Re: JS and security.

• From: osfwofujro <jwo@xxxxxxxxxx>
• Date: Thu, 01 Sep 2005 17:38:08 GMT

Jim Davis wrote:

"osfwofujro" <jwo@xxxxxxxxxx> wrote in message news:6_DRe.2718$x4.286@xxxxxxxxxxxxxxxxxxxxxxx

According to a financial website I tried to access without JavaScript: "the site uses JS for security reasons."

How would using JS improve security?

There might be several ways... but none particularly good.

Firs off for any of this to mean anything the sitew would have to only function with JavaScript enabled. Second for any of them to function it would have to operate on "soft" security - those little interface things that prod the user in a certiain direction but don't actually address any real "hard" security problems.

But still there are several things in that arena that might be done:

+) Many sites open their financial applications in secondary windows (usually chromeless). This has the benefit that once that window is closed the main browser window will not contain the history of the child window. (Of course you can open a new window without JavaScript, but we all know that JavaScript makes working with child windows a lot smoother.)

+) Using JavaScript/DHTML the site might, either automatically when it senses no activity or on user request, mask out (make invisilble or cover with an opaque element) the screen or mask out form field or other potentially sensitive information. Automatic systems might require the password to unmask the information although this isn't actual security of course it does prevent casual observers.

+) Using AJAX-style data aquisition into JavaScript variables means that your personal information isn't cached in the browser or the source code. So even, say, if somebody were to disable JavaScript and view your source code they couldn't actually see your data (which is abstracted into variables). Again this isn't real security but it prevents a more sophisticated class of potential thief. It also, of course means, that none of the information can be viewed with JavaScript enabled.

+) JavaScript is very useful at nudging the user in the right direction. Active reminders to close a browser window when leaving an application (using the onunload()) to prevent history mining) are often effective.

+) There is some thought that using onscreen keyboards (keyboards written in JavaScript or Flash or the like) will improve security. The idea (which has at least some merit) is that this will prevent keystroke sniffers from obtaining your password.

There are others but it should be clear that any option that would truly address softsecurity issues will also almost definitely affect accessibility for a site. Also none of them can address phishing campaings and the like (which can just use the same features to make their phony sites look that much more accurate).

There's no sense (although I'm willing to be conviced) in attempting to address hard security issues via JavaScript. Things like data encryption, key management, credential management, etc should all be centralized and rigidly controlled.

Also while, in theory, everything that can be done should be done (and there's legislation being written to enforce this idea in many countries) all of these solutions address the client-side completely. While this isn't a bad thing the vast (vast) majority of data compromise has occured on the corporate side. No matter how successful phishing and keystroke logging may be they pale in comparison to the loss of millions of records at a time through corporate security gaffs.

Still - if you know (and can accept) the limitations there are definately things to do with script which can _improve_ (aspects of) security. But script itself can't _provide_ real security in any way.

Jim Davis

Thanks - this was really useful and I learned a lot from it.
.

• References:
  • JS and security.
    • From: osfwofujro
  • Re: JS and security.
    • From: Jim Davis

• Prev by Date: Re: Test for Security Settings
• Next by Date: Re: JS and security.
• Previous by thread: Re: JS and security.
• Next by thread: Re: JS and security.
• Index(es):
  • Date
  • Thread

Relevant Pages Re: JS and security. ... > According to a financial website I tried to access without JavaScript: ... > How would using JS improve security? ... the main browser window will not contain the history of the child window. ... (comp.lang.javascript) Re: Javascript disabled in my browser? ... I have already enabled Active Scripting ... > Click "OK" to close the Security window. ... > JavaScript is now enabled for our web site. ... (microsoft.public.windows.inetexplorer.ie6.browser) [Full-disclosure] The state of JavaScript Hacking ... this than the security mailing lists. ... importance of JavaScript and other under appreciate web technologies ... As you might already know JavaScript is becoming more and more popular ... If you have less overhead with developing desktop and web applications ... (Full-Disclosure) Re: Javascript disabled in my browser? ... Type.com under "Add this Web site to the zone:". ... Click "OK" to close the Security window. ... JavaScript is now enabled for our web site. ... (microsoft.public.windows.inetexplorer.ie6.browser) Re: New IE security hole ... > Javascript for a month or two," both because it would break needed ... Security researchers in favor of full and immediate ... > Microsoft always takes at least 45 days to test and release a patch. ... saying Microsoft needs 45 days to fix this is a load of cow "flap". ... (microsoft.public.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint