12 votes

The Web is still a DARPA weapon

11 comments

  1. [3]
    jsx

    The web is a weapon the same way a hammer is a weapon. For the majority of users it's a tool, but a minority of users may use it to do harm onto others. Also applicable to knives, or a cargo truck.

    9 votes
    1. [2]
      Shamar

      To be honest, I wonder if you have read the article.

      If US' control of DNS roots is a knife, it's firmly in their hand and pointed to all other nations.
      Though I agree this is a coarse weapon that won't be used often (to retain plausible deniability).

      The blind execution of JavaScript is much worse as it is pretty fine grained but can be trivially exploited by any website you visit, without leaving any evidence of the attack on your machine.
      If it is a knife, it lacks the handle.

      1 vote
      1. jsx

        I read your article. I understand the numerous risks and attack vectors possible through JavaScript.

        What are you proposing as the solution?

        2 votes
  2. [6]
    Emerald_Knight

    > I realized that the worst security issue is inherent to JavaScript design itself.
    > You execute a custom program controlled by someone else.
    > Someone else that knows you very well. That can read your mails.
    > That knows what you read. That knows what you look for.
    > That knows where you live. That knows your opinions.
    > That knows your friends. Your tastes…

    I think it's kind of silly to suggest that this is a JavaScript problem. Any website--even Tildes--can be designed such that each thing you're viewing is trackable without JavaScript. Hell, you can wrap submitted external links around an internal link that logs the click before redirecting to the target site. You can take a video, place a thumbnail that looks like a video player, and have it link to a separate page serving the video in order to track whether or not the video is actually being viewed. There are a ridiculous number of options available to you to track someone without having JavaScript enabled. JavaScript merely increases the number of events you can track and makes the process easier.

    5 votes
    1. [5]
      Shamar
      Without JavaScript several information about the user could not be collected:

      - when you zoom text
      - when you zoom an image
      - the size of your screen (used to fingerprint and track anonymous users)
      - the...

      Once these information are collected (which could be sensible info by themselves) a trivial DNS rebinding would allow the attacker to access any unauthenticated service or that your browser automatically authenticate for (or AFAIK any service you authenticated for in another tab).

      Also your machine could be controlled to attack a third party. The attack surface is unbounded even if you believe that Meltdown and Spectre cannot be exploited by JavaScript.

      All leaving no evidence on your machine through Cache-Control.

      To me, the fact that other attack vectors exist doesn't justify to leave people vulnerable to this huge one.

      1. [2]
        Emerald_Knight

        I don't see how this contradicts my original comment at all. I was addressing the silliness of being concerned about tracking with regards to JavaScript specifically. That's a privacy concern. What you're bringing up now is a security concern. While the two certainly have overlap, they're two distinct subjects. My addressing one does not imply that I'm providing commentary on the other.

        Also note that I already stated that JavaScript increases your tracking capabilities by expanding the number of events that are trackable. I'm well aware of the fact. My point was that JavaScript makes this tracking more capable and efficient, but isn't what makes tracking itself a possibility.

        A final point that I hadn't previously brought up: visiting a website is effectively no different from downloading and executing a program from the internet. One just happens to execute directly through the browser. In either case, you need to execute due diligence when deciding whether or not to run said program. Naturally there will be security concerns whenever any executable resources are running.

        My intent here isn't to argue or to suggest that your submission was bad or full of falsehoods, but to provide a critique about some of the contents. Your argument is only as strong as your weakest supporting point, so I want to draw attention to where the arguments are weakest so that they can either be reinforced or discarded as necessary.

        In short: you're right, JavaScript is a potential security hole. All executable code is. But I'm talking about privacy, not security, and how it will always be an issue even without JavaScript.

        3 votes
        1. Shamar

          > In short: you're right, JavaScript is a potential security hole.

          Sorry.
          After several debates on the matter, your comment looked similar to those who tried to justify the refusal to mitigate the problem.

          Their argument usually goes like "certain attacks are possible without JavaScript so let's leave users vulnerable to all the other ones."

          Thanks for elaborating.
          Fine, some attacks to the user's privacy are possible without JavaScript. Even some attacks to the user's security are possible without JavaScript. Still JavaScript's attack surface is by several orders of magnitude larger.

          > All executable code is [a potential security hole, ndr]

          True, but the Web is (perceived as) a HyperText.

          People reading an article on the Web are not aware they are executing a program written by strangers that has potentially been customized for them (or their specific minority).

          And this is obvious: how can you expect that you need to execute a custom program to read a text?

          > But I'm talking about privacy, not security, and how it will always be an issue even without JavaScript.

          Agreed.

          But we can still largely mitigate the leaks without it. Or at least, make the users aware.

      2. [2]
        Soptik

        > Without JavaScript several information about the user could not be collected:
        >
        > the size of your screen (used to fingerprint and track anonymous users)

        You can do it without JS. While it's overkill, one could use CSS media queries that track user screen size when they click a link. POC.

        1 vote
        1. Shamar

          +1

          Cool trick I didn't think about.

          Much less precise though, and requires a user interaction (the link click) that JavaScript doesn't need.

          Also it could leave small evidence in all proxy logs (both in the link URI and in the size of the CSS downloaded).
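
The CSS-only screen-size tracking discussed in the two comments above can be audited for statically, since each viewport bucket has to map to its own URL. The following Python is an added example, not part of the thread or of the linked POC: it flags `@media` dimension queries whose rules fetch a URL. The stylesheet, URLs and function names are constructed for illustration.

```python
import re

# Constructed sample stylesheet (not from the thread): two rules fetch a
# distinct URL per viewport bucket, one is an ordinary responsive layout rule.
SAMPLE_CSS = """
body { font-family: serif; background: url(/img/paper.png); }
@media (min-width: 1200px) and (max-width: 1399px) {
  a:active { background-image: url("/t.gif?w=1200"); }
}
@media (min-width: 1400px) {
  a:active { background-image: url('/t.gif?w=1400'); }
}
@media (max-width: 600px) {
  nav { display: none; }
}
"""

DIMENSION = re.compile(r"\(\s*(?:min-|max-)?(?:device-)?(width|height|resolution|aspect-ratio)\b", re.I)
URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

def media_blocks(css):
    """Yield (condition, body) for each @media block, matching nested braces."""
    css = re.sub(r"/\*.*?\*/", "", css, flags=re.S)   # drop comments first
    for m in re.finditer(r"@media\b([^{]*)\{", css, re.I):
        depth, i = 1, m.end()
        while i < len(css) and depth:
            depth += {"{": 1, "}": -1}.get(css[i], 0)
            i += 1
        yield m.group(1).strip(), css[m.end():i - 1]

def conditional_fetches(css):
    """Return [(condition, url)] for URLs requested only when a
    viewport/screen dimension query matches."""
    hits = []
    for cond, body in media_blocks(css):
        if DIMENSION.search(cond):
            hits += [(cond, u) for u in URL.findall(body)]
    return hits

def looks_like_size_beacon(css, min_buckets=2):
    """Heuristic: several dimension buckets, each mapped to a different URL."""
    urls = {u for _, u in conditional_fetches(css)}
    return len(urls) >= min_buckets

if __name__ == "__main__":
    for cond, url in conditional_fetches(SAMPLE_CSS):
        print(f"{cond:45} -> {url}")
    print("beacon pattern:", looks_like_size_beacon(SAMPLE_CSS))
```

The brace matcher does not handle braces inside quoted strings, and a single media-conditional image (normal responsive design) is deliberately not flagged; only multiple distinct URLs across dimension buckets are.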

  3. jlpoole

    > Mozilla, I’m looking at you.

    I wonder if Mozilla has ever been served something under the Patriot Act that mandates they do something. We'll never know, this is just speculation. But what a sad state of affairs when some such speculation could be true. Having a browser able to alter the dynamics of the machine it is running on is pure folly and an invitation for compromise.

    2 votes
  4. Shamar

    Technology is a prosecution of Politics by other means.

    While everybody pretends that the Internet is a safe place for freedom, it is still strongly in the hands of the U.S.A. and serves their geopolitical objectives.

    Through the strict control of Pentagon (DIUx at Mountain View) and CIA (In-Q-Tel at Palo Alto) on companies that pretend to be libertarian and to support the free/neutral Internet, the States knows, monitor and (potentially) manipulate the citizens of other nations more than their governments can do.

    The article analyses the history of the Internet and the Web to outline two powerful but overlooked weapons of this cyber war: the DNS roots and the WHATWG browsers.

    1 vote