flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

DimonSoft



Joined: 03 Mar 2010
Posts: 451
Location: Belarus
revolution wrote:
So once again a site is hacked and has rogue JS code inserted to clickjack your CC details. You can't fix this by "improving" the JS parser because this is precisely what JS is supposed to do; i.e. run arbitrary code delivered to you from random websites.

https://thehackernews.com/2018/09/newegg-credit-card-hack.html
Quote:
Magecart hackers used what researchers called a digital credit card skimmer, wherein they inserted a few lines of malicious JavaScript code into the checkout page of the Newegg website that captured payment information of customers making purchases on the site and then sent it to a remote server.

You can fix this by applying the fix to where the real problem lies: to the backend. It’s funny, while being afraid of paparazzi, to fix the doors in your bathroom by replacing them with a wall, but taking a shower in the kitchen has even more problems, and the bigger problem is still the broken window that you forgot to close.
Post 24 Sep 2018, 10:57
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16128
Location: Hyperborea
We, the user, have no control over the backend of a random website. Sure, it would be great if every website could guarantee us that their systems are 100% secure, but unfortunately shit happens.
Post 24 Sep 2018, 12:17
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16128
Location: Hyperborea
https://motherboard.vice.com/en_us/article/zm9jd4/old-school-sniffing-attacks-can-still-reveal-your-browsing-history

Hmm, I wonder how it works? Let's have a look into the article ... Ah, here it is:
Quote:
By embedding a special script in a web page ...
You guessed it, scripting is the culprit again.
Post 04 Nov 2018, 16:10
DimonSoft



Joined: 03 Mar 2010
Posts: 451
Location: Belarus
revolution wrote:
https://motherboard.vice.com/en_us/article/zm9jd4/old-school-sniffing-attacks-can-still-reveal-your-browsing-history

Hmm, I wonder how it works? Let's have a look into the article ... Ah, here it is:
Quote:
By embedding a special script in a web page ...
You guessed it, scripting is the culprit again.

And if we open the real article that you’ve decided to hide by linking to some bla-bla piece of text instead, we’ll see what’s going on here.

The “attack” only allows you to get an answer to the question “Did the user visit this particular URL?” Now, well, it shows like a thousand ways to do that by using stupid CSS3 features from 2020 which should not be there anyway. And all that is just to be able to think of a URL and tell “Well, he visited google.com”. Good boy, have your cookie, it was really worth doing all these clever tricks to get a positive answer.

Well, it could have worked to brute-force your passwords. Passed via the GET method. But let’s play fairly: if you use services which pass their sensitive information via the GET method you’ve already lost even before JavaScript had been created. Having your search history revealed by brute-forcing possible queries is not interesting by any means: even if you know my browser has ever opened a page for a particular query, you can tell nothing about me, since that could be some other person, it could have been opened by accidentally clicking on a wrong link, etc. You don’t put your passwords and PIN codes in the search query, I hope?

The only interesting part there is measuring the time it takes to open a particular page. But you don’t even need JS for that: you can as well measure the time between when the page is requested and when the embedded <video> starts loading. Do it all from your rogue server. Just put the link you want to check as the href to a CSS file or favicon: that should be enough to tell the difference. At least with the precision of the Meltdown attack: plus or minus a few elephants.

JavaScript is crap, nobody argues. But let’s avoid blaming it for things that are not its fault and linking to shitturity (not security) articles.
Post 04 Nov 2018, 19:28
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16128
Location: Hyperborea
My thinking is that it is just plainly wrong to allow a remote third party to use my CPU and computer resources against me. JS is one easy way for people with bad intentions to easily do damage and harm. And there is no easy way to verify that a website has not been compromised; even one's own website might be delivering rogue JS code because some bad actor compromised the server.

And if later CSS3 turns out to enable the same type of remote malware then I will also be against the usage of CSS3.

The "big boys" seem to think it is okay to just grab whatever data they want without regard for the little people's privacy. Even the major browser vendors have removed all the easy GUI interfaces to turn off JS because they claim it is "safe".

As an aside, I don't use a smart phone either for similar reasons. Every* app just wants to collect data without asking and spy on everything the user does.

* Yeah, of course not every app. But most of them. How does whatsapp make money when they charge nothing for the app and have no advertising? Hmm ... seems very suspicious to me.
Post 05 Nov 2018, 19:06
DimonSoft



Joined: 03 Mar 2010
Posts: 451
Location: Belarus
Well, I use a smartphone. One with Symbian 9.4 in it, AFAIR. Any connection to the Internet by any application requires that you see a system-defined window to select your preferred way of communication. So, if you use an application that is not a browser you just know what to do if an app asks for the Internet. Doesn’t work with Android though.

As for spying, I’m sure we all require a global change in minds. As soon as all people understand that ads should never-never-never be (never!) clicked (never! never!) no matter (never! never! never!) how cool (you hear? never!) it is, the developers of ad platforms will just lose the ability to earn the cost of developing the platform. The whole idea of writing ad delivery software pieces should be considered globally as bad as selling narcotic drugs to children. Until we have it this way, we’ll lose the war anyway.
Post 05 Nov 2018, 19:46
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16128
Location: Hyperborea
I'm actually okay with ads, but I'm not okay with ads that use JS, or ads that drop cookies. Cookies are easy to deal with, just refuse them, problem solved. Use a whitelist for sites like flatassembler that keep the user and login details. Everyone else just has to deal with no cookies from me. The evercookies that many people find difficult to delete are easily solved by, you guessed it, having no JS.

I do stop ads from being animated. Having no JS eliminates almost all animations these days, and turning off gif animations, and disabling video auto-play, in the browser stops the remainder. If there is some gif or vid that I actually want to view then I download it and view it outside the browser.
Post 05 Nov 2018, 20:03
DimonSoft



Joined: 03 Mar 2010
Posts: 451
Location: Belarus
So, you’re okay with spending your time and bandwidth on downloading terrific amounts of useless information, it just shouldn’t have JS/animations in it? With no intention to offend you, but isn’t that the equivalent of “Feel free to sh&t on me, it just shouldn’t be liquid”?

No, really, you put quite a lot of effort into setting your environment properly and maintaining the setup but still sometimes feel the smell. And then you go outside and use some public or another person’s computer where the Bristol scale substance is everywhere and all the efforts become useless.

Just like that substance should only be in the toilet, ads should only be where users explicitly ask for them. Oh, well, sometimes a bird may drop some while flying by (hidden ads in TV shows) but not more than that. Otherwise we’ll be clearing our personal world with trickier tools and they will invent trickier means to deliver ads.

IMNSHO.

BTW, do CSS animations count?
Post 06 Nov 2018, 06:15
guignol



Joined: 06 Dec 2008
Posts: 283
Who cares about Bristol?!
What's it anyway?


Last edited by guignol on 06 Nov 2018, 08:12; edited 1 time in total
Post 06 Nov 2018, 06:41
guignol



Joined: 06 Dec 2008
Posts: 283
And what kind of revolution is that without his/her own OS?
Post 06 Nov 2018, 06:51
sleepsleep



Joined: 05 Oct 2006
Posts: 7787
Isn't it so that all the pixels on screen are animated? Those who have sharp eyes can actually see the pixels' refresh frequency; they blink, those dots.
Post 06 Nov 2018, 07:16
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 16128
Location: Hyperborea
Ads help to pay for the websites we view. Otherwise an alternative like micropayments, or JS to mine for bitcoins are worse solutions IMO. At some point the website owners would like to eat so we can't practically eliminate all ads. But those ads have to be well behaved, which I enforce by my setup. If a site has more ads than useful content then I just don't go back there. If the ratio of ads-to-content is small and not trying to be in-my-face then I don't mind too much.

I already save a few hundred kB of data bandwidth by not downloading all those JS frameworks/libraries. So replacing that with a few tens of kB for a JPG/PNG image seems like a reasonable trade-off.
Post 06 Nov 2018, 10:17
DimonSoft



Joined: 03 Mar 2010
Posts: 451
Location: Belarus
revolution wrote:
Ads help to pay for the websites we view. Otherwise an alternative like micropayments, or JS to mine for bitcoins are worse solutions IMO. At some point the website owners would like to eat so we can't practically eliminate all ads. But those ads have to be well behaved, which I enforce by my setup. If a site has more ads than useful content then I just don't go back there. If the ratio of ads-to-content is small and not trying to be in-my-face then I don't mind too much.

Let’s imagine ads are considered evil by everyone in the whole world. I think that would be a good thing. Websites without actual content die before being created. Websites that are created only for the purpose of earning money die within a short period of time. The only websites that can survive are two groups:
* websites that are used as portfolios and/or online stores—places for the only purpose of selling owner’s products, like, say, Microsoft puts its software and documentation, an individual developer puts his/her programs, etc.;
* websites for which their owners are willing to pay despite earning nothing in return (except, maybe, respect for being experts in the topics of their websites)—like home pages and private blogs.

Maybe some aggregators also, for the purpose of making it easier to find what you need. A lot of junk information disappears, search engines have thousands of times less information for indexing, etc.
Post 06 Nov 2018, 18:57

Copyright © 1999-2018, Tomasz Grysztar.

Powered by rwasa.