Hi Matthias!
On Friday, 28 June 2013, 10:37:44, Matthias Kirschner wrote:
> I'd like to have some feedback from you. Do you agree with those points?
> - on most computers JavaScript is enabled by default
Most stats say so!
> - This gives anyone a platform to play with parts of their owners'
> equipment.
As already stated in this thread, every document that's opened on a computer uses its resources. It doesn't matter if you open HTML, HTML with JS or an ODT.
> - From a security point you are lost as soon as you give an adversary
> the opportunity to control your system.
As I said in 2), it's irrelevant what gets interpreted. I would further say that JavaScript is very much in the focus of many people regarding security. Plain HTML or ODT or txt or PNG might not be.
> - Only non-active web content can guarantee that you keep control over
> your equipment.
Don't agree. I can create pretty non-active pages that might crash your browser just by overusing resources. Most browsers act very badly in this case. I am not sure if that crash is usable as an attack vector; somebody might analyze.
> And the last question: if all above is true, do we want to tell this to the public? Does it help? Or would we be seen as being completely paranoid?
Not paranoid enough when it comes to tracking [1].
I think there are problems regarding web applications. Often licensing is not done properly, so much code, especially JavaScript code, is put out unlicensed although the creator wanted it to be free. Tell them about free software licenses [2].
Modern web applications aren't possible without JavaScript, take that for granted. But there is an elephant in the room. Ever thought about who controls the infrastructure behind most web services? The backend code? For most services there is no competition in hosting, because the backend is not free. Further, in many services the user is the product. Because of that, the service is usable at no charge.
So we should concentrate on alternatives for cloud services that are either self-hostable and/or at least hosted by more than one provider. Users should be made aware of the fact that hosting of cloud services costs a lot of money. They are the product, unless they pay for it with money. Some kind of privacy-admiring hosting provider charter would be fine too.
Best! Christian
[1] https://panopticlick.eff.org/
[2] http://www.theregister.co.uk/2013/04/18/github_licensing_study/