flat assembler
Message board for the users of flat assembler.

Index > Heap > Why we should always disable JS, Wasm and Flash

Goto page Previous  1, 2, 3 ... 22, 23, 24, 25, 26  Next
Author
Thread Post new topic Reply to topic
guignol



Joined: 06 Dec 2008
Posts: 725
guignol
btw, revō, where's that cool browser writ in fasm?
Post 30 Dec 2019, 09:43
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7755
Location: Kraków, Poland
Tomasz Grysztar
Post 19 Feb 2020, 15:46
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 9002
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
gotta quit internet Very Happy , everybody got a mouse moving picture now, unless you move using tab
Post 19 Feb 2020, 16:32
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17474
Location: In your JS exploiting you and your system
revolution
Image tagging has been known for a long time. Those ETag values can be used as pseudo tracking cookies. The consequence of which is if you enable image caching then you have also enabled sites to track you with ETags. The solution it to disable images (or only whitelist images in sites you care about). And if you have done that then CSS :hover images will also be neutered.
Post 19 Feb 2020, 17:05
View user's profile Send private message Visit poster's website Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7755
Location: Kraków, Poland
Tomasz Grysztar
revolution wrote:
The solution it to disable images (or only whitelist images in sites you care about). And if you have done that then CSS :hover images will also be neutered.
What about other kinds of resources that CSS can access? Like fonts, cursors, etc.
Post 19 Feb 2020, 17:13
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17474
Location: In your JS exploiting you and your system
revolution
Tomasz Grysztar wrote:
What about other kinds of resources that CSS can access? Like fonts, cursors, etc.
Those could be interesting vectors also.

For me personally I always used my own font. FF allows us to select a local font and ignore anything the site wants to give us.

I wasn't aware that sites could also set custom cursors.
Post 19 Feb 2020, 17:20
View user's profile Send private message Visit poster's website Reply with quote
DimonSoft



Joined: 03 Mar 2010
Posts: 774
Location: Belarus
DimonSoft
revolution wrote:
Image tagging has been known for a long time. Those ETag values can be used as pseudo tracking cookies. The consequence of which is if you enable image caching then you have also enabled sites to track you with ETags. The solution it to disable images (or only whitelist images in sites you care about). And if you have done that then CSS :hover images will also be neutered.

But it’s CSS that gives access to this stuff! Why should we disable JS that gives access to certain things but not CSS?

---

It’s funny how people moved to looking for stuff that uses optimization effects. I doubt effects of optimization should be treated as security vulnerabilities but… Meltdown/Spectre, this stuff. I’m looking forward to measuring CPU temperature to find out whether particular branch executes or not.
Post 20 Feb 2020, 08:18
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 9002
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
You Won't Believe what this One Line Change Did to the Chrome Sandbox
https://googleprojectzero.blogspot.com/2020/04/you-wont-believe-what-this-one-line.html

https://www.forbes.com/sites/gordonkelly/2020/04/23/google-chrome-critical-security-exploit-windows-10-upgrade-warning-update-chrome-browser/

Quote:
It's important to point out that other Chromium-based browsers suffer the same risk (Opera, Brave, Microsoft's new Edge browser), and that means you may tempted to quit Windows 10 if you are more wedded to your browser than your operating system.
Post 26 Apr 2020, 08:24
View user's profile Send private message Reply with quote
Tomasz Grysztar



Joined: 16 Jun 2003
Posts: 7755
Location: Kraków, Poland
Tomasz Grysztar
https://twitter.com/geekygirlsarah/status/1260409688413306882?s=20

The irony is that you may not be able to read it without JS enabled, so here's a transcript:
Sarah Withee (@geekygirlsarah) wrote:
I've been using NoScript, a browser extension that disables all JavaScript and lets you enable them on a server-by-server basis. Let me tell you about what I've learned and how broken the internet experience has been since doing this a few weeks ago.

First, right off the bat sites seem to fall into 3 categories:

- Blank white screens (45%)
- Sites with some things but most content doesn't load (50%)
- Sites that still mostly work (extremely rare, maybe 4%)
- Sites that fully work (less than 1%)

Second, I almost always tell a site their own JS is "trusted". That usually allows a page to mostly work, content to fill in,etc.

Next things to break are:
- Login forms
- Contact forms
- Basic button/link interactions

These should work from basic HTML but don't anymore

Third, the vast majority of sites anymore have 5 or more outside (third-party) servers that have JavaScript loading things on them. These seem to be:

- Ad networks
- Analytics
- Debuggers
- Trackers
- Legit services site needs

Fourth, obviously Google dominates the web. It's easy to block google-analytics .com & such. What's harder is things like ReCaptcha, since it loads off of google .com, among other services people use often. The newer versions of that track your movements/clicks all over.

And now we're at a point where it's harder to even just log in to a service without having to also fill out a Google ReCaptcha form. Two issues with this:
- You have to agree to Google's Privacy Policy (despite you not using their service)
- You can't opt out

Fifth, with logging in, they often break. Your data isn't submitted with forms anymore, you have a dead form submitted with JS. The good ones work if you reenable the site's JS. The bad ones work only if you reenable all JS because they pass your login around so much.

Sixth, there's fun things where text boxes don't store their own text anymore. Like I can type in things but the Submit button doesn't turn on because it hasn't realized text was in. JS logs keystrokes to store in variables then fills text box. No JS, no logging...what?!?

Seventh, other fun misadventures happen. For example, I'm locked out of a Microsoft account. Why? Because by the time I figured out all the JS entries to enable from going from visualstudio.com->microsoftonline.com->live.com->microsoft.com->etc., I look like a hacker.

I'm sure there's other things I'm forgetting.

I'm not anti-JavaScript, I'm anti-everything-through-JS. Why? It breaks basic functionality of the web. I can't disable trackers. I can't protect my privacy. And most of all, even things like typing and buttons just quit.

Can we please stop doing ridiculous nonsense with websites that don't need it? You don't need JS to make a button press or JS to make a link work or JS to type text or JS to load all content on a page or... just no.

Developers, stop breaking the web, please.

To end this... I may have to remove this extension in the end and just block more through ublock because the internet is becoming literally more and more unusable and privacy-invading and I hate it.
Post 14 May 2020, 15:13
View user's profile Send private message Visit poster's website Reply with quote
Ali.Z



Joined: 08 Jan 2018
Posts: 361
Ali.Z
what Sarah Withee said is true, and the internet is doomed; from my personal experience only few 5+/- sites that fully work without JS, and i always prefer to have my needs available offline instead of going online.

_________________
Asm For Wise Humans
Post 14 May 2020, 19:04
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17474
Location: In your JS exploiting you and your system
revolution
I don't understand this habit:
Quote:
Second, I almost always tell a site their own JS is "trusted".
It is unaudited and unauditable. Why trust it so blindly? Just because it is delivered first party doesn't make it safe or safer.
Post 15 May 2020, 05:41
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 9002
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
revolution wrote:
I don't understand this habit:
Quote:
Second, I almost always tell a site their own JS is "trusted".
It is unaudited and unauditable. Why trust it so blindly? Just because it is delivered first party doesn't make it safe or safer.


there are just millions thing we interacted with, is unaudited, and almost impossible to audit,

from the keyboard i am using now, mouse, cpu, motherboard, lcd screen, phone, power plug, wireless usb, speaker, external connector, etc

mcd food, kfc, cakes, juice, even the house we staying,

this behaviour is our habit, we never audit,
Post 15 May 2020, 07:29
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17474
Location: In your JS exploiting you and your system
revolution
My comment was more related to the arbitrary decision that first party JS is somehow trustable, and third party JS isn't. The author has made some judgement about it, but doesn't back it up with any reasoning.

If you are concerned about JS then why carve out an exception for first party JS? I don't see any discussion about how someone decides that.
Post 15 May 2020, 11:10
View user's profile Send private message Visit poster's website Reply with quote
Furs



Joined: 04 Mar 2016
Posts: 1494
Furs
revolution wrote:
My comment was more related to the arbitrary decision that first party JS is somehow trustable, and third party JS isn't. The author has made some judgement about it, but doesn't back it up with any reasoning.

If you are concerned about JS then why carve out an exception for first party JS? I don't see any discussion about how someone decides that.
Because the site doesn't work without it? Obviously the first thing you do when it doesn't work (or is completely white) is to "trust" its javascript.
Post 15 May 2020, 14:15
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17474
Location: In your JS exploiting you and your system
revolution
Furs wrote:
Because the site doesn't work without it? Obviously the first thing you do when it doesn't work (or is completely white) is to "trust" its javascript.
I want to turn on the light without putting my hand into the blender. But the light won't turn on if the blender is off. And I want to turn on the light damn it! So, WTF, I'll just turn on the blender and put my hand in. Nothing could possibly go wrong.
Post 15 May 2020, 15:19
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 9002
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
if you are using chrome, firefox, etc with ublock origin, noscript, ghostery extension or etc extensions,

and the website doesn't function, no show, no load, etc

the next plausible action

is to temporarily disable all your extensions,

or

changing your block setting to trust website scripts,
Post 16 May 2020, 04:19
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17474
Location: In your JS exploiting you and your system
revolution
sleepsleep wrote:
if you are using chrome, firefox, etc with ublock origin, noscript, ghostery extension or etc extensions,

and the website doesn't function, no show, no load, etc

the next plausible action

is to temporarily disable all your extensions,

or

changing your block setting to trust website scripts,
Or just don't bother with that website.

Why is it so important to get that one page to work?

There are almost certainly plenty of other websites that can deliver your needed content without requiring you to put your hand in the blender.
Post 16 May 2020, 04:27
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 9002
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
well, the internet www doesn't work this way,

from government website, banking services, etc services that deal with your physical stuffs, your identity, be it form submission, company forum that you need to submit attachments and queries, and more,

we don't get alternative when dealing with such websites,

for other news website, or etc non essential that trying to enforce their js, we certainly can proceed to next website,

but isn't what i wrote is something common sense?
Post 16 May 2020, 05:04
View user's profile Send private message Reply with quote
sts-q



Joined: 29 Nov 2018
Posts: 32
sts-q
Microsoft takes great effort in order to make pupils get used to Microsoft software, preferably so far, that they and their parents and teacher can not imagine there is a world beyond.

What is is influence of Google on new web developers?
Post 16 May 2020, 08:09
View user's profile Send private message Visit poster's website Reply with quote
sleepsleep



Joined: 05 Oct 2006
Posts: 9002
Location: ˛                             ⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣⁣Posts: 334455
sleepsleep
sts-q wrote:

Microsoft takes great effort in order to make pupils get used to Microsoft software, preferably so far, that they and their parents and teacher can not imagine there is a world beyond.

monies for marketing purpose, total brainwash everyday

sts-q wrote:

What is is influence of Google on new web developers?

Google almost control all the standard, even microsoft concede defeat, changing their edge to base on chromium
Post 16 May 2020, 17:07
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2, 3 ... 22, 23, 24, 25, 26  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.