Security Corner

Nov 9 2009   1:27AM GMT

Javascript Must Die!

Ken Harthun

At least that’s what Mr. John Graham-Cumming says on his blog, and what he told attendees at Virus Bulletin 2009 in his presentation called “JavaScript Security: The Elephant running in your browser”:

My thesis is that the security situation with JavaScript is so poor that the only solution is to kill it. End users have very little in the way of protection against malicious JavaScript, major web sites suffer from XSS and CSRF flaws, the language itself allows appalling security holes, and as data moves to the cloud the 14-year-old JavaScript security sandbox becomes more and more irrelevant.

I’ve been recommending that everyone use NoScript with Firefox for quite some time. Here’s my article from more than a year ago: Software for Secure Computing: Firefox & NoScript. Recent security updates to Firefox tend to reinforce this view, since most of the workarounds for security flaws recommend disabling JavaScript.

What do you think? Should JavaScript be killed? Would this break 99% of the web sites out there?

Maybe it’s time for a new technology.

2  Comments on this Post

  • Michael Morisy
    I tried NoScript out again recently when helping a user troubleshoot some issues. The usability problems it presents when browsing modern web apps just killed it for me: sure, I'd build a white list up over time, but things would break and, unless I was familiar with the site, I'd never know they were broken. Are the security threats serious enough that this is necessary? Aren't there less extreme alternatives out there at this point?
  • Arian Eigen Heald
    Michael, in my opinion the only other solutions to the problem are to run a browser sandboxed, in a virtual machine, or on a live CD. Our current browser model is so fundamentally broken that it's almost beyond repair. Your experience mirrors that of many others who have tried NoScript and that just points out how pervasive scripting has become. We are all at risk every time we connect to the Web.