flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
I need shelter so I am willing to maintain it. I don't need JS, I am not willing to keep it.
Post 17 May 2019, 19:12
bitRAKE



Joined: 21 Jul 2003
Posts: 2777
Location: dank orb
What do you think about WASM revolution - same bad?

_________________
¯\(°_o)/¯ unlicense.org
Post 17 May 2019, 19:25
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
bitRAKE wrote:
What do you think about WASM revolution - same bad?
I assume you mean WebAssembly. I don't know much about it. From what I have seen it can't be run on its own, JS will call it. Maybe I got that wrong? Anyhow, since it appears to be yet another version of code that random websites expect me to run without any verification or scrutiny then it looks to be more bad layered onto existing bad. It will just steal your info more efficiently.
Post 17 May 2019, 19:37
bitRAKE



Joined: 21 Jul 2003
Posts: 2777
Location: dank orb
Are there any protections which would satisfy your criteria for unknown code execution? There are WASM VMs which are separate from the browser, but usually that is not the case. And it might be possible to use WASM in a browser without JS, but presently that is not the case. I'm kind of interested to see if the restrictions on WASM are sufficient to prevent exploitation - seriously doubt it. (Assuming JS is just used to load the WASM, can information be stolen?)

_________________
¯\(°_o)/¯ unlicense.org
Post 17 May 2019, 20:32
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
bitRAKE wrote:
Are there any protections which would satisfy your criteria for unknown code execution?
Unknown code should be treated with extreme caution IMO. Why would it be any other way? Especially code that can be changed without my knowledge or control. And code delivered to a browser from an external source is probably the most insecure way to get code. And yet here we are being admonished and ridiculed for saying it is a bad thing.

Sandboxes don't work. Claims of "protections" don't work. Smart people can write some pretty slick code to find side channels or alter things to trick users. Just scroll back through this thread to see all the things in action.
Post 17 May 2019, 20:44
bitRAKE



Joined: 21 Jul 2003
Posts: 2777
Location: dank orb
I completely agree with your judgement on JS, but I personally have nothing to hide from a browser, lol. The account I use online is very limited, and has never had a problem. The problems I've had online were because of malicious people with no accountability. One guy even emailed me, repeatedly - taunting how he'd gotten the better of me. Just sadistic people.

Technology moves too fast for me to restrict myself in the way you've chosen to. I expect there to be malice at every scale of commerce. Aren't we overdue for more hardware problems? Every abstraction is a huge cost - DOS was so nice and responsive. That was probably the last time I really knew what was running on my machine.

Accountability solves many problems - like how having video cameras everywhere has brought down crime rates at the cost of privacy. Yet, the hardcore thieves have found ways around the cameras.

_________________
¯\(°_o)/¯ unlicense.org
Post 17 May 2019, 22:06
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
You might think that you have nothing to hide from your browser. But the next time you are doing banking, entering your password for your email, or entering your CC number into a payment site, then consider if you would be okay with some malicious JS sending those details off into the hackers' DB.
Post 18 May 2019, 06:24
DimonSoft



Joined: 03 Mar 2010
Posts: 532
Location: Belarus
I request an example of a webpage with JS which would steal my data WITHOUT relying on browser bugs and my direct permission. I find it just strange to be afraid of Russell’s teapot.

You know, many attackers use English. That’s why you should avoid people who speak English. Every attacker drinks water. Avoid using water since an attacker might have introduced something bad into it. Air could probably be poisoned by an attacker, stop breathing.

Air is not the reason you get poisoned in this case, it’s just one of thousands of ways to simplify poison delivery. But the real problem is that someone has access to such poison and the need to poison you. You don’t want to choose HOW you get poisoned, you want to AVOID it in the first place.
Post 19 May 2019, 09:16
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
DimonSoft wrote:
I request an example of a webpage with JS which would steal my data WITHOUT relying on browser bugs and my direct permission.
Yes, the links are in the past pages of this thread. There are many examples. Sad
Post 19 May 2019, 10:05
Furs



Joined: 04 Mar 2016
Posts: 1421
DimonSoft wrote:
I request an example of a webpage with JS which would steal my data WITHOUT relying on browser bugs and my direct permission. I find it just strange to be afraid of Russell’s teapot.
Most of the time they aren't browser bugs but oversights. The problem is that javascript is too powerful and Turing complete so people will always find ways to abuse features.

Having to "disable" or "workaround" those exploits is akin to Allowing By Default in computer security, and then blacklisting the bad guys. That's just retarded. You Deny By Default and then explicitly allow what's needed after careful inspection. Javascript is the opposite of this.
Post 19 May 2019, 12:19
DimonSoft



Joined: 03 Mar 2010
Posts: 532
Location: Belarus
revolution wrote:
DimonSoft wrote:
I request an example of a webpage with JS which would steal my data WITHOUT relying on browser bugs and my direct permission.
Yes, the links are in the past pages of this thread. There are many examples. Sad

Choose the one that you feel is the best. But note the condition that it should be a vulnerability caused by JS itself, not by its implementation or some other piece of code where JS is just someone who happens to be on the other side of the airtight hatchway.

Furs wrote:
The problem is that javascript is too powerful and Turing complete so people will always find ways to abuse features.

Which is the property of literally every programming language that has any practical use.

Furs wrote:
Having to "disable" or "workaround" those exploits is akin to Allowing By Default in computer security, and then blacklisting the bad guys. That's just retarded. You Deny By Default and then explicitly allow what's needed after careful inspection. Javascript is the opposite of this.

What about images? I remember IE6 (or IE4) had a vulnerability that allowed a malformed PNG file to cause arbitrary code execution. Shouldn’t we just deny images and browsers then?

Besides, a good website should be browsable without images anyway (alt text and stuff, you know). Shouldn’t we use a single set of rules for all the documents that are hypertexted (linked) to web pages?
Post 20 May 2019, 14:53
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
If there is a problem in a browser rendering PNG files then it can be fixed in a new version. We don't have to rely upon every website out there to update their server to fix every PNG file in existence. We update the browser and move on.

Other languages being Turing complete won't suddenly make JS okay. I still don't get your argument about mentioning other things that are similar. You have to show how the use case is the same. If you had talked about Flash, then that is the same use case, random code we are expected to run. But C, or whatever, are not delivered to a browser for direct running.
Post 20 May 2019, 15:46
Furs



Joined: 04 Mar 2016
Posts: 1421
revolution wrote:
Other languages being Turing complete won't suddenly make JS okay. I still don't get your argument about mentioning other things that are similar. You have to show how the use case is the same. If you had talked about Flash, then that is the same use case, random code we are expected to run. But C, or whatever, are not delivered to a browser for direct running.
Exactly.

You know that annoying popup you get when trying to execute a newly downloaded program under Windows?

That's the difference between C (or other languages) and Javascript.

We are told not to run random applications from the internet, but that's exactly what Javascript does by default and it is encouraged by all these "experts" who tell you not to run stuff. It's hypocritical.

Websites should be coded as if Javascript must be explicitly turned on for that website, if it really needs it.
Post 20 May 2019, 18:22
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
Furs wrote:
Websites should be coded as if Javascript must be explicitly turned on for that website, if it really needs it.
Kind of. But many websites absolutely, must, without fail, have those animated menus. So what happens is that the sites refuse to show themselves until you get to experience those ever so necessary fancy menus. The meaning of "really needs it" becomes weakened to be "our site needs to look fancy so run our JS".

And another weird thing I see is people running NoScript (or whatever else does the same) to "protect" themselves, and then as soon as a website won't work correctly they immediately enable JS. Rolling Eyes So all you have to do to get someone to run your malicious code is make the page look broken. Laughing
Post 20 May 2019, 18:42
sleepsleep



Joined: 05 Oct 2006
Posts: 8227
Location: ˛                              ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣ Posts: 6699
Art is Pain and Life is Suffering in John Wick Chapter 3: Parabellum
Post 21 May 2019, 00:34
DimonSoft



Joined: 03 Mar 2010
Posts: 532
Location: Belarus
revolution wrote:
If there is a problem in a browser rendering PNG files then it can be fixed in a new version. We don't have to rely upon every website out there to update their server to fix every PNG file in existence. We update the browser and move on.

PNG is just another document that is linked to a webpage and gets processed. The only difference is that PNG processing is limited to producing an image while JS processing is limited to making changes to the page and everything needed for that.

Both normally don’t get out of the box unless there is already a vulnerability in the browser implementation, in which case, like you said, you just update the browser.

Text document (which JS is) doesn’t get magically executed. It has well-defined borders of what can and cannot be done, and it doesn’t allow JS to do anything arbitrary. Choosing JS as the only target to blame is just trying to cure stomach by shaving. You’re trying to punish a shop assistant for servicing a murderer who escaped from prison: the shop assistant does nothing wrong, you should check the prison guards instead, because after you solve the problem with the shop assistant the same problem will occur with taxi drivers.

revolution wrote:
Other languages being Turing complete won't suddenly make JS okay. I still don't get your argument about mentioning other things that are similar. You have to show how the use case is the same. If you had talked about Flash, then that is the same use case, random code we are expected to run. But C, or whatever, are not delivered to a browser for direct running.

JS and Flash are not delivered for direct running either. The processor and operating system themselves have no notion of what JS or Flash are. They cannot cause anything to happen by themselves, they need a particular runtime environment that takes them and makes the wheels turn. PNG doesn’t get rendered by itself, DOC(X) doesn’t get presented to the user itself, PDF, HTML, whatever. All of them are just text or binary documents, not executables.

You may say native executables also require some environment, say an OS. But an executable may generally run without requiring any OS functions at all. You can do it. You’ll obviously be very limited in what you can do easily and what has to be reimplemented by yourself, but you can. JS and Flash, OTOH, cannot even add two numbers without the interpreter/JIT compiler/renderer/whatever.

---

The rest of the discussion after my last post is about quality in use, not about security. And what I completely agree with is that JS shouldn’t be used without proper reasoning behind the choice. But choosing tools is mostly done by “what I know” these days, not by “what I need”. We should have expected that when every cat and dog started to write programs in C#, Ruby and Lua.

I agree that JS is wildly overused and misused. Very few tasks really need JS. From the top of my head: something like Google Documents, maybe.

But the solution you have come up with by this moment is called “graceful degradation” or “progressive enhancement” and this has nothing to do with security threats.
Post 22 May 2019, 12:19
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
There are examples of JS code that doesn't need any bugs in any browser but still steals people's info. The most recent example is the one I posted about >100 websites infected with CC card stealing code. Another is the rowhammer vuln, where the "fix" was to deliberately degrade the JS capabilities for timing accuracy.

Hah, so maybe the "fix" for the upcoming future, as yet unknown, problems is to keep degrading the JS capabilities. Yeah. And the ultimate end point is JS that can't do anything. Now that is a solution I can begin to like. Smile
Post 22 May 2019, 14:15
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
So here is yet another example of a JS exploit that requires no bugs in anything, all it needs is a plain old Turing complete language with the ability to run dynamically in a browser.

https://sensorid.cl.cam.ac.uk/

And look at the proposed solution:
Quote:
How to mitigate this fingerprinting attack?

To mitigate this calibration fingerprint attack, vendors can add uniformly distributed random noise to ADC outputs before calibration is applied. Alternatively, vendors could round the sensor outputs to the nearest multiple of the nominal gain. Please refer to our paper for more details. In addition, we recommend privacy-focused mobile browsers add an option to disable the access to motion sensors via JavaScript. This could help protect Android devices and iOS devices that no longer receive updates from Apple.
So here again the proposed solution is to degrade JS. Make it less capable. Sounds good to me. Let's keep degrading it until there is nothing left. Smile
Post 22 May 2019, 15:01
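The "round the sensor outputs to the nearest multiple of the nominal gain" mitigation from the quoted text, as an added toy model (this is not code from the thread, the sensorid site or its paper). It assumes a sensor that multiplies raw ADC integers by a per-device factory gain; the nominal gain, the two device gains and the raw samples are constructed values. The same check a vendor or browser tester could run shows the per-device gain is visible in the spacing of the reported values before the mitigation and collapses to the nominal gain after it.

```javascript
// Toy model of the calibration leak and the rounding mitigation (added example).
// All numeric values are constructed; NOMINAL_GAIN is an assumed units-per-LSB figure.
const NOMINAL_GAIN = 0.01;

// Constructed raw ADC readings shared by every device in the model.
const RAW_SAMPLES = Array.from({ length: 50 }, (_, i) => 100 + i);

// Constructed per-device factory calibration gains (a few percent off nominal).
const DEVICE_GAINS = { deviceA: 0.01023, deviceB: 0.00991 };

// What the sensor firmware reports: raw count times the device's own gain.
function calibrated(rawSamples, deviceGain) {
  return rawSamples.map((r) => r * deviceGain);
}

// Mitigation quoted above: snap each reported value onto the lattice of the
// nominal gain so the device-specific gain no longer shows in the spacing.
function roundToNominal(values, nominal = NOMINAL_GAIN) {
  return values.map((v) => Math.round(v / nominal) * nominal);
}

// Test-side check: the smallest spacing between distinct reported values.
// Before mitigation this equals the device gain, i.e. a stable identifier.
function latticeStep(values) {
  const sorted = [...new Set(values)].sort((a, b) => a - b);
  let step = Infinity;
  for (let i = 1; i < sorted.length; i++) {
    const d = sorted[i] - sorted[i - 1];
    if (d > 1e-12 && d < step) step = d; // skip float-equal duplicates
  }
  return step;
}

// Runs the check for every modelled device, with or without the mitigation,
// and returns { deviceName: observedStep } so the two cases can be compared.
function leakReport(mitigate) {
  const report = {};
  for (const [name, gain] of Object.entries(DEVICE_GAINS)) {
    let values = calibrated(RAW_SAMPLES, gain);
    if (mitigate) values = roundToNominal(values);
    report[name] = latticeStep(values);
  }
  return report;
}

console.log("without mitigation:", leakReport(false)); // steps differ per device
console.log("with rounding:     ", leakReport(true));  // every step is NOMINAL_GAIN
```

The model covers only the rounding variant; the noise-injection alternative in the same quote works by taking the outputs off any lattice at all, which this lattice-step check cannot measure deterministically.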
bitRAKE



Joined: 21 Jul 2003
Posts: 2777
Location: dank orb
Is a browser side language required to detect a user? Use alone should be sufficient.

https://www.kompyte.com/blog/5-ways-to-identify-your-users-without-using-cookies/

JS just lowers the bar so everyone can do it - not just big business.
Post 23 May 2019, 00:56
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16628
Location: In your JS exploiting you and your system
bitRAKE wrote:
Is a browser side language required to detect a user? Use alone should be sufficient.

https://www.kompyte.com/blog/5-ways-to-identify-your-users-without-using-cookies/

JS just lowers the bar so everyone can do it - not just big business.
I notice that two of those methods require JS: local storage and canvas fingerprinting. One of those methods is useless, IP address. One of them relies upon image caching and uses ETAG as a cookie replacement. The final one, user behaviour, is very tricky.

Just get users to log in and then tracking is easy. Razz

But I see basic user tracking as unrelated to random code execution with JS or Flash. Users have more control over cookies, their behaviour and the ETAG/cache. Their IP probably changes regularly, or it is shared with other users. The place where JS comes in here is to bypass all the things the user has control over and use its own methods to make the browser work for the remote site and work against the user's interests.
Post 23 May 2019, 04:48
Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.