[thelist] Who really turns off JavaScript?

thelist at cjmarsh.com thelist at cjmarsh.com
Sat Nov 5 10:49:27 CST 2005


Ken

[..]

> > I do this for several reasons, one of which is: I'm curious about the
> > dependency on javascript of some websites that I visit. I'm curious
> > because these websites hold data about me, and on more than one
> > occasion I have found that turning off javascript exposes further
> > serious vulnerabilities.
> 
> Could I ask what purpose this serves? Are you interested in 
> testing the vulnerabilities in the web application in 

Yes I am.

> question (and giving them data in the first place would be a 
> bit foolish no?) 

If you assume that an organisation's website, IT systems and management
never, ever change - then yes. In real life I have found this not to be the
case.

> Or are you interested in avoiding security 
> issues? 

I am interested in avoiding security issues, although this is not my primary
reason for turning off javascript.

> (I'm not entirely sure how you'd do that)

You would turn off javascript within your browser settings and become
impervious to XSS issues (for example), no?

[..]

> > I draw your attention to point 10 in the following essay:
> > 
> > <http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx>
> 
> Could you clarify how point 10 in that essay backs up a point 
> in your email? I'm a little confused as to what it correlates to.

I placed the reference in a separate paragraph to signify that it was not
backing up a particular point. In terms of a correlation - the article
referenced by the original post (to which I responded) states:

"Do we really believe that this is some kind of security issue today in late
2005? I’m no security expert, but aren’t phishing scams and browser
vulnerabilities the real security concerns of the day"
[http://www.pixelmech.com/notebook/2005/11/who-really-turns-off-javascript
accessed 2005-11-05].

This suggests that the author thinks that there can be no further security
issues with javascript simply *because* it is late 2005. The article also
makes reference to AJAX:

"My point is being made more toward enhanced functionality (such that Ajax
can provide"
[http://www.pixelmech.com/notebook/2005/11/who-really-turns-off-javascript
accessed 2005-11-05]

The author of the essay that I referenced posits:

"Recent years have seen the development of ever-cheaper and more powerful
hardware, software that harnesses the hardware to open new vistas for
computer users, as well as advancements in cryptography and other sciences.
It's tempting to believe that technology can deliver a risk-free world, if
we just work hard enough. However, this is simply not realistic."
[http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
accessed 2005-11-05]

The author then suggests:

"The solution is to recognize two essential points. First, security consists
of both technology and policy—that is, it's the combination of the
technology and how it's used that ultimately determines how secure your
systems are."
[http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
accessed 2005-11-05]

I had hoped that this article may be of interest to someone else on the
list.

Does this clarify things somewhat?

Regards

Chris Marsh
