Will sandboxing ever be improved enough? It's been 18 years already.

I've some hope though: I really liked eating lots of chocolate for many
years, but I discovered I'm intolerant of an ingredient in it and it was
causing me pain, so I soon rejected it.

People really like eating lots of javascript, but once they discover
that it's a huge attack vector for security problems and causes them
pain, they may be a bit more discerning. Hopefully, they will start to
reject the incompetent web developers and/or site owners who slam the
door in users' faces if they don't have javascript enabled
indiscriminately even when they're not doing anything that requires it.

Yes, javascript will be needed for some tasks, but it's currently
demanded (and permitted) far too widely. That should change and I
believe the universe will reward our honesty if we advise people to only
permit javascript when you trust the website.

What do we gain by hiding this inconvenient security *and freedom*
problem from our friends? Won't they think we're just like all the
others who would rather make it easier for people to develop whiz-bang
apps than help our friends take control of their computers?

Regards,

I'd rather promote free software web applications than take a position
against all web applications.

Which uses JS to switch languages and track the user; why?


Shalom-Salam,

Werner

I think most of that is thanks to javascript authors who just include
external libraries from many other domains without a thought for the
performance (more DNS lookups, less request pipelining possible) and
security (what if a registrant loses a domain?) implications.
I do that for a few very sensititive websites. Copy-paste lacks
comfort? Is it even possible?

Thanks,

Javascript is the future of the web, it makes no sense to fight it, it
has already won, but it is not all for the worst.

Major browser have good sandboxing technology and their security is
improved every day.

However should you not trust your browser and/or some website you want
to visit, then you can run OS level sandoboxing. I do it this way:

sandbox -i $HOME/.mozilla/extensions -i $HOME/.mozilla/plugins -i
$HOME/.mozilla/firefox/abcdefgh.sandbox -i
$HOME/.mozilla/firefox/profiles.ini -w 1024x900 -t sandbox_web_t -M -X
/usr/bin/firefox -P sandbox $*

It requires at least a basic SeLinux Policy installed and the sandbox
program, but it is really neat in that it completely isolates the
browser and crates a completely new environment for it to run.
The template you start from is copied from the referenced template and
superimposed via name spaceing, and the binary itself is prevented
access to anything in the user's home directory. This also means that
any configuration change is lost on closing it, but that is intentional
as it will erase any change an exploit may attempt to make as well.

Simo.

[ Then please set an MFT header and my MUA will comply. That discussion
is > 15 years old and we have since then a working solution.]
It is a blacklist: For example: The code loaded from external source may
not open a file on user's host. A whitelist would cleary state what the
code is allowed to do. But then it wouldn't be a useful language
anymore.
We are talking about security and thus free or non-free is just one data
point to evaluate whether it is secure. Even a non-free plugin may be
considered secure in some organizations. But right, free software is
much more useful in this regard.
That is a feature which needs to be evaluated during the audit. There
pros and cons for automated updated. But even such automated updates
are standard in that they have a defined version with the same code at
all sites. That can't be guaranteed by the usual use of JS which
commonly comes from a whole bunch of sites (and the reason why it is
virtually impossible to not use google).
That usually makes the audit easy: We can't audit it thus it shall not
be used.
Here in the sense that it is a well defined set of code which comes with
a signature and can be tracked back to an audit or a trusted source. it
can't: MitM attack on PKIX are commonplace. Does anyone really believe
that the NSA has no means to ask another secret service to have one of
their national CAs issue a malicious certificate? Come on: That system
has been corrupted by the PKI business ever since. Nobody can expect
that they ever withstood requests from the slouch hats.


Salam-Shalom,

Werner

Come one, Etherpad does much more than simply read and modify text,
and what it does can certainly not be done without JavaScript.

I think that the success of HTML5 and related technologies is great. I
really seems to have lead us out of the Microsoft lock-in world and
thanks to the early vice decisions on open standards and Free Software
the web is both technically, culturally and legaly a much more open
place than any of it's competitor. The web is not perfect and it is
still possible to publish proprietary programs with closed down and
obfuscated JavaScript code, but still, it is much better than the
competition in many regards.

I am not afraid of JavaScript. If we look at the security record of
many browser related technologies, almost all security issues where
somebody has managed to privilege them self up to the OS level from
the browser sandbox has been related to Active X, Java applets or
Flash. I don't allow my browser to automatically execute any of these,
and with Flashblock I control case-by-case when it is allowed. I don't
block JavaScript and I am not afraid of it. I've been doing web apps
coding JS both on the server side and client side for many years and
I've never come across any method to escape the browser sandbox, all
security issues I know are related to over-consuming resources and
service denial, cross-site scripting and traditional user-assisted
attacks. All of these have effective counter measures already and e.g.
cross-site post attacks can be done even without JS if the website
developer was clueless.

As Free Software supporters our biggest threats are the dominance of
Microsoft Office and their file formats with network effects, the
pre-installed Windows monopoly and source code hiding app stores on
mobile and desktop platforms. The success of HTML5 and friends
automatically helps defeat these and if we start campaigning against
JavaScript, we'll just end up helping closed app store ecosystems and
old monopolies.


Also in your discussion you seem to value security features
out-of-context. Security is always a trade-off between what you gain
and what you loose. If you want maximum security you can shut off your
computer or disconnect it from any networks, but that isn't the point.

The question here should be is it better to run apps locally or via
the browser? The simple answer to this is that it depends on what the
application does. In most cases if you are developing new end-user
software I'd recommend the browser based approach, simply because that
is the only way you'll get a truly cross-platform usable app.


--
Otto Kek?l?inen [] otto at fsfe.org
Finnish Team Coordinator [][][] finland at fsfe.org
Free Software Foundation Europe || +358 44 566 2204
Support FSFE! http://fsfe.org/support?otto