directory-discuss

Re: JavaScript is only a tool


From: Sergey Matveev
Subject: Re: JavaScript is only a tool
Date: Tue, 20 Jul 2021 23:49:05 +0300
User-agent: Mutt/2.1.1 GnuPG/2.3.1 Vim/8.2 FreeBSD/12.0 (amd64)

*** Lorenzo L. Ancora [2021-07-20 19:34]:
>global e-commerce would be negatively affected and users would start
>clicking "Accept" on every single popup, which is really dangerous!
>[...]
>From this you can deduce that the execution of JavaScript must be trusted
>until proven otherwise, to avoid serious economic repercussions. GNU doesn't
>take the economy into consideration, but I think it's very important to
>understand it, because everything depends on money: if something is
>uneconomical it will never spread. Harsh reality.

Agreed. But are we talking about ecommerce, or about the fact that
someone starts to push applications (JS scripts) on me instead of
documents (the WWW, as it was born)? Let's completely separate those
worlds, having completely different tasks and nothing in common.
JavaScript and all those beauty rendering things are only intended,
useful and aimed at ecommerce.

>A script is interpreted and subject to indirect execution. The sandbox is
>just an addition to this process, which improves its already high security.

Many-million-LOC software (modern browsers) can hardly ever be
considered secure in any way. They are much larger than the whole
operating system, with something like ZFS, full-featured network daemons
and LaTeX. For example, Theo truly noted that people can hardly secure
even "basic" virtualization technologies, so how can we talk seriously
about sandboxing in much more bloated software?
https://marc.info/?l=openbsd-misc&m=119318909016582

>After all, you can't have interactivity without running some code, either
>explicitly or explicitly.

1) I do not want to. Give me the WWW, the Web, a distributed network of
documents, not a network of applications. 2) You can have interactivity
just by using something like VNC/telnet/X11 remote input/output sharing.

>JS is used because it is necessary

I assume that Microsoft Windows is used because it is necessary too?
Billions of users can not be wrong? If their needs and tasks are
ecommercing and running Windows-compatible-only videogames, then yes, it
is necessary for them. Web/WWW and web-browsers are about
documents/knowledge sharing. I do not use Windows, have never owned
smartphones, do not use a bank card -- how can I live without them if
they are necessary? ZFS for me is necessary without any doubt. Do not
put completely different tasks in one basket.

>The reason JavaScript can be totally disabled on some browsers is that
>certain systems cannot be updated frequently and have very specific
>purposes.

That is a completely silly and lame thing to do: why update the system
if everything already solves your task pretty well? Are any of the more
modern browser versions better? Maybe faster, more accessible? Solène's
challenge demonstrates to us that the web is just becoming more and
more inaccessible. Literally, if I have not updated my browser for half
a year, there will be web-sites (application-sites actually) that won't
work at all (won't display anything).
https://dataswamp.org/~solene/2021-07-07-old-computer-challenge.html
https://dataswamp.org/~solene/2021-07-12-old-computer-challenge-day3.html
https://dataswamp.org/~solene/2021-07-16-old-computer-challenge-day7.html

And one of the reasons to disable JavaScript: security. Untrusted
unauthenticated code can compromise, because of known hardware attack
vectors, everything. It is literally an open backdoor.

>Sergey, no system can be secure by definition. Linux is so complex it will
>always contain a vulnerability; the same goes for your CPU or the driver of
>your hard drive.

This is not a reason to leave a known backdoor wide open.
(and that is why I do not use "Linux" :-))

>XML is by itself dangerous, as are any complex formats... and HTML is just a
>superset of XML. So, you don't actually need JavaScript for a webpage to be
>dangerous. Especially if the webpage can include other resources, like
>images, other webpages, animations, style sheets and so on. You will never
>be secure, even if you disable JavaScript.

Do not mix up a format's complexity, leading to complicated software,
leading to bugs appearing, with the intentionally opened ability to run
an arbitrary full-featured program on your computer. It is true that
some formats can also be Turing-complete, and this is a problem, this is
a danger, and we have to be aware of it and be able to protect ourselves.
https://www.gwern.net/Turing-complete
Bugs in complex software (because of complex formats) are an orthogonal
problem to running autodownloaded malware in the most complex software
on your computer.

>Simple, the "bad guys" (black hat hackers/crackers/lamers/criminals/...)
>would immediately search and find vulnerabilities elsewhere in the formats

Those thoughts are a complete mess, in my opinion. "Finding bugs in format
parsers/protocols" vs "arbitrary software execution"?

>This is the reason JS will not disappear: e-commerce, banks,
>governments, webmasters, ... all have interest in supporting and enhancing
>JS because it is convenient to do so.

I am glad ecommerce will disappear, honestly. I loved FidoNet, where all
commerce was consolidated only and only in specialized echoareas and you
could literally be forbidden to access that network if you advertised
anything in other areas. Banks could be fully satisfied with TLS/IPsec
secured ordinary HTML forms, BBS/telnet/VNC/whatever remote sessions.
Neither banks, nor governments need to run arbitrary closed software on
my computer.

>You are totally right, but I'd add that, as long as proprietary firmware
>exists, we will not be really in control of our computers.

So... if you do not control the firmware of your hard drive, which can
hardly influence/prohibit/control much of the things you do on the
computer, then you say "damn it! I am not in full control! well, okay,
let everyone do literally anything on my computer, I allow every
Web-server to send me arbitrary code for execution".

>What will happen, as has always happened, is that the systems will become
>more and more complex and therefore they will run even more and more
>software.

Nope. When I moved from Makefiles to redo -- everything became more
simple. When I moved to daemontools+ucspi-tcp, everything became more
simple. When I moved to (for example, that did not happen) OpenBSD,
everything became more simple. And more secure. Experienced users tend
to throw away enormous complex bloated desktop environments and use tiny
tiling window managers. Word -> LaTeX. And so on, and so on.

>In general, my recommendation is: if you don't trust whoever has
>published a web page, don't visit it;

Well, it is okay to read some plaintext or HTML. I really believe that
neither the NSA, nor the Russian FSB can create such documents that
will exploit some bug in my less/lynx/whatever.

>if you need strong online security, use a secure DNS which filters unsafe 
>domains;

Someone decides if *I* should visit exact domains? Nah, I do not think so.

>if you don't trust the author of a local program, don't make it executable.

Exactly that is what I do! No trustworthy author will try to push his
program for execution on my computer, like modern Web-sites tend to do
all the time.

>It's uneconomical, because colorful, animated web pages help sell products,

Agreed. That is why most people hate advertisements and try hard not
to see those annoying animated web pages. I remind you that selling
beautiful colorful products is a completely irrelevant task/need for
free software people, for people in need of sharing information, not
selling products. Modern Web browsers, JS, CSS: for selling products --
agreed.

>From the point of view of security then, since HTTP is stateless and the
>telnet/ssh sessions are stateful

Actually that is complete hypocrisy. Because all modern Web-browsers,
HTTP/2 and HTTP/3 try very hard to *exactly* keep the session
long-lived as much as they can. Literally keeping TLS resumption tickets
for days. telnet/ssh sessions in practice will last only while you work
with the remote side. TCP can be stateless, but not the cookies and
JS storages.

>The only answer is: the world does what is simple and sells well. According
>to commercial logic, an FTP server does not help sales, a professional
>interactive web page does.

That is true. Because FTP/WWW were not created with selling and money
gathering in mind. They solve other tasks. Modern Web browsers solve
other tasks: controlling the user's computer by pulling pushed
applications onto it, to sell, and earn money.

>So if you ask me "Can we win against JavaScript and the entire world that
>uses it?", my answer is "No pals, you can't."; if you ask me "Can we make
>people aware of how JavaScript is implemented?" my answer is "Yes and you
>should do it". ;-)

Can we win against ecommerce? Of course not! Impossible. Agreed.
But I critiqued only the fact that you think that ecommerce-related
technologies are needed for completely unrelated tasks like the WWW,
a distributed documents network. It is literally like saying that Unity
(game engine, as far as I heard) is totally necessary! Maybe yes... for
game designers. However I believe that one can quickly create very
beautiful and interactive, VR-friendly "pages" for even more selling.
You are very right with the subject "JavaScript is only a tool".
It is just missing the "for ecommerce" suffix.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263  6422 AE1A 8109 E498 57EF
