On Fri, 28 Jun 2013 11:18, timo.lindfors@iki.fi said:
Well, javascript is run a restricted environment. I don't see how you'd be lost by running javascript. Also many universities let their students
To most users the browser is their window to the world and an alias for the computer. They don't understand that there is a difference. And web designers (or well, the marketing dept) try very hard to convince them that there is indeed no difference.
A box which automatically downloads all kind of binaries an runs them after they have passed a so-called virus checker, may also be considered a restricted environment. The restriction is in this case controlled by the virus checker and not the browser.
There are security issues also in the code that parses this non-active content. Javascript is replacing a lot of things that used to be separate plugins with poor security track record.
Plugins are installed by the user and not be data to be viewed. That makes a big difference:
- The user is enabled to control the code. - The plugin has a well defined behaviour and is not a volatile bunch of code. - A security audit of the plugin can be done.
Please, I don't want to hear a claim, that the JS code on web sites is secure because it is signed or distributed via a trusted (https) web site. PKIX (the X.509 based infrastructure used by https) is fucked up beyond all repair.
Shalom-Salam,
Werner