LinuxQuestions.org
Old 08-08-2017, 12:45 AM   #31
273
LQ Addict
Last time I checked compiled programs use libraries which they often have no control over. Be that a standard executable using a bunch of .so files it has no control over, a flash "application" which could run in Flash or Gnash, a Java program which can run under Oracle's VM or an open source one or a .net (or whatever they call it this week) which can run under Mono. What makes Javascript so special and, more to the point, if my platform is already compromised what does it matter what I'm running? If I can't trust my OS then that means everything is compromised already -- running Flash instead of Javascript makes no difference.
 
Old 08-08-2017, 07:06 AM   #32
ntubski
Senior Member
Quote:
Originally Posted by sundialsvcs
JavaScript's power derives from the fact that it is a totally dynamic language, with run-time binding of everything. However, this means that there is no (true) compile-time, and no compile-time binding. I really don't feel the need to fully develop the case that it has significant architectural vulnerabilities
Vulnerable to WHOM?? How can you be vulnerable to yourself??? This makes no sense.
 
Old 08-08-2017, 07:32 AM   #33
sundialsvcs
LQ Guru
Libraries, like executables, can be digitally signed to prevent alteration, and the operating system can validate this. OS/X does this by default, for instance, although it does allow you to disable this feature for libraries other than those which are part of OS/X itself.

Yes, you do have to think about "protecting software, so to speak, from yourself," because the entire environment in which "you" operate is both largely-unknown to you and by definition untrustworthy. If the runtime behavior of the software could be guaranteed by establishing the cryptographic integrity (thus, un-alterability) of the software and its libraries, and if(!) it was not possible to profoundly alter the behavior of the software without altering the thing that is loaded, then this would afford a reasonable amount of protection. But, JavaScript in particular does not work like this. It was, in fact, designed not to work like this.

And, mind you, I am not "bashing" what is arguably one of the most widely-used programming languages in the world today. I'm not suggesting that its designers were incompetent or rogue. But I am pointing out what is in fact a very fatal flaw. A "rogue ad-blocker," for example, could be devised to steal a password, or a credit-card number, from a known-target web site's JavaScript software. And it would not matter that the web site used encryption blah blah blah. Which happens to be why banks usually use Java components, which cannot be subverted in this way.

You have two languages which are usually enabled on a browser: JS, and Java. The two, despite the name-similarities that were chosen basically for marketing reasons, are entirely different in every way. Java does produce a bytecode executable, and it can sign the file. (Never mind the fact that it also stinks!) To this day, I don't know why JS won the race.

Flash, also, has these characteristics, and I don't think that it ever had more intrinsic vulnerabilities than anything else did. It did land into the hands of a company that really doesn't know how to market anything, or how to build a respectable compiler, which is most unfortunate. But open-source products such as Haxe have essentially re-implemented the whole thing and have done it much, much better. IMHO, Flash's model for compiled graphics and graphics programming is light-years better than "the impossible wedge (IMHO)" which we now call "HTML-5 + JS." It just needs a little freshening up.

Last edited by sundialsvcs; 08-08-2017 at 07:39 AM.
 
Old 08-08-2017, 09:22 AM   #34
ntubski
Senior Member
Quote:
Originally Posted by sundialsvcs
A "rogue ad-blocker," for example, could be devised to steal a password, or a credit-card number, from a known-target web site's JavaScript software.
Yes. And malware written in C or whatever can steal your passwords & credit-card number as well by peeking into memory, logging keystrokes, etc. So what? There is no relation to JavaScript language features.

I wonder if you are aware of Same origin policy?
Quote:
In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, hostname, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.
Quote:
Originally Posted by sundialsvcs
Which happens to be why banks usually use Java components, which cannot be subverted in this way.
Java components can certainly be subverted by a process running on the same machine with the same user rights (think: debugger). Which banks use Java components on their web pages? Not mine.

Quote:
Originally Posted by sundialsvcs
You have two languages which are usually enabled on a browser: JS, and Java. The two, despite the name-similarities that were chosen basically for marketing reasons, are entirely different in every way. Java does produce a bytecode executable, and it can sign the file. (Never mind the fact that it also stinks! ) To this day, I don't know why JS won the race.
My guess would be that it's because Java applets take a user-noticeable time to load, during which resentment builds up against the Java logo with the spinner. Whereas JavaScript loading time is mixed in with the loading time of the page, so the user doesn't associate JavaScript with slow loading times.
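As an added illustration of the same-origin rule quoted above (example code, not from any poster in this thread), this JavaScript reduces two URLs to the scheme/host/port tuple the policy compares and reports which component blocks access; the bank.example hostnames are made-up sample values.

```javascript
// Added example, not from the thread: decide whether two URLs share an origin
// under the same-origin policy (scheme + hostname + port), using the standard
// WHATWG URL class that Node.js and browsers both provide.

// Ports implied when a URL omits one. The URL parser also drops an explicit
// default port, so "https://h:443/" and "https://h/" both parse with port "".
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin tuple. Path, query and fragment are ignored,
// which is why a page's own scripts may read any other page on the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                               // e.g. "https:"
    host: u.hostname,                                 // parser lowercases it
    port: u.port || DEFAULT_PORTS[u.protocol] || "",  // normalise implicit port
  };
}

// List which origin components differ; an empty list means same origin.
function originMismatch(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return ["scheme", "host", "port"].filter((k) => oa[k] !== ob[k]);
}

// True when a script loaded from `a` may read the DOM of a document at `b`.
function sameOrigin(a, b) {
  return originMismatch(a, b).length === 0;
}

// Constructed sample pairs (bank.example is a made-up hostname).
const SAMPLE_PAIRS = [
  ["https://bank.example/login", "https://bank.example/account?id=7"], // same origin
  ["http://bank.example/", "https://bank.example/"],                   // scheme (and so port) differs
  ["https://bank.example/", "https://www.bank.example/"],              // subdomain is a different host
  ["https://bank.example/", "https://bank.example:8443/"],             // port differs
  ["https://bank.example:443/", "https://bank.example/"],              // explicit default port: same origin
];

for (const [a, b] of SAMPLE_PAIRS) {
  const diff = originMismatch(a, b);
  console.log(`${a} -> ${b}: ${diff.length ? "blocked (" + diff.join(", ") + ")" : "allowed"}`);
}
```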
 
Old 08-10-2017, 11:53 AM   #35
MadmanRB
LQ Newbie
For legacy purposes though I do hope Adobe considers opening Flash's source code to everyone.
They would have nothing to lose as Flash Player was not really a financial asset anyhow, but I know how they are greedy and unwilling to go open source as it's "mine mine mine!!!!!!" with them.
 
Old 08-10-2017, 12:08 PM   #36
273
LQ Addict
Quote:
Originally Posted by MadmanRB
For legacy purposes though I do hope Adobe considers opening Flash's source code to everyone.
They would have nothing to lose as Flash Player was not really a financial asset anyhow, but I know how they are greedy and unwilling to go open source as it's "mine mine mine!!!!!!" with them.
As much as I malign Flash and as much as I will be glad when people stop using it for anything important* I relent a little and, yes, I'd like things like Fantastic Contraption, Flatland (I think it was called) and other fun Flash games to survive.


*It occurs to me now that the above discussion of Flash vs Java (as a plugin) vs ECMAScript kind-of misses my point anyhow -- my beef with Flash was that the browser was never meant to do all those things "securely" and native applications are generally best even if they need some porting. And the porting should be, in the main, GUI only as the intelligence should compile on any platform. Heck, for secure internet "apps" how about PHP over HTTPS -- only the data is transferred and all objects are defined server-side? It seems to be how my bank, secure mail providers and the like do it.
 
Old 08-10-2017, 05:58 PM   #37
sundialsvcs
LQ Guru
Actually, projects like haXe (and OpenFL) basically did reimplement Flash and its compiler ... and more ... and did it better.