flat assembler
Message board for the users of flat assembler.
flat assembler > Heap > Why we should always disable JS (and flash)

revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua

l_inc wrote:

revolution wrote:
the required registration lie


Here is a bit of information on that.

And it is still a lie even on that very page discussing it.

Quote:
It's 100% free, no registration required to browse or to post answers.

And right at the bottom:

Quote:
You must log in to answer this question.

So no registration is required ... unless you actually want to use the website.

Also, I still don't see any evidence of the need to server-push there. Once again ignoring the required registration lies, the site appears to be usable without JS, and anything extra would be enhancements, which is the "proper" way to use JS IMO.
Post 07 Apr 2015, 23:32
JohnFound



Joined: 16 Jun 2003
Posts: 3459
Location: Bulgaria
@revolution - I have a proposal for you. As long as you have a fairly clear opinion about web browsers and JS, and in accordance with this post of mine, what do you think about starting a project for the best asm web browser ever made? Supporting full HTML and CSS and without any JS? (But I will advocate for some different technique for server push Smile )

IMHO, instead of just making idle talk, you can make a great achievement! From my side, I can promise to remove all possible JS dependencies in Fresh IDE web site and even from the fossil repository. Smile
Post 08 Apr 2015, 05:58
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
I think that making a new browser would be an excellent project. But without the server push thing because so far no one has been able to show any website that needs it. And getting a new standard through is probably the most difficult part of all. Plus, convincing all those fluff and advertising sites to be more respectful and less annoying might prove impossible. :p

But I already have a browser without JS so the reason as stated for making a new browser might not be the best. A better reason IMO would be to rid ourselves of all the current browser wars nonsense; where they concentrate more upon keeping up with the other guys' useless "features" instead of fixing bugs and making it more stable and crash less.
Post 08 Apr 2015, 06:22
redsock



Joined: 09 Oct 2009
Posts: 265
Location: Australia
Just chiming in here, revolution, I can give you one specific example of why JS is a decent thing to have around:

Back in the olden days, everything that you couldn't display as a non-interactive PDF you were forced to download, install, and trust the so-called developers of same. Having been through the code of Spidermonkey myself, and that of Google's V8, their "sandbox" attempts (and succeeds) to nullify the "rogue JS ruining your machine". That cannot of course be said of all things VB/Microsoft.

Anyway, I was commissioned to do several online casino projects over the years, and rather than force all of the clients to install ready-made applications (regardless of certification), it is _damn nice_ to be able to, via JS + Ajax, render HTML5 goods without forcing a user to download and install application code.

While I appreciate wholeheartedly your sentiment for refusing to allow/accept JS, there _are_ places it belongs and most come from turning what would have otherwise been a non-interactive PDF document (or whatever the equivalent thereof) into an interactive one, and I can show you countless code examples of not only how this is a useful thing, but how you should be happy about the sandboxing strategies that all of the major browser vendors have taken.

(NOTE: I am _not_ evangelising JS here, just pointing out that "Rich Internet Applications" needn't involve a _download and install_ of some application code.)

Smile Smile
Post 08 Apr 2015, 06:31
JohnFound



Joined: 16 Jun 2003
Posts: 3459
Location: Bulgaria
@revolution: So, you said "yes", right? Great! Please, point us to the web site of the project, when ready. BTW, I can donate a sub domain of "asm32.info" for the needs of the project (and hosting of course).
Post 08 Apr 2015, 06:49
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
redsock: I think that downloading applications is actually a better method than trusting a generic browser with JS. The reason being that applications can be audited and checked, whereas JS can't be audited. Every time you visit a webpage you might get new JS code. That JS code could come from the website owner, or a hacker, or the NSA, or your ISP, or your employer, or someone at the table next to you at the cafe. The trust model is all wrong.

I agree that download-and-install is terrible, but only because of the silly need to install that seems to have permeated all applications. Download and audit is good, not bad, and puts the trust at the right point. If there is some new update later with "awesome new features" then one can choose to update or not as the needs dictate.
Post 08 Apr 2015, 06:58
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua

JohnFound wrote:
@revolution: So, you said "yes", right? Great! Please, point us to the web site of the project, when ready. BTW, I can donate a sub domain of "asm32.info" for the needs of the project (and hosting of course).

Haha, nice try. I don't have any spare time for anything like that. I can't even get started on the ARMv8 yet and that would be less work. Sad
Post 08 Apr 2015, 07:00
JohnFound



Joined: 16 Jun 2003
Posts: 3459
Location: Bulgaria

revolution wrote:
Haha, nice try. I don't have any spare time for anything like that. I can't even get started on the ARMv8 yet and that would be less work. Sad



Come on, I don't have any spare time either. I am working at my job, then taking care of my paralyzed father, of my family (with teenage daughter!), working on a home renovation, my assembly projects and still trying to sleep at least 5..6 hours every day. Smile

_________________
Tox ID: 48C0321ADDB2FE5F644BB5E3D58B0D58C35E5BCBC81D7CD333633FEDF1047914A534256478D9
Post 08 Apr 2015, 07:14
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua

JohnFound wrote:
... (with teenage daughter!) ...

Enough said. I surrender.
Post 08 Apr 2015, 07:45
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
Post 28 Apr 2015, 22:34
typedef



Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000
I consider CSS as scripting.
Post 29 Apr 2015, 00:37
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua

typedef wrote:
I consider CSS as scripting.

Do you mean Cross Site Scripting or Cascading Style Sheets?
Post 29 Apr 2015, 01:07
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
A good description of JSF**k:
http://blog.checkpoint.com/2016/02/02/ebay-platform-exposed-to-severe-vulnerability/

Just another reason to turn off JS. Websites (and email of course) cannot be trusted. There are too many places they can be compromised or spoofed.
Post 29 Feb 2016, 11:59
TmX



Joined: 02 Mar 2006
Posts: 790
Location: Jakarta, Indonesia
Without ignoring those security-related issues, I wonder how feasible it is to develop web apps without JS nowadays?

Let's say an HTML5+CSS only online spreadsheet. Hmm
Confused
Post 01 Mar 2016, 02:35
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
Is there really a need to put active spreadsheets online? Or is it just new and trendy so everyone wants to do it.
Post 01 Mar 2016, 03:24
TmX



Joined: 02 Mar 2006
Posts: 790
Location: Jakarta, Indonesia
Well, that's just one of the examples. Most of the time, every time I need to build fancy UI, JS is involved (jQuery etc)

Razz
Post 01 Mar 2016, 03:55
rugxulo



Joined: 09 Aug 2005
Posts: 2124
Location: Usono (aka, USA)

revolution wrote:
Just another reason to turn off JS. Websites (and email of course) cannot be trusted. There are too many places they can be compromised or spoofed.


Does email spoofing really happen a lot??

There's one extremely cantankerous man who has annoyed me (and others) to no end. I have often wondered if he was (sometimes?) spoofed by someone else since his responses were so absurdly aggravating. Though he's pretty consistently been horrible (more or less) for several years. In the end I decided that he was just annoying and had health issues. It's just the easiest answer, without any proof otherwise. (I've also wondered if someone spoofed me to him, perhaps pissing him off unfairly, but I've also seen no real-world indication of that either.)

Although unrelated, I do remember one particular email spoof (of someone else) a few years ago:

https://sourceforge.net/p/freedos/mailman/message/27698444/

Somewhat insane. The urge to insult was too strong, but they couldn't be bothered to actually subscribe to the mailing list, even though there is no forced requirement to publish a real name. But I guess even using a real email was too personal or too much work for that freak.

Normal, boring, technical discussions don't have quite the risk of being controversial (or political), so it's rare that anyone even has any emotions at all. But I guess in the real (crazy) world, nothing is sacred.

Anyways, Gmail is now rolling out some new features about this, so I guess it's way more common than I thought.

Post 02 Mar 2016, 02:43
Furs



Joined: 04 Mar 2016
Posts: 861
Or just sandbox the browser yourself and use as much JS as you want (as long as you understand the compromise, so if you went to a site and don't want to be tracked, empty the sandbox and then go to it).

First have a base profile for yourself. It's surprising how few files you need for Firefox for instance: just the extensions, the extensions.sqlite, localstore.rdf, bookmarks.html and prefs.js. Just copy those to the sandbox before launching and launch Firefox with the -profile option pointing at that location inside the sandbox (remember redirections though). Of course, do this in a script. You can use Sandboxie on Windows for this.

You don't need specialized 3rd party software for this though. Take Linux for instance. Just make another user, let's call him 'browser' with no ability to be logged into and which cannot even use sudo or su. This user should have no write access to its own home (make /home/browser owned by your main user account, and disable write permissions for anyone except owner, but keep read permissions and execute for everyone), so it will be forced to only write into the Sandbox (i.e. cookies and other crap).

Then make a shell script that simply copies your base profile (this one must be kept safe, and the 'browser' user must not have access to it) into a location like /tmp/browser (which the 'browser' user has access to), and use gksudo to launch Firefox as the 'browser' user (with -u switch), with firefox's -profile option set to /tmp/browser or whatever.

In this way you also mitigate a lot of exploits because even if they take control of your browser completely, they will not be able to do anything unless they also escape the sandbox or exploit privilege escalation. The point being, you're much safer than just relying on the browser to not have exploits in the first place. For extra security, make the 'browser' user have no read/write access to your main files (and only have him share a place in /tmp where it can read/write files so you can share files between browser and the outside world), but if that's not possible or inconvenient at least make it not able to WRITE to any of your files or folders (except Downloads).

Yes it requires a bit more effort to set up, but once you've got the users properly set up and the script written, it's all automatic. At least it's far less effort than coding your own browser or other stuff. It's a matter of double-clicking or just launching the browser, quitting it and then running another script to clean the sandbox. That is all.

You may have to symlink .mozilla and .cache/mozilla (plus .adobe) inside /home/browser to somewhere in /tmp/browser because the home is not writeable, but you get the idea. The point is that to empty the sandbox all you have to do is remove /tmp/browser, it's all contained within (and the only place the 'browser' user can write to).

(and lastly you'll have to allow 'browser' to display content on the X server and perhaps connect to the PulseAudio server for audio in videos, there are many guides around, use the UNIX socket method for PA)

And by the way, why Firefox? Well, because of NoScript. Selectively enable JS just for things you need, not an entire site. You'd be surprised how much junk there is on any given site.
Post 04 Mar 2016, 10:54
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15233
Location: 1I/ʻOumuamua
Furs: Thank you for the practical suggestion. Unfortunately that still does not address the spoofing problem as was mentioned in the ebay JSF**k problem above. It is not as simple as only making the browser bulletproof and exploitproof (if that is even possible considering the complexity); it also requires making it incapable of being spoofed and/or hijacked to take the user to a different place than they expect.


Last edited by revolution on 04 Mar 2016, 12:26; edited 1 time in total
Post 04 Mar 2016, 11:13
Furs



Joined: 04 Mar 2016
Posts: 861
I just read it and it appears it's some sort of phishing/site exploit, which of course can happen. I did not try to imply my method is exploit-proof on the internet for all of them, just the tracking and hijacks of your browser from sites you do not trust anyway.

For example with NoScript you'd have to selectively enable JS on ebay for it to work, but unfortunately I agree that a lot of people would just 'trust' a big name site like that (myself included).

In that case you can get compromised, but my method still applies in that it separates sites from each other. For example, let's say you log on to your email account after visiting ebay with that exploit; without doing the sandbox suggestion, you can be fully tracked and, depending on the level of the exploit, even have your password compromised for your email account.

The difference here lies not in whether you can get hacked or not via one website (which is obviously possible even in a website), but that the incident should be local to the sandbox only.

Barring privilege escalations and other extra exploits the hacker has to go through, as long as you clean the sandbox after visiting ebay, your email account should be perfectly safe, not to mention your browsing habits not tracked. Another important thing to remember is that, using a different user (or Sandboxie on Windows), you can see all processes still run under the user or sandbox. It is trivial to make a script to kill them all in such case, before emptying the sandbox, so no exploit or malware is still in the background when you launch your next browser instance.

Of course it is important to keep a proper state of mind when browsing, you can't just blindly think you are protected without understanding possible risks or exploits available.

If you ever see a specific site does not work properly without JS and feel the need to enable JS on that less-than-trustworthy site via NoScript (or really, even sites you trust like ebay, as shown by the JSF**k problem you mentioned), then make sure you know the possibility of an exploit is available.

In this case, for example, if you visited your bank account or whatever in the past (and might have residue in RAM, who knows?) on that same browser session, I would personally just empty the sandbox, re-launch the browser, enable JS on the new site, do whatever... and empty it again afterwards.

Sure, call me paranoid, but like I said you don't have to go to such extremes, but just in case you want to, it's available with a couple of clicks. Ultimately it's up to how much you care about all of this.

Also I realize it's quite weird to be posting this as my first posts but I'm a long time user of FASM in fact, usually searching this forum. Smile
Post 04 Mar 2016, 11:48
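The procedure from Furs's two posts above (locked-down 'browser' user, base profile copied into /tmp/browser, leftover processes killed and the sandbox emptied), written out as an added shell example that is not code from the thread. `sudo` stands in for the `gksudo` call the post mentions; the base-profile path, the `browser` group and the environment overrides are assumptions.

```shell
#!/usr/bin/env bash
# Added example: disposable Firefox profile run under a separate Linux user.
# Assumed names (not from the thread): BASE_PROFILE path, group 'browser', env overrides.
SANDBOX_USER="${SANDBOX_USER:-browser}"
SANDBOX_GROUP="${SANDBOX_GROUP-browser}"             # caller is assumed to be a member
BASE_PROFILE="${BASE_PROFILE:-$HOME/.browser-base}"  # must be unreadable to $SANDBOX_USER
SANDBOX="${SANDBOX:-/tmp/browser}"
# The profile files the post lists as sufficient for Firefox.
PROFILE_FILES="extensions extensions.sqlite localstore.rdf bookmarks.html prefs.js"

# The sandbox user's home must be owned by someone else and closed to group/other writes.
home_is_locked() {
    mode=$(stat -c '%a' -- "$1") || return 1
    owner=$(stat -c '%U' -- "$1") || return 1
    [ "$owner" != "$SANDBOX_USER" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# Build a fresh sandbox holding only the allowlisted files from the base profile.
seed_sandbox() {
    base=$1; box=$2
    # /tmp is world-writable: plain mkdir fails on any existing name, including a
    # symlink planted there earlier, so a stale or hostile path is never reused.
    mkdir -m 0700 -- "$box" || { echo "refusing to reuse $box" >&2; return 1; }
    for f in $PROFILE_FILES; do
        if [ -e "$base/$f" ]; then cp -R -- "$base/$f" "$box/" || return 1; fi
    done
    if [ -n "$SANDBOX_GROUP" ]; then   # grant the sandbox user access via its group
        chgrp -R -- "$SANDBOX_GROUP" "$box" && chmod -R g+rwX -- "$box" || return 1
    fi
}

# sudo -u stands in here for the gksudo -u call in the post. X server and PulseAudio
# access for the sandbox user is configured separately, as the post notes.
launch_browser() {
    sudo -u "$SANDBOX_USER" -H firefox -no-remote -profile "$SANDBOX"
}

# Kill whatever still runs as the sandbox user, then delete the sandbox.
clean_sandbox() {
    case "$1" in
        ""|/|/tmp|/tmp/) echo "refusing to delete '$1'" >&2; return 1 ;;
    esac
    if id -u "$SANDBOX_USER" >/dev/null 2>&1; then
        sudo pkill -KILL -u "$SANDBOX_USER" || true   # exit 1 only means nothing was running
    fi
    # Subdirectories the sandbox user created itself may need root to remove.
    rm -rf -- "$1" 2>/dev/null || sudo rm -rf -- "$1"
}

case "${1:-}" in
    start) home_is_locked "/home/$SANDBOX_USER" &&
           seed_sandbox "$BASE_PROFILE" "$SANDBOX" && launch_browser ;;
    clean) clean_sandbox "$SANDBOX" ;;
esac
```

Run it with `start` to seed and launch, and with `clean` after quitting the browser; because `seed_sandbox` refuses an existing path, a forgotten `clean` shows up as an error on the next start.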
Copyright © 2004-2016, Tomasz Grysztar.