the fact that hosting of cloud services costs a lot of
money. They are the product, unless they pay for it with money. Some kind of
privacy-admiring hosting provider charter would be fine too.
Best!
Christian
[1] https://panopticlick.eff.org/
[2] http://www.theregister.co.uk/2013/04/18/github_licensing_study/
--
Christian Kalkhoff - Softwarebefreier - software liberator
Fellow of FSFE - Support FSFE! http://fsfe.org/support/?softmetz
CAcert assurer
http://softmetz.de/