- ram charanthej
August 23, 2010, 7:15 pm
Bottom Line Computer
Newsgroups: alt.computer.security, comp.security, misc.consumers
Date: Mon, 17 May 2004 09:05:40 -0500
What it is:
possible all sorts of interesting features in a Web site.
Unfortunately, few of these features are actually useful to the
end user, and many are undesirable. It is what is called a
client-side scripting language. Another such language is VBScript.
turn it off.
What it's supposed to be good for:
marginal utility such as mouseovers. Mouseovers are when you move
your mouse over something on a Web page and something happens, such
maybe that something changes appearance, or maybe a little menu pops
The idea is your own browser checks that everything you typed in on
form is valid before it sends it to the server.
What's wrong with it:
Advertisers love them, as a way of getting in your face. But
users hate them, because they're annoying. Also some malicious Web
that you can't get rid of.
such as passwords and credit card information, off
your computer without your knowledge or consent. When a crook grabs
credit card info, it's as bad as if he had stolen your credit card.
He can run up a huge bill and destroy your credit rating.
Here's a list
of some of the possible ways this can be done. And below are some
quick links to reported vulnerabilities:
New Phishing Scam Prompts Warnings
http://www.cert.org/advisories/CA-1997-20.html CERT® Advisory
http://www.kb.cert.org/vuls/id/184820 Adobe Acrobat does not
http://www.kb.cert.org/vuls/id/255915 WebBoard does not adequately
http://www.kb.cert.org/vuls/id/642239 Lotus Domino Server R5
vulnerable to Cross-Site Scripting via passing of user input directly
to default error page
The list goes on and on, but you get the idea.
the like. These things can be done entirely on the server.
on the Web. Is that really worth it?
user input. If a Web site expects the browser to validate the input,
then a malicious user can create a program to feed invalid input to
no validation. So you really need to do the validation in the Web
will reduce net traffic. Sorry, I don't buy it. Every time you load
A lot of these scripts are huge. They make up most of what gets
transmitted over the net.
other way, or is so trivial it's scarcely worth doing.
very dangerous.
It's just not worth it.
What to do about it:
This sounds like it should solve everything. But there's a catch.
They're just put together that way. There are ways to put together
sites together didn't bother. http://www.hotmail.com/ Hotmail
is one offender.
Here's what I suggest:
and which you absolutely must use. Use it only for these
cookies on disk.
Failing that, delete all cookies after every use of that browser.
- Raise a ruckus. Complain about every site that requires
If they ask why, point them to this page.
Remember, there is no good reason why any site has to be made to
- Spread the word.
It's not just me:
http://linuxmafia.com/faq/Web/opti.html "This page optimized
for ..." - arguing with customers -
not require it. Such a site will have some frilly extra features if
the site will still be perfectly usable. I have no great objection
enabled in order to use them at all are inexcusable.
VBScript, the other client-side scripting language,
also has serious problems.
name. And it requires Internet Explorer, which is the most insecure
browser in common use.
Southern New Hampshire residents: don't throw away that old broken
Call us first: 603-244-1652. If we can't fix it cheap, we'll take it
off your hands.
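
The post's point that a program can feed a site input the browser never validated, together with the CERT note about user input passed directly to an error page, as an added example that is not part of the original post: a server-side handler that checks every field itself and escapes input before echoing it. The field names, limits and sample inputs are assumptions made up for illustration.

```javascript
// Added example: server-side handling of a submitted order form.
// Field names and rules below are assumptions for illustration.

// Escape text before placing it in an HTML page, so echoed input is inert.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validate every field on the server, whatever the browser claims to have checked.
function validateOrder(fields) {
  const errors = [];
  const name = typeof fields.name === "string" ? fields.name.trim() : "";
  if (name.length < 1 || name.length > 100) {
    errors.push("name must be 1-100 characters");
  }
  const qtyText = typeof fields.quantity === "string" ? fields.quantity : "";
  if (!/^[0-9]{1,3}$/.test(qtyText) || Number(qtyText) < 1) {
    errors.push("quantity must be a whole number from 1 to 999");
  }
  const email = typeof fields.email === "string" ? fields.email : "";
  if (email.length > 254 || !/^[^\s@<>"']+@[^\s@<>"']+\.[^\s@<>"']+$/.test(email)) {
    errors.push("email address is not valid");
  }
  return errors;
}

// Build the response: reject bad input, and never echo raw input into the page.
function handleSubmission(fields) {
  const errors = validateOrder(fields);
  if (errors.length > 0) {
    const items = errors.map((e) => "<li>" + escapeHtml(e) + "</li>").join("");
    const shown = escapeHtml(typeof fields.name === "string" ? fields.name : "");
    return { status: 400, body: "<p>Order for \"" + shown + "\" rejected:</p><ul>" + items + "</ul>" };
  }
  return { status: 200, body: "<p>Thanks, " + escapeHtml(fields.name.trim()) + ".</p>" };
}

// Constructed sample inputs: one as a browser form would send it, one as a
// program that skips the page's client-side checks might send it.
const fromBrowser = { name: "Pat Smith", quantity: "2", email: "pat@example.com" };
const fromProgram = { name: "<b>markup</b>", quantity: "-5", email: "x" };
console.log(handleSubmission(fromBrowser));
console.log(handleSubmission(fromProgram));
```

The second input has a name that passes validation, which is why the handler escapes on output as well as validating on input.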