computer security

Bottom Line Computer

Newsgroups:,, misc.consumers
Date: Mon, 17 May 2004 09:05:40 -0500
Local: Mon, May 17 2004 7:05 pm
Subject: Javascript: what it is and why you should be concerned
What it is:

Javascript is a feature of browsers which is supposed to make
possible all sorts of interesting features in a Web site.
Unfortunately, few of these features are actually useful to the
end user, and many are undesirable.  It is what is called a
client-side scripting language.  Another such language is VBScript.

Usually, Javascript is enabled in your browser, unless you explicitly
turn it off.

What it's supposed to be good for:

Javascript is commonly used to implement flashy features of
marginal utility such as mouseovers.  Mouseovers are when you move
your mouse over something on a Web page and something happens, such as
maybe that something changes appearance, or maybe a little menu pops up.

Javascript can be used to create highly interactive games on the Web.

Javascript is also used to do client-side validation of input in forms.
The idea is your own browser checks that everything you typed in on a
form is valid before it sends it to the server.

Javascript can be used to create guestbooks, calendars and the like.

Finally, Javascript is used to create popups and popunders.

What's wrong with it:

For starters, Javascript is used to create popups and popunders.
Advertisers love them, as a way of getting in your face.  But
users hate them, because they're annoying.  Also some malicious Web
sites use Javascript to fill your screen with hundreds of popups
that you can't get rid of.

Even worse, Javascript is full of security vulnerabilities.  Using
Javascript, a dishonest Web site can get your private information,
such as passwords and credit card information, off
your computer without your knowledge or consent.  When a crook grabs
credit card info, it's as bad as if he had stolen your credit card.
He can run up a huge bill and destroy your credit rating. ...
Here's a list
of some of the possible ways this can be done.  And below are some
quick links to reported vulnerabilities: ...

- New Phishing Scam Prompts Warnings
- CERT® Advisory CA-1997-20 JavaScript Vulnerability
- Adobe Acrobat does not adequately validate Acrobat JavaScript
- WebBoard does not adequately validate user input thereby permitting
  arbitrary JavaScript execution
- Lotus Domino Server R5 vulnerable to Cross-Site Scripting via passing
  of user input directly to default error page

The list goes on and on, but you get the idea.

Javascript isn't the only way to create guestbooks, calendars and
the like.  These things can be done entirely on the server.

Javascript is one of the best ways to put highly interactive games
on the Web.  Is that really worth it?

Finally, Javascript really isn't the best way to do validation of
user input.  If a Web site expects the browser to validate the input,
then a malicious user can create a program to feed invalid input to
the site without using a browser.  No browser, no Javascript, and so
no validation.  So you really need to do the validation in the Web
server anyway.

Some people say that doing validation on the client with Javascript
will reduce net traffic.  Sorry, I don't buy it.  Every time you load a
page with Javascript, you have to download that Javascript code over the
net.  This happens even if you have Javascript disabled in your browser.
A lot of these scripts are huge. They make up most of what gets
transmitted over the net.

In summary, everything Javascript can do can either be done better
other way, or is so trivial it's scarcely worth doing.
And it's ... very dangerous.
It's just not worth it.

What to do about it:

It's possible to configure your browser not to support Javascript.
This sounds like it should solve everything.  But there's a catch.
There are a lot of sites out there that depend on Javascript to work.
They're just put together that way.  There are ways to put together
these sites without needing Javascript,  but the people who put these
sites together didn't bother. Hotmail
is one offender.

So what you need is a strategy to cope with Javascript.
Here's what I suggest:

- Disable Javascript in your main browser.
- Avoid using sites that require Javascript, as much as possible.
- Keep a second browser on your system that has Javascript enabled.
- Use the Javascript-enabled browser for those sites which require
  it and which you absolutely must use.  Use it only for these sites.
- Try to set up your Javascript-enabled browser not to store its
  cookies on disk.
  Failing that, delete all cookies after every use of that browser.
- Raise a ruckus.  Complain about every site that requires Javascript.
  If they ask why, point them to this page.
  Remember, there is no good reason why any site has to be made to
  require Javascript.
- Spread the word.

It's not just me: Anti-Javascript FAQ "This page optimized
for ..." - arguing with customers -

Final notes:

It's entirely possible to make a site that uses Javascript, but does
not require it.  Such a site will have some frilly extra features if you
have Javascript enabled in your browser.  But if you disable Javascript,
the site will still be perfectly usable.  I have no great objection to
such sites.  But sites that require you to have Javascript
enabled in order to use them at all are inexcusable.

VBScript, the other client-side scripting language, ... also has
serious problems.
It's less widespread than Javascript, which is good.  But it's not a
substitute for Javascript.  It's just the same headache by a
name.  And it requires Internet Explorer, which is the most insecure
browser in common use.

Southern New Hampshire residents: don't throw away that old broken
Call us first: 603-244-1652.  If we can't fix it cheap, we'll take it
off your hands.
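
The post's point that input has to be validated on the Web server, because a request does not have to come from a browser that ran the page's script, is illustrated by the following added example. It is not part of the original post; the field names, the rules, and the two sample request bodies are hypothetical and constructed for illustration.

```javascript
// Added example: server-side validation of a form post (Node.js, no dependencies).
// Field names and rules are hypothetical. The server re-checks every field itself
// and never assumes the page's client-side checks were run.

const RULES = {
  // field name -> predicate that must hold for the raw string value
  email: (v) => v.length <= 254 && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  quantity: (v) => /^[0-9]{1,3}$/.test(v) && Number(v) >= 1 && Number(v) <= 100,
  zip: (v) => /^[0-9]{5}$/.test(v),
};

// Parse an application/x-www-form-urlencoded body and validate it.
// Returns { ok, errors, values }; values is empty unless every check passed.
function handleSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const errors = [];
  const values = {};
  for (const [name, check] of Object.entries(RULES)) {
    const all = params.getAll(name);
    if (all.length !== 1) {
      // A missing or repeated field is rejected rather than guessed at.
      errors.push(`${name}: expected exactly one value`);
    } else if (!check(all[0])) {
      errors.push(`${name}: invalid value`);
    } else {
      values[name] = all[0];
    }
  }
  // Fields the form never defined are rejected, not silently ignored.
  for (const name of new Set(params.keys())) {
    if (!Object.hasOwn(RULES, name)) errors.push(`${name}: unexpected field`);
  }
  const ok = errors.length === 0;
  return { ok, errors, values: ok ? values : {} };
}

// Constructed sample bodies: one as the page's form would send it, one sent
// by a program that never loaded the page or ran its script.
const fromBrowserForm = "email=pat%40example.com&quantity=2&zip=03101";
const postedDirectly = "email=pat%40example.com&quantity=-5&zip=03101&price=0.01";

console.log(handleSubmission(fromBrowserForm));
console.log(handleSubmission(postedDirectly));
```
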

