Sitting amongst us all, every moment of every day, rests a trojan that has been neglected for as long as I can recall. It has quietly lain dormant, waiting for the opportune moment to rise up and cause havoc across the globe. Over the last six years it has rarely shown its face to anyone except those who poke and prod to prove its capability. However, with the rise of Web 2.0, the ugly head of this trojan is turning and gradually rising.
The horror I mention is dubbed Javascript: the language which internet users have come to admire and consider a mere toy to add a little extra pop or spice to their internet applications and websites. Our internet browsers rely on this language and there is no way to turn back from it now. Over the years the language has been accepted as a vital member of our internet community and is often worshiped. It receives large amounts of praise from its blood brother: Ajax.
The true nature of these languages is beginning to write tales of horror as it becomes obvious. We have allowed these languages to penetrate our computers, laughing at our ignorance for allowing a stateless protocol, HTTP, to infect us with them.
Javascript is the name given to Netscape Communications Corporation’s implementation of the ECMAScript standard, based on the concept of prototype-based scripting languages. Designed primarily by Brendan Eich, the language is best known for its use within websites, known as client-side Javascript; however, it also enables scripting access to objects embedded within other applications. Javascript is designed to execute arbitrary server-provided code on a client computer. It has been given permission to bypass many barriers and execute nearly anything imaginable on a client.
“Content creation should not be recondite. It should not be this bizarre arcana that only experts and gold-plated computer science gurus can do.”
Brendan Eich, Innovators of the Net, primary designer of JavaScript.
May I say wrong? Absolutely! Personally, I completely disagree with Brendan’s statement, a programming language should be simplified, thereby its security follows suit. The so-called experts knew of the dangers long before and are now watching as users fall into the realm of insecure applications. We are now utilizing cross-site scripting and javascript shells which are slowly taking over our computers. No lessons learned and all bullshit aside, security’s biggest nemesis is the usability of it. A secure system is extremely difficult to manage, and there is a good reason for it: security deals with a large amount of complexity and obscurity which cannot be put into practice with simplicity in mind. It simply implies: to secure your computer, integrate with a firewall to control access.
Imagine for a moment a language which was permitted to travel freely through the gates of your computer, to travel without question through your firewall. What if someone developed such a language in C? Would we have any objections? Obviously not; it was created and we know it as Javascript. Javascript is permitted to travel through the firewall and is executed on your local computer by all internet browsers. It is allowed to execute and send data back to remote servers through the HTTP protocol stream. Ajax is the new trojan, in plain view and very strong. Java, the virtual machine, acts as a sandbox for code to be executed; Javascript, however, has none. Javascript is allowed to pass through because of our permissions. Ajax isn’t less secure than Javascript; it relies on Javascript.
Javascript has been treated as a toy language for years, mistaken for nothing more than a quick enhancement to HTML for web pages. It was typically utilized to add popups, interactive functionality and even effects to boring sites. Most have ignored the power behind Javascript; most are still oblivious to its strength. With power comes responsibility, and inherently exploits and vulnerabilities are born. I feel as though Javascript is not a toy language and we should stray from these ideas and face the facts about the language. Cross-site scripting opened a whole new world for vulnerabilities, giving malicious hackers backdoor access to your computer and, honestly, the opportunity to own your computer. Disabling Javascript could be a quick fix; however, most websites require Javascript to be enabled to enhance the viewing of their particular pages. Online banking systems, social networking, and web mail interfaces all utilize Javascript, and who wants to miss the beloved pop-up windows?
As the internet evolves, especially with Web 2.0 really taking off, a new generation of internet applications and enhancements is being made. These applications are going to take Javascript, especially Ajax, to a new level. It will begin to flourish like we have never thought possible. Real-time content fetching, less browser refreshing; it is almost as if our clients are becoming more and more dependent upon remote servers. They’re beginning to grow closer and closer together, nearly attaching themselves to one another for operation. Until, at some point, everything breaks, fails and falls to the conclusion that Javascript is dangerous.
I feel as though the situation cannot be avoided. We have attached ourselves, our browsers and our applications to the concepts provided by Javascript. It is a little too late to drop the beloved language upon which our websites depend so much. The trojan is amongst us, breathing and evolving with our workstations, applications and community. We must embrace the trojan and live beside it, treat it with extreme care and occasionally provide a little dance to praise the wonderful features it adds.
Browser producers should develop new security techniques and implement technologies to provide a sort of sandbox for Javascript code to be executed within before it is allowed onto the local file system. It is up to our browser counterparts to not allow Javascript to become the worst trojan we know. A sandbox or virtual machine would prevent Javascript from becoming a logic bomb, destroying all that we have built.
2007 will bring about the real aftermath. Personally, with Web 2.0 being as big as it is, I am going to sit back and watch the show. Hopefully there won’t be fireworks caused by harm but celebration for our new advances.
This entry was posted on Thursday, January 11th, 2007 at 5:15 am and is filed under everyday, rants, techwire.
10 Comments The Real Trojan Threat, Stop Ignoring It
Shane
January 11th, 2007 at 11:01 am
I wouldn’t go to quite the depths as you have, however, I do agree that javascript isn’t quite as secure as we wish. Not only that, but it hasn’t seen a significant update in SEVERAL years. Sadly, it is stuck in the same rut as HTML standards. Even if there was a large update to javascript itself, what forces browser developers to adopt it? If IE can’t adopt something as simple as HTML standards, I don’t see them accepting a new, more secure, feature-rich javascript for years.
Enough of my rambling, the world is going to come to an end.
jimmy
January 11th, 2007 at 11:07 am
AJAX is not a language. AJAX is just some fancy buzz word which was created to describe a method which has been available to javascript for a long time.
Sure, javascript could be looked at as some kind of ‘Trojan Horse’ or malicious programming language. One may say to exercise caution when visiting sites that you’re really not sure about - but then no one would go anywhere on the web. Most browsers incorporate security features which do not allow javascript to directly access your machine. Example - you can not show an image preview to any user who is uploading an image, before they upload it. This is because (at least in FF) the browser does not allow javascript access to things on the local machine like that. So, like you would with your anti-virus clients, keep your web browsers up to date to protect yourself from a malicious security hole which exists.
mavier
January 11th, 2007 at 12:20 pm
Well, just like with any freedom, there will always be those who abuse it. So the question is, do we punish everyone because of a few? Sounds communistic to me. :-) To call it a trojan is about as unfair as the people who blame guns solely for deaths. Never mind the fact that it takes someone to point and pull the trigger.
Personally, I like javascript and I enjoy the power that it has over browser and form objects, etc. I’ve done a lot of projects that just couldn’t have been done feasibly without client-side scripting. I push the limits of it a lot and I’m still impressed with what others are able to do with it.
So my stance on it is, if you’re going to surf the web, you’re going to run the risk of coming across something you don’t want. So if you’re scared of a virus, a naked boob or Nigerian Princes needing your financial help, then log out.
Justin
January 11th, 2007 at 12:26 pm
@Mavier: On the same note, should we dissolve all of our armed forces, public servants and protectors of our cities? I feel as though protecting clients from some of javascript’s harms is vital. I never stated I didn’t like javascript. In fact, I recall stating to embrace it, we have to use it, it’s bad ass.. no way around it. But at the same time, I think Aston Martins are totally killer too — and even they come with seat restraints and air bags…
jason
January 11th, 2007 at 2:06 pm
I’m with Jimmy — we’re mostly relying on the browsers to protect us from malicious javascript, and there are many standards (already implemented) to help protect a computer from the type of doom you predict.
Initially Javascript (or Live Script, for us old-timers) was quite innocuous and powerless: “wow, rollover!”. IE 3, and the connection to the Windows OCXs and the like were a wake up call, probably only now dealt with in a successful manner with myriad security settings on the browser. AJAX itself also relies heavily on making HTTP requests — loading data, holding state, etc, all necessary for application-like functionality. The potential for abuse is, in theory, there — but not readily available, in my mind. Yes, I’ve tried. For research. Just for research.
The real threats end up being stupid people falling to stupid tricks out of greed — installing zombie software that promises of free anything that sends data back to a central server, or SPAMs the internet. And Sony distributing rootkits in the name of DRM and marketing. So, yeah, stupid corporations, too….hmm. Maybe we are doomed.
JavaScript King
January 11th, 2007 at 4:08 pm
You are all doomed! Muhahaha
Strange Pants
January 12th, 2007 at 12:29 am
Is this really about JavaScript? Or about the fact that it’s so easily accessible and everyone thinks they can use it?
I doubt most developers would be able to securely handle a DOM in their chosen language (C++, Python, or whatever it might be) without a good dose of training and sensitisation to the issues.
Good web developers learn the parameters of their craft and learn how to handle their tools skilfully. JavaScript is not a trojan, it’s the equivalent of a carpenter’s electric saw: an indispensable tool in the hands of a professional, but quite capable of amputating careless amateurs.
GateKeeper
January 14th, 2007 at 1:02 pm
Justin is right, y’all. Strange Pants is promoting what security people call “Security by Obscurity” — “I don’t get it, so not many others will either”. Be careful. It only takes ONE person to WRITE the code and post it on the ‘net for many to find and use it. Don’t assume all the people with problem code on their servers were the ones to put it there. At least 50% of all the routers on the ‘net still use their default passwords — probably the same percentage still have NO password on their default computer admin account — and you think this is about communism? Dude, wake up. If somebody gets on ANY trusted computer and adds problem code, everybody that visits that site gets violated.
Sarah Pack
January 15th, 2007 at 1:53 am
I’m not sure if this is the right venue for this kind of comment. If it’s not, I apologize. Last night I sat next to the Sr. Manager of Business Development (or something like that) of Redken on a flight from Dallas to Tulsa. I, of course, mentioned you, but felt slightly ashamed that I really have no idea what you do other than it is something online and has to do with Loreal, which I knew owned Redken because of the trivia question you asked me at Slainte in New York. That took longer than it should have. Sorry. No one has ever accused me of being concise.
I’m looking for a South American travel partner, for a very short trip in the very near future. Interested?
BilleeD.
January 19th, 2007 at 10:59 pm
Honestly, I think that folks should understand that Justin is simply stating (correct me if I am off here, Justin) that most average web users are oblivious to JavaScript’s capabilities and that the browser companies should implement some sort of virtual machine for JavaScript to execute code within for an added security layer other than the built-in JavaScript features (e.g. no direct access to the client file system).
The whole AJAX thing is based on what I remember being, at first, a proprietary Microsoft extension: XMLHttpRequest(). This certainly has inherent security issues (e.g. http://en.wikipedia.org/wiki/XMLHttpRequest#Security) that need to be addressed more closely by the browser manufacturers who implemented this extension without first extensively testing its security implications. Microsoft has always been prone to commit “oopsy!” style programming mistakes (or rather not always seeing things from the “dark side” when necessary) so this would have been where I would have focused my own R&D before adding this new functionality to my browser’s code base. I have to agree with GateKeeper’s comment regarding “Security by obscurity” in that ignoring things won’t make them better. We need to be really aware of the pitfalls any time we do things online; no-brainer. But we all love how these zippy new sites function; catch-22.
What I feel needs to be discussed is that the average user needs to be made aware of the issues and/or the browser companies need to re-think how we are trying to use their products today. Or…we could all just ask W3C to re-write HTTP as a stateful protocol using encrypted keys. Nah, it would never work, right? ;-)