Date:      Thu, 19 Jul 2001 19:26:29 -0400
From:      Shannon <shannon@widomaker.com>
To:        questions@FreeBSD.ORG
Subject:   Re: ARRGH Netscape stinks!
Message-ID:  <20010719192629.C29468@widomaker.com>
In-Reply-To: <15188.54022.876036.338916@guru.mired.org>; from mwm@mired.org on Tue, Jul 17, 2001 at 07:06:30PM -0500
References:  <21096630@toto.iv> <15188.23500.936661.82769@guru.mired.org> <20010717115346.A18795@grumpy.dyndns.org> <15188.54022.876036.338916@guru.mired.org>

On Tue, Jul 17, 2001 at 07:06:30PM -0500, Mike Meyer wrote:
> David Kelly <dkelly@hiwaay.net> types:
> > On Tue, Jul 17, 2001 at 10:37:48AM -0500, Mike Meyer wrote:
> > > JavaScript is a security nightmare. Java isn't quite so bad, but CERT
> > > recommends turning them both off. I turn off Flash because I haven't
> > > had time to investigate the security issues.
> > Uh, don't you have Java and Javascript crossed?
> 
> I don't think so. The people at Sun who worked on Java demonstrably
> thought about the security implications of what they were doing, and
> dealt with the worst excesses in the design. As a result, Java
> security problems tend to be bugs in the implementation, with "in
> violation of security policies" being a common phrase. JavaScript
> tends to have bugs along the lines of "we never thought anyone would
> do that", like sending email to an arbitrary address at page load
> time, or putting java script in a cookie file then loading the cookie
> file to get access to the disk. The net result is that JavaScript
> tends to have nastier bugs than Java.

Absolutely, although both are capable of doing very bad things, mostly
because of brain-dead decisions by the browser authors.  The worst
comes when JavaScript is used to bootstrap Java virii (Javirii?).

For example, both Java and JavaScript can reprogram your home page
on some browsers and platforms, and other configuration items, and
JavaScript can put code on your system which runs on browser startup,
mostly through things like changing your home page to the little
Javirus.

Even if they don't hurt your local data, they are capable of irreparable
damage to your sanity.

I have some squid filter to eradicate a lot of them, but there are still
some really annoying ones that get through.

So far I've not seen this happen when hitting the same web sites or
files with a UNIX version of the various browsers, but that could
be because the JScript only hits Windows systems.  It would not
surprise me if Netscape/AOL has left some nasty little holes like
that in the UNIX versions.

I did have one JavaScript virus get my UNIX browser, and it basically
started peppering me with ads related to every page I went to.

The heavy integration of Java/Script in Mozilla worries me, besides
it being so horribly slow.

CERT is very correct in recommending these be disabled. Unfortunately there
are some sites I use often that require it. It would be nice if you
could turn scripting off for all but specific sites.

-- 
shannon@widomaker.com  _________________________________________________
______________________/ armchairrocketscientistgraffitiexenstentialist
 "And in billows of might swell the Saxons before her,-- Unite, oh
 unite!  Or the billows burst o'er her!" -- Downfall of the Gael
