5 votes

Undetectable Remote Arbitrary Code Execution Attacks through JavaScript and HTTP headers trickery

Topic removed by site admin
This topic is locked. New comments can not be posted.

52 comments

  1. [7]
    Comment deleted by author
    1. [6]
      Shamar

      I guess you don't know much about the "wide-reaching internet standards" you are talking about.

      I opened a bug report because these are Living Standards that follow the implementations.
      To fix these "Standards" you need to fix at least one implementation first.

      Also, I challenge you to find a line in the Standards we are talking about stating that JavaScript cannot be OPT-IN on a per website basis.

      Guess what?
      You don't need to violate any WHATWG's standard to implement these mitigations.

      1. [5]
        Nephrited

        Different person, hello! I'm a web developer by profession, including JS.

        You are correct that there is no line in the web standard that requires a browser to enable JS execution by default. However, there is also no line that requires any browser to disable JS execution by default. This is, by definition, not a bug!

        What you have here is a change request, or perhaps a web standards proposal. The correct channels to go through for this are detailed quite helpfully here for Chrome, and to a degree here. I'm afraid I don't know the Mozilla process but Bugzilla isn't the place for it, as, again, it's not a bug, and issues will be correctly closed as some variation of "Working as Intended".

        I would recommend not framing it as a bug at all, as currently the entire thing can be summed up as "Javascript can perform code execution", to which the response is, quite rightly, "Yeah. It's meant to."

        21 votes
        1. [4]
          Shamar

          Different person, hello!

          Hi Nephrited, web developer by profession (including JS) here too.

          You are correct that there is no line in the web standard that requires a browser to enable JS execution by default. However, there is also no line that requires any browser to disable JS execution by default. This is, by definition, not a bug!

          To me, if the people using my software are vulnerable to such a wide class of undetectable attacks, it's a bug.

          Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented say that you have to protect them?

          1. [3]
            Nephrited

            To me, if the people using my software are vulnerable to such a wide class of undetectable attacks, it's a bug.

            As a software developer you should then be aware that a risk is not a bug. They are distinct issue types, and are tracked separately. A bug is a problem with software not performing as expected when compared with the specification.

            What you have is a problem with the specification itself. Concepts cannot have "bugs", but they can be flawed.

            Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented say that you have to protect them?

            No, I would not. I would go through the correct channels, noting the risk and filing a change request, pointing out the issues. You can do the same, and I strongly encourage it!

            13 votes
            1. [2]
              Shamar

              As a software developer you should then be aware that a risk is not a bug.

              Out of curiosity, do you think a dangling pointer is a risk or a bug?

              A bug is a problem with software not performing as expected when compared to the specification.

              That's true for the specified parts.
              Do you really think that bugs happen only in the parts covered by a specification? :-)

              Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented say that you have to protect them?

              No, I would not. I would go through the correct channels, noting the risk and filing a change request, pointing out the issues.

              And meanwhile you leave your users vulnerable to these attacks.

              Do you have an idea of the time required to get a new standard approved by W3C?
              And, again, you cannot get a standard approved by WHATWG without a working implementation.

              You can do the same, and I strongly encourage it!

              I'd say it's a bit naive of an expectation, but I'm very happy if you are going to try it yourself!

              1. Nephrited

                Yes, the process was detailed clearly in the links I provided. I'm afraid it doesn't matter what your opinion of the process is. If you wish to make a change, you have to follow the correct procedures.

                Good luck!

                12 votes
  2. [11]
    Diff

    Oh it's you again. Dude, you're not gonna win anyone over like this, there's a reason you were banned from Lobsters.

    This kinda crap is best left in like a blog article where you can have your M Night twist ending that "the bug was inside us all along." When you're dealing with people on an allegedly serious issue it's disingenuous to be introducing the issue like this. It's not a bug. The web is working as intended. It has consequences and yes, people should be more aware of those consequences and there should be additional mechanisms to prevent them.

    But you are shooting yourself in the foot when you behave this way. Everyone who figures out what you're actually getting at will immediately dismiss you when things click into place. Cut the dramatics, come at the issue from a sane angle. Please. I like the idea but you are killing it. You're working against your own cause here by being obnoxious like this.

    17 votes
    1. [10]
      Shamar

      Oh it's you again.

      Hi Diff, did we talk before?

      Dude, you're not gonna win anyone over like this, there's a reason you were banned from Lobsters.

      Yes, there is: "Constant antagonistic behavior and no hope for improvement".
      You are welcome to read my posts and comments there to see how antagonistic I was (some of the censored comments are readable here).

      But note: blaming me for these attacks is a bit pointless.

      Cut the dramatics, come at the issue from a sane angle.

      Hum... to me, the bug report was clear, descriptive and only mentions technical stuff that can be verified.
      If you think the reactions were insane, why do you tell me to change angle?

      Please. I like the idea but you are killing it.

      If so, please: help informing people.
      If you agree that these attacks are possible, informing people can't harm.
      If you think I did a bad work with the bug report, feel free to integrate it. Or to create a new one. Or...

      To my eye it's not a matter of how (or who). All that counts is

      • informing people, organizations, companies and governments about the attacks they are vulnerable to
      • mitigating such attacks.

      Really: if you can do better than I did, you are welcome!

      1. [5]
        Diff

        Hi Diff, did we talk before?

        Probably not enough to make an impression but I've seen you around the net quite a bit now.

        Hum... to me, the bug report was clear, descriptive and only mentions technical stuff that can be verified.

        That's the thing. You're not technically wrong, you're just disingenuous. Purposefully misrepresenting things. For example instead of saying "There's a vulnerability with a handful of headers and some remote code execution and yep big browser doesn't want you to know," just come out and say what you mean off the bat instead of obfuscating it. "Javascript can be used to stab users in the back. How do we fix it without breaking it?" And that last bit is important. The solutions you propose will break the internet as it exists today. That's never going to get off the ground. Nobody will accept any solution that has that kind of cost. If you actually want anything fixed like you say you do, you need to work in ways that go with the grain.

        14 votes
        1. [4]
          Shamar

          "Javascript can be used to stab users in the back. How do we fix it without breaking it?"

          This is the kind of arguments that people debating the qualities of JavaScript as a language would propose.
          I'm talking about a severe security issue that you say exists!
          In the number of people affected, it's equivalent to Meltdown.
          But not being a hardware issue, it could have been already fixed.

          The solutions you propose will break the internet as it exists today.

          Diff, please note that I didn't propose any mitigation until asked for solutions.
          I just reported the vulnerability describing the attacks.
          If you (or Mozilla) have other effective mitigations to propose (or implement) you are totally welcome to!

          The only thing that I cannot understand as a developer myself is closing the issue pointing to a forum and never trying to address the attacks! They didn't dare to deny the attacks, they are just leaving users vulnerable!

          If you actually want anything fixed like you say you do, you need to work in ways that go with the grain.

          I'm just trying to inform people.
          The fact that informing people is fought (here like elsewhere) is not a good sign about our field, don't you think?

          If the bug report is "not technically wrong", if people are vulnerable to these attacks, those who write that broken code (and those broken Standards) should find the proper way to mitigate the risks.

          Not me.

          1. [3]
            Diff

            The fact that informing people is fought (here like elsewhere) is not a good sign about our field, don't you think?

            I'm really sorry I don't know how to explain this to you, but the reason for this isn't because of anything to do with the issues themselves, it's the way you present the issues and yourself.

            5 votes
            1. [2]
              Shamar

              Mm... I appreciate the frankness.

              I think there is some language barrier here or something, as I carefully try to stay polite and focused on the matter.

              Fine.
              Can you please open another report where this issue can be discussed in a more effective way?
              Use your words and style. Really... I don't know how to write it more clearly so it's pointless to try again.

              1. Amarok

                The only effective way to mitigate this design choice is to lobby for a change in web standards with the IEEE/IETF. That process will take years to go from talk to spec to finally being implemented in browsers in the future - and as with most specs, most browsers will fuck up the implementation in some way, so there will always be holes. Bugs are as common and inevitable as death and taxes.

                Everyone who works in computing in the security or sysadmin or network fields is already aware of this. That's why the people who do their jobs well lock down company computers and resources using a massive spectrum of centralized controls. Anyone who is serious about information security doesn't put sensitive information on any network that has internet access in the first place, and takes steps to lock down client systems so they can only access that information in rigidly controlled ways.

                When they are done, not one packet of data goes anywhere without being supervised in real time by a dozen not-computer devices on the network, so the code running on the computers becomes irrelevant to the security - the network provides the security. Frankly, it's next to impossible to secure a computer that's on an insecure network, or is physically accessible to anyone but the senior tech staff. That's part of the reason we lock it all up in data centers.

                The sad truth is, not many businesses or people care. No one has ever really given a fuck about computer security - it's hard, it's tedious, it's expensive, and done properly it is a gigantic pain in the ass that degrades workflow and makes everything harder to do. It's far cheaper to deal with the costs of data breaches when they occur, so that's what most businesses do. It's utterly beyond the comprehension of the layman, so they are forever screwed. Anyone who cares about this is free to run noscript or umatrix and that's about as 'fixed' as this issue is ever going to get.

                If you want a real security threat to worry about, tilt your windmills at the cloud computing trend. That's going to cost us all far, far more in the long run than these browser design choices.

                6 votes
      2. [4]
        Emerald_Knight

        To my eye it's not a matter of how.

        Then you're going to run into a lot of problems and push people away from your cause. Whether you like it or not, diplomacy matters. I mean, ffs, even Linus Torvalds apologized for shitty behavior despite being notorious for it, because even he realized its importance.

        Methods matter just as much, if not more, as the end goal. You need to either accept that or accept that this will forever be an uphill battle for you.

        7 votes
        1. [3]
          Shamar

          Thanks for your suggestion, but it's not an uphill battle.
          It's not a battle at all. Not for me.

          I just want to inform people they are vulnerable to these undetectable attacks.
          And that the organizations they trust omit to inform them about such attacks.
          And that such organizations don't want to mitigate the risks.
          Even though the mitigations are relatively simple and cheap.

          Simply stating the Truth is not a battle.

          1. [2]
            Emerald_Knight

            You're intentionally twisting my words here. You know perfectly well what I mean by "uphill battle". At this point it's clear that you have no intention of engaging in a good faith discussion of this issue and, quite frankly, I'm less inclined to listen to any criticism about JavaScript purely because of this sort of antagonistic behavior that seems to be the norm among anti-JavaScript advocates. Less so than ever because of how extreme your antagonism is.

            Good luck with your cause. You're going to need a lot of it.

            8 votes
            1. Shamar

              you have no intention of engaging in a good faith discussion of this issue [...]

              You didn't say anything about the issue, you just talked about "methods" and how "diplomacy matters".
              If you have any question on how these attacks can be performed, I'm glad to help.

              this sort of antagonistic behavior that seems to be the norm among anti-JavaScript advocates

              Fun fact: I'm a JavaScript programmer myself.
              And this issue is not only about JavaScript: any Rust program compiled to WebAssembly and distributed over the Web would expose the visitors to the exact same attacks (but made worse by the compiler's optimization).

              Good luck with your cause.

              Thanks, but it's not "my cause". Really!
              It's just a severe security vulnerability affecting billions of people and organizations.

  3. Deimos

    Removing and locking this while I figure out what's going on, may or may not reinstate it after.

    8 votes
  4. [17]
    Shamar

    This security report, closed by Mozilla without saying whether Firefox's users are vulnerable to the wide class of undetectable attacks described, was issued on September 29, 2018. It was cross-posted to the Chromium team roughly 24 hours later (publicly visible here).

    The Lobste.rs thread suggested by Frederik Braun to continue the discussion has now been censored, but it has been cached here.

    Neither Mozilla nor Google have yet confirmed or denied the vulnerabilities, but two PoC attacks have been published already (here and here), showing at least one more severe vulnerability: the trust of people in Mozilla.

    All browsers from the other WHATWG members are likely vulnerable to these attacks as well.

    2 votes
    1. [7]
      alyaza

      The Lobste.rs thread suggested by Frederik Braun to continue the discussion has now been censored, but it has been cached here.

      i have no stake in this and computer security is not my thing but i think it's a bit laughable to call the lobste.rs thread here censored. having taken a gander through that thread and others you shared on lobste.rs, i can absolutely see why they would remove you from the premises. you seem to take a very fire-and-brimstone, bible thumping attitude to this issue which, while understandable i suppose, gets really fucking annoying if it's basically all you ever do and the bulk of what you ever talk about, especially when people have repeatedly reiterated to you that while your claims are valid, this is ultimately a trade-off that people made which would be bordering on impossible to fix without a radical upending of the system that will almost certainly never happen.

      at some point, it is not productive to have a conversation with you if you're never willing to see the other side, never willing to take a step back, never willing to cede ground, and ultimately never willing to stop preaching fire-and-brimstone when people repeatedly tell you why things are this way. that is seemingly why the lobste.rs thread was removed, that is seemingly why you got banned, and in my judgement that's not censorship, that's just people getting tired of you not being willing to productively contribute to any potential conversations on the subjects you've brought up.

      15 votes
      1. [6]
        Shamar

        Well... thanks for your opinion! :-D
        I hope others will go through the comments to see if you are right or not.

        Anyway you are wrong on something: nobody from Mozilla said "Firefox users are vulnerable to these attacks, but there are trade-offs that we value more than their security".

        Ultimately I just asked: "Are Firefox users vulnerable to this wide class of undetectable attacks?".
        Is this "antagonistic behaviour" to you?

        1. [5]
          alyaza

          Ultimately I just asked: "Are Firefox users vulnerable to this wide class of undetectable attacks?".
          Is this "antagonistic behaviour" to you?

          yes, if you literally never stop talking about it after continually being told the same things over and over and over again by both familiar and unfamiliar faces alike. at some point if you are either unwilling or unable to take the hint people have been laying pretty thick on you, you're basically doing nothing but concern trolling by continually bringing things like this up and expecting people to have any more answers than what they've already given. that is antagonistic, and absolutely a cause for people telling you to fuck off from their website, whether you like it or not or think it's censorship or not.

          9 votes
          1. [4]
            Shamar

            So, according to you the problem is me asking 3 or 4 times this question, not Mozilla Security NOT responding.
            (in the thread they suggested to discuss the issue)

            1. [3]
              alyaza

              So, according to you the problem is me asking 3 or 4 times this question, not Mozilla Security NOT responding. (in the thread they suggested to discuss the issue)

              yeah. take the fucking hint. from your AMA on dev.to to lobste.rs to your bug report on mozilla to here and no doubt other places, people have all given you the exact same answer. this is a trade-off that has been made, fixing it is a highly impractical measure at this stage in the game and would most likely only occur in circumstances that are basically unprecedented, and your fire-and-brimstone attitude toward this issue and the people who respond to you comes off as obnoxious, asshole-ish, and concern troll-y.

              you have a point, yes, and people recognize that. but it's really not difficult to see why people would deplatform you and consider you antagonistic, willfully ignorant, and somewhat of a troll, because even now you give that vibe off to me, and i'm trying giving you the benefit of the doubt here and assuming you're operating in good faith.

              16 votes
              1. [2]
                Shamar

                you have a point, yes, and people recognize that

                Just like I don't care about being defined a troll on internet, I don't care about having a point.

                 I just care about these issues being fixed and people being informed. From the very beginning.

                assuming you're operating in good faith

                What could I gain from this?
                What could Mozilla lose from this?
                What JS developers (like I am) are afraid to lose from this?

                I think the answers to these questions explain pretty well who is in good faith and who is not.

                1. alyaza

                  i'm not really interested in repeating my points since i've already made them, but i think this conversation demonstrates exactly why you are something of an internet vagabond when it comes to proselytizing about this subject and will probably continue to be for the foreseeable future. i would ordinarily ask that you self-reflect on why absolutely nobody is supporting you on this in any capacity (to the point where your comments in this topic have garnered no votes at all when literally any other response might have garnered just as many as my comments), but realistically i doubt self-reflection will work any better than lobste.rs banning you, mozilla all but ignoring you, and countless people demonstrating to you why you are barking up the wrong tree and why what you are suggesting is impractical. all i can offer is hope that at some point in the future you will recognize that what support and sympathy you may have otherwise garnered on this subject has evaporated because of the manner in which you participate in discussions like this.

                  i do wish you luck in your endeavors but, judging by your demeanor, i suspect that you will continue to be unsuccessful in pursuing them.

                  6 votes
    2. [9]
      Greg

      I don't think you're framing this in a way that helps your case at all. It's not an attack, it's not a bug, it's the way that we have agreed for the web to work.

      Starting a conversation about flaws in that agreement and pointing out that the tradeoffs made might have harmful consequences is a reasonable thing to do. Looking at the consensus behaviour, declaring it's a bug, and refusing to accept that the vast majority disagrees with you, is not going to get anyone on your side.

      14 votes
      1. [7]
        cfabbro

        is not going to get anyone on your side.

        Nor is attempting to put this blame on any particular browsers when literally all of them that adhere to the web standards are "vulnerable" to the same "bug". Not only that, but like one of the commenters in bugzilla stated, this "vulnerability" is exactly why the subresource integrity specification exists.

        And furthermore, what exactly is the proposed "solution" to this "problem"? Prevent any code from executing on browsers without explicit permission, essentially forcing every user to use a uMatrix/NoScript like system? Yeah, I can surely see the vast majority of users on the web figuring out how to do that. /s

        The fearmongering tone of the bugzilla post certainly doesn't help either.

        10 votes
        1. [6]
          Shamar

          I opened the issue to Mozilla because I trusted them to put their users' security before their profit.
          As an advocate of Firefox from version 0.8, I believed in their twitter tag line "Made for people, not profit."
          I was naive, actually. But I was advised to open such an issue by a Mozilla developer.

          But it's not a matter of blame. It's just trying to spread the word.
          They are responsible for their own brand. If they feel shame for their actions they can easily fix it.

          And furthermore, what exactly is the proposed "solution" to this "problem"?

          When requested, I proposed a few mitigations (not solutions):

          • Page Refresh through META tag and JavaScript are disabled by default
          • Both can be enabled on a per website basis, but
            • No script or CSS is requested with Cookies or other HTTP headers;
            • Each script and CSS is requested through a dedicated TCP connection;
            • SubResource Integrity is made mandatory (at least for JavaScript);
            • For each URI, record the SRI of the last downloaded contents and warn the user if a page proposes a different SRI for that same URI;
            • Warn the user about scripts served with suspect HTTP headers;
          • On browser exit, remove from the cache all resources downloaded by pages that have Meta Refresh and/or JavaScript enabled.
          • View Page Source should never fetch new versions of the page from the server (whatever the HTTP Headers provided with the page are)

          Obviously all this leaves the door open for pages that:

          • are visited only once
          • are visited for the first time

          thus I would also mark as “Not Secure” web pages visited for the first time that require JavaScript.

          The one that scares so many JavaScript developers is battle-tested for nearly 20 years: both Java applets and Flash were opt-in without much drama.

          this "vulnerability" is exactly why the subresource integrity specification exists.

          Except that it is NOT mandatory on scripts, so it's basically useless.

          The fearmongering tone of the bugzilla post certainly doesn't help either.

          Did you try the exploits?
          Did you try to tunnel into a properly firewalled and proxied private network?

          I might suggest you try it with your bank. You will understand the risks, then.
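As an added example (not code from this thread or from any browser), here is a small Python model of two of the mitigations listed above: mandatory SRI checks on every external script, and pinning the SRI seen for each URI so that a page proposing a different SRI for the same URI is flagged. The page HTML, script bodies and all function names are constructed for illustration.

```python
"""Added example, not code from the thread or from any browser: a small model
of two proposed mitigations, mandatory SRI on scripts and pinning the SRI seen
for each URI so a changed SRI for the same URI gets flagged. All HTML, script
bodies and function names here are constructed for illustration."""
import base64
import hashlib
from html.parser import HTMLParser

# Hash functions SRI allows, with their relative strength.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def compute_sri(content, algo="sha384"):
    """Return the SRI token '<algo>-<base64 digest>' for the given bytes."""
    digest = SUPPORTED[algo](content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(content, integrity):
    """SRI check: consider only the strongest algorithm present in the
    attribute and accept the content if any token of that algorithm matches."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SUPPORTED]
    if not tokens:
        return False  # unknown or malformed integrity value: fail closed
    strongest = max((t.partition("-")[0] for t in tokens), key=STRENGTH.get)
    expected = compute_sri(content, strongest)
    return any(t == expected for t in tokens if t.startswith(strongest + "-"))

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

class SriPinStore:
    """Remembers the SRI last seen for each script URI and classifies a new
    sighting: 'no-integrity' (mandatory SRI missing), 'pinned' (first visit,
    nothing to compare against), 'match', or 'changed' (same URI, new SRI)."""
    def __init__(self):
        self.pins = {}

    def check(self, src, integrity):
        if not integrity:
            return "no-integrity"
        previous = self.pins.get(src)
        self.pins[src] = integrity  # record the latest SRI for this URI
        if previous is None:
            return "pinned"
        return "match" if previous == integrity else "changed"

def audit_page(html, store, fetched):
    """Audit one page. `fetched` maps src -> bytes as downloaded; returns
    (src, pin status, whether the bytes match the declared SRI) per script."""
    collector = ScriptCollector()
    collector.feed(html)
    results = []
    for src, integrity in collector.scripts:
        body = fetched.get(src)
        ok = bool(integrity) and body is not None and verify_sri(body, integrity)
        results.append((src, store.check(src, integrity), ok))
    return results

# Constructed sample data: app.js with SRI, a tracker without it, and a
# later version of app.js that a page would present under a new SRI.
APP_JS_V1 = b"document.title = 'hello';\n"
APP_JS_V2 = b"document.title = 'hello'; fetch('/collect');\n"
PAGE_V1 = (f'<script src="/app.js" integrity="{compute_sri(APP_JS_V1)}"></script>'
           '<script src="/tracker.js"></script>')
PAGE_V2 = f'<script src="/app.js" integrity="{compute_sri(APP_JS_V2)}"></script>'
```

Auditing PAGE_V1 and then PAGE_V2 with one SriPinStore yields "pinned" for the first sighting of /app.js, "no-integrity" for the tracker, and "changed" on the second visit, which is the warning the proposal asks for.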

          1. [3]
            cfabbro
            (edited )
            Link Parent
            Look, I largely agree with you in that more can be done and most of your proposals are not bad (e.g. mandatory SRI is a decent standard which should probably be adopted eventually), however IMO you are hopelessly naive if you think JavaScript can suddenly be made opt-in without completely breaking the web. The vast majority of internet users are not technically literate enough to handle script micro-management on all the websites they visit and so would very likely just find a way to permanently enable JavaScript immediately again anyways, so then what would you have gained by making it opt-in other than annoying people?

            And as I said previously, it certainly doesn't help that you are going about this by intentionally fearmongering. Cool it on the anti-government, anti-weborgs rhetoric and maybe then you can actually win some people to your side instead of constantly getting your posts removed and getting banned from places.

            11 votes
            1. [2]
              Shamar
              (edited )
              Link Parent
              The vast majority of internet users are not technically literate enough to handle script micro-management on all the websites they visit

              You mean the way they do with push notifications? ;-)

              what would you have gained by making it opt-in

              First you raised awareness about the topic, instantly improving the security of users and organisations.

              Then in less than a year you will get a faster and more accessible Web, since the site owners will stop using JavaScript when they don't need to.

              You will also see faster progress on declarative alternatives to JS, such as CSS and new HTML elements.

              Finally, fine-grained user interaction won't be so easy to track.

              Cool it on the anti-government, anti-weborgs rhetoric

              Government agencies are affected by these attacks like any other users.

              As for web organisations, I was surprised by Mozilla's reactions until somebody pointed out to me that the vast majority of their budget comes from Google.

              Google that people would probably trust in an opt-in JavaScript world but that would lose precious data collected through Analytics.

              maybe then you can actually win some people to your side

              To be fair, the fact that we need marketing or politics to get such a wide variety of attacks mitigated is dangerous by itself.

              I don’t want to play this game. It is a burden on the credibility of our whole sector.

              And I don't want to win allies, I just want to inform people.

              1. cfabbro
                (edited )
                Link Parent
                The vast majority of internet users are not technically literate enough to handle script micro-management on all the websites they visit

                You mean the way they do with push notifications? ;-)

                Yes, exactly the same. Which is the point of the very next part of that same sentence, "and so would very likely just find a way to permanently enable JavaScript immediately again anyways", which you conveniently avoided addressing by quoting only the immediately preceding and proceeding parts. People would treat having to explicitly enable JavaScript on every site exactly the same as they do push notifications, which is to say they will see it as an annoyance, set it once and then forget it... unless you continue to annoy them every time the JavaScript changes in which case they will simply find a way to permanently enable it or migrate to browsers that don't constantly annoy them with explicit permission requests and don't artificially limit functionality for no good reason, and then you're right back to square one. "Don't throw the baby out with the bathwater."

                You will also see faster progress on declarative alternatives to JS, such as CSS and new HTML elements.

                Without JavaScript any new alternatives would likely wind up having the exact same "vulnerability" as you are falsely attributing to JavaScript since code execution is a fundamental part of the functionality of the web. You can argue about how browsers should make more of an effort to limit the abuse potential (which I would argue they already are) and do a better job of informing the users of said potential abuses, but demanding that all browsers cease allowing code execution without explicit permission is incredibly impractical.

                As for web organisations, I was surprised by Mozilla reactions until somebody pointed me that the vast majority of their budget comes from Google.

                Following my criticism of your anti-weborgs rhetoric with even more anti-weborgs rhetoric isn't helping you at all. Their (and everyone else's) response to your "bug" report likely has nothing to do with their source of funding and everything to do with the hyperbolic language you keep using and way in which you are behaving.

                10 votes
          2. [2]
            calcifer
            Link Parent
            The changes you are "suggesting" here would break such a significant percentage of the web the idea is not even worth entertaining. When TLS 1.3 was in draft stage and it turned out that 1-1.5% of users were having trouble with it, IETF abandoned their approach and added tons of compatibility stuff with TLS 1.2, because everyone agreed breaking 1% of requests was huge.

            So I believe you know nobody is going to pick you up on this, and you are not really seeking change, just grandstanding.

            8 votes
            1. Shamar
              Link Parent
              everyone agreed breaking 1% of requests was huge

              Yes, but TLS 1.3 was not a bug fix.
              What I proposed would fix a severe security vulnerability that affects 90% of users.
              Maybe there are better fixes, but it's something that fixes, not breaks.

              you know nobody is going to pick you up on this

              Well... actually a few people are moving in the underground... ;-)

      2. Shamar
        Link Parent
        It's not an attack

        You are right, as explained in the report, it's not one single attack, but a whole class of them.

        it's not a bug

        It is a bug in the architecture of the web as designed and distributed by WHATWG's members.

        it's the way that we have agreed for the web to work.

        Even if you were right on this, it wouldn't make these attacks less dangerous or the users less vulnerable.

        However, the responsibility is not on everybody.
        It's on those organizations who turned the Semantic Web into what it is today.
        Fortunately, they could easily fix it with trivial changes to the browsers that would then be adopted as Living Standard. Unfortunately they don't want to. So they should be held accountable for any breach done through one of these attacks.

        The fact is that while when you play a 3D game in the browser you might suspect that you are executing a custom program that can compromise your machine and your network, when you read an article in an online magazine or watch a video, there's no need to execute custom programs provided by strangers, thus most people are not aware of the risks.

        Also, due to the HTTP Cache-Control headers, all evidence of these attacks can be easily removed: do you really think that everybody understands and agrees to take these risks?

        pointing out that the tradeoffs

        Given the variety and the severity of these attacks, I don't think there is much to trade off.

        The suggested mitigations are fast and cheap to implement and would not affect much the user experience while increasing their security a lot.

        is not going to get anyone on your side

        It's not a war to me. It's not me against them.
        It's just a matter of time: when a hospital or a bank network is hacked this way, they will have to answer for having covered up these attacks to their users.

        Meanwhile, I just try to inform the users to let them understand the risks and improve their security.

  5. [17]
    jlpoole
    Link
    The complainant's point resonates with me. Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised? I'm starting to think: no, they are not and harken back to the day when web sites were very simple: text and binary images without the threat of someone compromising your computer. (My statement does not take into account possible security issues in JPEG files.)

    1 vote
    1. [16]
      cfabbro
      Link Parent
      Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised?

      IMO, yes... unequivocally yes. And if your answer to that is "no", then you can always install uMatrix or NoScript and block all remote script execution, or use Lynx or a Lynx-based browser which doesn't support that to begin with. Voilà, you have now effectively opted out of all "remote sites manipulation" of your computer... and also opted out of the vast, vast majority of web functionality, including being able to participate on Tildes. But expecting/demanding that be the default browser behavior, like OP is doing, is incredibly unrealistic and naive (again, merely IMO).

      10 votes
      1. [15]
        Shamar
        Link Parent
        Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised?

        IMO, yes... unequivocally yes.

        Fine.
        But is having all these wonderful technologies that let remote sites manipulate any user experience worth the risk of your private banker's computer being compromised? What about your doctor?

        1. [5]
          cfabbro
          (edited )
          Link Parent
          Jesus, dude give it up already with the hyperbolic, fearmongering bullshit. All that it and your scaaaaary bold text does is make you that much harder to take seriously.

          6 votes
          1. [4]
            Shamar
            Link Parent
            You didn't answer.

            1. [3]
              cfabbro
              Link Parent
              Never mind my private banker or doctor, what about my priest, rabbi and witch doctor!? Will you not save my eternal soul from the menace that is the JavaScript web standard!?

              Never-mind the fact that it's been around and fully supported by every major browser since ECMAScript 1 was first introduced 20+ years ago, leaving us all "vulnerable" to this "bug" allowing people to "attack" our web connected computers with "undetectable remote arbitrary code execution"... and yet in all that time, my priest, rabbi and witch doctor's records have remained uncompromised? Go figure!

              3 votes
              1. [2]
                Shamar
                Link Parent
                What's not clear about the HTTP Cache-Control part of the bug report?
                Or maybe I misspelled "undetectable"?

                Now you will say that this is an unconstructive answer to your totally constructive comment.
                I don't know what to do with this attitude.

                But note, by talking about how these attacks can be used against people beyond "you" and how such third party attacks could severely affect your life too, I was not trying to spread FUD: these attacks are likely to happen.

                Indeed instead of saying they cannot, you are just basically saying I'm a fool.
                I don’t care much, really.

                But if you can prove such attacks are not possible please do it. ;-)

                1. cfabbro
                  Link Parent
                  I have tried to engage you constructively to no avail since you just keep repeating the same talking points and keep relying on fearmongering instead of making rational arguments. My last response wasn't meant to be "constructive" it was my attempt to get across that "I'm done with this"... which apparently failed, so instead I will spell it out explicitly. --> I'm done with this. <--

                  Good luck in your crusade to take down the modern interactive web and JavaScript. :)

                  5 votes
        2. [10]
          Comment deleted by author
          Link Parent
          1. [9]
            Shamar
            Link Parent
            For these specific attacks, the sensitive data in their browsing PC are totally irrelevant.

            They just need to connect through their DMZ network with their smartphone.

            1. [8]
              Nephrited
              Link Parent
              Could you clarify that second statement, please?

              It sounds like you just said "If a user willingly breaches security protocols, a security breach will occur".

              7 votes
              1. [7]
                Shamar
                (edited )
                Link Parent
                A doctor is not a security expert. Nor is a private banker.
                Do you really think all companies, all over the world, spent the money required to train all of their employees about the risks for their customers when they read an apparently harmless text article over the Web?

                In any case, these are just some of the possible attacks.

                Do you like to stay vulnerable? Fine!

                Do you want other people to stay unaware AND vulnerable? Be honest and tell them.

                1. [2]
                  Nephrited
                  (edited )
                  Link Parent
                  My apologies, but I believe you have a fundamental misunderstanding of the issues you are trying to tackle, coupled with an alarmist attitude to presenting them.

                  This topic seems to demonstrate that it's impossible to discuss the apparent problem with you, as you don't appear to process the statements people are making to you, but rather regurgitate the same words again and again ("But DOCTORS. BANKERS. ATTACKS.").

                  If you can demonstrate to me a workable PoC that exposes PII data on my machine (your linked examples didn't do anything of note, perhaps I executed them wrongly?), without resorting to the use of bolded text, capital letters or exclamation marks, then we might get somewhere.

                  Cancel this, I just re-read through your blog post. I now firmly believe this stance is the result of a conspiracy theory, and have to redirect you to my original advice: If you want to make a change, follow the proper channels and get a change request underway. Don't get me wrong; it will get rejected, but at least you'll have tried.

                  7 votes
                  1. Shamar
                    Link Parent
                    The linked PoC shows how to access the open ports on your machines and how to access the webservices that your machine can access. Despite your firewall or proxy.

                    What's not clear about them?

                2. [4]
                  jsx
                  Link Parent
                  Do you like to stay vulnerable? Fine!

                  Wow. You are such an antagonistic chicken little that constantly deflects away constructive counter-points that it's no wonder no-one wants to try and work with you.

                  1 vote
                  1. [3]
                    Shamar
                    Link Parent
                    And I guess this is a constructive counter point, isn't it?

                    Please find in this thread an alternative constructive proposal to mitigate the vulnerability.

                    One single alternative proposal posted before this comment.

                    1. Soptik
                      (edited )
                      Link Parent
                      Sorry for hijacking the discussion, but. First, calm down everyone, please. Second, u/Shamar, do you have a solution that wouldn't change the end-user web experience? This means, not disabling JS support, no opt-in JS (btw: do you really think that would help?). I'm afraid no non-destructive solution exists, simply because JS is deeply ingrained and The Web wouldn't work without it (by The Web I mean most websites) and the issue you have with javascript is that it executes - which is the point of javascript.

                      Please don't discuss with me about points like that most websites won't work without JS - we both know it would affect tons of websites and I think that kind of discussion would be completely useless.

                      And I think it isn't a bug, it's a design flaw. Here's an example: If I make a software with backdoors, it's not a bug (because I put it in intentionally). The same way JS isn't a bug, because the features it has are intentional.

                      5 votes
                    2. jsx
                      Link Parent
                      How is your web standard change request proposal going? Or do you think that you don't need to follow the official channels?

                      2 votes