Security and Javascript

Christian Kalkhoff softmetz at
Fri Jun 28 21:25:53 UTC 2013

Hi Matthias!

Am Freitag, 28. Juni 2013, 10:37:44 schrieb Matthias Kirschner:
> I'd like to have some feedback from you. Do you agree with those points?
> 1) on most computers Javascript is enabled by default

Most stats say so!

> 2) This gives anyone a platform to play with parts of their owners
> equipment.

As already stated in this thread, every document that's opened on a computer, 
uses its resources. It doesn't matter if you open HTML or HTML with JS or an 

> 3) From a security point you are lost as soon as you give an adversary
> the opportunity to control your system.

As I said in 2) its irrelevant, what gets interpreted. I would  further say, 
that JavaScipt is very much in the focus of many people regarding to security. 
Plain HTML or odt or txt or png might not be.

> 4) Only non-active web content can guarantee that you keep control over
> your equipment.

Don't agree. I can create pretty non-active pages that might crash your 
browser just by overusing resources. Most browser act very badly in this case. 
I am not sure if that crash is usable as attack vector, somebody might 

> And the last question: if all above is true, do we want to tell this to
> the public? Does it help? Or would we be seen as being completely
> paranoid.

Not paranoid enough when it comes to tracking [1].

I think there are problems regarding to web applications. Often licensing is 
not done properly, so much code, especially javascript code is put out 
unlicensed although the creator wanted it to be free. Tell them about free 
software licenses [2].

Modern Web applications aren't possible without JavaScript, take that for 
granted. But there is an elephant in the room. Ever thought about who controls 
the infrastructure behind most web services? The backend code? For most 
services there is no competition in hosting, because the backend is not free. 
Further in many services the user is the product. Because of that, the service 
is usable at no charge.

So we should concentrate on alternatives for cloud services that are either 
self hostable and/or at least hosted by more than one provider. Users should 
be made aware of the fact, that hosting of cloud services costs a lot of 
money. They are the product, unless they pay for it with money. Some kind of 
privacy admiring hosting provider charter would be fine too.


Christian Kalkhoff - Softwarebefreier - software liberator
Fellow of FSFE - Support FSFE!
CAcert assurer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Discussion mailing list