The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)
Center for Education and Research in Information Assurance and Security

More JavaScript Browser Attacks…  Meanwhile (ISC)2 Requires JavaScript, and All Is Well

Tuesday, June 05, 2007 by Pascal Meunier
in Kudos, Opinions and Rants
Share:

Hear, see and speak no Evil—but pretend JavaScript is safe and force your customers to turn on JavaScript in their browsers to make your site sparkle.  It’s not your problem, is it?  It’s the developers of browsers that should fix their code! 

Meanwhile the parade of JavaScript-based attacks continues.  When even the organization responsible for CISSPs, (ISC)2, makes it impossible to update your CISSP credits without JavaScript turned on, what hope is there for shopping, banking, credit card security sites (e.g., verified by VISA) and investment sites (e.g., Fidelity)  to adopt careful and responsible stances?  I didn’t even get a reply from the (ISC)2 web site developers when I pointed out JavaScript issues.  It’s a slick click interface party!  Woohoo!  Ooh, shiny! 

It’s a party for attackers, that is.  JavaScript is not the only problem, when any browser extension can take down the browser (or take control of it…).  When will we see browsers architectured like operating systems, so that a plug-in can crash without taking the browser with it?  When will plugins have configurable security policies and limited privileges, so that a bug in a plugin doesn’t compromise our computer’s security?  It seems that browser architecture isn’t more advanced than Windows 95 and is about as secure, yet we poke puddles of pus with them and then prepare food, and don’t even worry about getting infected.  Basic browser hygiene is provided by the NoScript Firefox extension, but when every site forces you to enable JavaScript, what’s the use?  One thing is sure—I don’t see many people taking this seriously. 

Tags for this post:

Leave a comment (6 so far) »

Comments

Posted by Giorgio Maone
on Thursday, June 7, 2007 at 12:42 PM

You may be interested in Robert Hansen expressing the opposite point of view: while JS is evil (and better to be generally disabled with NoScript), “secure” sites removing their dependencies on it does no good.

http://ha.ckers.org/blog/20070607/the-javascript-paradox/

Posted by Pascal Meunier
on Friday, June 8, 2007 at 03:47 AM

Thanks Giorgio.  I’m not convinced by Mr. Hansen’s arguments.  First, he hypothesizes a security functionality implemented in the client, and proceeds to weigh this pink elephant against one-size-fits-all security requirements (or rather, “security indifference”) inferred from invalid metrics.  First of all, security implemented on the client side is a bad idea, so whatever the bank could have implemented is no great loss.  “We have to assume the JavaScript was there for a reason” could be simply because of developer ignorance, personal preference, or most likely to make the web site respond slightly faster—there is no reason to infer that there is a security value to it (“because it’s a bank” doesn’t seem likely to me). 

Second, he says it won’t change anything for the vast majority of people because they will leave JavaScript on.  This is initially an issue with the developers of web browsers that distribute them with insecure defaults—it would take one flipped bit in the next distribution of Firefox and other browsers to change that.  Then, everyone is different, and regardless of what 90, 99 or 99.9% (however many 9’s you want to add) will do, it is a violation of my security policy to force me to turn on JavaScript.  The popularity of the NoScript extension is a strong indicator that there are quite a number of other people for whom this could be true as well. Is it acceptable for a bank to violate the security policies of its customers?

In those who browse with JavaScript turned on all the time, there may be some who would browse with it off if it wasn’t so inconvenient, so the actual number of people currently browsing with JavaScript on isn’t a very good argument.  In the absence of choice (put up with it or go home isn’t really a choice) statistics like that are misleading at best. 

There is no paradox—if everyone removes their dependencies from JavaScript, the world will be a safer place for me and those of a similar mind.  People who have unsafe habits should always be accountable for them, whether it’s anonymous, promiscuous sex, lack of hygiene, or security, even if they are the great majority.  Then, evidence may convince more people to change their practices.  There was a time when “99.99%” of people wouldn’t eat whole wheat bread or whole rice…  Times change with education.  Fatalistic, pessimistic attitudes like Mr. Hansen’s don’t help any of us.

Posted by Jim Horning
on Tuesday, June 12, 2007 at 03:33 PM

When will we see columnists who do not use “architectured” as a verb?  I think you meant “designed”?  I’m not really sure.

You are on the slippery slope towards my favorite “IBM word”: rearchitecturalizationing.  At one time, you were expected to be either prorearchitecturalizationing or antirearchitecturalizationing.  But the days of the 360 are past.

Jim H.

Posted by Pascal Meunier
on Thursday, June 14, 2007 at 08:13 AM

Thanks Jim.  I agree that the choice of words is important—my late father insisted on it.  I hope that I never have to use that word, “rearchitecturalizationing”, as I have no idea what it means.  However, I can define my use of “architectured”.  It has a narrower meaning than “designed”.  Design can be done at many different abstraction levels.  Architecture is the design done at the abstraction level closest to requirements, and generally involves a model of the system and the technologies used to link its parts.  The design choices made at this step define the failure modes available to a system, and their possible consequences both in terms of security and recovery.  Architecture is why even if you hire geniuses to re-implement and redo lower level design steps of Windows 95 or the current browsers, they are sorely limited in what they can accomplish.  I think that the wikipedia page on <a HREF=“http://en.wikipedia.org/wiki/Software_architecture” rel=“nofollow”>software architecture</a> is interesting.  They don’t have a page for “rearchitecturalizationing”, though smile

Posted by Browser Security News » Blog Archive »
on Wednesday, June 27, 2007 at 05:12 AM

[...] Read More…Source: CERIAS Posted in Latest News |June 27th, 2007 by News|    Leave a Comment [...]

Posted by Stephan
on Wednesday, June 27, 2007 at 05:00 PM

I think it’ll be quite some time before browsers get anywhere out of the “Windows 95” context as you put it.  Considering how sluggish and slow-to-catch-up the dominant market share browser (IE) is compared to everyone else.  Perhaps with Safari’s new entry into the Windows realm things will speed up.  But on the other hand, seems as if browsers are quite advanced compared to this: http://news.yahoo.com/s/infoworld/20070626/tc_infoworld/89653

Leave a comment

Commenting is not available in this section entry.

Previous entry »

« Next entry