flat assembler
Message board for the users of flat assembler.

Why we should always disable JS, Wasm and Flash
DimonSoft
revolution wrote:
sleepsleep wrote:
if you are using chrome, firefox, etc with ublock origin, noscript, ghostery extension or etc extensions,

and the website doesn't function, no show, no load, etc

the next plausible action

is to temporarily disable all your extensions,

or

changing your block setting to trust website scripts,
Or just don't bother with that website.

Why is it so important to get that one page to work?

There are almost certainly plenty of other websites that can deliver your needed content without requiring you to put your hand in the blender.

First of all, guys, those extensions are written in either JS or a JS-like language. I hope you don’t trust those extensions as well. And I hope you don’t use software with embedded Python/Lua/put_your_language_here interpreters.
Post 16 May 2020, 18:53
revolution
It's not about the language, it is about the delivery and unauditability.

If I ran JS locally with source that I can download and audit before running, then that is a situation much different from a random website that expects us to run their shitty code without bothering to take even a cursory look at the source. And many websites deliberately obfuscate their sources so that we can't make sense of it. Just run it and don't ask questions, you lowly web user.
Post 16 May 2020, 23:32
DimonSoft
revolution wrote:
It's not about the language, it is about the delivery and unauditability.

If I ran JS locally with source that I can download and audit before running, then that is a situation much different from a random website that expects us to run their shitty code without bothering to take even a cursory look at the source. And many websites deliberately obfuscate their sources so that we can't make sense of it. Just run it and don't ask questions, you lowly web user.

Are you sure you’re in control of browser extensions? Especially with Chrome which, I remember, used to update itself in spite of updates being disabled which was the main reason for me to never use it again since it cost me all the monthly traffic while on a limited internet connection. Are you sure updates to your browser extensions (that disable JS) are safe? Are you sure updates to any program using any scripting engine are reliable?

Unless you, guys, consider these cases, the whole discussion about “I potentially can check” looks like “I potentially can be a millionaire, so treat me as such”. Security is not only about potential, it’s about reality as well. You always have to trust somebody.
Post 17 May 2020, 07:56
revolution
I don't use any extension to control JS. That was mentioned by sleepsleep. I have JS disabled in the browser settings. Note that NoScript, an extension, requires JS to be enabled in the browser settings. I wish my browser wasn't bloated with a JS interpreter I don't use, but such is life.

JS from random websites, run by the browser on the fly, is where we are asking for trouble. It isn't a reasonable expectation for anyone to audit the code for themselves before running. Everyone visiting a website can be delivered a different set of JS, code they are expected to blindly run, every time they visit or refresh the page. Let's examine a scenario: Yesterday we spent an hour reviewing the JS code from one site and it was neutral so we ran it. We hope we didn't miss anything. But today when we refreshed we got new code: has it been weaponised, has the server been hacked? Do we want to spend another hour reviewing it to see? And tomorrow yet another bunch of code to review. Aarrggh, exhausting. We've got better things to do.

You can run JS code locally with an interpreter, if you wanted to. But there isn't really much demand for that. Other languages fill that need better, and are more popular.
Post 17 May 2020, 08:28
DimonSoft
So, what about updates? Are you able to tell if they are OK or we are still talking about “I can do this theoretically and this somehow magically makes it safe”?
Post 17 May 2020, 09:10
revolution
What updates are you referring to? Browser updates?

FWIW: I don't update my browser. It is still the same since what seems like forever.
Post 17 May 2020, 09:13
sleepsleep
revolution wrote:

I don't update my browser.

not sure what browser you are using, but why don't you want to update your browser?

revolution wrote:

I have JS disabled in the browser settings.

maybe the JS will run whenever you are not using your browser,
why do you trust that the browser will respect your config in the browser settings to disable JS?

we should believe the browser will secretly load some JS and run it when the CPU is idle for 1 hour

DimonSoft wrote:

I remember, used to update itself in spite of updates being disabled which was the main reason for me to never use it again since it cost me all the monthly traffic while on a limited internet connection.

i seriously doubt the chrome browser extension is the culprit that is consuming your monthly traffic,
the largest extension i suspect would be around 50MB since those crx are basically zipped files,

DimonSoft wrote:

the whole discussion about “I potentially can check” looks like “I potentially can be a millionaire, ..."

anyone can learn programming, then spend their resources to check everything, but how many of us are willing to do this?
and how many of us have the time to do this?

it's like anyone can grab the rubbish, separate it by category, then send it for processing, but how many of us are willing to do this, 24x7?
Post 17 May 2020, 09:39
revolution
sleepsleep wrote:
why you don't want to update your browser?
Because I have verified my current browser works for what I want. Why do you update yours?
sleepsleep wrote:
why you trust the browser will respect your config inside browser settings, to disable JS?
It is easy to check. Load a page with JS. See that the JS does nothing. So far after all these years my browser has never run any JS code.

Thoughts about it having a secret fifteen year timer to trigger running JS again ... well okay, but that isn't very likely. And if it suddenly does, then I'll look into what actions I need to take to make sure it doesn't happen.
Post 17 May 2020, 10:07
sleepsleep
revolution wrote:

Because I have verified my current browser works for what I want. Why do you update yours?

https://www.cvedetails.com/product/15031/Google-Chrome.html?vendor_id=1224
https://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26
Post 17 May 2020, 11:51
revolution
So you upgrade because you are scared of bugs and being pwned? So why enable JS? Most of those problems are around because of JS. Sites use JS as leverage to exploit the bugs.
Post 17 May 2020, 12:21
sleepsleep
total annihilation of JS is impossible in 2020, for the reasons i said earlier,

the other way would be browsing inside vm,

idk the percentage of CVEs caused by JS, but i guess at least 20% are non-JS and could execute with just HTML and images, so you still don't want to upgrade?

wait, maybe you don't upgrade windows also? or linux? or bsd?
Post 17 May 2020, 12:36
DimonSoft
sleepsleep wrote:
DimonSoft wrote:

I remember, used to update itself in spite of updates being disabled which was the main reason for me to never use it again since it cost me all the monthly traffic while on a limited internet connection.

i seriously doubt the chrome browser extension is the culprit that is consuming your monthly traffic,

That was an example of a popular browser not respecting particular settings.

revolution wrote:
So you upgrade because you are scared of bugs and being pwned? So why enable JS? Most of those problems are around because of JS. Sites use JS as leverage to exploit the bugs.

Are you saying that buffer overflow attacks are not a thing? Or that they require JS being enabled? What about those cases when newer HTML features get added and browsers start failing to load such pages at all (try to open a modern webpage in one of the first versions of Opera/FF/Chrome or in old IE, it’s highly likely to get them really confused up to crashing).
Post 17 May 2020, 13:00
revolution
sleepsleep wrote:
total annihilation of JS is impossible in 2020, for the reasons i said earlier,
I don't use JS. Haven't for many years. So it is possible.

And throwing up your hands and accepting defeat is kind of sad. Like: I give up, please rob me, rape me, stab me, poison me, whatever me.
Post 17 May 2020, 13:05
sleepsleep
revolution wrote:

I don't use JS. Haven't for many years. So it is possible.

i use javascript everyday, from the moment i double click browser till i close it,

revolution wrote:

And throwing up your hands and accepting defeat is kind of sad.

i don't have the ability nor capability to stop the JS invasion,
the best defence i got is running the browser inside a vm, that's all,
Post 17 May 2020, 15:20
revolution
Websites using JS to do a port scan on your own system. Are they looking for vulnerabilities in your setup? No one seems to know. But it's possible those sites have been hacked and/or the library they use has been hacked, and they are using your own system to report on itself to some nefarious actor.

https://security.stackexchange.com/questions/231966/web-sites-executing-local-port-scans-is-this-coming-from-a-library-can-it-be-b

ETA another link:
https://blog.nem.ec/2020/05/24/ebay-port-scanning/
Quote:
And, finally, they have a claim called “True Location” which sounds a bit like they attempt to de-anonymize people using VPNs.
Quote:
True Location and Behavior Analysis: Detection of location cloaking or IP spoofing, proxies, VPNs, Tor browsers and changes in behavior patterns, such as unusual transaction volumes.
It’s not just Ebay scanning your ports, there is allegedly a network of 30,000 websites out there all working for the common aim of harvesting open ports, collecting IP addresses, and User Agents in an attempt to track users all across the web.


Last edited by revolution on 27 May 2020, 12:46; edited 2 times in total
Post 27 May 2020, 12:28
revolution
sleepsleep wrote:
i don't have the ability nor capability to stop JS invasion,
You can. Disable JS.

I think the term you are looking for is that you are unwilling to stop JS invasions.
Post 27 May 2020, 12:30
sleepsleep
revolution wrote:

You can. Disable JS.

I think the term you are looking for is that you are unwilling to stop JS invasions.

the situation is like this,
i need to login local bank website to perform transaction,
if i disable JS, it means no more login and etc, no more etc etc etc,

is that i am unwilling to disable JS, or i don't actually have a choice here?
Post 27 May 2020, 14:23
Furs
revolution wrote:
You can. Disable JS.

I think the term you are looking for is that you are unwilling to stop JS invasions.
For someone (who used to be?) unwilling to ditch Windows because they had no choice as many apps/drivers they needed only worked on Windows, you sure talk a lot about disabling JS even if the website may be needed by someone else.
Post 27 May 2020, 15:43
sleepsleep
[image attachment]
Post 27 May 2020, 19:08
revolution
Furs wrote:
For someone (who used to be?) unwilling to ditch Windows because they had no choice as many apps/drivers they needed only worked on Windows, you sure talk a lot about disabling JS even if the website may be needed by someone else.
I still have to use Windows. And now the spyfest W10. But I refuse to accept its spying and things because it is never connected to a network. I had to make a sacrifice to make it this way. I now have to carry two systems around. Windows is still the only system that actually works properly, Linux is basically crap, but at least Linux is honest and doesn't yet feel the need to spy on everything and everyone.

The same with JS. There are sacrifices to be made if it is disabled. Mainly because many website writers get too focussed on sexy animations and other unneeded things, and decide to require JS just to support them. sleepsleep is unwilling to visit the local bank branch or ATM machine and instead decides to use the Internet and risk malware monitoring or using the connection.

Another option for sleepsleep is to only use JS for that one website and refuse to allow any other websites to rape the computer through the browser. That is an imperfect solution. It relies upon that one website to always have no bad employees, and always have no malware on their systems injecting bad code, and always have no intrusions into the code from remote bad actors, and various other ways websites can be hacked or weaponised against people. Good luck sleepsleep, I hope no one steals all your money through your browser.
Post 27 May 2020, 22:25
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.