More JavaScript Browser Attacks… Meanwhile (ISC)2 Requires JavaScript, and All Is Well
Hear, see and speak no Evil—but pretend JavaScript is safe and force your customers to turn on JavaScript in their browsers to make your site sparkle. It’s not your problem, is it? It’s the developers of browsers that should fix their code!
Meanwhile the parade of JavaScript-based attacks continues. When even the organization responsible for CISSPs, (ISC)2, makes it impossible to update your CISSP credits without JavaScript turned on, what hope is there for shopping, banking, credit card security sites (e.g., Verified by Visa) and investment sites (e.g., Fidelity) to adopt careful and responsible stances? I didn’t even get a reply from the (ISC)2 web site developers when I pointed out JavaScript issues. It’s a slick click interface party! Woohoo! Ooh, shiny!
It’s a party for attackers, that is. JavaScript is not the only problem, when any browser extension can take down the browser (or take control of it…). When will we see browsers architected like operating systems, so that a plugin can crash without taking the browser with it? When will plugins have configurable security policies and limited privileges, so that a bug in a plugin doesn’t compromise our computer’s security? It seems that browser architecture isn’t more advanced than Windows 95 and is about as secure, yet we poke puddles of pus with them and then prepare food, and don’t even worry about getting infected. Basic browser hygiene is provided by the NoScript Firefox extension, but when every site forces you to enable JavaScript, what’s the use? One thing is sure—I don’t see many people taking this seriously.
on Thursday, June 7, 2007 at 12:42 PM