flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

guignol



Joined: 06 Dec 2008
Posts: 578
Location: /96A
because life is not simply about writing plays
Post 30 May 2019, 03:05
DimonSoft



Joined: 03 Mar 2010
Posts: 552
Location: Belarus
revolution wrote:
Native apps are under my control. I can decide: about availability of sources, scanning for viruses, blocking network accesses, etc. And I can decide when to apply updates, patches, fixes, or simply delete it.

They’re not. Having sources does not equal checking them, don’t try to fool us. Thompson’s hack is also to be considered. Scanning for viruses doesn’t guarantee virus detection (false negatives). So, you’re already using an unreliable environment.

The rest is complaining about the web applications in general. Removing JS doesn’t give you control over update times. As for simply deleting, with web applications (even with JS on board) you don’t even need to bother deleting them, just stop using.

revolution wrote:
I can ask others that use it about problems.

So, what prevents you from asking with web applications?

revolution wrote:
I can decide if an older version suits me better.

Good luck running an old version of Skype or web browser. You may decide as much as you wish but whenever the application requires interaction over network your decision costs nothing. Web applications are subject to this no matter if they use JS or not.

revolution wrote:
I can decide if an alternative program is more to my liking.

Isn’t the same applicable to web applications?

revolution wrote:
I can decide to run it in a sandbox, or a VM, or not at all.

JS is sandboxed by definition. No one prevents you from opening the page in a VM or not opening at all.

revolution wrote:
And most of all I decide to have it because I think it will be a benefit to me, not because it is a benefit to someone else at my expense. I can find the author and ask for improvements, or help, and offer to report bugs or donate time or money to help out.

Aren’t you talking about web applications? What’s the difference here?

revolution wrote:
Which can't be done for a website I have no control over. So JS is blocked because I don't know what it will do. I can't make any of those choices, or decisions.

Ehm, what? “Products may expire so I’ll stop drinking milk”. Web applications are absolutely the same, you just have to compare them to the right subset of desktop ones. And the things that make the subset distinct are not related to JS by any means, as well as other cons you mention.
Post 30 May 2019, 07:39
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16699
Location: In your JS exploiting you and your system
bitRAKE wrote:
You've had security concerns here long before the popularity of JS, revolution. Seems you might not have control over that. Razz

And I will continue to have them in the future. But that is not an argument to simply allow JS to do anything it wants at the behest of someone else.

You still haven't mentioned how I can fix the "root" cause?

It doesn't matter about the root cause actually. What matters is that I don't get caught in the middle waiting for someone else to fix their stuff..
Post 30 May 2019, 09:05
DimonSoft



Joined: 03 Mar 2010
Posts: 552
Location: Belarus
revolution wrote:
bitRAKE wrote:
You've had security concerns here long before the popularity of JS, revolution. Seems you might not have control over that. Razz
And I will continue to have them in the future. But that is not an argument to simply allow JS to do anything it wants at the behest of someone else.

You still haven't mentioned how I can fix the "root" cause?

It doesn't matter about the root cause actually. What matters is that I don't get caught in the middle waiting for someone else to fix their stuff..

But since disabling JS doesn’t solve anything you (or, what’s even worse, people who read your posts and have no insight into how things work) might end up mistakenly believing you’re now safe. Security, you say?
Post 30 May 2019, 12:53
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16699
Location: In your JS exploiting you and your system
Disabling JS solves a lot. Even without the security angle, it makes webpages faster.

But I have never said things will be perfectly secure if we disable JS. But one thing is for sure, we would be more secure than we are now. Security is something that needs to be worked towards to improve. It is a process. IMO disabling JS is a part of that process, and a large part of that process. Then we move to the next problem and see how to solve that.

And you still haven't mentioned how I can fix the "root" cause? Razz
Post 30 May 2019, 13:15
guignol



Joined: 06 Dec 2008
Posts: 578
Location: /96A
as if you can't program robots in D
Post 30 May 2019, 15:29
Furs



Joined: 04 Mar 2016
Posts: 1424
revolution, I agree with you about JS being overused and disabling it for web pages, but the thing is, there's a thing as "web applications" not just "web pages".

Skype is an example I gave. Would you rather install some bloated desktop client (that's basically just a browser shell anyway) or just use the web version with JS? What's the difference at this point in terms of security? None.

Don't forget some apps automatically update because they are "web" application shells. In this case they could pull off totally alien code you have no control over and still fuck you up even more than JS.

So you can't really get rid of JS because then we'd all be forced to install desktop "web clients" which sucks even more.
Post 30 May 2019, 15:41
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16699
Location: In your JS exploiting you and your system
If you need to use Skype (which hasn't been established, but let's go with that) then install a client app in your machine and use a sandbox, or a VM to constrain it. That way if it fucks you up you can rollback the VM and send a nasty note to the Skype developers.

This gives you some advantages. If a newer version of Skype has all sorts of objectionable telemetry then you can keep your older version and avoid such user hostile behaviour. Or if you are forced to use the newer version for some reason then use a hex editor and remove the more nasty bits to make it more acceptable.

But the "real" solution here is to not use such apps that give you no control or choice. There are many alternatives to Skype. Why do you feel compelled to use it?


Last edited by revolution on 30 May 2019, 22:29; edited 1 time in total
Post 30 May 2019, 16:23
bitRAKE



Joined: 21 Jul 2003
Posts: 2791
Location: dank orb
Any technology that requires 10+% of a resource for "security" is a failure of engineering. When "security" impedes diversity it is a failure of engineering. The "root" cause is the "security" mindset. Security people engineer themselves into a corner - creating a fragile attack surface all in the name of branding and market share - the process is doomed from the start.

The process you suggest for native applications can be analogously followed for applications at any execution level. Claiming the diversity makes this impossible (or more difficult) is without merit. Rather you want to corner use cases into an area of your familiarity. (It is natural for one to want the culture to stand still for them.)

I'm not against choice - I'm against the idea that everyone needs to make the same choice - that's not choice at all. Real security is the path of greatest opportunity. And that's not opportunity for me, but opportunity for all.

_________________
¯\(°_o)/¯ unlicense.org
Post 30 May 2019, 22:19
Furs



Joined: 04 Mar 2016
Posts: 1424
revolution wrote:
If you need to use Skype (which hasn't been established, but let's go with that) then install a client app in your machine and use a sandbox, or a VM to constrain it. That way if it fucks you up you can rollback the VM and send a nasty note to the Skype developers.

You can do the same with a browser and javascript though, sandbox it and all Confused

revolution wrote:
But the "real" solution here is to not use such apps that give you no control or choice. There are many alternatives to Skype. Why do you feel compelled to use it?

Sadly most of the time arguing with your boss or coworkers about reasonable things like this, is like talking to the walls.
Post 31 May 2019, 14:43
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16699
Location: In your JS exploiting you and your system
Furs wrote:
You can do the same with a browser and javascript though, sandbox it and all Confused

The difference is that you don't know what code you will get delivered to your browser. Each session, each page load, can give you different code. So you can't pre-verify that code is what you want. You can't ask others what is a good version to run. You can't edit it to disable bits you disapprove of.
Post 31 May 2019, 15:01
DimonSoft



Joined: 03 Mar 2010
Posts: 552
Location: Belarus
revolution wrote:
Furs wrote:
You can do the same with a browser and javascript though, sandbox it and all Confused
The difference is that you don't know what code you will get delivered to your browser. Each session, each page load, can give you different code. So you can't pre-verify that code is what you want. You can't ask others what is a good version to run. You can't edit it to disable bits you disapprove of.

But the whole reason for sandboxing is not to bother checking, just feeling free to use whatever gets delivered without worrying that it breaks anything. So the rest is not important anymore.

Even more, your statement about pre-verifying is just a lie. You can’t pre-verify anything larger than your reverse engineering skill times the time you have to do that. Asking others is not a way since others don’t do that too.

revolution wrote:
Disabling JS solves a lot. Even without the security angle, it makes webpages faster.

And unusable for web applications. “Good” “fix” that breaks the thing completely.

revolution wrote:
If you need to use Skype (which hasn't been established, but let's go with that) then install a client app in your machine and use a sandbox, or a VM to constrain it. That way if it fucks you up you can rollback the VM and send a nasty note to the Skype developers.

So that they can reply that they don’t care.

revolution wrote:
If a newer version of Skype has all sorts of objectionable telemetry then you can keep your older version and avoid such user hostile behaviour. Or if you are forced to use the newer version for some reason then use a hex editor and remove the more nasty bits to make it more acceptable.

I’m looking forward to seeing this. Have you already added the feature that allows saving a game to the Windows Minesweeper?

revolution wrote:
But the "real" solution here is to not use such apps that give you no control or choice. There are many alternatives to Skype. Why do you feel compelled to use it?

Replacing Skype with Slype or Ukype doesn’t change anything. You’re still forced to update in order to use the program.

revolution wrote:
And you still haven't mentioned how I can fix the "root" cause?

The same way you do it for any other application. JS doesn’t add anything here. Having a website deliver you something unwanted but intended by its owner is exactly the same as downloading and installing a bad application. The other case, when the website delivers something unwanted and UNintended, is the case of a website being hacked, so we fall back to the first case just with a different owner now.

And please, don’t tell us fairytales about how you manually unpack and completely analyze every piece of code inside every installer before running it (especially web-installers that are kind of fashion (really terrible!) these days), and then do the same for every executable it has installed.

Opening a webpage is running the application. The code on the other side has already executed. Your web browser has calculated, by means of CSS, which URL to use to download a picture and thus leaked your privacy long before JS even got loaded. Blame the bad guy, not his stomach.
Post 31 May 2019, 22:30
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16699
Location: In your JS exploiting you and your system
The other difference is that we are more circumspect of things we deliberately install. The advice is to always be vigilant about things we install. So all the unnecessary nonsense that websites try to force upon us is ignored and we can select what devil we wish to invite into our systems. So we get less crap and a smaller attack surface to monitor. We can't eliminate everything, but we should at least try, instead of saying "JS is bad but so are other things so therefore JS can do whatever it wants and we don't care".

I care about websites having carte blanche to do whatever they please. That is just wrong. If I fuck up and install some bad app, then so be it, at least I tried. And at least I will have stopped a lot of other stuff before it had a chance to run.
Post 31 May 2019, 22:45
Furs



Joined: 04 Mar 2016
Posts: 1424
FWIW, I sandbox every single application that has access to the internet. In fact, applications that are not sandboxed don't even have access to the internet, they're blocked by the firewall.

When I do some administrative stuff and need internet for it (e.g. updating the system) I just disable that part of the firewall, temporarily, usually with no apps running except the bare minimum to update.

I also treat a web browser with javascript on (not blocked) as unsafe so I sandbox it separately, just as I would with any other app that has access to the internet. The difference is, I consider javascript far safer because it's not native code...

You can't inspect what javascript does because it gets pulled from the internet, but neither can you from a client app, it can pull off any code it wants as well (and they do, since most "desktop clients" are just browser shells these days!).

Just stop trusting applications that have access to the internet.
Post 01 Jun 2019, 11:44
DimonSoft



Joined: 03 Mar 2010
Posts: 552
Location: Belarus
revolution wrote:
I care about websites having carte blanche to do whatever they please.

You keep insisting on this “whatever” part which is just not true. Which renders further discussion useless.
Post 02 Jun 2019, 00:44
bitRAKE



Joined: 21 Jul 2003
Posts: 2791
Location: dank orb
Virtual machines are completely safe because they are isolated, right?
https://lists.xen.org/archives/html/xen-announce/2012-06/msg00001.html
(There is much more detailed information, but I couldn't find a link NOT using JS.)

My point isn't JS is safe. My point is that native code is on the same playing field as JS. The sense of control one feels is an illusion when some threshold of complexity is passed. Experience has shown this complexity threshold is very low.

_________________
¯\(°_o)/¯ unlicense.org
Post 04 Jun 2019, 20:40
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16699
Location: In your JS exploiting you and your system
The difference is still not mentioned. With a VM the user decides when new code is allowed to run by installing a new version. A version that comes from a trusted source, probably with SHA hashes, and a well known publisher. Probably on a schedule of not more than a few times per year, or maybe never updating.

With JS a remote website decides when new code is run. Code from sources even the website owner doesn't know (see the previous link I gave). And from sources not vetted or approved by the user. On a schedule of every page visit. New "exciting features" delivered to you every time you visit.

Someone with a native app in a VM only cares about a few apps total, from a few devs, doing limited and wanted functions. A firewall policy can catch a lot of bad behaviour, and the user can talk to the dev about any concerns.

With JS who do you talk to? How do you filter at the firewall a browser that goes to so many different domains? How would you limit it to actions only the user desires?
Post 04 Jun 2019, 20:58
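
An added example, not part of the thread and not any poster's code: the "SHA hashes" check mentioned above for installed software, applied to scripts that arrive on each page load. It computes the digest format browsers accept in a script tag's `integrity` attribute and reports which scripts changed or were never reviewed; the URLs, script bodies and the helper names `integrityOf`, `pinnedScriptTag` and `auditPageLoad` are constructed for illustration.

```javascript
// Added illustration (not from the thread): pin reviewed scripts by hash and
// flag any page load that delivers different or unreviewed code.
const { createHash } = require('crypto');

// Digest string in the Subresource Integrity format:
// "sha384-" + base64(SHA-384(script bytes)).
function integrityOf(body) {
  return 'sha384-' + createHash('sha384').update(body).digest('base64');
}

// A site owner can pin third-party code the same way: a browser that
// supports the integrity attribute refuses a script whose bytes do not match.
function pinnedScriptTag(url, body) {
  return `<script src="${url}" integrity="${integrityOf(body)}" ` +
         'crossorigin="anonymous"></script>';
}

// Constructed sample: script bodies reviewed and pinned on an earlier visit.
const reviewed = {
  'https://app.example/static/chat.js': 'function send(m){ socket.write(m); }',
  'https://cdn.example/lib/widgets.js': 'function draw(w){ w.render(); }',
};
const pins = new Map(
  Object.entries(reviewed).map(([url, body]) => [url, integrityOf(body)])
);

// Sort every script of one page load into ok / changed / unreviewed.
function auditPageLoad(delivered, pinList) {
  const report = { ok: [], changed: [], unreviewed: [] };
  for (const [url, body] of Object.entries(delivered)) {
    const pinned = pinList.get(url);
    if (pinned === undefined) {
      report.unreviewed.push(url);      // new origin or file, never vetted
    } else if (pinned === integrityOf(body)) {
      report.ok.push(url);              // byte-identical to the reviewed copy
    } else {
      report.changed.push(url);         // same URL, different code this load
    }
  }
  return report;
}

// Constructed sample: a later visit where one script changed and one is new.
const laterVisit = {
  'https://app.example/static/chat.js': 'function send(m){ socket.write(m); }',
  'https://cdn.example/lib/widgets.js': 'function draw(w){ w.render(); beacon(w); }',
  'https://ads.example/t.js': 'track();',
};

const result = auditPageLoad(laterVisit, pins);
console.log(result);
console.log(pinnedScriptTag('https://cdn.example/lib/widgets.js',
                            reviewed['https://cdn.example/lib/widgets.js']));
```
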
Furs



Joined: 04 Mar 2016
Posts: 1424
revolution wrote:
The difference is still not mentioned. With a VM the user decides when new code is allowed to run by installing a new version.

Again, web applications. Javascript is, by definition, used for stuff that pulls updates automatically with no choice on your part. Using a desktop client that's really just a browser shell to begin with is not going to make a difference, in fact it's even worse.

Stop comparing Javascript with offline apps. I do agree that it is overused on websites which is why it's good to have it disabled by default, and you enable it only on the web applications you actually need. It's not perfectly safe but it's better than nothing.
Post 05 Jun 2019, 11:15
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16699
Location: In your JS exploiting you and your system
What you say about an installed app simply being yet another browser in disguise might be true for Skype. Stop using it if you can't trust it. That is why we scrutinise the apps before running. At least with apps we deliberately decide to install we get the opportunity to scrutinise them first and know what we are getting in to. We have more options to monitor them. We have more control over what we permit access to through the VM.
Post 05 Jun 2019, 13:38
Furs



Joined: 04 Mar 2016
Posts: 1424
Yeah, and you can do the same with Javascript. If you don't trust the web app/site, don't enable JS. Wink (if the site doesn't work without JS, then it's like trying to connect to a proprietary thing using a proprietary app; if you want to use it, you have to risk it)
Post 07 Jun 2019, 16:15

Copyright © 1999-2019, Tomasz Grysztar.
