[Cryptography] Paranoia for a Monday Morning

Bill Frantz frantz at pwpconsult.com
Mon Nov 17 16:15:02 EST 2014

On 10/28/14 at 2:17 PM, hbaker1 at pipeline.com (Henry Baker) wrote:

>Huh?!?  Just because Javascript has garbage-collection and 
>array-bounds checking doesn't make it a 'secure' language.

The problem with this statement is the assumption that "secure" 
is binary. I don't think anyone would argue that Javascript is a 
more secure language than C, C++ or Assembler because Javascript 
is memory safe. In fact, Javascript is getting more secure with 
the addition of "use strict" which makes it easier for a web 
page to include untrusted Javascript code and control what it 
can and can not do. <http://en.wikipedia.org/wiki/Caja_programming_language>

There may be languages that prevent errors that Javascript 
allows. Compile-time type checking comes immediately to mind, 
but duck typing fans will probably argue that compile time type 
checking really isn't that valuable.

The bottom line is that there is a collection of language 
security features. There probably isn't a way to put languages 
on a linear scale and say that one is more secure than another 
without looking at the application domain.

Now, I do have concerns with the assurance that Javascript 
implementations actually implement the standard, and that the 
standard itself does not have bugs, but I have these concerns 
about every deployed system today.

Cheers - Bill

Bill Frantz        | Ham radio contesting is a    | Periwinkle
(408)356-8506      | contact sport.               | 16345 
Englewood Ave
www.pwpconsult.com |  - Ken Widelitz K6LA / VY2TT | Los Gatos, 
CA 95032

More information about the cryptography mailing list