ECMAScript ("Javascript") Version 4 - FALSE ALARM

Christopher Browne cbbrowne-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Oct 30 16:14:29 UTC 2007 

On 10/30/07, Walter Dnes <waltdnes-SLHPyeZ9y/tg9hUCZPvPmw at public.gmane.org> wrote:
> > Sure, keep JS small in your hearts. But please, don't kid yourselves that
> > it has not reached the big-time, or that it and the open web standards it
> > works with to enable Ajax apps will survive the onslaught of proprietary
> > competitors, unless JS and other open standards evolve significantly.
>
>   Just to let you know where I stand in this battle, my position is
> neutrality... i.e. the Pox on both your houses.  Even in the case of
> the current ES3, I am unconfortable with the concept of Joe Random
> Webmaster (let alone Comrade Joe "Russian Business Network" Webmaster)
> being able to download code to, execute it on, my machine.  One reason I
> left Windows for linux (and why I run Firefox on my Windows machine at
> work) is to get away from from "Active-Hacks" downloading and
> auto-executing hostile code on my machine.
>
>   The concept of code from an even more powerful language (I don't care
> whether it's ES4, or Silverlight, or whatever) being downloaded to, and
> executed on, my machine has me very concerned.

In that case, you're fairly deeply misunderstanding the nature of the
security problem.

The security problem does NOT have much, if anything, to do with "how
powerful the language is."

Historically, consider that people have used stack-smashing attacks to
get machine code (which may be argued to be *less* powerful in the
relevant sense [1]) to run exploits.  Based on that, it may be clearly
seen that the "abstract power" of languages has ZERO to do with
whether or not they may be used to initiate security exploits.

That JavaScript may become "more powerful" than it is now is
essentially *irrelevant* from a security standpoint.

>2) do you believe the average person browsing the web is competent to
>run a javascript server and let anonymous, possibly malicious, websites
>run javascript on their machine?  Why isn't your answer "NO"?

With the widespread popularity of JavaScript-based application
frameworks, people *MUST* have support for it in their browsers in
order to be able to use the web-based services that they are CHOOSING
to use.

If you try telling people "You can't run the apps you want to run",
then you lose the argument on the basis of that very premise.

[1]  The "relevant sense" is that JavaScript provides additional
abstractions, notably in the form of fairly sophisticated data
structures, that make it easier to write more sophisticated programs.
-- 
http://linuxfinances.info/info/linuxdistributions.html
"...  memory leaks  are  quite acceptable  in  many applications  ..."
(Bjarne Stroustrup, The Design and Evolution of C++, page 220)
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists

More information about the Legacy mailing list