GeneralThis forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Last time I checked compiled programs use libraries which they often have no control over. Be that a standard executable using a bunch of .so files it has no control over, a flash "application" which could run in Flash or Gnash, a Java program which can run under Oracle's VM or an open source one or a .net (or whatever they call it this week) which can run under Mono. What makes Javascript so special and, more to the point, if my platform is already compromised what does it matter what I'm running? If I can't trust my OS then that means everything is compromised already -- running Flash instead of Javascript makes no difference.
JavaScript's power derives from the fact that it is a totally dynamic language, with run-time binding of everything. However, this means that there is no (true) compile-time, and no compile-time binding. I really don't feel the need to fully develop the case that it has significant architectural vulnerabilities
Vulnerable to WHOM?? How can you be vulnerable to yourself??? This makes no sense.
Libraries, like executables, can be digitallysigned to prevent alteration, and the operating system can validate this. OS/X does this by default, for instance, although it does allow you to disable this feature for libraries other than those which are part of OS/X itself.
Yes, you do have to think about "protecting software, so to speak, from yourself," because the entire environment in which "you" operate is both largely-unknown to you and by definition untrustworthy. If the runtime behavior of the software could be guaranteed by establishing the cryptographic integrity (thus, un-alterability) of the software and its libraries, and if(!) it was not possible to profoundly alter the behavior of the software without altering the thing that is loaded, then this would afford a reasonable amount of protection. But, JavaScript in particular does not work like this. It was, in fact, designed not to work like this.
And, mind you, I am not "bashing" what is arguably one of the most widely-used programming languages in the world today. I'm not suggesting that its designers were incompetent or rogue. But I am pointing out what is in fact a very fatal flaw. A "rogue ad-blocker," for example, could be devised to steal a password, or a credit-card number, from a known-target web site's JavaScript software. And it would not matter that the web site used encryption blah blah blah. Which happens to be why banks usually use Java components, which cannot be subverted in this way.
You have two languages which are usually enabled on a browser: JS, and Java. The two, despite the name-similarities that were chosen basically for marketing reasons, are entirely different in every way. Java does produce a bytecode executable, and it can sign the file. (Never mind the fact that it also stinks! ) To this day, I don't know why JS won the race.
Flash, also, has these characteristics, and I don't think that it ever had more intrinsic vulnerabilities than anything else did. It did land into the hands of a company that really doesn't know how to market anything, or how to build a respectable compiler, which is most unfortunate. But open-source products such as Haxe have essentially re-implemented the whole thing and have done it much, much better. IMHO, Flash's model for compiled graphics and graphics programming is light-years better than "the impossible wedge (IMHO)" which we now call "HTML-5 + JS." It just needs a little freshening up.
Last edited by sundialsvcs; 08-08-2017 at 07:39 AM.
A "rogue ad-blocker," for example, could be devised to steal a password, or a credit-card number, from a known-target web site's JavaScript software.
Yes. And malware written in C or whatever can steal your passwords & credit-card number as well by peeking into memory, logging keystrokes, etc. So what? There is no relation to JavaScript language features.
In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, hostname, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.
Quote:
Originally Posted by sundialsvcs
Which happens to be why banks usually use Java components, which cannot be subverted in this way.
Java components can certainly be subverted by a process running on the same machine with the same user rights (think: debugger). Which banks use Java components on their web pages? Not mine.
Quote:
Originally Posted by sundialsvcs
You have two languages which are usually enabled on a browser: JS, and Java. The two, despite the name-similarities that were chosen basically for marketing reasons, are entirely different in every way. Java does produce a bytecode executable, and it can sign the file. (Never mind the fact that it also stinks! ) To this day, I don't know why JS won the race.
My guess would be that it's because Java applets take a user-noticeable time to load, during which resentment builds up against the Java logo with the spinner. Whereas JavaScript loading time is mixed in with the loading time of the page, so the user doesn't associate JavaScript with slow loading times.
For leagacy purposes though i do hope adobe considers opening flashes source code to everyone.
They would have nothing to lose as flashplayer was not really a financial asset anyhow, but I know how they are greedy and unwilling to go open source as its "mine mine mine!!!!!!" with them.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by MadmanRB
For leagacy purposes though i do hope adobe considers opening flashes source code to everyone.
They would have nothing to lose as flashplayer was not really a financial asset anyhow, but I know how they are greedy and unwilling to go open source as its "mine mine mine!!!!!!" with them.
As much as I malign Flash and as much as I wiull be glad when people stop using it for anything important* I relent a little and, yes, I'd like things like Fantastic Contraption, Flatland (I think it was called) and other fun Flash games to survive.
*It occurs to me now that the above discussion of Flash vs Java (as a plugin) vs ECMAScript kind-of misses my point anyhow -- my beef with Flash was that the browser was never meant to do all those things "securely" and native applications are generally best even if they need some porting. And the porting should be, in the main, GUI only as the intelligence should compile on any platform. Heck, for secure internet "apps" how about PHP over HTTPS -- only the data is transferred and all objects are defined server-side? It seems to be how my bank, secure mail providers and the like do it.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.