• JavaScript security

    From Nightfox@VERT/DIGDIST to All on Tue Apr 12 21:55:44 2011
    About 10-15 years ago (or perhaps up to as recent as 6-7 years ago), I remember people saying JavaScript was insecure and couldn't be trusted and that people should just disable JavaScript in their web browser. These days, however, many sites and web-based software rely on JavaScript, and without JavaScript, they just wouldn't work. Makes me wonder what has changed? I like JavaScript, and there's lots of cool stuff you can do with it, so it's hard to imagine turning it off, particularly with the plethora of web-based software that relies on it now. Why do web browsers even still provide an option to disable JavaScript?

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion BBS: digdist.bbsindex.com
  • From Cykros@VERT/ENTROPY to Nightfox on Fri Apr 15 15:45:34 2011
    Re: JavaScript security
    By: Nightfox to All on Tue Apr 12 2011 17:55:44

    About 10-15 years ago (or perhaps up to as recent as 6-7 years ago), I remember people saying JavaScript was insecure and couldn't be trusted and that people should just disable JavaScript in their web browser. These days, however, many sites and web-based software rely on JavaScript, and without JavaScript, they just wouldn't work. Makes me wonder what has changed? I like JavaScript, and there's lots of cool stuff you can do with it, so it's hard to imagine turning it off, particularly with the plethora of web-based software that relies on it now. Why do web browsers even still provide an option to disable JavaScript?

    Nightfox

    Generally the best bet seems to be to use Firefox + the NoScript extension, so you get to pick what JavaScript (or at least what hosts with JavaScript) actually winds up running. Because JavaScript is still often insecure.

    cykros


    ---
    ■ Synchronet ■ [ENT] aNNo 2081 UHQ * CRO BBS WHQ * FLT AMiGA NZHQ * FOOD WHQ [ENT]
  • From Nightfox@VERT/DIGDIST to Cykros on Fri Apr 15 03:10:32 2011
    Re: JavaScript security
    By: Cykros to Nightfox on Fri Apr 15 2011 11:45:34

    Generally the best bet seems to be to use Firefox + the NoScript extension, so you get to pick what JavaScript (or at least what hosts with JavaScript) actually winds up running. Because JavaScript is still often insecure.

    Ah, interesting.. I was just curious what people think these days.

    Nightfox

    ---
    ■ Synchronet ■ Digital Distortion BBS: digdist.bbsindex.com
  • From Tracker1@VERT/TRN to Nightfox on Sun Apr 17 06:55:40 2011
    On 4/12/2011 5:55 PM, Nightfox wrote:
    About 10-15 years ago (or perhaps up to as recent as 6-7 years ago), I remember people saying JavaScript was insecure and couldn't be trusted and that people should just disable JavaScript in their web browser. These days, however, many sites and web-based software rely on JavaScript, and without JavaScript, they just wouldn't work. Makes me wonder what has changed? I like JavaScript, and there's lots of cool stuff you can do with it, so it's hard to imagine turning it off, particularly with the plethora of web-based software that relies on it now. Why do web browsers even still provide an option to disable JavaScript?

    10-15 years ago people were saying you could get a virus unless you disabled cookies in your browser too. It is one area modern browsers have put a lot of energy into preventing security issues via JS directly.

    Flash was always a far bigger hole than JS as far as security went, in Flash7 you could get filesystem access... though Flash has gotten better... Adobe Reader and Java are bigger targets now than anything else.

    --
    Michael J. Ryan - http://tracker1.info/

    ---
    ■ Synchronet ■ Roughneck BBS - telnet://roughneckbbs.com - www.roughneckbbs.com