At 5:35 PM -0800 on 2/12/00, Alain Farmer wrote:
>Alain: The latest incarnation of JavaScript is much
>more security-oriented than all of its predecessors.
>There is tainting and procedure authentification, and
>all of that. With these features taken into
>consideration, are you still insecure about
>JavaScript's secureness?
Insecure is the wrong word. I'm pretty damn sure about its insecurity.
Just read that CERT advisory.
>Is JS the WORST language in
>this regard?
No. I don't allow any code from an unknown or untrusted source to be
run on my computer.
>Anthony: What does the JavaScript do? It activates a
>simple form.
>
>Alain: It is more essential than that. The onLoad
>event of the middle-frame re-adjusts the buttons in
>the top-frame
Not the most essential thing in the world, and nothing that could not
be done by loading a HTML frame.
>produces the default message that is
>displayed in the bottom-frame,
Same -- just load a HTML file.
>and starts a timer.
No reason to need JS to do this.
>Hidden form elements maintain the state of the user.
No need for JS to do this.
>Going to any page stops the timer and transparently
>submits the user's state to the server.
Can be done with submission image.
>bypassing the default form-element
>selection order,
HTML 4 has tags to change the default form-element order.
>Anthony: Some reason why clicking the nagigation
>images can't do that?
>
>Alain: That would mean that each image's link would
>have to be hard-coded with the image tag,
Could submit a form to the server, just like the JS does.
>and the HTML
>of the buttons frame would have to be changed every
>time you change page. That is MUCH slower than
>dynamically changing them
But it works on all 4 of my browsers that way. And if that's the only
problem, well, then I'll do without the top frame. Make it a JS-only
feature.
>
>>Anthony: I've got problems besides just letting
>>unknown parties execute code on my machine.
>
>Alain: 1. Am I an unknown party that you don't trust?
No, but the WWW is in general. And I can't selectivly enable/disable it
by site for any browser I know of.
>Besides a little of tricky spoofing on the web to
>rip-off credit card numbers and other secure
>information from unsuspecting people naive enough to
>consider the Internet secure in the first place,
It should be, with SSL.
>what
>can JavaScript do that is deleterious to the client's
>machine?
With various email clients & browsers, it can send your email address
to a spammer (actually, any HTML-enabled mail reader can). How nice.
Various security holes have allowed the reading of any file on the hard
disk.
Hmmm... search at <http://www.securityfocus.com/> for javascript. Look
especially in bugtraq and the announcements. Here are some interesting
ones:
<http://www.securityfocus.com/templates/archive.pike?list=1&date=1997-07-8&msg=3
[EMAIL PROTECTED]>
<http://www.securityfocus.com/templates/advisory.html?id=1793>
<http://www.securityfocus.com/templates/advisory.html?id=1159> (VBScript)
<http://www.cert.org/vul_notes/VN-98.06.ms_jscript.html>
Search at <http://www.rootshell.org/>. Search at any security-related site.
>The browsers that I do
>NOT support are the primitive ones that don't support
>frames, tables and/or even graphics.
Of the three that don't support javascript, two support frames and
tables well, one supports images.
>Alain: That frame was intentionally left empty because
>it will eventually serve a purpose. Actually, it will
>serve several purposes:
Could you at leats make it smaller?
