flat assembler
Message board for the users of flat assembler.

Why we should always disable JS (and flash)
DimonSoft
Joined: 03 Mar 2010
Posts: 572
Location: Belarus
Taking a single word and trying to apply its meaning out of context definitely does the trick of going off-topic. You can replace “trust” with any synonym you wish (I’m not a native speaker so might have chosen a bad one) but the concept stays the same: if you choose to use something you implicitly agree to be subject to all the good and bad consequences. If you’re not OK with that, you’d better stop using that. It’s quite funny to complain about the shop near your house selling expired food but keep buying it.
Post 07 Sep 2019, 05:56
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 16782
Location: In your JS exploiting you and your system
We don't have to trust every part of something. Just because we decide to visit a website doesn't mean we will trust everything it gives us. And we shouldn't simply trust something unseen and unknown. We can perhaps trust the text, and the images, but deny JS. Or for those that don't trust their browser to deal with malformed images we might decide to only trust the text. Or some other combination. There is no requirement to trust it all, or trust nothing. There are positions in between the two ends of the spectrum.

If I see a hole in the ground and am curious to find out what is inside, I wouldn't simply dive in without any care and see what happens. A bear might eat me, or a snake might bite me, or I might find the answer to immortality. I can't predict ahead of time which it might be. So I go there with caution.

But for some reason we are expected to simply allow any and all websites to do whatever they please and never question it, or even consider it might be harmful. But so many of the links I have shown in this thread tell us otherwise, we can't trust random websites to be all good and honest. There are plenty of scumbags out there very willing to take advantage of those that won't show caution.
Post 07 Sep 2019, 07:15
DimonSoft
Joined: 03 Mar 2010
Posts: 572
Location: Belarus
revolution wrote:
We don't have to trust every part of something. Just because we decide to visit a website doesn't mean we will trust everything it gives us. And we shouldn't simply trust something unseen and unknown. We can perhaps trust the text, and the images, but deny JS. Or for those that don't trust their browser to deal with malformed images we might decide to only trust the text. Or some other combination. There is no requirement to trust it all, or trust nothing. There are positions in between the two ends of the spectrum.

But JavaScript code IS text. Text that specifies what a browser should do. Just like HTML. Just like SVG images. Just like CSS. In each of these cases instructions live in a very limited virtual environment. The only difference for JS is that it provides instructions in an imperative way while the rest use a declarative one. But neither causes vulnerabilities itself.

So, why do you trust your browser to be able to process and sandbox correctly some texts but not others?

revolution wrote:
If I see a hole in the ground and am curious to find out what is inside, I wouldn't simply dive in without any care and see what happens. A bear might eat me, or a snake might bite me, or I might find the answer to immortality. I can't predict ahead of time which it might be. So I go there with caution.

Run your web browser in a virtual machine and go for a walk in a large hamster ball, no problem. But wait, then you have to trust your VM to be able to process and sandbox correctly a large amount of native code that you don’t believe to be reliable. Oops!

revolution wrote:
But for some reason we are expected to simply allow any and all websites to do whatever they please and never question it, or even consider it might be harmful.

Lie! Webpage JS is limited to the environment that includes DOM and BOM. It can’t do whatever it “wishes”. It doesn’t even do anything by itself since it’s just a text that has no real meaning to hardware.

revolution wrote:
But so many of the links I have shown in this thread tell us otherwise, we can't trust random websites to be all good and honest. There are plenty of scumbags out there very willing to take advantage of those that won't show caution.

Choosing only JS-based attacks on browser implementations and then blaming only JS. What a beautiful (no) manipulation!

As soon as you stop filtering the information it will become obvious that JS is just the particular bus that took the attacker to the crime scene. There’re lots of buses out there and many of them have the same number and route. Breaking one doesn’t prevent the attacker from taking another or even calling a taxi.
Post 07 Sep 2019, 16:51
Copyright © 1999-2019, Tomasz Grysztar.