[Cryptography] Crippling Javascript for safer browsing

Theodore Ts'o tytso at mit.edu
Fri Jun 6 10:15:36 EDT 2014


On Thu, Jun 05, 2014 at 11:47:04PM -0400, Arnold Reinhold wrote:
> 
> I think we are being a little too defeatist here. This is mostly a
> question of good marketing, not technology. A set of "security
> extensions" to Javascript that users could opt for might well be
> adopted if it had wide support from the security community. There
> are only a few major browser vendors and most have some interest in
> getting things right. The extensions would need to be well-thought
> out beforehand, and there is still the cat-herding problem, but
> getting organized is long overdue.


The important thing to keep in mind is that most users are, in
practice, not willing to trade the prospect of a potential avoidance
of future pain due to a security exposure, with the imminent decrease
in functionality.  The reason why Noscript has adoption is that you
can whitelist sites you *want* to use that happen to require
Javascript.

The assumption that because Noscript has some amount of usage (but
mostly by more technical people who tend to care more about security)
that therefore people would be willing to deal with a wholesale
removal of Javascript functionality, no matter that it might things
that sites that they *want* to use is not, I suspect, one that will
turn out to be a well-founded one.

If you at the same time can propose some additional *functional*
extensions to substitute for desirable functionality that would
otherwise be curtailed by castrating some "dangerous" Javascript
feature, and those extensions would allow some highly desirable
functionality to be achievable, then maybe people would be more likely
to embrace it.  Otherwise, it will have as much mass adoption as, say,
OpenPGP....

Regards,

					- Ted

