New attack steals SSNs, e-mail addresses, and more from HTTPS pages


#1

Please stop or minimize usage of Javascript on sites that you build.

I use the NoScript addon to block javascript on most sites. I enable javascript only on a few sites that I trust, and on some sites that won’t work without javascript and that I really need to access.

For a good analysis of the dangers posed by javascript, see Mike Gerwitz’s libreplanet talk, Restore Online Freedom.


#2

Wow, very interesting read, thanks for sharing this! I hope they find a fix for this soon!

Having followed tweets related to this, and the related presentations here and here, the problem seems to be within the security implementation of the underlying protocol itself (HTTP and TLS, especially HTTP/2), and also within browsers. For example, Firefox does not have a ‘security sandbox’ for web content, so it’s more vulnerable to XSS attacks and stuff (read this - https://support.mozilla.org/en-US/questions/1111998). A few counter-measures also suggest randomizing/not revealing the TCP congestion window size within requests; so it seems to me that JavaScript is not the real enemy here.

Also apparently even CSS can be used as a security exploit, and looks like only Firefox (again) allows it! Check this out - https://gist.github.com/cure53/1501bcb6aa6608b2af38fcafd68af219

Having said that, why would you want to ruin your browsing experience by completely stopping JavaScript? More than 90% of websites use JS, so making all of them non-functional just on the off-chance that you may run into maybe less than 2% of malicious websites seems so painful. It’s like choosing not to drive on roads on the off-chance that you might die in an accident.

I think you’ll find this plugin more useful than the NoScript plugin - https://www.mywot.com/. It shows a trust factor/rating next to links before you even click on them. Plus you can use their APIs in your own web app to protect your users too. A very good alternative, in my opinion.

:smile:


#3

Sure, the underlying problem is with HTTPS. But, javascript lowers the bar on the exploit by no longer requiring the attacker to be in a man-in-the-middle position.

90% and 2% – how did you arrive at those numbers? Please cite. Else, please refrain from cooking up data. :stuck_out_tongue:

About the problems of javascript

Not sure if you missed Mike Gerwitz’s talk, but I’ll highlight a few salient points here. Javascript is (often) proprietary software that is automatically downloaded by your browser and run without your permission. Proprietary javascript is just as problematic as any other proprietary software. Read Richard Stallman’s The Javascript Trap.

Javascript, the way it is implemented in today’s browsers, is ephemeral. It does not “stay installed” in your computer like other software. You cannot choose to upgrade or not upgrade it like other software. So, even if javascript were licensed under a free license, it is quite unlike other free software and poses practical problems to free software.

In his talk, Mike Gerwitz does a good analysis of these problems. Do watch it when free.

From mywot’s own about page,

The community-powered approach enables WOT to protect you against threats that only the human eye can spot such as scams, unreliable web stores and questionable content. It complements traditional security solutions that protect computers against technical threats such as viruses and other harmful software.

mywot is about human detectable threats. It is meant only to complement traditional security solutions, not replace them. So, mywot is not in the same domain as noscript, and is hardly a replacement for it.

Besides, I don’t feel too comfy about building my entire security model against the APIs of one company.

User experience

I’ve seen many websites that, due to incompetence or malice, don’t load even static content such as images or sometimes even text without javascript. If anything, this is a user experience spoiler. I don’t understand why some people are in love with javascript. True, there is great technology that javascript enables, but using it to load even text is taking it too far. Moderation and using javascript where it is really required is the key.

Noted. There are vulnerabilities in other non-javascript software too. This doesn’t change any of my points about the problems of javascript, though.


#4

My bad. Wasn’t trying to cook up data, but I did misinterpret a piece of information from here, which mentioned something about approximately 12% of JS libraries having a vulnerability. I take back the statement made earlier. Apologies.

Of course, I never implied building the entire security model just using their APIs alone, no competent developer would do so. That would be foolish.

Absolutely true, but when I mentioned user experience I was talking in a different context - not in terms of using JavaScript for such redundant stuff like loading text, but for plenty of other things that websites on the internet use it for. Functionality-wise - like app state, server requests, page performance and user interaction; plus non-functionality related stuff like animations / effects and likewise.

And that’s the reason I still maintain that blocking JS altogether on most of the sites that a person visits seems more like a temporary fix than addressing the real issue. My take on this, anyway.


I appreciate the effort taken to reply, and thanks for the links :thumbsup: Was a good read.