[kwlug-disc] DuckDuckGo.com -- an alternate search engine

Chris Frey cdfrey at foursquare.net
Wed Jul 28 03:54:05 EDT 2010


On Tue, Jul 27, 2010 at 09:15:57PM -0400, Ralph Janke wrote:
> Well, it still does not explain why networking is ok, but Javascript is not. 
> Javascript is not the only security issue exposed in networking.
> 
> Hence: Javascript in and of itself should not be bad! :)

Not necessarily bad, just more risky.

To me, there is a world of difference between TCP/IP and Javascript.
The one is data interpreted by known code.  The other is unknown code
interpreting unknown data.

By "unknown" I mean that the data and the code is not something I've
vetted before it hits my browser.

Secure code treats data as an untrusted payload.  Something to be parsed
and analyzed, where sizes and lengths are double checked at all times,
etc.  The data might indicate some action to be taken, but it is the code
that is already on my system, installed by known means, that does the
work.

Javascript pushes that a little too far for my liking.  Yes, it is data,
but it is data in the form of Turing complete code.  It is one thing to
double check that the TCP header size field is correct.  It's a whole
lot more complicated to check that every permutation of legal Javascript
code is safe.

I'm not saying it's impossible, just that the level of difficulty is
orders of magnitude higher, and therefore so is the risk.

It's not just Javascript.  Whenever programmable content is added to pure
data, there's more risk: VB script in Word documents, ActiveX controls,
Flash games, rm commands in man pages, embedded SQL in application code,
scripts in PDF files (Adobe has had its share of headaches with this), etc.

- Chris
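Chris's "double check that the TCP header size field is correct", as an added example that is not code from the original post: a Python parser that treats the header's data offset and every option length as untrusted input and rejects the segment whenever they disagree with the bytes actually present. The sample segments and all names are constructed here, not taken from the thread.

```python
import struct

def _fixed_header(data_offset: int) -> bytes:
    # Constructed sample (not captured traffic): ports 443 -> 51000, flags 0x018 = PSH|ACK.
    return struct.pack("!HHIIHHHH", 443, 51000, 1, 2, (data_offset << 12) | 0x018, 65535, 0, 0)

GOOD_SEGMENT = _fixed_header(6) + b"\x02\x04\x05\xb4" + b"hello"  # MSS option (1460) + payload
BAD_SHORT_OFFSET = _fixed_header(3)                      # claims a 12-byte header
BAD_LONG_OFFSET = _fixed_header(15)                      # claims 60 bytes, only 20 present
BAD_OPTION_LEN = _fixed_header(6) + b"\x02\x05\x05\xb4"  # option claims 5 bytes, 4 exist

def parse_tcp_options(raw: bytes) -> list:
    """Walk the options area, checking each option length against the bytes present."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option kind {kind} truncated before its length byte")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option kind {kind} has length {length}, which does not fit")
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options

def parse_tcp_header(segment: bytes) -> dict:
    """Parse a TCP header without trusting its own size claims; ValueError on any mismatch."""
    if len(segment) < 20:
        raise ValueError(f"{len(segment)} bytes is shorter than the fixed 20-byte header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12           # header length in 32-bit words (4-bit field, max 15)
    hdr_len = data_offset * 4
    if data_offset < 5:
        raise ValueError(f"data offset {data_offset} would place options inside the fixed fields")
    if hdr_len > len(segment):
        raise ValueError(f"data offset claims {hdr_len} header bytes, only {len(segment)} arrived")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "window": window, "options": parse_tcp_options(segment[20:hdr_len]), "payload": segment[hdr_len:]}

def is_well_formed(segment: bytes) -> bool:
    try:
        parse_tcp_header(segment)
        return True
    except ValueError:
        return False
```

The three bad segments are each rejected by a single bounds check; the point of the contrast in the post is that no such finite set of checks exists for arbitrary script.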
