ECMAScript ("Javascript") Version 4 - FALSE ALARM

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Oct 30 15:04:55 UTC 2007


On Tue, Oct 30, 2007 at 03:18:26AM -0400, Ian Petersen wrote:
> The parts that I've snipped raise some very valid concerns regarding
> the security hole that is Javascript in the browser.  What I fail to
> see is how adding optional static typing and some syntactic sugar to a
> Turing-complete language makes this problem any bigger than it already
> is.  There are lots of reasons not to allow Javascript to run in your
> browser and you've done an excellent job of explaining them to all of
> us, but the implication that these language revisions will lead to
> more problems, bigger problems, or problems that are harder to solve
> seems to me to be nothing more than fear mongering.
> 
> Walter, I don't know your background, so sorry if you already know
> this, but once a language reaches Turing completeness, the only way to
> make it "more powerful" is to make it aesthetically better in some
> dimension.  Maybe you make it more expressive so the same algorithm
> takes less code.  Maybe you make the interpreter better so the same
> code runs faster.  Maybe you make the language easier to read so it
> takes less time to get back into the code a month after you first
> wrote it.  In the case of Javascript in the browser, the only change
> these three things imply is that something will be faster--if the
> code is more compact, it'll download faster; if the interpreter is
> better, your credit card numbers will be stolen more quickly; if the
> code is easier to read, then a computer forensics person will
> understand the exploit more quickly after his honey pot gets owned.
> Nothing new will happen, old stuff will just happen faster.
> 
> I guess what I'm trying to say is that the problem is merely
> different.  It's not bigger or smaller, it's different.  For the
> people that prefer to experience a script-enabled web, the new
> language will make it easier for script writers to provide a rich
> experience.  For the people who prefer to run NoScript, they can
> continue to run NoScript and still have the script-disabled web.  For
> the people, like me, that think Javascript is a nifty language with
> uses outside the browser, the new tools in the new language will make
> database migration tools and code generators and build scripts easier
> to write.

New language version implies new version of code in browser with new
features added and hence new places for bugs and security holes to be
created.  It may not be the new language causing security holes, but it
is the new language being added that causes them to have a chance to be
made in the first place.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists