flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

ManOfSteel



Joined: 02 Feb 2005
Posts: 1149
guignol wrote:
Malformed HTML?

HTML like anything else must be parsed and interpreted. Are you denying the possibility that an HTML document that contains something the browser doesn't expect could potentially cause something like a buffer overflow, which I guess is what DimonSoft is suggesting?
Post 13 May 2019, 11:16
guignol



Joined: 06 Dec 2008
Posts: 541
Location: Did I forgot to take off the kettle again?
So what hyper is?
Come to think of it!
Post 13 May 2019, 22:03
DimonSoft



Joined: 03 Mar 2010
Posts: 532
Location: Belarus
revolution wrote:
The difference is as I stated above. I have control over when or if I change the code on my machines. I still run WinXP, I know it well and I know how to keep it in good condition. But I don't have that choice on a website. Someone places malicious code on their website and then expect everyone to blindly run it. That is very different.

I remember having Google Chrome silently updating itself in summer 2010 or 2011 when I was still using Windows XP (almost reached my monthly traffic limit then). I used to disable all updates back then and only update certain applications manually. A few years later a Skype update silently enabled updates in its settings.

To install an application you generally give the installer administrative privileges. Which gives a potential attacker even more possibilities.
Post 16 May 2019, 18:06
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16631
Location: In your JS exploiting you and your system
At least with your own machine you can decide to continue using the application or not. Your choice. You decide what code gets to run under what circumstances. It isn't foolproof, but once you have decided an app is acceptable to your conditions it stays that way for you. No one else can change it. And when Google or MS decide to give you a big F.U. and force update something then it is time to delete it and find something else that gives you respect.

You don't have that choice on a website. Someone else decides what code you run. Whether you like it or not. If some website gives you malicious code that steals your CC numbers how would you even know? You can't audit it. There are millions of sites, running thousands of different setups, in thousands of different ways. No one can know all of them are safe at all times. Having JS on permanently is just asking for trouble.
Post 16 May 2019, 18:59
DimonSoft



Joined: 03 Mar 2010
Posts: 532
Location: Belarus
revolution wrote:
At least with your own machine you can decide to continue using the application or not. Your choice. You decide what code gets to run under what circumstances. It isn't foolproof, but once you have decided an app is acceptable to your conditions it stays that way for you. No one else can change it. And when Google or MS decide to give you a big F.U. and force update something then it is time to delete it and find something else that gives you respect.

You don't have that choice on a website. Someone else decides what code you run. Whether you like it or not. If some website gives you malicious code that steals your CC numbers how would you even know? You can't audit it. There are millions of sites, running thousands of different setups, in thousands of different ways. No one can know all of them are safe at all times. Having JS on permanently is just asking for trouble.

At least with a website you can decide to continue using the website or not. Your choice.

You don’t have that choice with a desktop application. Once you run an installer with administrative privileges you lose control over where and what executable modules get registered to autostart on system startup, to run when you open documents of certain formats and perform certain actions. If some desktop application contains a module that steals your Bitcoin wallets’ data how would you even know? You can’t audit it since it had rights to remove any audit-related data and register itself to do it further. There are hundreds of desktop applications you might want to use, multiply by 10 if you’re looking for a tool for a new task. No one can know all of them are safe at all times. Having a computer on is just asking for trouble.
Post 16 May 2019, 20:38
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16631
Location: In your JS exploiting you and your system
I can know fasm is safe. I have the source code and I can decide to update or not as I please. If the fasm web host gets hacked and starts producing a malware version of it, then I'll just say no. I can see the changes. And I can continue to use the previous version that works fine. Or if I don't have the technical ability to determine the safeness I can ask others about what version they run and go from there.

I can't say that for a website using JS. Today I can examine the code and make some decision about its safeness. But tomorrow it can be something else completely. And I can't know ahead of time before the code runs as to whether it is safe. I am expected to run it without any sense of care or scrutiny. Many websites deliberately hide their code with minimisers and obfuscators. Why is that? What are they trying to hide? And I can't ask others for their opinions because they might get different code from me. I can't compare versions to known good ones. I can't downgrade the site to some older version if the current one is corrupted. None of that is in my sphere of control.

It would be like being expected to simply download and install all applications that are presented to us, and all updates, automatically just because someone somewhere else tells our system to do it. We are told not to click on links in emails. Why? Because they might lead to websites that overtake our system, using JS of course. But if the websites were not able to run code then those kinds of things wouldn't be possible and links could become useful again.

We have built a precarious system of remote parties being able to do things we don't approve of because of JS (or browser scripting in general, not just JS. Flash also, and whatever else can run code).

DimonSoft: You appear to be saying that JS code is perfectly fine to run because other code might also be able to do bad things. Have I understood you correctly? The way I see it is that we work to solve these problems one-by-one. Rather than simply throw our hands in the air and give up because lots of other things have problems also. There are other problems of course. But those are independent from JS. And they need to also be solved or minimised. And if those other things are not necessary then we just eliminate them, like we should with JS.
Post 16 May 2019, 21:21
sleepsleep



Joined: 05 Oct 2006
Posts: 8235
Location: ˛ Posts: 6699
Is less always beautiful? is less bloat, less runtime, less apps, less dll, equal to better security?

If we put this practice into drawing, it would be disastrous: when a cat doesn't look like a cat, and one calls it a cat, misunderstanding surely arises.

If we define code as 0 and 1, then everything is malicious, Laughing

I would suggest a browser extension that could limit JavaScript, e.g., allow only specific functions to work and limit how many times they could be used. When a user browses the web, any function call that exceeds the normal count rate will be highlighted before execution is allowed, and the user will be prompted whether they want to run this website or not.

I think we could have Javascript, it is part of the great internet right now, and we need to find ways to limit its power, a method for check and balance instead of calling a ban on it.
Post 17 May 2019, 02:34
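The extension proposed in the post above (an allow-list of functions, a per-function call budget, and a user prompt when the budget is exceeded) can be sketched as follows. This is an added example, not code from the thread; `guardApi`, the policy shape, `onExceed` and the stand-in page API are hypothetical, and the URLs are constructed.

```javascript
'use strict';
// Added sketch. guardApi, the policy shape and onExceed are hypothetical names.

// Wrap an API object so that only allow-listed functions run, each with a
// call budget. A call over budget is handed to onExceed (the "prompt the
// user" step); if that returns false the call is blocked.
function guardApi(api, policy, onExceed) {
  const counts = new Map();
  const log = [];
  const proxy = new Proxy(api, {
    get(target, name) {
      const value = target[name];
      if (typeof value !== 'function') return value;
      const label = String(name);
      return (...args) => {
        if (!Object.prototype.hasOwnProperty.call(policy, name)) {
          log.push(`${label}: denied, not allow-listed`);
          throw new Error(`${label} is not allow-listed`);
        }
        const budget = policy[name];
        const used = (counts.get(name) || 0) + 1;
        counts.set(name, used);
        if (used > budget && !onExceed(label, used, budget)) {
          log.push(`${label}: blocked, call ${used} exceeds budget ${budget}`);
          throw new Error(`${label} exceeded its budget`);
        }
        log.push(`${label}: ${used > budget ? 'approved at prompt' : 'allowed'}`);
        return value.apply(target, args);
      };
    },
  });
  return { proxy, log };
}

// Constructed stand-in for the functions a page script might call.
function makeFakePageApi() {
  const sent = [];
  return {
    sent,
    readField: (id) => `value-of-${id}`,
    send: (url, body) => { sent.push({ url, body }); return 202; },
    evalSource: (src) => src.length,
  };
}

function runDemo() {
  const api = makeFakePageApi();
  const policy = { readField: 3, send: 1 };   // evalSource is deliberately not listed
  const prompts = [];
  const onExceed = (name) => { prompts.push(name); return false; }; // user answers "no"
  const { proxy, log } = guardApi(api, policy, onExceed);
  const outcome = [];
  const attempt = (fn) => {
    try { fn(); outcome.push('ok'); } catch (e) { outcome.push('refused'); }
  };
  attempt(() => proxy.readField('name'));
  attempt(() => proxy.send('https://shop.example/order', 'a'));  // within budget
  attempt(() => proxy.send('https://shop.example/order', 'b'));  // over budget
  attempt(() => proxy.evalSource('1+1'));                        // not allow-listed
  return { outcome, prompts, log, delivered: api.sent.length };
}

console.log(runDemo());
```

A call that stays within its budget runs without any prompt, so the budgets chosen in the policy decide what the user is ever asked about.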
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16631
Location: In your JS exploiting you and your system
sleepsleep wrote:
I would suggest a browser extension that could limit JavaScript, e.g., allow only specific functions to work and limit how many times they could be used. When a user browses the web, any function call that exceeds the normal count rate will be highlighted before execution is allowed, and the user will be prompted whether they want to run this website or not.
But that wouldn't solve the issue. Many of the above problems exposed in this thread don't require JS to be buggy, or the browser to be buggy. They don't require great power of JS code. All they need is some way to send data to a remote agent. They only need to use basic functions to achieve that. So when you are typing your CC number into a "secure" page the malicious code simply grabs that and sends it to whoever they please.

So it isn't that some cut down version will suddenly make it secure. That isn't how it works. The root problem is that random code is running in the browser. Code that the user has not been able to examine or verify in any way.
Post 17 May 2019, 03:57
DimonSoft



Joined: 03 Mar 2010
Posts: 532
Location: Belarus
revolution wrote:
I can know fasm is safe. I have the source code and I can decide to update or not as I please.

You can’t due to Thompson’s hack that has been recently mentioned on this forum.

revolution wrote:
If the fasm web host gets hacked and starts producing a malware version of it, then I'll just say no. I can see the changes.

But fasm web host is just a website. Which can be hacked. And it’s server side that usually gets hacked in the first place.

revolution wrote:
I can ask others about what version they run and go from there.

And if a web host is hacked (or you have installed a malware driver during the installation of a new desktop application) you’ll see tons of answers stating the version is fine.

revolution wrote:
Many websites deliberately hide their code with minimisers and obfuscators. Why is that? What are they trying to hide? And I can't ask others for their opinions because they might get different code from me.

Minimizers let pages load faster. Obfuscators are largely useless, but this is not a good reason to blame websites instead of website developers. If a webhost is hacked (or you have installed a malware driver during the installation of a new desktop application) you might get a version different from what other people get. Both JS and EXE/sources are different variations of code that gets downloaded from a host. The only real difference is in the way you start them: EXE gets run when you double-click it/push Enter/etc., JS gets run when you open a page. In both cases it is a result of some user action.

revolution wrote:
I can't downgrade the site to some older version if the current one is corrupted.

I initially thought you were talking about Skype versions starting from 2010. Old ones were much better but they don’t work anymore and I can’t downgrade ’cause they won’t work with current protocol version.

revolution wrote:
It would be like being expected to simply download and install all applications that are presented to us, and all updates, automatically just because someone somewhere else tells our system to do it.

When you give administrative privileges to an installer you do the same. In both cases no one usually gets to actually use the opportunity this way.

revolution wrote:
We are told not to click on links in emails. Why? Because they might lead to websites that overtake our system, using JS of course.

Not really. It could very well be a piece of malware that is linked which pretends to be a valid program. It could also be a malformed document that triggers a vulnerability in the browser’s implementation. What about disallowing PDF? Modern browsers tend to open it when you click the link, and the format is complex enough to have security bugs in the software (namely plugins that are used to open it in a browser).

revolution wrote:
DimonSoft: You appear to be saying that JS code is perfectly fine to run because other code might also be able to do bad things. Have I understood you correctly? The way I see it is that we work to solve these problems one-by-one. Rather than simply throw our hands in the air and give up because lots of other things have problems also. There are other problems of course. But those are independent from JS. And they need to also be solved or minimised. And if those other things are not necessary then we just eliminate them, like we should with JS.

No, I’m talking about it being useless to hide in a bathroom when a man with a chainsaw has already got through the metal door and guards at the entrance.

revolution wrote:
But that wouldn't solve the issue. Many of the above problems exposed in this thread don't require JS to be buggy, or the browser to be buggy. They don't require great power of JS code. All they need is some way to send data to a remote agent. They only need to use basic functions to achieve that. So when you are typing your CC number into a "secure" page the malicious code simply grabs that and sends it to whoever they please.

Only if your browser is buggy. JS only allows sending data to the same host or a few other hosts that the initial host said to be trusted ones. Sending data to the same host (or trusted ones, like from google.com to mail.google.com) is perfectly valid. If your browser allows more, it’s a bug in the browser, not a problem of JS. Even safer than links, since you stay at the same website.

revolution wrote:
So it isn't that some cut down version will suddenly make it secure. That isn't how it works. The root problem is that random code is running in the browser. Code that the user has not been able to examine or verify in any way.

The code is not random. Its capabilities are a small subset of what a desktop application can do. Only bugs in lower layers may allow it to do more. Well, the idea of turning the interpreter into a compiler (JIT) might cause the bugs to be achieved easier, but the same blame should go to any other JIT implementation of any language.
Post 17 May 2019, 06:05
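One mechanism by which a site names the hosts its pages may contact is the Content-Security-Policy response header. The following added example (not from the thread; function names are hypothetical, and the policies, hosts and requests are constructed) evaluates a few outbound requests against two policies and reports which directive decided each one. Source matching is simplified to `'none'`, `'self'`, `*` and `[scheme://][*.]host`.

```javascript
'use strict';
// Added sketch: names are hypothetical; policies, hosts and requests are constructed.

// CSP directive that governs each kind of outbound request
// (connect-src covers fetch, XMLHttpRequest, WebSocket and sendBeacon).
const DIRECTIVE_FOR = { fetch: 'connect-src', image: 'img-src', script: 'script-src', form: 'form-action' };
// form-action is not covered by the default-src fallback.
const NO_FALLBACK = new Set(['form-action']);

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // As in browsers, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: 'none', 'self', * and [scheme://][*.]host.
// Ports, paths, nonces and hashes are outside this sketch and never match.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return /^https?:$/.test(url.protocol);
  const m = /^(?:(https?):\/\/)?(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m) return false;
  // A source without a scheme is treated here as using the page's scheme.
  const scheme = (m[1] || new URL(pageOrigin).protocol.slice(0, -1)).toLowerCase();
  const host = m[3].toLowerCase();
  if (url.protocol !== scheme + ':') return false;
  return m[2] ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

function checkRequest(policy, pageOrigin, kind, target) {
  const directive = DIRECTIVE_FOR[kind];
  let sources = policy.get(directive);
  let decidedBy = directive;
  if (!sources && !NO_FALLBACK.has(directive)) {
    sources = policy.get('default-src');
    decidedBy = 'default-src';
  }
  if (!sources) return { allowed: true, decidedBy: 'none' }; // nothing restricts it
  const url = new URL(target);
  return { allowed: sources.some((s) => sourceMatches(s, url, pageOrigin)), decidedBy };
}

const PAGE = 'https://shop.example';
const REQUESTS = [
  ['fetch', 'https://api.shop.example/cart'],
  ['fetch', 'https://third-party.invalid/collect'],
  ['image', 'https://third-party.invalid/pixel.gif'],
  ['form', 'https://third-party.invalid/submit'],
];
const LOOSE = "default-src 'self'; connect-src 'self' https://api.shop.example; img-src *";
const TIGHT = "default-src 'self'; connect-src 'self' https://api.shop.example; form-action 'self'";

function audit(header) {
  const policy = parseCsp(header);
  return REQUESTS.map(([kind, target]) => {
    const { allowed, decidedBy } = checkRequest(policy, PAGE, kind, target);
    return `${kind} ${new URL(target).host}: ${allowed ? 'allowed' : 'blocked'} (${decidedBy})`;
  });
}

console.log(audit(LOOSE).join('\n'));
console.log(audit(TIGHT).join('\n'));
```

Under the first policy the image and form requests to the unlisted host pass; under the second, every request to it is blocked, each by a different directive.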
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16631
Location: In your JS exploiting you and your system
So you are saying that JS is perfectly safe to run always? Because ... ?

Maybe I don't understand your argument. You are saying that because my desktop OS/software might be unsafe that that somehow makes JS safe?
Post 17 May 2019, 07:08
bitRAKE



Joined: 21 Jul 2003
Posts: 2778
Location: dank orb
Security has always been an illusion.

I always liked the idea of programmable agents migrating about the internet - a cyber ecosystem. Hopefully all these layers upon layers of security will eventually let us do something like that. There are some tools that act like agents for us on the internet, but they are very restricted and controlled by large corporations.

If AI is going to be creating content then I need tools on the web to help me filter in programmatic ways to counter the information wasteland. Besides browser plugins or unplugging completely, what options are there? I don't want a "trusted source" to spoon feed me - I want tools to verify trust.
Post 17 May 2019, 07:10
sleepsleep



Joined: 05 Oct 2006
Posts: 8235
Location: ˛ Posts: 6699
bitRAKE wrote:

I always liked the idea of programmable agents migrating about the internet - a cyber ecosystem. Hopefully all these layers upon layers of security will eventually let us do something like that. There are some tools that act like agents for us on the internet, but they are very restricted and controlled by large corporations.

You mean things like amazon echo, siri, google assistant?

Information verification is possible, but it comes with a cost, a very high cost.
Post 17 May 2019, 10:30
DimonSoft



Joined: 03 Mar 2010
Posts: 532
Location: Belarus
revolution wrote:
So you are saying that JS is perfectly safe to run always? Because ... ?

Maybe I don't understand your argument. You are saying that because my desktop OS/software might be unsafe that that somehow makes JS safe?

Why should I use a binary evaluation system? You’ve chosen JS as the target for blaming and reject the fact that being able to use JS is just another way of doing something bad after the website is broken, not the root cause.

I do hate the whole HTML+CSS+JS ecosystem since it’s yet another example of taking a good idea, not understanding it and transforming it into something it was never designed for. CSS has recently gone the wrong way of becoming a declarative programming language, just like JS that was primarily designed to improve the experience of using the Web, not to implement client-side bloatware. But I am far from claiming JS to be the main or even serious security risk, since it is the least one an average user faces. The most popular, maybe. But popularity actually has the positive effect of having implementations even more secure and reliable.

Nearly every house that has been robbed recently had a backpack or some other bag inside that thieves might have found convenient to carry stolen things. But the bag is not the security vulnerability, just a convenience for someone who’s already inside.
Post 17 May 2019, 15:06
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16631
Location: In your JS exploiting you and your system
So you are okay with JS running random code in your system because you have other things that are also vulnerable?

Wouldn't you prefer to have one fewer vulnerability (i.e. no need for JS) and thus have one fewer thing to cause you problems?
Post 17 May 2019, 15:24
bitRAKE



Joined: 21 Jul 2003
Posts: 2778
Location: dank orb
sleepsleep wrote:
You mean things like amazon echo, siri, google assistant?

Information verification is possible, but it comes with a cost, a very high cost.
I mean programmable interfaces. If I can say, "Okay, alexa - let me know of papers published on Lie Groups," and then at some future date the device says, "I found a paper that might interest you" -- then yes, I speak of those devices. Or, "Let me know of changes to the situation in Venezuela," and it would both understand my present bias (based on information seen thus far), and search for something different.

Controlling the perception of trust is a business position and not a reality one need live in. Information verification is specifically costly, but not generally so. Block chains are a possible way to have a certificate of verification that builds over time and is independent of the source with cost amortized over the steps.

_________________
¯\(°_o)/¯ unlicense.org


Last edited by bitRAKE on 17 May 2019, 17:40; edited 1 time in total
Post 17 May 2019, 17:13
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16631
Location: In your JS exploiting you and your system
So you want something to actively scan the Internet for topics you care about. Isn't that just like hitting Google/Bing/DDG/flatassembler.net in a loop and logging new links?

BTW BitRAKE your link gives an error from Cloudflare "Invalid SSL certificate"
Post 17 May 2019, 17:19
bitRAKE



Joined: 21 Jul 2003
Posts: 2778
Location: dank orb
We know that scanning is costly and certainly not the way to do it.
Post 17 May 2019, 17:42
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16631
Location: In your JS exploiting you and your system
So then each site has to announce changes to you. Instead of you pulling information, sites will push it to you. That is similar to the email notifications.
Post 17 May 2019, 17:44
bitRAKE



Joined: 21 Jul 2003
Posts: 2778
Location: dank orb
Email notifications were a good first step, but how to deploy agents doing more complex things?

link fixed, thank you
Post 17 May 2019, 18:01
DimonSoft



Joined: 03 Mar 2010
Posts: 532
Location: Belarus
revolution wrote:
So you are okay with JS running random code in your system because you have other things that are also vulnerable?

Wouldn't you prefer to have one fewer vulnerability (i.e. no need for JS) and thus have one fewer thing to cause you problems?

So, you prefer to throw out of your house everything that can be used to simplify carrying things away instead of paying more attention to your door and windows?
Post 17 May 2019, 19:06

Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.