1. -2

Here I show (with a trivial Proof-of-Concept) how to bypass corporate firewalls through any WHATWG browser.

It’s just one of the uncountably many attacks a competent developer could create, but should give a taste of the severity of the issue that Mozilla and Google will not fix.

  1.  

  2. 3

    @Shamar,

    You’re right. But your approach is flawed.

    Can you extol the virtues of a non-executable web, instead?

    To @arnt and the commenters on the article, who talk about tricking users into clicking YES… How exactly is a website going to prompt when the allegorical NX bit is set?

    1. 3

      Well I think it’s pretty easy to imagine a web without JavaScript:

      • aesthetically it would be pretty similar to the current one, because the lack of JS would give us
        • better typography
        • better stylesheets (to be kept NOT Turing complete)
        • probably more tags (Imagine a tag <slide> or a <tree> tag)
      • we could use standard XMLNS to enrich the contents
        • with semantic context
        • with better document search
        • with accessibility tips for machines
      • we would have better forms
        • with more controls
        • with a micro language to validate inputs
      • it would be faster (to download and to render)
      • it would be safer (obviously, given this class of attacks)
      • it would be more privacy friendly (JavaScript can even detect if you zoom on text or on a certain image and tell it to Google so that they can advertise better glasses or something)
        • it could even have an <advertisement> tag to make them less annoying
      • it would be more stable (for various reasons, lighter tabs, simpler…)
      • it would be easier to learn for newcomers

      DISCLAIMER:

      While I do think that the vulnerabilities we are talking about are so severe and dangerous that they deserve the emergency fix I proposed in the bug report, I do not think that we should suddenly remove JavaScript from the web.

      While it’s true that I do not like the JavaScript language, I just think that people should have the right to choose who can execute custom programs on their device.

      IMHO, making JavaScript opt-in on a per site basis would not break the Web, it would fix it.

      Many wouldn’t use such a feature and would run every script they can reach.
      But many others would use such freedom and control. And now, they cannot.
      Instead, their security is at risk. And they are unaware of such risk.

      1.  

        So, you want to load and view documents that are rendered from declarative source code rather than imperative source? I can get behind that!

        JavaScript can even detect if you zoom on text or on a certain image and tell it to Google so that they can advertise better glasses or something

        You’re worried that high resolution micro-interaction data (mouse hover, scroll linger, etc) may reveal that I need eyeglasses? :) It may reveal that, but I’m more concerned that it would reveal my favorite color, or favorite body type. This type of data collection is my pet peeve. It’s nobody’s business which images or text I linger over in my idle time!

        In the distant past of the late nineties, I used to teach fellow travelers that .txt, .jpg, .gif, and .html files are safe and .exe, .com, and .bat files were unsafe. It was a bright line and it helped users be responsible for their own online safety. That browser vendors decided to allow executable scripts inside otherwise declarative documents obliterated that bright line.

    2. 3

      The proposed fix isn’t: We already know that users can be made to click “yes” with a bit of social engineering. Not all users all of the time, but few attacks need to work against all users all of the time.

      More generally, this attack seems to be just another instance of conflicting security models. Kudos to Google and Mozilla for accepting that they have to choose, and sticking with their choice.

      1. 2

        And I really think that they have the right to choose!
        Same for Microsoft, Apple, Opera… all have the right to pursue their own priorities.

        But, IMHO, they should clearly inform their users about the risks of using their browsers.
        Including corporate users, obviously. And governments…

      2.  

        I noticed you linked to my replies and called them condescending. I did not mean to be condescending. Please accept my apology :)

        I find your writings and submissions somewhat interesting, but also quite tiring - mostly because of volume and frequency. Maybe we will meet each other in real life, and then I will find the time to respond to each of your points individually. But at the current rate, I won’t be able to keep up and reply to all of your writings in a timely manner :)

        1.  

          Apology accepted. :-)

          Please, try to understand my concerns: AFAIK each site (or CDN) that each Firefox user visits could traverse/bypass their firewall and proxy, violate their privacy (cache timing attacks) and so on… leaving no evidence.

          If I’m right, Firefox users should know this (and other browsers’ users too, if they are affected).
          And they should know if and how you are going to fix this problem.

          If I’m wrong, you should just say that (and possibly briefly explain how Firefox prevents such attacks).