Computer Security - Javascript: what it is and why you should be concerned
#1
What it is:

Javascript is a feature of browsers which is supposed to make possible all sorts of interesting features in a Web site. Unfortunately, few of these features are actually useful to the end user, and many are undesirable. It is what is called a client-side scripting language. Another such language is VBScript. Usually, Javascript is enabled in your browser, unless you explicitly turn it off.

What it's supposed to be good for:

Javascript is commonly used to implement flashy features of marginal utility such as mouseovers. Mouseovers are when you move your mouse over something on a Web page and something happens, such as maybe that something changes appearance, or maybe a little menu pops up. Javascript can be used to create highly interactive games on the Web. Javascript is also used to do client-side validation of input in forms. The idea is your own browser checks that everything you typed in on the form is valid before it sends it to the server. Javascript can be used to create guestbooks, calendars and the like. Finally, Javascript is used to create popups and popunders.

What's wrong with it:

For starters, Javascript is used to create popups and popunders. Advertisers love them, as a way of getting in your face. But computer users hate them, because they're annoying. Also some malicious Web sites use Javascript to fill your screen with hundreds of popups that you can't get rid of. Even worse, Javascript is full of security vulnerabilities. Using Javascript, a dishonest Web site can get your private information, such as <em>passwords</em> and <em>credit card</em> information, off your computer without your knowledge or consent. When a crook grabs your credit card info, it's as bad as if he had stolen your credit card. He can run up a huge bill and destroy your credit rating. Here's a list of some of the possible ways this can be done: http://search.cert.org/query.html?rq...qt=+javascript

And below are some quick links to reported vulnerabilities:

http://news.netcraft.com/archives/20..._warnings.html New Phishing Scam Prompts Warnings
http://www.cert.org/advisories/CA-1997-20.html CERT Advisory CA-1997-20 JavaScript Vulnerability
http://www.kb.cert.org/vuls/id/184820 Adobe Acrobat does not adequately validate Acrobat JavaScript
http://www.kb.cert.org/vuls/id/255915 WebBoard does not adequately validate user input thereby permitting arbitrary JavaScript execution
http://www.kb.cert.org/vuls/id/642239 Lotus Domino Server R5 vulnerable to Cross-Site Scripting via passing of user input directly to default error page

The list goes on and on, but you get the idea.

Javascript isn't the only way to create guestbooks, calendars and the like. These things can be done entirely on the server. Javascript is one of the best ways to put highly interactive games on the Web. Is that really worth it? Finally, Javascript really isn't the best way to do validation of user input. If a Web site expects the browser to validate the input, then a malicious user can create a program to feed invalid input to the site without using a browser. No browser, no Javascript, and so no validation. So you really need to do the validation in the Web server anyway. Some people say that doing validation on the client with Javascript will reduce net traffic. Sorry, I don't buy it. Every time you load a page with Javascript, you have to download that Javascript code over the net. This happens even if you have Javascript disabled in your browser. A lot of these scripts are huge. They make up most of what gets transmitted over the net.

In summary, everything Javascript can do can either be done better some other way, or is so trivial it's scarcely worth doing. And it's very dangerous (http://search.cert.org/query.html?rq...qt=+javascript). It's just not worth it.

What to do about it:

It's possible to configure your browser not to support Javascript. This sounds like it should solve everything. But there's a catch. There are a lot of sites out there that depend on Javascript to work properly. They're just put together that way. There are ways to put together these sites without needing Javascript, but the people who put these sites together didn't bother. Hotmail (http://www.hotmail.com/) is one offender. So what you need is a strategy to cope with Javascript. Here's what I suggest:

<ul>
<li>Disable Javascript in your main browser.
<li>Avoid using sites that require Javascript, as much as possible.
<li>Keep a second browser on your system that has Javascript enabled.
<li>Use the Javascript-enabled browser for those sites which require Javascript, and which you absolutely must use. Use it <em>only</em> for these sites.
<li>Try to set up your Javascript-enabled browser not to store its cookies on disk. Failing that, delete all cookies after every use of that browser.
<li><em>Raise a ruckus</em>. Complain about every site that requires Javascript. If they ask why, point them to this page. Remember, there is no good reason why any site has to be made to require Javascript.
<li>Spread the word.
</ul>

It's not just me:

http://www.panix.com/~aahz/javascript.html Anti-Javascript FAQ
http://linuxmafia.com/faq/Web/opti.html "This page optimized for ..." - arguing with customers

Final notes:

It's entirely possible to make a site that uses Javascript, but does not require it. Such a site will have some frilly extra features if you have Javascript enabled in your browser. But if you disable Javascript, the site will still be perfectly usable. I have no great objection to such sites. But sites that <em>require</em> you to have Javascript enabled in order to use them at all are inexcusable.

VBScript, the other client-side scripting language, also has serious problems (http://search.cert.org/query.html?rq...t&qt=+vbscript). It's less widespread than Javascript, which is good. But it's not a substitute for Javascript. It's just the same headache by a different name. And it requires Internet Explorer, which is the most insecure browser in common use.

http://techsupp.blcss.com/#nojavascript Home link

Southern New Hampshire residents: don't throw away that old broken computer. Call us first: 603-244-1652. If we can't fix it cheap, we'll take it off your hands.

Bottom Line Computer
#2
On Mon, 17 May 2004 09:05:40 -0500, Bottom Line Computer <> wrote:

<snip>

Yeah, Javascript is one of those features of the Internet; we would be much safer using command line interfaces and avoiding connecting to the Internet. But that's not the way things are anymore. It's now an integral part of web design.

--
Jim Watt
http://www.gibnet.com
#3
"Jim Watt" <_way> wrote in message news:...
> On Mon, 17 May 2004 09:05:40 -0500, Bottom Line Computer <> wrote:
>
> <snip>
>
> Yeah, Javascript is one of those features of the Internet;
> we would be much safer using command line interfaces
> and avoiding connecting to the Internet.
>
> But that's not the way things are anymore.
>
> It's now an integral part of web design.

Unlike Usenet... or was I the only one to notice the HTML touches in a plain text message? ;o)

--
Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily reflect the opinions of the highly-opinionated person expressing the opinion in the first place. So there!
#4
"Bottom Line Computer" <> wrote in message news:...
> Even worse, Javascript is full of security vulnerabilities.

This is the only statement in this shitty post that requires an answer. And that answer would be that the problem is not javascript but ****-poor implementations of a javascript engine which offer up full system access to the script in question.

Phil Da Lick!
#5
As a web developer since '95, I need to fix some of your incorrect statements.

>> Finally, Javascript really isn't the best way to do validation of user input. If a Web site expects the browser to validate the input, then a malicious user can create a program to feed invalid input to the site without using a browser. No browser, no Javascript, and so no validation. So you really need to do the validation in the Web server anyway.

No, you're wrong. I can easily tell whether you're trying to submit a valid page, or if you've manipulated it in some way. It is by far the best way for input, as it DOES reduce net traffic. I suppose an ill-equipped programmer could make a page that you could submit, but if written properly, you can't do it.

>> Some people say that doing validation on the client with Javascript will reduce net traffic. Sorry, I don't buy it. Every time you load a page with Javascript, you have to download that Javascript code over the net. This happens even if you have Javascript disabled in your browser. A lot of these scripts are huge. They make up most of what gets transmitted over the net.

Sorry, but validation scripts are NOT huge, and when you submit a page and an error comes back, the ENTIRE PAGE is redownloaded to the browser.

>> In summary, everything Javascript can do can either be done better some other way, or is so trivial it's scarcely worth doing.

Really? Write me an HTML page in which the user enters a series of hours for the week (such as in a timecard), and the total is automatically updated after the user changes focus to another control, without using client side scripting.

I do agree that it can be used maliciously, as in popups, so one must protect oneself against that, but to disable javascript is to make unusable many websites.

Larry Bud
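The validation dispute between the first post and the reply above, worked through as an added example that is not code from either poster: a client-side check on the weekly timecard form the reply describes, the same rules re-applied on the server, and a "direct" submission that never runs the browser script. The field names, sample values, the two stand-in servers and the two stand-in clients are all constructed for this demonstration; it runs under Node.js and nothing is sent over a network.

```javascript
// Added example, not code from the thread. Node.js only: the "browser" and
// "direct" clients and both servers below are constructed stand-ins, and
// nothing touches a network.

const DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];

// One rule set, shared by client and server so the two cannot drift apart.
function hoursError(name, raw) {
  if (!/^\d{1,2}(\.\d{1,2})?$/.test(raw)) return `${name}: not a number`;
  if (Number(raw) > 24) return `${name}: more than 24 hours in a day`;
  return null;
}

// Client-side validator, as a browser would run it on submit. Returns the
// messages to show the user; an empty list means "ok to send".
function validateTimecard(fields) {
  const errors = [];
  for (const day of DAYS) {
    const err = hoursError(day, fields[day] ?? "");
    if (err) errors.push(err);
  }
  return errors;
}

// Server-side validator. It never sees the form, only the raw request body,
// so it parses and re-checks everything itself, including fields the form
// never had.
function serverValidate(rawBody) {
  const params = new URLSearchParams(rawBody);
  const fields = {};
  for (const day of DAYS) fields[day] = params.get(day) ?? "";
  const errors = validateTimecard(fields);
  for (const key of params.keys()) {
    if (!DAYS.includes(key)) errors.push(`${key}: unexpected field`);
  }
  if (errors.length > 0) return { status: 400, errors };
  const total = DAYS.reduce((sum, d) => sum + Number(fields[d]), 0);
  return { status: 200, total };
}

// A server that trusts the browser to have validated (the reply's position).
function trustingServer(rawBody) {
  const params = new URLSearchParams(rawBody);
  const total = DAYS.reduce((sum, d) => sum + Number(params.get(d) ?? 0), 0);
  return { status: 200, total };
}

// A well-behaved browser: runs the script and refuses to send invalid input.
function submitViaBrowser(fields, server) {
  const errors = validateTimecard(fields);
  if (errors.length > 0) return { sent: false, errors };
  return { sent: true, response: server(new URLSearchParams(fields).toString()) };
}

// A scripted client (curl, a short program): no browser, no JavaScript, so
// no client-side validation. It sends whatever body it likes.
function submitDirect(rawBody, server) {
  return { sent: true, response: server(rawBody) };
}

// Constructed sample inputs.
const goodWeek = { mon: "8", tue: "8", wed: "8", thu: "8", fri: "8", sat: "0", sun: "0" };
const badWeek = { ...goodWeek, wed: "99" };
const forgedBody = "mon=8&tue=8&wed=99&thu=8&fri=8&sat=0&sun=0&admin=1";

console.log(submitViaBrowser(badWeek, serverValidate)); // never sent
console.log(submitDirect(forgedBody, trustingServer)); // accepted, total 131
console.log(submitDirect(forgedBody, serverValidate)); // 400 with two errors
```

Run it with `node`. The browser path refuses to send the bad week at all, which is the round trip the reply says client-side checking saves. The forged body skips that script entirely: the trusting server accepts a 99-hour day plus an `admin` field the form never offered, while the validating server rejects both. That is the first post's point: the client-side check is a convenience for honest users, and the server's own check is the only one a dishonest client cannot bypass.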
#6
Yep, blame the implementations. All of them. Not a true Scotsman in the bunch. But if all the implementations of Javascript are awful, then that's all the reason any rational person needs to avoid Javascript. Or you could try to come up with an implementation that doesn't have serious security problems. Presumably it can be done. So put your money where your mouth is and do it. And then figure out how to get everybody to use your implementation instead of all the others floating around. Good luck getting Microsoft to include yours in IE! And then you'll only have to worry about all those other objections to javascript: http://techsupp.blcss.com/#nojavascript

Phil Da Lick! wrote:
> "Bottom Line Computer" <> wrote in message news:...
>
>> Even worse, Javascript is full of security vulnerabilities.
>
> This is the only statement in this shitty post that requires an answer. And that answer would be that the problem is not javascript but ****-poor implementations of a javascript engine which offer up full system access to the script in question.

--
Spammers:
Check out my Java, SQL and Python samples at http://rowland.blcss.com/
For sale: Unique and energy efficient hobbit home in New Hampshire: http://www.angelfire.com/ego/rowland/mm.index.html

Rowland
#7
Larry Bud wrote:
> Sorry, but validation scripts are NOT huge, and when you submit a page and an error comes back, the ENTIRE PAGE is redownloaded to the browser.

The ones I've seen are huge. Ever have a look at what Hotmail sends down the pipe?

>>> In summary, everything Javascript can do can either be done better some other way, or is so trivial it's scarcely worth doing.
>
> Really? Write me an HTML page in which the user enters a series of hours for the week (such as in a timecard), and the total is automatically updated after the user changes focus to another control, without using client side scripting.

I would characterise that as scarcely worth doing. The 'after the user changed focus' part is what's not worth it. I really don't think a user will be all that put out if he has to hit Enter or click a button, and then we can just do it all on the server side. But if you really, really insist that the user interaction work exactly that way without Javascript, then you can use a client side Java applet. I'm not saying I like Java applets. I'm just saying that's an option.

--
Spammers:
Check out my Java, SQL and Python samples at http://rowland.blcss.com/
For sale: Unique and energy efficient hobbit home in New Hampshire: http://www.angelfire.com/ego/rowland/mm.index.html

Rowland
#8
"Rowland" <> wrote in message news:...
> Yep, blame the implementations. All of them.

I'd blame any implementation that offers up full root access to any old script that comes in. That doesn't mean I would blame the language itself, only ****-poor implementations.

> the bunch. But if all the implementations of Javascript are awful, then
> that's all the reason any rational person needs to avoid Javascript.

Why, that's a mighty big IF there.

> Or you could try to come up with an implementation that doesn't have
> serious security problems. Presumably it can be done. So put your
> money where your mouth is and do it. And then figure out how to get
> everybody to use your implementation instead of all the others floating
> around. Good luck getting Microsoft to include yours in IE! And then

Even after repeated warnings MS refuse to run their scripting engine in a proper security context that doesn't offer up full access to the system. That's their implementation. A shitty one too. That is not the only implementation that exists.

Phil Da Lick!
#9
Phil Da Lick! wrote:
> "Rowland" <> wrote in message news:...
>
>> Yep, blame the implementations. All of them.
>
> I'd blame any implementation that offers up full root access to any old script that comes in. That doesn't mean I would blame the language itself, only ****-poor implementations.

Okay, Phil. Let's get specific. Name a Javascript implementation that isn't **** poor. If it checks out, I'll modify my editorial to reflect this information.

--
Spammers:
Don't throw out that broken computer yet! Call 603-244-1652
Check out my Java, SQL and Python samples at http://rowland.blcss.com/
For sale: Unique and energy efficient hobbit home in New Hampshire: http://www.angelfire.com/ego/rowland/mm.index.html

Rowland
#10
>> Yep, blame the implementations. All of them.
>
> I'd blame any implementation that offers up full root access to any old script that comes in. That doesn't mean I would blame the language itself, only ****-poor implementations.

Is it Javascript itself, or just a ****-poor implementation, that permits the code from the server to open another browser window on my screen? Is it Javascript itself, or just a ****-poor implementation, that permits the code to open two windows when I close one? This is a significant security hole. (There are reports of this being exploited.) From my limited understanding of Javascript, it's the language itself that permits this. And it's an excellent reason for leaving it turned off all the time.

> Even after repeated warnings MS refuse to run their scripting engine in a proper security context that doesn't offer up full access to the system. That's their implementation. A shitty one too. That is not the only implementation that exists.

I think there is a significant problem of MS refusing to see a security problem which they'd rather call a "convenient feature". I suspect this is also an issue with the designers of Javascript.

Gordon L. Burditt