directory-discuss

JavaScript is only a tool


From: Lorenzo L. Ancora
Subject: JavaScript is only a tool
Date: Tue, 20 Jul 2021 19:34:40 +0000
User-agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

I think we should rename the topic as requested. I'm doing it now (sorry David, I have no fantasy), but don't expect me to actively participate in a potentially "flammable" discussion. :-)

> JavaScript is literally downloading of the program, that is
> transparently executed somehow. No current web-browser allows you
> to control that process: does anyone store the hash of the
> downloaded script and warn you that it is changed, show you the diff,
> ask for confirmation? It is just silly to blindly trust auto-executing
> downloaded programs.

A script is interpreted and subject to indirect execution. The sandbox is just an addition to this process, which improves its already high security.

After all, you can't have interactivity without running some code, either explicitly or implicitly. The ability to execute code is a prerequisite for making web pages interactive. Maybe in 10 years they will invent the web 9.0 and it will all be different, but for now the reality is that you have to run hundreds of small scripts just to shop online or access your bank.

JS is used because it is necessary, nobody likes to waste time.

I understand your point of view, but it is irrational.
I'll prove it to you.
Let's assume that what you say applies to all users in the world. Out of the blue all users of the world are notified for every script run by their web browser and for any changes to previously accepted scripts. Within a month, global e-commerce would be negatively affected and users would start clicking "Accept" on every single popup, which is really dangerous!

From this you can deduce that the execution of JavaScript must be trusted until proven otherwise, to avoid serious economic repercussions. GNU doesn't take the economy into consideration, but I think it's very important to understand it, because everything depends on money: if something is uneconomical it will never spread. Harsh reality.

The reason JavaScript can be totally disabled on some browsers is that certain systems cannot be updated frequently and have very specific purposes.

> Modern Web-ecosystem is so complicated, that it is just impossible to
> write web-engine from the ground: [...]
> That complexity guarantees that it can not be secure by definition.

Sergey, no system can be secure by definition. Linux is so complex it will always contain a vulnerability; the same goes for your CPU or the driver of your hard drive.

XML is by itself dangerous, as is any complex format... and HTML is just a superset of XML. So, you don't actually need JavaScript for a webpage to be dangerous. Especially if the webpage can include other resources, like images, other webpages, animations, style sheets and so on. You will never be secure, even if you disable JavaScript.

So, let's redo the "what if..." trick. What if all users of the world would at once stop supporting JavaScript? Simple, the "bad guys" (black hat hackers/crackers/lamers/criminals/...) would immediately search and find vulnerabilities elsewhere in the formats and in the new parts of the protocols and formats created to make up for the absence of JavaScript. In the end, JavaScript would simply return in another, even more complex, form and we could also risk an economic recession. This is the reason JS will not disappear: e-commerce, banks, governments, webmasters, ... all have an interest in supporting and enhancing JS because it is convenient to do so.

> No sandboxing protects you from attacks on hardware like rowhammer,
> Meltdown, Spectre and many similar: [...]
> You can hardly defend yourself even by running sandboxed JavaScript
> inside virtual machine on another OS inside. Nothing will protect you
> from the harmful software. The whole modern web-ecosystem is targeted
> on running third-party downloaded software on each connection. You
> literally lose control of your computer that way.

You are totally right, but I'd add that, as long as proprietary firmware exists, we will not be really in control of our computers.

However, a little reflection here: running less software only works when your computer has very limited tasks and is therefore not a general-purpose computer. Specialized computers are not used for internet browsing. If you need to do a very specific task you'd better use very specific hardware and then a very tight hardware firewall.

What will happen, as has always happened, is that the systems will become more and more complex and therefore they will run even more and more software. In general, my recommendation is: if you don't trust whoever has published a web page, don't visit it; if you need strong online security, use a secure DNS which filters unsafe domains; if you don't trust the author of a local program, don't make it executable.

> If someone wants to take everything from my hands and allow only to use
> provided application (JavaScript script), then one can just give me the
> VNC/X11/whatever remote graphical connection: it will be completely the
> same for my computer. If I need to fill the complex dynamic input form,
> or something far from being satisfied with already existing HTML forms,
> then give me the telnet access, BBS like -- it is completely safe for
> me and my computer, does not require any many-million-line-of-code
> software, that you have to *very* regularly update because of constantly
> changing and progressing JavaScript/DOM/CSS/whatever features. And the
> form/site/application owner is happy too: no bothering about possible
> source code obfuscation and compatibility problems.

It's uneconomical, because colorful, animated web pages help sell products, effectively convey information in an accessible way and don't require technical expertise from end users. Unfortunately terminals lack these qualities and on the server side no one is happy to open ports in the firewall and run more daemons.

From the point of view of security then, since HTTP is stateless and the telnet/ssh sessions are stateful, there would be a serious increase in attack surface and a quite unpredictable increase in the required computing resources. In addition, making these protocols anonymous is problematic, so a privacy problem would arise.

Btw, I really would love to see a new WWW made of BBSs.

> People had to stop writing software/application they want me to execute
> on my computer, when they just can share me the document they want to
> show (HTML, images, PDFs, whatever). I already have transmission
> protocols and document viewers available -- why should I download yet
> another program I have to trust each time? If you use JavaScript, then
> you do something completely wrong (or at least strange) from the
> security and user's freedom point of view.

The only answer is: the world does what is simple and sells well. According to commercial logic, an FTP server does not help sales, a professional interactive web page does. It's weird, we hope for a better future where people think less about money.

In the meantime, however, make sure you collect donations on an elegant and interactive web page (and JS is needed to process money transactions), otherwise you will be unfairly underestimated by the majority of end users who do not yet know you! :-P

So if you ask me "Can we win against JavaScript and the entire world that uses it?", my answer is "No pals, you can't."; if you ask me "Can we make people aware of how JavaScript is implemented?" my answer is "Yes and you should do it". ;-)

On 20/07/21 16:13, Sergey Matveev wrote:
> *** Lorenzo L. Ancora via [2021-07-20 13:56]:
> > The solution is not to convince people that "JavaScript is bad" but to
> > educate them on the correct client-side implementation.
>
> JavaScript is literally downloading of the program, that is
> transparently executed somehow. No current web-browser allows you
> to control that process: does anyone store the hash of the
> downloaded script and warn you that it is changed, show you the diff,
> ask for confirmation? It is just silly to blindly trust auto-executing
> downloaded programs.
>
> Modern Web-ecosystem is so complicated, that it is just impossible to
> write web-engine from the ground:
> https://drewdevault.com/2020/03/18/Reckless-limitless-scope.html
> That complexity guarantees that it can not be secure by definition.
> No sandboxing protects you from attacks on hardware like rowhammer,
> Meltdown, Spectre and many similar:
> https://en.wikipedia.org/wiki/Row_hammer
> https://www.vusec.net/projects/flip-feng-shui/
> https://www.vusec.net/projects/drammer/
> https://react-etc.net/entry/exploiting-speculative-execution-meltdown-spectre-via-javascript
> You can hardly defend yourself even by running sandboxed JavaScript
> inside virtual machine on another OS inside. Nothing will protect you
> from the harmful software. The whole modern web-ecosystem is targeted
> on running third-party downloaded software on each connection. You
> literally lose control of your computer that way.
>
> https://eev.ee/blog/2016/03/06/maybe-we-could-tone-down-the-javascript/
> If someone wants to take everything from my hands and allow only to use
> provided application (JavaScript script), then one can just give me the
> VNC/X11/whatever remote graphical connection: it will be completely the
> same for my computer. If I need to fill the complex dynamic input form,
> or something far from being satisfied with already existing HTML forms,
> then give me the telnet access, BBS like -- it is completely safe for
> me and my computer, does not require any many-million-line-of-code
> software, that you have to *very* regularly update because of constantly
> changing and progressing JavaScript/DOM/CSS/whatever features. And the
> form/site/application owner is happy too: no bothering about possible
> source code obfuscation and compatibility problems.
>
> People had to stop writing software/application they want me to execute
> on my computer, when they just can share me the document they want to
> show (HTML, images, PDFs, whatever). I already have transmission
> protocols and document viewers available -- why should I download yet
> another program I have to trust each time? If you use JavaScript, then
> you do something completely wrong (or at least strange) from the
> security and user's freedom point of view.


--
All messages from/to this account should be considered private.
Messages from/to newsletters should not be reshared.
TZ: Europe/Rome (Italy - CEST).

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

