While Mozilla is addressing plug-in vendors and out of date plug-ins, is Javascript security being adequately addressed?
Hi,
I have been observing the ongoing struggle for the past while about web security and how to keep malware off user systems and to enhance user privacy. After seeing Mozilla implement 'Click to play' (which is still in its infancy, but needs a lot of changes including potentially being able to set your own plugin update check server for enterprise environments) I have concerns about this 'Plugins are dangerous' perspective:
While out-dated plugins are indeed often a security threat, there is no denying this, I believe there is far too much focus on plugin security and not enough 'get back to basics' security — that being within the Firefox suite itself. Consider: With "Apps" becoming increasingly prevalent with Javascript becoming more and more powerful to permit these apps to operate much like their desktop counterparts, what is Mozilla doing to improve and refine control over the Javascript engine?
With most browsers, javascript engines have access to various system variables that can be transmitted via callbacks, lists of fonts installed, OS in use, and so forth. A user can't effectively disable or remove these variables from the javascript environment without running an advanced setup. A data miner can easily bypass the user's preference on cookie opt-out and still use these variables to create a personally identifying ID of a user. For all you know some javascript callback could be transmitting information about your mouse movements, how you scroll the page and so forth silently without knowing.
The often touted solution to these kinds of scenarios is "Disable javascript". That is often a non-solution considering most websites require some form of it these days. It's a suggestion akin to, on a computer operating system, "Disable all C-compiled programs" to solve malware problems. It does the job but renders the system unusable. The actual solution is to crack open the black-box javascript engine (Yes, you can see the source code of the JS engine, but it's not effectively touchable while in execution) to provide more accountability and to block aspects of javascript on sites at will.
Many web developers will protest this "I want to control my users' experience to provide them what I want them to see", but ultimately it needs to be done in the name of security and bringing control back to where it should belong: the user.
Modified by KXeron
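The cookie-less identification described in the opening post, as an added example that is not part of the original thread: it shows why clearing cookies does not change an identifier derived from script-readable attributes, and how reporting uniform values removes it. The visitor records, the attribute names, the function names and the FNV-1a hash are all assumptions made for illustration.

```javascript
// Constructed sample data: values a page script can read without any cookie.
const visitA = {
  cookie: "sid=111",
  platform: "Linux x86_64",
  screen: "1920x1080x24",
  timezoneOffset: -60,
  fonts: ["Ubuntu", "DejaVu Sans", "Liberation Mono"],
};
// Same machine after the user cleared cookies: only the cookie differs.
const visitA2 = { ...visitA, cookie: "" };
// A different (constructed) visitor.
const visitB = {
  cookie: "sid=222",
  platform: "Win32",
  screen: "1366x768x24",
  timezoneOffset: 300,
  fonts: ["Arial", "Calibri", "Segoe UI"],
};

// FNV-1a 32-bit hash, used here only as a small dependency-free stand-in.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Identifier built from environment attributes only; the cookie is ignored,
// so the user's cookie preference has no effect on the result.
function environmentId(env) {
  const fonts = [...env.fonts].sort().join(",");
  return fnv1a([env.platform, env.screen, env.timezoneOffset, fonts].join("|"));
}

// Mitigation sketch: the browser reports the same generic values to every site,
// so the attributes no longer distinguish one user from another.
function normalizeEnvironment(env) {
  return {
    ...env,
    platform: "generic",
    screen: "1000x1000x24",
    timezoneOffset: 0,
    fonts: ["serif", "sans-serif", "monospace"],
  };
}
```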
All Replies (5)
Hello,
We are not completely blocking plug-ins. Introducing Click to Play to our users is a good thing as you mentioned for security. Mozilla has many departments and has different people focusing on their products running on different platforms. The user is in control of plug-ins and so we allow them the opportunity to click to play or update them so they are aware that they may be at risk. Javascript at times may cause issues so we ask users to disable it, but sometimes we ask users to ENABLE it because it may help them with their issue instead. The user is still in control; letting our users be vulnerable is not what we want, as Mozilla strives for privacy and security.
Thank you
Thank you for your reply,
I know that plugins aren't being outright disabled and that people need to be encouraged to keep up to date, it's just that there's a lopsided amount of focus on them as a security vector from Mozilla.
I must point out however, that javascript security at the moment seems to consist of an on-off switch on almost every browser in existence: there is no obvious way to set "I don't want that site to know where my mouse is for my privacy", "I don't want that site to dynamically load content because it slows my browser" or the sort.
While there is CAPS ( http://www.mozilla.org/projects/security/components/ConfigPolicy.html ) it is not configurable from within the browser (and its existence at all is obfuscated) and considering a lot of javascript is obfuscated to discourage run-time modification (say using web development toolbars) or discourage CAPS usage, there's little way to know what exactly to use CAPS on without reverse engineering. The average user would not be able to do this.
Javascript security needs to be more, much more than an on/off switch.
Modified by KXeron
There hasn't been anything in the public about Javascript and so there might not be much that can be done about it. This is not the right place for discussion. A more appropriate place would be Mozillazine.
Unfortunately you just missed this opportunity
See
- http://www.mozilla.org/about/forums/
- possibly your question would be on topic in https://lists.mozilla.org/listinfo/dev-security-policy
Or if you just want a general chat and background information then as already suggested maybe try one of the mozillazine fora.
To avoid confusion: