LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices


Reply
  Search this Thread
Old 07-27-2017, 05:51 PM   #16
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Arch
Posts: 3,163

Rep: Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370

Quote:
Originally Posted by sundialsvcs View Post
The root-cause vulnerability is that the client's computer is effectively "the compiler."

By definition, "the client is Untrustworthy." And yet, we send the client source(!) code, and expect the client to translate this source-code into "client-computer behavior" exactly as our test-machines did in our sanitized, safe, test-labs.
I don't know what threat model you're using, but this claim just seems like a strange non-sequitur. The client executes the source code, and the client obviously trusts itself...
 
Old 07-27-2017, 06:00 PM   #17
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: Slackware
Posts: 7,509

Original Poster
Rep: Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867
I'll put Sundialsvcs aside for now:

Quote:
Where will that leave people who've paid for ebooks that are accessed on-line? Some of the readers won't work without a flash plug-in in the browser.
Those people won't notice, because they're only interested in reading the books on their tablets.

Last edited by dugan; 07-27-2017 at 06:36 PM.
 
Old 07-28-2017, 12:50 AM   #18
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,766

Rep: Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933
Quote:
Originally Posted by dugan View Post
I'll put Sundialsvcs aside for now:



Those people won't notice, because they're only interested in reading the books on their tablets.
That, and if the producers of the e-books are still around then they will have the option of using the DRM module mentioned above though they may have some coding to do to display their books. Again though, that's their fault for relying upon a technology designed to make funny animations and games for something else.
 
Old 07-28-2017, 12:51 AM   #19
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,766

Rep: Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933
Quote:
Originally Posted by ntubski View Post
I don't know what threat model you're using, but this claim just seems like a strange non-sequitur. The client executes the source code, and the client obviously trusts itself...
Indeed and, nowadays, the move seems to be for the client to have the ability to execute in a sandbox to prevent other applications interfering and vice-versa.
 
Old 07-28-2017, 08:51 AM   #20
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,450
Blog Entries: 4

Rep: Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915
Quote:
Originally Posted by ntubski View Post
I don't know what threat model you're using, but this claim just seems like a strange non-sequitur. The client executes the source code, and the client obviously trusts itself...
It isn't meant as a non-sequitir, but as a statement of a basic ruling assumption: that the client environment should be presumed to be compromised at all times. And, the problem with JavaScript is that you can inject a "compromise" into the environment ... dynamically ... which can fundamentally alter the behavior of the code that you have so-carefully tested.

It is impossible(!) to certify that JavaScript code will, on the client's machine, actually do what the author intended and nothing more.

Whereas, you can do that with Flash and with Silverlight. You can furnish object-code to the client, digitally signed, and this object code's behavior will not be vulnerable to tampering or functional alteration by anything unknown-to-you in the client's environment.

But if "HTML5+JS" becomes the norm, and the Flash plug-in is discredited and finally driven off the field, Google Corporation through its unknown-to-you modified Chrome browser will be able to surreptitiously collect ... and sell ... even more information about you than they already do.

Last edited by sundialsvcs; 07-28-2017 at 08:52 AM.
 
Old 07-28-2017, 09:08 AM   #21
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Arch
Posts: 3,163

Rep: Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370
Quote:
Originally Posted by sundialsvcs View Post
Whereas, you can do that with Flash and with Silverlight. You can furnish object-code to the client, digitally signed, and this object code's behavior will not be vulnerable to tampering or functional alteration by anything unknown-to-you in the client's environment.
And whom do you trust to verify this digital signature? The client?
 
Old 07-28-2017, 11:15 AM   #22
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: Slackware
Posts: 7,509

Original Poster
Rep: Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867
Quote:
Originally Posted by sundialsvcs View Post
And, the problem with JavaScript is that you can inject a "compromise" into the environment ... dynamically ... which can fundamentally alter the behavior of the code that you have so-carefully tested.

It is impossible(!) to certify that JavaScript code will, on the client's machine, actually do what the author intended and nothing more.
Can you give us an example of a case where that would be a problem? And in that case, who is it a problem for?

And let's not get too ahead of ourselves, but: how universal is that case?

In a typical client-server architecture, the server is specifically designed to not care what the client does with its responses.

Last edited by dugan; 07-28-2017 at 04:07 PM.
 
Old 07-28-2017, 12:22 PM   #23
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,766

Rep: Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933
Quote:
Originally Posted by dugan View Post
Can you give us an example of a case where that would be a problem? And in that case, who is it a problem for?

And let's not get too ahead of ourselves, but: how universal is that case?

In a typical client-server architecture, the server is specifically designed to not care what the client does with its responses.
This being my thought process. If I'm the one using the client device and I don't trust my device not to inject code or spy then I can't use that device no matter how trutworthy the application is.
 
Old 07-28-2017, 12:29 PM   #24
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: Slackware
Posts: 7,509

Original Poster
Rep: Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867Reputation: 2867
Quote:
Originally Posted by 273 View Post
This being my thought process. If I'm the one using the client device and I don't trust my device not to inject code or spy then I can't use that device no matter how trutworthy the application is.
Unless it's code that I want to inject.

I think I mentioned that that's how ad blockers work?
 
Old 07-28-2017, 12:38 PM   #25
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,766

Rep: Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933
Quote:
Originally Posted by dugan View Post
Unless it's code that I want to inject.

I think I mentioned that that's how ad blockers work?
sorry, yes, I was being simplistic. Perhaps I should have typed "... not to inject code I do not approve of...". Apologies, my excus is I am on my Android device without a full-sized keyboard and mouse device.
 
Old 08-06-2017, 09:25 PM   #26
IFTTT
LQ Newbie
 
Registered: Aug 2017
Posts: 8

Rep: Reputation: Disabled
Flash EOL date announced

Adobe says that now, but things can change within those next three years. I'll believe it when I see it.

Last edited by IFTTT; 08-06-2017 at 09:28 PM.
 
Old 08-07-2017, 12:44 AM   #27
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 6,766

Rep: Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933Reputation: 1933
Do Adobe still sell any products relating to Flash? I tried to check their website for products but their website it, predictably, not working properly in my browser...
If they do sell products related to Flash then the sign that they're serious will be when they stop selling them.
 
Old 08-07-2017, 08:35 AM   #28
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,450
Blog Entries: 4

Rep: Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915
Quote:
Originally Posted by dugan View Post
I think I mentioned that that's how ad blockers work?
I think that e-v-e-r-y-t-h-i-n-g will "suddenly change" when a few legal cases are finally handed down. You cannot "secure" a JavaScript program, because you can fundamentally alter every aspect of its behavior, without altering it(!), by hooking into its prototype-based class structure.

There will be an enormous demand for an open source, compiled system which can produce encrypted, digitally-signed executables, which will be the only thing that the operating system will permit to run. (Apple's OS/X, nee MacOS, already has this capability turned-on by default.) The "loosey-goosey" days of the Internet will be forever gone.

Be advised: it is easy to foresee this turn of events, and to see that it is not a long time in coming! It will affect your fairly-immediate future (career). (And, if you are not a native-born citizen of the country in which you are now working, possibly-ugly side effects could occur which affect you further. History has some pretty-grim stories to tell.)
 
Old 08-07-2017, 03:23 PM   #29
ntubski
Senior Member
 
Registered: Nov 2005
Distribution: Arch
Posts: 3,163

Rep: Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370Reputation: 1370
Quote:
Originally Posted by sundialsvcs View Post
You cannot "secure" a JavaScript program, because you can fundamentally alter every aspect of its behavior, without altering it(!), by hooking into its prototype-based class structure.
You've asserted this multiple times, but never explained how the fact that I can alter a program which I run can possibly compromise "security". Therefore, I have to say this is total BS.
 
Old 08-07-2017, 08:47 PM   #30
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,450
Blog Entries: 4

Rep: Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915Reputation: 2915
Quote:
Originally Posted by ntubski View Post
You've asserted this multiple times, but never explained how the fact that I can alter a program which I run can possibly compromise "security". Therefore, I have to say this is total BS.
Didn't someone already point out that "this is how ad-blockers work?" The entire behavior of JavaScript is based on a prototype-based system of inheritance which in fact completely defines how every object within the system actually behaves. By altering these data structures, you can alter the behavior of any object and/or introduce new behaviors which the existing programming knows not of – and, cannot prevent.

JavaScript's power derives from the fact that it is a totally dynamic language, with run-time binding of everything. However, this means that there is no (true) compile-time, and no compile-time binding. I really don't feel the need to fully develop the case that it has significant architectural vulnerabilities – and is understood to be so – because so much discussion has been written about it already. Please "trust, but verify" me, however, that what I am saying is certainly not "total BS."

JavaScript would not be the language that it is, however, if it did not have these characteristics. Everything has its price.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Flash on Mint 18 not compatible with new medical web sites. Google Chrome or Mozilla not able to up date flash. Unable to register website travlstr Linux Mint 5 02-06-2017 08:06 PM
LXer: Total War: WARHAMMER release date announced for Linux, Tuesday 22nd of November LXer Syndicated Linux News 0 11-15-2016 09:20 AM
LXer: Tropico 5 Linux Release Date Announced, It's Very Close LXer Syndicated Linux News 0 09-04-2014 08:34 PM
LXer: Linux Mint 17 to Be Called “Qiana,” Release Date Announced LXer Syndicated Linux News 0 03-21-2014 11:00 AM
LXer: Ontario Linux Fest 2008 date announced LXer Syndicated Linux News 0 04-09-2008 08:20 PM

LinuxQuestions.org > Forums > Non-*NIX Forums > General

All times are GMT -5. The time now is 06:10 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration