flat assembler
Message board for the users of flat assembler.

Index > Heap > Why we should always disable JS, Wasm and Flash

DimonSoft
Joined: 03 Mar 2010
Posts: 604
Location: Belarus
revolution wrote:
There are examples of JS code that doesn't need any bugs in any browser but still steals people's info. The most recent example is the one I posted about >100 websites infected with CC card stealing code. Another is the rowhammer vuln, where the "fix" was to deliberately degrade the JS capabilities for timing accuracy.

Where the vulnerability was server-side. Having control over the server one doesn’t need JS to gain something; one can just steal the data stored about all users without waiting for each of them to open a particular page. And yes, a server having been attacked is indistinguishable from the server owner being willing to collaborate with a third party and pass them data. But JS is not the root cause here.

As for side channel attacks, they are inevitable due to the symmetry of physical processes. There’s nothing special in guessing what a person does in the bathroom by measuring the time they spend there. This doesn’t really count as a vulnerability in software/hardware, maybe a vulnerability in the Universe. AFAIR, many people reported either Meltdown or Spectre proofs of concept to fail on “vulnerable” hardware. Which is not surprising when the “attack” requires a lot of prerequisites like being able to time the execution of a few instructions precisely in multitasking environments. Or being able to smell what happens behind the bathroom door.

Still, nothing wrong with JS here, the same can be achieved with any other thing your browser is capable of.

revolution wrote:
So here is yet another example of JS exploit that requires no bugs in anything, all it needs is a plain old Turing complete language with the ability to run dynamically in a browser.

https://sensorid.cl.cam.ac.uk/

And look at the proposed solution:
Quote:
How to mitigate this fingerprinting attack?

To mitigate this calibration fingerprint attack, vendors can add uniformly distributed random noise to ADC outputs before calibration is applied. Alternatively, vendors could round the sensor outputs to the nearest multiple of the nominal gain. Please refer to our paper for more details. In addition, we recommend privacy-focused mobile browsers add an option to disable the access to motion sensors via JavaScript. This could help protect Android devices and iOS devices that no longer receive updates from Apple.

So, you require having motion sensors and giving a particular page access to them just to gain what?.. To know that the sensor in a device is (possibly!) the same one you’ve already seen somewhere?

I’ll make it even easier for you then. The MAC address of the network card I use to post this message is AC-2B-6E-70-14-62. It is even more unique than the fingerprint a motion sensor has, since the uniqueness here is intended by manufacturers. I have JS enabled by default and only disable it for testing purposes. I explicitly permit you to steal money (have it as my present or free bonus) from my rarely used MasterCard which expires within a few months. It has around a few dollars left on it. I’ve recently bought a few pieces of hardware and looked for them online. I explicitly permit you to publish a brief summary of what hardware that is. I have no custom security settings for files and folders on my D: drive. I explicitly permit you to make your executable that would show me a “Ha-ha, JS sucks, stupid!” message run at system bootup. I will open the pages with JS you choose but, obviously, will not do anything like “input your credit card number and CVC/CVV code here”. Please show me how unique information about my hardware (plus a lot of other tips I gave you) can give you anything, even having control over JS executing in my browser.

revolution wrote:
Hah, so maybe the "fix" for the upcoming future, as yet unknown, problems is to keep degrading JS the capabilities. Yeah. And the ultimate end point is JS that can't do anything. Now that is a solution I can begin to like. Smile

Hah, so maybe it is worth being consistent in measures you take and the “fix” is to detach your computer from all networks and to never insert any hardware into it? Remember the “vulnerability in the USB protocol” that allows a device to pretend it is a keyboard and to log key presses. How do you even run non-open-source software?
Post 23 May 2019, 11:22
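The two mitigations in the quoted sensorid text (uniform noise before calibration, or rounding outputs to the nearest multiple of the nominal gain), modelled as an added example that is not code from sensorid.cl.cam.ac.uk, from any vendor or from anyone in this thread. The nominal gain, the raw readings and the gcd-based step recovery are constructed assumptions standing in for a real calibration pipeline.

```python
"""Toy model of the sensor-calibration fingerprint and its two mitigations.

Constructed example: the gain values, sample readings and the gcd-based
fingerprint are simplifications, not code from sensorid.cl.cam.ac.uk or
from any sensor vendor."""
import math
import random
from functools import reduce

# Assumed nominal scale factor in micro-units per ADC step (constructed).
NOMINAL_GAIN = 61000

# Constructed raw ADC readings; their gcd is 1, so the gcd of the plain
# calibrated outputs equals the per-device gain exactly.
RAW_SAMPLES = [3, 7, 12, 20, 25, -9, 41, 58]


def calibrate(raw_samples, device_gain, mitigation=None, seed=0):
    """Apply a per-device gain to raw ADC integers, optionally mitigated.

    mitigation=None    -> plain output; every sample is a multiple of device_gain
    mitigation="round" -> round the output to the nearest multiple of NOMINAL_GAIN
    mitigation="noise" -> add uniform sub-LSB noise to the raw reading before
                          the gain is applied, so outputs stop being multiples
    """
    rng = random.Random(seed)
    out = []
    for raw in raw_samples:
        if mitigation == "noise":
            raw = raw + rng.uniform(-0.5, 0.5)   # noise goes in BEFORE calibration
        value = round(raw * device_gain)
        if mitigation == "round":
            value = round(value / NOMINAL_GAIN) * NOMINAL_GAIN
        out.append(value)
    return out


def recover_step(outputs):
    """What an observer of the output stream can learn: the common step between
    values.  Unmitigated, that step is the device's own calibration gain."""
    return reduce(math.gcd, (abs(v) for v in outputs))


def distinguishable(outputs_a, outputs_b):
    """True when the recovered steps differ, i.e. the two devices are told apart."""
    return recover_step(outputs_a) != recover_step(outputs_b)


if __name__ == "__main__":
    # Two devices whose factory calibration differs slightly from nominal.
    gain_a, gain_b = 61040, 60975
    for mitigation in (None, "round", "noise"):
        a = calibrate(RAW_SAMPLES, gain_a, mitigation)
        b = calibrate(RAW_SAMPLES, gain_b, mitigation)
        print(f"{str(mitigation):>5}: gain A recovered={recover_step(a) == gain_a} "
              f"gain B recovered={recover_step(b) == gain_b} "
              f"A/B distinguishable={distinguishable(a, b)}")
```

Without mitigation the recovered step is the per-device gain and the two devices are told apart; with rounding both streams collapse onto multiples of the nominal gain and become identical, and with sub-LSB noise the step no longer reveals the gain at all.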
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16901
Location: In your JS exploiting you and your system
You are aware that without JS all those vulnerabilities don't exist. Right? I don't understand how you can suggest that JS is not in any way responsible. It might not be the "root" cause of compromised web-servers, but it is the delivery mechanism to cheat the users. JS is part of the problem. If no one had JS (I wish) then compromising servers with user targeted exploits would be very much harder. And such exploits would require bugs in the browser. Browser bugs can and do exist, but at least they aren't deliberately built in as part of the normal operating expectation. And they would be different for every browser type and version. FF wouldn't be affected by Chrome bugs, and vice-versa. That makes coding and sending exploits a very high bar to attain.

Right now, the JS bar is not only too low, but it is part of the expected normal running environment. So if one has a properly functioning browser and JS then that puts the user at more risk. The whole situation is backwards.
Post 23 May 2019, 12:35
DimonSoft
Joined: 03 Mar 2010
Posts: 604
Location: Belarus
revolution wrote:
You are aware that without JS all those vulnerabilities don't exist. Right?

Really? VBScript anyone? Clever tricks using modern CSS features like CSS expressions that actually make CSS at least very close to Turing completeness?

revolution wrote:
I don't understand how you can suggest that JS is not in any way responsible. It might not be the "root" cause of compromised web-servers, but it is the delivery mechanism to cheat the users. JS is part of the problem.

Totally agree. But fixing a vulnerability should be done by fixing its root cause. The vulnerability is not in JS, it’s in the features JS provides access to. Not having JS you lose access to those features, right, that’s why removing JS “fixes” the problem. But now you’ve also lost lots of useful stuff. It’s like cutting off the whole hand to stop pain in a single finger. The root cause should be fixed.

revolution wrote:
If no one had JS (I wish) then compromising servers with user targeted exploits would be very much harder. And such exploits would require bugs in the browser. Browser bugs can and do exist, but at least they aren't deliberately built in as part of the normal operating expectation. And they would be different for every browser type and version. FF wouldn't be affected by Chrome bugs, and vice-versa. That makes coding and sending exploits a very high bar to attain.

So, security through obscurity is the way to go, right? It’s not surprising that doing funny things with elevated privileges is treated as “security vulnerabilities” these days. Because, yes, it’s hard to find a real vulnerability, so most “security experts” prefer to suggest some tricky stuff obscuring the fact they gain nothing new by their “attack”.

And this pays, ’cause non-IT people just believe and are willing to pay for “solutions”. And the “finders” of such “vulnerabilities” get the feeling of being security experts. But, sadly, it just adds to the nonsense that is going on in IT these days.

revolution wrote:
Right now, the JS bar is not only too low, but it is part of the expected normal running environment. So if one has a properly functioning browser and JS then that puts the user at more risk. The whole situation is backwards.

But if you have no lock in your door it doesn’t matter if the thieves have the key or not. The house is vulnerable, point. You can destroy the paper telling where the stash is. Doesn’t help. You can barricade the doorway with cupboards and chairs but that just slightly increases the difficulty. Putting make-up on a vulnerability doesn’t make it magically fixed.
Post 24 May 2019, 10:38
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16901
Location: In your JS exploiting you and your system
DimonSoft wrote:
But fixing a vulnerability should be done by fixing its root cause
I would really really love to fix the root cause, but like I mentioned already in this thread, I have no control over remote websites, so I can't fix the root cause. All I can do is limit the delivery, I can't do anything more. It would be like saying the root cause of skin cancer is the UV sun rays, so we should fix the Sun instead of wearing sunblock. Can't be done. You suggest the impossible. Sad
DimonSoft wrote:
... removing JS “fixes” the problem. But now you’ve also lost lots of useful stuff.
What is the "useful stuff" you speak of? That is where we differ I think. I can't figure out what is supposed to make JS so vital that removing causes so much harm. I don't use JS, what am I missing out on? Fancy animated menus? I can do without those.
DimonSoft wrote:
So, security through obscurity is the way to go, right?
It's called improving security piece by piece. Else we just throw our hands up in the air and say to everyone "please rape, rob and kill me now". No, we fix the most egregious problems, and work our way on to the next. Rather than continually "fixing" JS over and over and over again.
Post 24 May 2019, 11:00
bitRAKE
Joined: 21 Jul 2003
Posts: 2800
Location: dank orb
revolution wrote:
What is the "useful stuff" you speak of? That is where we differ I think. I can't figure out what is supposed to make JS so vital that removing causes so much harm. I don't use JS, what am I missing out on? Fancy animated menus? I can do without those.
If you knew what you were missing we wouldn't be having this conversation. Some of the biggest proponents of JS are the largest forces on the internet! Load up a Facebook page - that's A LOT of JS - wtf are they doing? Any large media outlet, the race for the mindshare of consumers is immense! What do they want with JS? Why not do everything on the server side? JS isn't going anywhere - in fact all the scripts will be programmable. Just get a comfy chair and watch the carnage.

_________________
¯\(°_o)/¯ unlicense.org
Post 24 May 2019, 20:57
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16901
Location: In your JS exploiting you and your system
bitRAKE wrote:
Load up a Facebook page ...
That ain't gonna happen any time soon. Razz

But I get your point. Indeed what are they doing? Bad things, of course.

I watched as someone installed WhatsApp on their phone. The permissions pages were awful. It wants access to everything. Why? All it needs is the network, right? Nope, it wants contacts and SMS messages also. What for?? Plus about a zillion other things like microphone, speaker, camera, battery level, wifi control, etc. What for??? "To enhance your experience". Haha, sure it is. But at least we can choose whether or not to install the app. So the user has the option. So okay, no problem. If you wanna allow companies to do such stuff then your choice, go for it. Scan the app for viruses or whatever and proceed.

Can you imagine if every time you visited or refreshed a web page with new content you got a permission dialog saying "This website wants to listen to your microphone, read your clipboard, send data to remote servers, monitor your mouse movements, capture video images, execute rowhammer exploits, report your location to FB, fingerprint your unique ID, mine for bitcoins, etc, etc," Wow, people would suddenly realise just how much they are allowing.
Post 24 May 2019, 21:27
Furs
Joined: 04 Mar 2016
Posts: 1435
Well I mean web applications need Javascript or something like that... no way around it. For example, using the web version of Skype instead of installing that junk.

But in those cases, you'd use the "desktop client" anyway so it's not a bigger risk.

I prefer the web version for such things because you don't have to infest your system with those bloated garbage clients.
Post 25 May 2019, 15:42
bitRAKE
Joined: 21 Jul 2003
Posts: 2800
Location: dank orb
FYI: The default setting in Chrome is to allow Apps to continue after the browser is closed.

_________________
¯\(°_o)/¯ unlicense.org
Post 25 May 2019, 16:38
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16901
Location: In your JS exploiting you and your system
"Almost all websites today are heavily embedded with tracking components. For every website you visit, you could be unknowingly loading content from potentially malicious parties and leaving a trail of your internet activity," Professor Kaafar said.

The research also found that 1.2 percent of third parties linked to the top 200 thousand websites were suspicious. Popular web resource Javascript, generally used to improve the user experience of the web, represents the greatest risk of malicious activity as they are designed to be executed undetected.

"The potential threat should not be underestimated, as suspicious content loaded on browsers can open the way to further exploits including Distributed Denial of Service attacks which disrupt traffic to websites, and ransomware campaigns which cost the world more than US$8 billion in 2018," Professor Kaafar said.

"Worryingly, the original or 'first party' websites have little to no visibility of where these resources originate. This points to a lack of 'trustability' of content on the web, and the need to better regulate the web by introducing standardised security measures and the notion of explicit trust."
And yet we still get the bright red banners informing us to enable JS or suffer. When in reality the bright red banners should say turn off JS or suffer.

Simple solution to the problem here, kill JS. Solved.
Post 27 May 2019, 14:10
bitRAKE
Joined: 21 Jul 2003
Posts: 2800
Location: dank orb
That's a bunch of hand waving: "almost", "could be", "potentially", "suspicious", ...

https://wot19submission.github.io/ - is a more helpful source. Work done in Feb. linked by a "news" site recently - seems suspicious. Very Happy

Virus Total was their measure of suspicion, lol.

The web is diverse?

You don't say!

What a conclusion. I'm not scared of my digital shadow, and I only need very limited trust. If you are suspicious of your neighbors I suggest inviting them to dinner and not spying on them.

_________________
¯\(°_o)/¯ unlicense.org
Post 27 May 2019, 21:59
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16901
Location: In your JS exploiting you and your system
The problem is that you never know which places you are going to connect to next. The content changes. Today it will play nicely. Tomorrow it will steal your CC details. The next day it will be something else. Although the granularity of one day is only for example, it could just as easily be changing from second to second.
Post 27 May 2019, 22:26
Ali.Z
Joined: 08 Jan 2018
Posts: 233
revolution wrote:
Simple solution to the problem here, kill JS. Solved.

I agree, and I bet one day JS will be xor'ed.

_________________
Asm For Wise Humans
Post 29 May 2019, 08:52
DimonSoft
Joined: 03 Mar 2010
Posts: 604
Location: Belarus
revolution wrote:
I would really really love to fix the root cause, but like I mentioned already in this thread, I have no control over remote websites, so I can't fix the root cause. All I can do is limit the delivery, I can't do anything more. It would be like saying the root cause of skin cancer is the UV sun rays, so we should fix the Sun instead of wearing sunblock. Can't be done. You suggest the impossible. Sad

The root cause of skin cancer is not the UV sun rays. A weak immune system that fails to recognize and kill bad cells is. UV sun rays are just another external effect that may cause certain cells to break. Even if you removed UV rays there would still be a bunch of other stuff that could have caused cancer cells to appear with higher probability.

Side channel “attacks” and identity detection are pretty much inevitable in our universe. Otherwise we would be able to produce and consume infinite energies, reach infinite speeds, etc. But the law of energy conservation is still there. And JS is just another way of using it. You can remove it from the picture but that doesn’t solve the problem.

revolution wrote:
What is the "useful stuff" you speak of? That is where we differ I think. I can't figure out what is supposed to make JS so vital that removing causes so much harm. I don't use JS, what am I missing out on? Fancy animated menus? I can do without those.

So, you insist on installing a special program for every network application I might need? You insist on executing native applications instead of running JS scripts with limited capabilities?

One good example has already been mentioned: Skype. Another one is Google Documents. I seriously doubt I want to have another MS Office package installed just to gain simultaneous document editing with chat. I seriously doubt I want to replace this with offline editing and git ’cause that would be really bad for the efficiency of the process.

You don’t really check native applications. And they run with much higher privileges than JS. So, which way is safer?

revolution wrote:
DimonSoft wrote:
So, security through obscurity is the way to go, right?
It's called improving security piece by piece. Else we just throw our hands up in the air and say to everyone "please rape, rob and kill me now". No, we fix the most egregious problems, and work our way on to the next. Rather than continually "fixing" JS over and over and over again.

“Rain hasn’t started, but at least I spent a few hours waving my hands and rain dancing. Next time I’ll try a more sophisticated dance”.
Post 29 May 2019, 10:26
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16901
Location: In your JS exploiting you and your system
DimonSoft wrote:
The root cause of skin cancer is not the UV sun rays. Weak immune system that fails to recognize and kill bad cells is. UV sun rays are just another external effect that may cause certain cells to break. Even if you removed UV rays there would still be a bunch of other stuff that could have caused cancer cells to appeat with higher probability.
Okay, that might be true. But the sentiment still applies. We can't fix the root cause, which is your suggestion, but we still have to protect ourselves somehow. So out comes the sunblock.

Can you explain how I am expected to fix the root cause of a website delivering me unwantedware via JS?
Post 29 May 2019, 12:51
DimonSoft
Joined: 03 Mar 2010
Posts: 604
Location: Belarus
revolution wrote:
Okay, that might be true. But the sentiment still applies. We can't fix the root cause, which is your suggestion, but we still have to protect ourselves somehow. So out comes the sunblock.

Can you explain how I am expected to fix the root cause of a website delivering me unwantedware via JS?

Sure. How do you fix it for native applications?
Post 29 May 2019, 20:11
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16901
Location: In your JS exploiting you and your system
Native apps are under my control. I can decide: about availability of sources, scanning for viruses, blocking network accesses, etc. And I can decide when to apply updates, patches, fixes, or simply delete it. I can ask others that use it about problems. I can decide if an older version suits me better. I can decide if an alternative program is more to my liking. I can decide to run it in a sandbox, or a VM, or not at all. And most of all I decide to have it because I think it will be a benefit to me, not because it is a benefit to someone else at my expense. I can find the author and ask for improvements, or help, and offer to report bugs or donate time or money to help out.

Which can't be done for a website I have no control over. So JS is blocked because I don't know what it will do. I can't make any of those choices, or decisions.
Post 29 May 2019, 20:22
bitRAKE
Joined: 21 Jul 2003
Posts: 2800
Location: dank orb
You've had security concerns here long before the popularity of JS, revolution. Seems you might not have control over that. Razz

_________________
¯\(°_o)/¯ unlicense.org
Post 30 May 2019, 01:48
guignol
Joined: 06 Dec 2008
Posts: 644
You may wish for an apple or an orange, but you will get a peach.
Post 30 May 2019, 02:42
guignol
Joined: 06 Dec 2008
Posts: 644
Can you ask others about problems?

And where do you keep all those older versions, or indeed your VM?
Plus, why are you not using all the open-source?
Post 30 May 2019, 02:51
guignol
Joined: 06 Dec 2008
Posts: 644
and people do hate benaffleck
Post 30 May 2019, 03:03
Copyright © 1999-2019, Tomasz Grysztar.