[Cryptography] Paranoia for a Monday Morning
Bill Frantz
frantz at pwpconsult.com
Mon Nov 17 16:15:02 EST 2014
On 10/28/14 at 2:17 PM, hbaker1 at pipeline.com (Henry Baker) wrote:
>Huh?!? Just because Javascript has garbage-collection and
>array-bounds checking doesn't make it a 'secure' language.
The problem with this statement is the assumption that "secure"
is binary. I don't think anyone would argue that Javascript is a
more secure language than C, C++ or Assembler because Javascript
is memory safe. In fact, Javascript is getting more secure with
the addition of "use strict" which makes it easier for a web
page to include untrusted Javascript code and control what it
can and can not do. <http://en.wikipedia.org/wiki/Caja_programming_language>
There may be languages that prevent errors that Javascript
allows. Compile-time type checking comes immediately to mind,
but duck typing fans will probably argue that compile time type
checking really isn't that valuable.
The bottom line is that there is a collection of language
security features. There probably isn't a way to put languages
on a linear scale and say that one is more secure than another
without looking at the application domain.
Now, I do have concerns with the assurance that Javascript
implementations actually implement the standard, and that the
standard itself does not have bugs, but I have these concerns
about every deployed system today.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | Ham radio contesting is a | Periwinkle
(408)356-8506 | contact sport. | 16345
Englewood Ave
www.pwpconsult.com | - Ken Widelitz K6LA / VY2TT | Los Gatos,
CA 95032
More information about the cryptography
mailing list