[kwlug-disc] DuckDuckGo.com -- an alternate search engine
Bob Jonkman
bjonkman at sobac.com
Mon Aug 2 03:18:55 EDT 2010
On Wed, 2010-07-28 at 03:54 -0400, Chris Frey wrote:
> It's a whole lot more complicated to check that every permutation of
> legal Javascript code is safe.
Speaking of Turing, I'll bet that checking every permutation of
legal Javascript code to see if it is safe is equivalent to the Halting
Problem -- impossible to determine.
And so instead of running an 'IsItSafe' plugin I run a 'NoScript' plugin
which saves me an infinite amount of time.
--Bob.
On Wed, 2010-07-28 at 03:54 -0400, Chris Frey wrote:
> On Tue, Jul 27, 2010 at 09:15:57PM -0400, Ralph Janke wrote:
> > Well, it still does not explain why networking is ok, but Javascript is not.
> > Javascript is not the only security issue exposed in networking.
> >
> > Hence: Javascript in and of itself should not be bad! :)
>
> Not necessarily bad, just more risky.
>
> To me, there is a world of difference between TCP/IP and Javascript.
> The one is data interpreted by known code. The other is unknown code
> interpreting unknown data.
>
> By "unknown" I mean that the data and the code is not something I've
> vetted before it hits my browser.
>
> Secure code treats data as an untrusted payload. Something to be parsed
> and analyzed, where sizes and lengths are double checked at all times,
> etc. The data might indicate some action to be taken, but it is the code
> that is already on my system, installed by known means, that does the
> work.
>
> Javascript pushes that a little too far for my liking. Yes, it is data,
> but it is data in the form of Turing complete code. It is one thing to
> double check that the TCP header size field is correct. It's a whole
> lot more complicated to check that every permutation of legal Javascript
> code is safe.
>
> I'm not saying it's impossible, just that the level of difficulty is
> orders of magnitude higher, and therefore so is the risk.
>
> It's not just Javascript. Whenever programmable content is added to pure
> data, there's more risk: VB script in Word documents, ActiveX controls,
> Flash games, rm commands in man pages, embedded SQL in application code,
> scripts in PDF files (Adobe has had its share of headaches with this), etc.
>
> - Chris
>
>
> _______________________________________________
> kwlug-disc_kwlug.org mailing list
> kwlug-disc_kwlug.org at kwlug.org
> http://astoria.ccjclearline.com/mailman/listinfo/kwlug-disc_kwlug.org
--
Bob Jonkman <bjonkman at sobac.com> http://sobac.com/sobac/
SOBAC Microcomputer Services Voice: +1-519-669-0388
6 James Street, Elmira ON Canada N3B 1L5 Cel: +1-519-635-9413
Software --- Office & Business Automation --- Consulting
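Chris's contrast above is between "data interpreted by known code" (a TCP header whose size field can be double checked) and data that is itself code. The following is an added example, not code from the thread or from anyone on it, showing what that double check looks like in practice: a small TCP header parser that refuses to trust the data-offset (header length) field the packet claims. The segments it parses are constructed in the block, not captured traffic, and the function names are my own.

```python
import struct

# Fixed 20-byte TCP header: src port, dst port, seq, ack,
# data-offset/flags, window, checksum, urgent pointer.
TCP_FIXED_HDR = "!HHIIHHHH"


def build_segment(data_offset_words: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a constructed TCP segment with an arbitrary data-offset field.

    Only used here to feed the parser; a real stack gets these bytes off the wire,
    which is exactly why the field cannot be trusted.
    """
    offset_flags = (data_offset_words << 12) | 0x018  # 4-bit offset, PSH|ACK flags
    header = struct.pack(TCP_FIXED_HDR, 12345, 80, 1, 1, offset_flags, 65535, 0, 0)
    return header + options + payload


def parse_tcp_header(segment: bytes) -> dict:
    """Parse a TCP header, validating the length field before using it.

    The data offset is the header length in 32-bit words. The packet asserts it;
    the parser checks it against both the protocol minimum (5 words = 20 bytes)
    and the bytes actually present before slicing options and payload.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than minimum TCP header (20 bytes)")

    src, dst, seq, ack, offset_flags, window, checksum, urgent = struct.unpack(
        TCP_FIXED_HDR, segment[:20]
    )
    data_offset = offset_flags >> 12
    header_len = data_offset * 4

    # A header cannot be shorter than its fixed part...
    if data_offset < 5:
        raise ValueError(f"data offset {data_offset} below minimum of 5 words")
    # ...and cannot extend past the bytes we were actually handed.
    if header_len > len(segment):
        raise ValueError(
            f"claimed header length {header_len} exceeds segment length {len(segment)}"
        )

    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "ack": ack,
        "flags": offset_flags & 0x1FF,
        "header_len": header_len,
        "options": segment[20:header_len],
        "payload": segment[header_len:],
    }


if __name__ == "__main__":
    good = build_segment(5, payload=b"GET /")
    print(parse_tcp_header(good))
    for bad in (build_segment(2), build_segment(15, payload=b"short")):
        try:
            parse_tcp_header(bad)
        except ValueError as err:
            print("rejected:", err)
```

The two rejections are the whole point: a length field is a single integer with a known valid range, so the check is exhaustive and cheap. There is no equivalent bounded check for a script, because the "field" being validated is an arbitrary program.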