Home > IT Blogs > Security Corner > Javascript Must Die!
>>VIEW ALL POSTS  

Security Corner

«
»
Nov 9 2009   1:27AM GMT

Javascript Must Die!



Posted by: Ken Harthun
Exploits, insecure, javascript, Opinion, Security, Vulnerabilities

At least that’s what Mr. John Graham-Cumming says on his blog–and what he told attendees at Virus Bulletin 2009 in his presentation called, “JavaScript Security: The Elephant running in your browser:”

My thesis is that the security situation with JavaScript is so poor that the only solution is to kill it. End users have very little in the way of protection against malicious JavaScript, major web sites suffer from XSS and CSRF flaws, the language itself allows appalling security holes, and as data moves to the cloud the 14 year old JavaScript security sandbox becomes more and more irrelevant.

I’ve been recommending that everyone use NoScript with Firefox for quite some time. Here’s my article from more than a year ago: Software for Secure Computing: Firefox & NoScript. Recent security updates to Firefox tend to reinforce this view since most of the workarounds for security flaws recommend disabling Javascript.

What do you think? Should Javascript be killed? Would this break 99% of the web sites out there?

Maybe it’s time for a new technology.

  Bookmark and Share     Comment     RSS Feed     Email a friend

Comment on this Post

Leave a comment:

Michael Morisy  |   Nov 9, 2009  4:48 PM (GMT)

I tried NoScript out again recently when helping a user troubleshoot some issues. The usability problems it presents when browsing a modern web apps just killed it for me: Sure, I’d build a white list up over time, but things would break and, unless I was familiar with the site, I’d never know they were broken.

Are the security threats serious enough that this is necessary? Aren’t there less extreme alternatives out there at this point?


 

Ken Harthun  |   Nov 9, 2009  11:36 PM (GMT)

Michael, in my opinion the only other solutions to the problem are to run a browser sandboxed, in a virtual machine, or on a live CD. Our current browser model is so fundamentally broken that it’s almost beyond repair. Your experience mirrors that of many others who have tried NoScript and that just points out how pervasive scripting has become. We are all at risk every time we connect to the Web.