Oh it's you again. Dude, you're not gonna win anyone over like this, there's a reason you were banned from Lobsters. This kinda crap is best left in like a blog article where you can have your M...
Oh it's you again. Dude, you're not gonna win anyone over like this, there's a reason you were banned from Lobsters.
This kinda crap is best left in like a blog article where you can have your M Night twist ending that "the bug was inside us all along." When you're dealing with people on an allegedly serious issue it's disingenuous to be introducing the issue like this. It's not a bug. The web is working as intended. It has consequences and yes, people should be more aware of those consequences and there should be additional mechanisms to prevent them.
But you are shooting yourself in the foot when you behave this way. Everyone who figures out what you're actually getting at will immediately dismiss you when things click into place. Cut the dramatics, come at the issue from a sane angle. Please. I like the idea but you are killing it. You're working against your own cause here by being obnoxious like this.
Hi Diff, did we talked before? Yes, there is: "Constant antagonstic behavior and no hope for improvement". You are welcome to read my posts and comments there to see how antagonistic I was (some...
Oh it's you again.
Hi Diff, did we talked before?
Dude, you're not gonna win anyone over like this, there's a reason you were banned from Lobsters.
Yes, there is: "Constant antagonstic behavior and no hope for improvement".
You are welcome to read my posts and comments there to see how antagonistic I was (some of the censored comments are readable here).
But note: blaming me for this attacks is a bit pointless.
Cut the dramatics, come at the issue from a sane angle.
Hum... to me, the bug report was clear, descriptive and only mention technical stuffs that can be verified.
If you think the reactions were insane, why you tell me to change angle?
Please. I like the idea but you are killing it.
If so, please: help informing people.
If you agree that these attacks are possible, informing people can't harm.
If you think I did a bad work with the bug report, feel free to integrate it. Or to create a new one. Or...
To my eye is not a matter of how (or who). All it count is
informing people, organizations, companies and governments about the attacks they are vulnerable to
mitigate such attacks.
Really: if you can do better than I did, you are welcome!
Probably not enough to make an impression but I've seen you around the net quite a bit now. That's the thing. You're not technically wrong, you're just disingenuous. Purposefully misrepresenting...
Hi Diff, did we talked before?
Probably not enough to make an impression but I've seen you around the net quite a bit now.
Hum... to me, the bug report was clear, descriptive and only mention technical stuffs that can be verified.
That's the thing. You're not technically wrong, you're just disingenuous. Purposefully misrepresenting things. For example instead of saying "There's a vulnerability with a handful of headers and some remote code execution and yep big browser doesn't want you to know," just come out and say what you mean off the bat instead of obfuscating it. "Javascript can be used to stab users in the back. How do we fix it without breaking it?" And that last bit is important. The solutions you propose will break the internet as it exists today. That's never going to get off the ground. Nobody will accept any solution that has that kind of cost. If you actually want anything fixed like you say you do, you need to work in ways that go with the grain.
This is the kind of arguments that people debating the qualities of JavaScript as a language would propose. I'm talking about a severe security issue that you say exists! In the number of people...
"Javascript can be used to stab users in the back. How do we fix it without breaking it?"
This is the kind of arguments that people debating the qualities of JavaScript as a language would propose.
I'm talking about a severe security issue that you say exists!
In the number of people affected, it's equivalent to Meltdown.
But not being an hardware issue, it could have been already fixed.
The solutions you propose will break the internet as it exists today.
Diff, please note that I didn't proposed any mitigation until asked for solutions.
I just reported the vulnerability describing the attacks.
If you (or Mozilla) have other effective mitigations to propose (or implement) you are totally welcome to!
The only thing that I cannot understand as a developer myself is closing the issue pointing to a forum and never tring to address the attacks! They didn't dared to negate the attacks, they are just leaving users vulnerable!
If you actually want anything fixed like you say you do, you need to work in ways that go with the grain.
I'm just trying to inform people.
The fact that informing people is fought (here like elsewhere) is not a good sign about our field, don't you think?
If the bug report is "not technically wrong", if people are vulnerable to these attacks, those who write that broken code (and those broken Standards) should find the proper way to mitigate the risks.
I'm really sorry I don't know how to explain this to you, but the reason for this isn't because of anything to do with the issues themselves, it's the way you present the issues and yourself.
The fact that informing people is fought (here like elsewhere) is not a good sign about our field, don't you think?
I'm really sorry I don't know how to explain this to you, but the reason for this isn't because of anything to do with the issues themselves, it's the way you present the issues and yourself.
Mm... I appreciate the frankness. I think there is some language barrier here or something, as I carefully try to stay polite and focused on the matter. Fine. Can you please open another report...
Mm... I appreciate the frankness.
I think there is some language barrier here or something, as I carefully try to stay polite and focused on the matter.
Fine.
Can you please open another report where this issue can be discussed in a more effective way?
Use your words and style. Really... I don't know how to write it more clearly so it's pointless to try again.
Then you're going to run into a lot of problems and push people away from your cause. Whether you like it or not, diplomacy matters. I mean, ffs, even Linus Torvalds apologized for shitty behavior...
To my eye is not a matter of how.
Then you're going to run into a lot of problems and push people away from your cause. Whether you like it or not, diplomacy matters. I mean, ffs, even Linus Torvalds apologized for shitty behavior despite being notorious for it, because even he realized its importance.
Methods matter just as much, if not more, as the end goal. You need to either accept that or accept that this will forever be an uphill battle for you.
Thanks for your suggestion, but it's not an uphill battle. It's not a battle at all. Not for me. I just want to inform people they are vulnerable to these undetectable attacks. And that the...
Thanks for your suggestion, but it's not an uphill battle.
It's not a battle at all. Not for me.
I just want to inform people they are vulnerable to these undetectable attacks.
And that the organizations they trust omit to inform them about such attacks.
And that such organizations don't want to mitigate the risks.
Despite the mitigations are relatively simple and cheap.
You're intentionally twisting my words here. You know perfectly well what I mean by "uphill battle". At this point it's clear that you have no intention of engaging in a good faith discussion of...
You're intentionally twisting my words here. You know perfectly well what I mean by "uphill battle". At this point it's clear that you have no intention of engaging in a good faith discussion of this issue and, quite frankly, I'm less inclined to listen to any criticism about JavaScript purely because of this sort of antagonistic behavior that seems to be the norm among anti-JavaScript advocates. Less so than ever because of how extreme your antagonism is.
Good luck with your cause. You're going to need a lot of it.
You didn't say anything about the issue, you just talked about "methods" and how "diplomacy matters". If you have any question on how these attacks can be performed, I'm glad to help. Fun fact:...
you have no intention of engaging in a good faith discussion of this issue [...]
You didn't say anything about the issue, you just talked about "methods" and how "diplomacy matters".
If you have any question on how these attacks can be performed, I'm glad to help.
this sort of antagonistic behavior that seems to be the norm among anti-JavaScript advocates
Fun fact: I'm a JavaScript programmer myself.
And this issue is not only about JavaScript: any Rust program compiled to WebAssembly and distributed over the Web would expose the visitors to the exact same attacks (but made worse by the compiler's optimization).
Good luck with your cause.
Thanks, but it's not "my cause". Really!
It's just a severe security vulnerability affecting billions of people and organizations.
It was closed on Bugzilla because you cannot change wide‐reaching internet standards with a bug report. This “vulnerability” is the equivalent of a Windows user filing a bug report with Microsoft...
It was closed on Bugzilla because you cannot change wide‐reaching internet standards with a bug report.
This “vulnerability” is the equivalent of a Windows user filing a bug report with Microsoft because they allow people to write and run arbitrary code on the operating system. That’s not a problem—it’s how modern computing works.
I guess you don't know much about the "wide-reaching internet standards" you are talking about. I opened a bug report because these are Living Standards that follow the implementations. To fix...
I guess you don't know much about the "wide-reaching internet standards" you are talking about.
I opened a bug report because these are Living Standards that follow the implementations.
To fix these "Standards" you need to fix at least one implementation before.
Also, I challenge you to find a line in the Standards we are talking about stating that JavaScript cannot be OPT-IN on a per website basis.
Different person, hello! I'm a web developer by profession, including JS. You are correct that there is no line in the web standard that requires a browser to enable JS execution by default....
Different person, hello! I'm a web developer by profession, including JS.
You are correct that there is no line in the web standard that requires a browser to enable JS execution by default. However, there is also no line that requires any browser to disable JS execution by default. This is, by definition, not a bug!
What you have here is a change request, or perhaps a web standards proposal. The correct channels to go through for this are detailed quite helpfully here for Chrome, and to a degree here. I'm afraid I don't know the Mozilla process but Bugzilla isn't the place for it, as, again, it's not a bug, and issues will be correctly closed as some variation of "Working as Intended".
I would recommend not framing it as a bug at all, as currently the entire thing can be summed up as "Javascript can perform code execution", to which the response is, quite rightly, "Yeah. It's meant to."
Hi Nephrited, web developer by profession (including JS) here too. To me, if the people using my software are vulnerable to such wide class of undetectable attacks, it's a bug. Would you leave...
Different person, hello!
Hi Nephrited, web developer by profession (including JS) here too.
You are correct that there is no line in the web standard that requires a browser to enable JS execution by default. However, there is also no line that requires any browser to disable JS execution by default. This is, by definition, not a bug!
To me, if the people using my software are vulnerable to such wide class of undetectable attacks, it's a bug.
Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented say that you have to protect them?
As a software developer you should then be aware that a risk is not a bug. They are distinct issue types, and are tracked separately. A bug is a problem with software not performing as expected...
To me, if the people using my software are vulnerable to such wide class of undetectable attacks, it's a bug.
As a software developer you should then be aware that a risk is not a bug. They are distinct issue types, and are tracked separately. A bug is a problem with software not performing as expected when compared with the specification.
What you have is a problem with the specification itself. Concepts cannot have "bugs", but they can be flawed.
Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented say that you have to protect them?
No, I would not. I would go through the correct channels, noting the risk and filing a change request, pointing out the issues. You can do the same, and I strongly encourage it!
Out of curiosity, do you think a dangling pointer is a risk or a bug? That's true for the specified parts. Do you really think that bugs happen only in the parts covered by a specification? :-)...
As a software developer you should then be aware that a risk is not a bug.
Out of curiosity, do you think a dangling pointer is a risk or a bug?
A bug is a problem with software not performing as expected when compared to the specification.
That's true for the specified parts.
Do you really think that bugs happen only in the parts covered by a specification? :-)
Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented say that you have to protect them?
No, I would not. I would go through the correct channels, noting the risk and filing a change request, pointing out the issues.
And meanwhile you leave your user vulnerable to these attacks.
Do you have an idea of the time required to get a new standard approved by W3C?
And, again, you cannot get a standard approved by WHATWG without an implementation working.
You can do the same, and I strongly encourage it!
I'd say it's a bit naive of an expectation, but I'm very happy if you are going to try it yourself!
Yes, the process was detailed clearly in the links I provided. I'm afraid it doesn't matter what your opinion of the process is. If you wish to make a change, you have to follow the correct...
Yes, the process was detailed clearly in the links I provided. I'm afraid it doesn't matter what your opinion of the process is. If you wish to make a change, you have to follow the correct procedures.
This security report, closed by Mozilla without saying wherther Firefox's users are vulnerable to the wide class of undetectable attacks described, was issued on September 29, 2018. It was cross...
2
votes
This security report, closed by Mozilla without saying wherther Firefox's users are vulnerable to the wide class of undetectable attacks described, was issued on September 29, 2018. It was cross posted to the Chromium team roughly 24 hours later (publicly visible here)
Neither Mozilla nor Google have yet confirmed or denied the vulnerabilities, but two PoC attacks have been published already (here and here), showing at least one more severe vulnerability: the trust of people in Mozilla.
All browsers from the other WHATWG members are likely vulnerable to these attacks as well.
I don't think you're framing this in a way that helps your case at all. It's not an attack, it's not a bug, it's the way that we have agreed for the the web to work. Starting a conversation about...
I don't think you're framing this in a way that helps your case at all. It's not an attack, it's not a bug, it's the way that we have agreed for the the web to work.
Starting a conversation about flaws in that agreement and pointing out that the tradeoffs made might have harmful consequences is a reasonable thing to do. Looking at the consensus behaviour, declaring it's a bug, and refusing to accept that the vast majority disagrees with you, is not going to get anyone on your side.
Nor is attempting to put this blame on any particular browsers when literally all of them that adhere to the web standards are "vulnerable" to the same "bug". Not only that, but like one of the...
is not going to get anyone on your side.
Nor is attempting to put this blame on any particular browsers when literally all of them that adhere to the web standards are "vulnerable" to the same "bug". Not only that, but like one of the commenters in bugzilla stated, this "vulnerability" is exactly why the subresource integrity specification exists.
And furthermore, what exactly is the proposed "solution" to this "problem"? Prevent any code from executing on browsers without explicit permission, essentially forcing every user to use a uMatrix/NoScript like system? Yeah, I can surely see the vast majority of users on the web figuring out how to do that. /s
The fearmongering tone of the bugzilla post certainly doesn't help either.
I opened the issue to Mozilla because I trusted them to put their users' security before their profit. As an advocate of Firefox from version 0.8, I believed in their twitter tag line "Made for...
I opened the issue to Mozilla because I trusted them to put their users' security before their profit.
As an advocate of Firefox from version 0.8, I believed in their twitter tag line "Made for people, not profit."
I was naive, actually. But I was suggested to open such issue by a Mozilla developer.
But it's not a matter of blame. It's just trying to spread the word.
They are responsible for their own brand. If they feel shame for their actions they can easily fix it.
And furthermore, what exactly is the proposed "solution" to this "problem"?
When requested, I proposed a few mitigations (not solutions):
Page Refresh though META tag and JavaScript are disabled by default
Both can be enabled on a per website basis, but
No script or CSS is requested with Cookies or other HTTP headers;
Look, I largely agree with you in that more can be done and most of your proposals are not bad (e.g. mandatory SRI is a decent standard which should probably be adopted eventually), however IMO...
Look, I largely agree with you in that more can be done and most of your proposals are not bad (e.g. mandatory SRI is a decent standard which should probably be adopted eventually), however IMO you are hopelessly naive if you think Javascript can suddenly be made opt-in without completely breaking the web. The vast majority of internet users are not technically literate enough to handle script micro-management on all the websites they visit and so would very likely just find a way to permanently enable javascript immediately again anyways, so then what would you have gained by making it opt-in other than annoying people?
And as I said previously, it certainly doesn't help that you are going about this by intentionally fearmongering. Cool it on the anti-government, anti-weborgs rhetoric and maybe then you can actually win some people to your side instead of constantly getting your posts removed and getting banned from places.
You mean the way they do with push notifications? ;-) First you raised awareness about the topic, instantly improving the security of users and organisations. Then in less than a year you will get...
The vast majority of internet users are not technically literate enough to handle script micro-management on all the websites they visit
You mean the way they do with push notifications? ;-)
what would you have gained by making it opt-in
First you raised awareness about the topic, instantly improving the security of users and organisations.
Then in less than a year you will get a faster and more accessible Web, since the site owners will stop using JavaScript when they don't need to.
You will also see faster progress on declarative alternatives to JS, such as CSS and new HTML elements.
Finally, fine grained user interaction wont be so easy to track.
Cool it on the anti-government, anti-weborgs rhetoric
Government agencies are affected by these attacks like any other users.
As for web organisations, I was surprised by Mozilla reactions until somebody pointed me that the vast majority of their budget comes from Google.
Google that people would probably trust in a opt-in JavaScript world but that would lose precious data collected through Analytics.
maybe then you can actually win some people to your side
To be fair, the fact that we need marketing or politics to get such a wide variety of attacks mitigated is dangerous by itself.
I don’t want to play this game. It is a burden on the credibility of our whole sector.
And I don't want to win allies, I just want to inform people.
Yes, exactly the same. Which is the point of the very next part of that same sentence, "and so would very likely just find a way to permanently enable JavaScript immediately again anyways", which...
The vast majority of internet users are not technically literate enough to handle script micro-management on all the websites they visit
You mean the way they do with push notifications? ;-)
Yes, exactly the same. Which is the point of the very next part of that same sentence, "and so would very likely just find a way to permanently enable JavaScript immediately again anyways", which you conveniently avoided addressing by quoting only the immediately preceding and proceeding parts. People would treat having to explicitly enable JavaScipt on every site exactly the same as they do push notifications, which is to say they will see it as an annoyance, set it once and then forget it... unless you continue to annoy them every time the JavaScript changes in which case they will simply find a way to permanently enable it or migrate to browsers that don't constantly annoy them with explicit permission requests and don't artificially limit functionality for no good reason, and then you're right back to square one. "Don't throw the baby out with the bathwater."
You will also see faster progress on declarative alternatives to JS, such as CSS and new HTML elements.
Without JavaScript any new alternatives would likely wind up having the exact same "vulnerability" as you are falsely attributing to JavaScript since code execution is a fundamental part of the functionality of the web. You can argue about how browsers should make more of an effort to limit the abuse potential (which I would argue they already are) and do a better job of informing the users of said potential abuses, but demanding that all browsers cease allowing code execution without explicit permission is incredibly impractical.
As for web organisations, I was surprised by Mozilla reactions until somebody pointed me that the vast majority of their budget comes from Google.
Following my criticism of your anti-weborgs rhetoric with even more anti-weborgs rhetoric isn't helping you at all. Their (and everyone else's) response to your "bug" report likely has nothing to do with their source of funding and everything to do with the hyperbolic language you keep using and way in which you are behaving.
The changes you are "suggesting" here would break such a significant percentage of the web the idea is not even worth entertaining. When TLS 1.3 was in draft stage and it turned out that 1-1.5% of...
The changes you are "suggesting" here would break such a significant percentage of the web the idea is not even worth entertaining. When TLS 1.3 was in draft stage and it turned out that 1-1.5% of users were having trouble with it, IETF abandoned their approach and added tons of compatibility stuff with TLS 1.2, because everyone agreed breaking 1% of requests was huge.
So I believe you know nobody is going to pick you up on this, and you are not really seeking change, just grandstanding.
Yes, but TLS 1.3 was not a bug fix. What I proposed would fix a severe security vulnerability that affects 90% of users. Maybe there are better fix, but it's something that fix not break. Well......
everyone agreed breaking 1% of requests was huge
Yes, but TLS 1.3 was not a bug fix.
What I proposed would fix a severe security vulnerability that affects 90% of users.
Maybe there are better fix, but it's something that fix not break.
you know nobody is going to pick you up on this
Well... actually a few people are moving in the underground... ;-)
You are right, as explained in the report, it's not one single attack, but a whole class of them. It is a bug in the architecture of the web as designed and distributed by WHATWG's members. Even...
It's not an attack
You are right, as explained in the report, it's not one single attack, but a whole class of them.
it's not a bug
It is a bug in the architecture of the web as designed and distributed by WHATWG's members.
it's the way that we have agreed for the the web to work.
Even if you were right on this, it wouldn't make these attacks less dangerous or the users less vulnerable.
However, the responsibility is not on everybody.
It's on those organizations who turned the Semantic Web into what it is today.
Fortunately, they could easily fix it with trivial changes to the browsers that would then been adopted as Living Standard. Unfortunately they don't want to. So they should be held accountable for any breach done through one of this attacks.
The fact is that while when you play a 3D game in the browser you might suspect that you are executing a custom program that can compromise your machine and your network, when you read an article in an online magazine or look a video, there's no need to execute custom programs provided by strangers, thus most people are not aware of the risks.
Also, due to the HTTP Cache-Control headers, all evidences of these attacks can be easily removed: do you really think that everybody understand and agree to take this risks?
pointing out that the tradeoffs
Given the variety and the severity of these attacks, I don't think there is much to trade off.
The suggested mitigations are fast and cheap to implement and would not affect much the user experience while increasing their security a lot.
is not going to get anyone on your side
It's not a war to me. It's not me against them.
It's just a matter of time: when an hospital or a bank network will be hacked this way, they will have to respond for having covered up these attacks to their users.
Meanwhile, I just try to inform the users to let them understand the risks and improve their security.
i have no stake in this and computer security is not my thing but i think it's a bit laughable to call the lobste.rs thread here censored. having taken a gander through that thread and others you...
The Lobste.rs' thread suggested by Frederik Braun to continue the discussion has now been censored, but it has been cached here
i have no stake in this and computer security is not my thing but i think it's a bit laughable to call the lobste.rs thread here censored. having taken a gander through that thread and others you shared on lobste.rs, i can absolutely see why they would remove you from the premises. you seem to take a very fire-and-brimstone, bible thumping attitude to this issue which, while understandable i suppose, gets really fucking annoying if it's basically all you ever do and the bulk of what you ever talk about, especially when people have repeatedly reiterated to you that while your claims are valid, this is ultimately a trade-off that people made which would be bordering on impossible to fix without a radical upending of the system that will almost certainly never happen.
at some point, it is not productive to have a conversation with you if you're never willing to see the other side, never willing to take a step back, never willing to cede ground, and ultimately never willing to stop preaching fire-and-brimstone when people repeatedly tell you why things are this way. that is seemingly why the lobste.rs thread was removed, that is seemingly why you got banned, and in my judgement that's not censorship, that's just people getting tired of you not being willing to productively contribute to any potential conversations on the subjects you've brought up.
Well... thanks for your opinion! :-D I hope others will go through the comments to see if you are right or not. Anyway you are wrong on something: nobody from Mozilla said "Firefox users are...
Well... thanks for your opinion! :-D
I hope others will go through the comments to see if you are right or not.
Anyway you are wrong on something: nobody from Mozilla said "Firefox users are vulnerable to these attacks, but there are trade-offs that we value more than their security".
Ultimately I just asked: "Are Firefox users vulnerable to this wide class of undetectable attacks?".
Is this "antagonistic behaviour" to you?
yes, if you literally never stop talking about it after continually being told the same things over and over and over again by both familiar and unfamiliar faces alike. at some point if you are...
Ultimately I just asked: "Are Firefox users vulnerable to this wide class of undetectable attacks?".
Is this "antagonistic behaviour" to you?
yes, if you literally never stop talking about it after continually being told the same things over and over and over again by both familiar and unfamiliar faces alike. at some point if you are either unwilling or unable to take the hint people have been laying pretty thick on you, you're basically doing nothing but concern trolling by continually bringing things like this up and expecting people to have any more answers than what they've already given. that is antagonistic, and absolutely a cause for people telling you to fuck off from their website, whether you like it or not or think it's censorship or not.
So, according to you the problem is me asking 3 or 4 times this question, not Mozilla Security NOT responding. (in the thread they suggested to discuss the issue)
So, according to you the problem is me asking 3 or 4 times this question, not Mozilla Security NOT responding.
(in the thread they suggested to discuss the issue)
yeah. take the fucking hint. from your AMA on dev.to to lobste.rs to your bug report on mozilla to here and no doubt other places, people have all given you the exact same answer. this is a...
So, according to you the problem is me asking 3 or 4 times this question, not Mozilla Security NOT responding. (in the thread they suggested to discuss the issue)
yeah. take the fucking hint. from your AMA on dev.to to lobste.rs to your bug report on mozilla to here and no doubt other places, people have all given you the exact same answer. this is a trade-off that has been made, fixing it is a highly impractical measure at this stage in the game and would most likely only occur in circumstances that are basically unprecedented, and your fire-and-brimstone attitude toward this issue and the people who respond to you comes off as obnoxious, asshole-ish, and concern troll-y.
you have a point, yes, and people recognize that. but it's really not difficult to see why people would deplatform you and consider you antagonistic, willfully ignorant, and somewhat of a troll, because even now you give that vibe off to me, and i'm trying giving you the benefit of the doubt here and assuming you're operating in good faith.
Just like I don't care about being defined a troll on internet, I don't care about having a point. I just care about these issues been fixed and people being informed. From the very beginning....
you have a point, yes, and people recognize that
Just like I don't care about being defined a troll on internet, I don't care about having a point.
I just care about these issues been fixed and people being informed. From the very beginning.
assuming you're operating in good faith
What could I gain from this?
What could Mozilla lose from this?
What JS developers (like I am) are afraid to lose from this?
I think the answers to these questions explain pretty well who is in good faith and who is not.
i'm not really interested in repeating my points since i've already made them, but i think this conversation demonstrates exactly why you are something of an internet vagabond when it comes to...
i'm not really interested in repeating my points since i've already made them, but i think this conversation demonstrates exactly why you are something of an internet vagabond when it comes to proselytizing about this subject and will probably continue to be for the foreseeable future. i would ordinarily ask that you self-reflect on why absolutely nobody is supporting you on this in any capacity (to the point where your comments in this topic have garnered no votes at all when literally any other response might have garnered just as many as my comments), but realistically i doubt self-reflection will work any better than lobste.rs banning you, mozilla all but ignoring you, and countless people demonstrating to you why you are barking up the wrong tree and why what you are suggesting is impractical. all i can offer is hope that at some point in the future you will recognize that what support and sympathy you may have otherwise garnered on this subject has evaporated because of the manner in which you participate in discussions like this.
i do wish you luck in your endeavors but, judging by your demeanor, i suspect that you will continue to be unsuccessful in pursuing them.
The complainant's point resonates with me. Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised? I'm starting...
The complainant's point resonates with me. Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised? I'm starting to think: no, they are not and harken back to the day when web sites were very simple: text and binary images without the threat of someone compromising your computer. (My statement does not take into account possible security issues in JPEG files.)
IMO, yes... unequivocally yes. And if your answer to that is "no", then you can always install uMatrix or NoScipt and block all remote script execution, or use Lynx or a Lynx-based browser which...
Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised?
IMO, yes... unequivocally yes. And if your answer to that is "no", then you can always install uMatrix or NoScipt and block all remote script execution, or use Lynx or a Lynx-based browser which doesn't support that to begin with. Voilà, you have now effectively opted out of all "remote sites manipulation" of your computer... and also opted out of the vast, vast majority of web functionality, including being able to participate on Tildes. But expecting/demanding that be the default browser behavior, like OP is doing, is incredibly unrealistic and naive (again, merely IMO).
Fine. But is having all these wonderful technologies that let remote sites manipulate any user experience worth the risk of your private banker's computer being compromised? What about your doctor?
Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised?
IMO, yes... unequivocally yes.
Fine.
But is having all these wonderful technologies that let remote sites manipulate any user experience worth the risk of your private banker's computer being compromised? What about your doctor?
If they follow any security practices, my doctor or banker don't use a PC with sensitive data for just browsing the web, but instead, for example, an semi-air-gapped system. Doing otherwise would...
If they follow any security practices, my doctor or banker don't use a PC with sensitive data for just browsing the web, but instead, for example, an semi-air-gapped system.
Doing otherwise would be neglegient in this age of cryptolockers and spyware.
For these specific attacks, the sensitive data in their browsing PC are totally irrelevant. They just need to connect through their DMZ network with their smartphone.
For these specific attacks, the sensitive data in their browsing PC are totally irrelevant.
They just need to connect through their DMZ network with their smartphone.
Could you clarify that second statement, please? It sounds like you just said "If a user willingly breaches security protocols, a security breach will occur".
Could you clarify that second statement, please?
It sounds like you just said "If a user willingly breaches security protocols, a security breach will occur".
A doctor is not a security expert. Nor is a private banker. Do you really think all companies, all over the world, spent the money required to train all of their emplyees about the risks for their...
A doctor is not a security expert. Nor is a private banker.
Do you really think all companies, all over the world, spent the money required to train all of their emplyees about the risks for their customers when they read an apparently harmless text article over the Web?
In any case, these are just some of the possible attacks.
Do you like to stay vulnerable? Fine!
Do you want other people to stay unaware AND vulnerable? Be honest and tell them.
Jesus, dude give it up already with the hyperbolic, fearmongering bullshit. All that it and your scaaaaary bold text does is make you that much harder to take seriously.
Jesus, dude give it up already with the hyperbolic, fearmongering bullshit. All that it and your scaaaaary bold text does is make you that much harder to take seriously.
Oh it's you again. Dude, you're not gonna win anyone over like this, there's a reason you were banned from Lobsters.
This kinda crap is best left in like a blog article where you can have your M Night twist ending that "the bug was inside us all along." When you're dealing with people on an allegedly serious issue it's disingenuous to be introducing the issue like this. It's not a bug. The web is working as intended. It has consequences and yes, people should be more aware of those consequences and there should be additional mechanisms to prevent them.
But you are shooting yourself in the foot when you behave this way. Everyone who figures out what you're actually getting at will immediately dismiss you when things click into place. Cut the dramatics, come at the issue from a sane angle. Please. I like the idea but you are killing it. You're working against your own cause here by being obnoxious like this.
Hi Diff, did we talked before?
Yes, there is: "Constant antagonstic behavior and no hope for improvement".
You are welcome to read my posts and comments there to see how antagonistic I was (some of the censored comments are readable here).
But note: blaming me for this attacks is a bit pointless.
Hum... to me, the bug report was clear, descriptive and only mention technical stuffs that can be verified.
If you think the reactions were insane, why you tell me to change angle?
If so, please: help informing people.
If you agree that these attacks are possible, informing people can't harm.
If you think I did a bad work with the bug report, feel free to integrate it. Or to create a new one. Or...
To my eye is not a matter of how (or who). All it count is
Really: if you can do better than I did, you are welcome!
Probably not enough to make an impression but I've seen you around the net quite a bit now.
That's the thing. You're not technically wrong, you're just disingenuous. Purposefully misrepresenting things. For example instead of saying "There's a vulnerability with a handful of headers and some remote code execution and yep big browser doesn't want you to know," just come out and say what you mean off the bat instead of obfuscating it. "Javascript can be used to stab users in the back. How do we fix it without breaking it?" And that last bit is important. The solutions you propose will break the internet as it exists today. That's never going to get off the ground. Nobody will accept any solution that has that kind of cost. If you actually want anything fixed like you say you do, you need to work in ways that go with the grain.
This is the kind of arguments that people debating the qualities of JavaScript as a language would propose.
I'm talking about a severe security issue that you say exists!
In the number of people affected, it's equivalent to Meltdown.
But not being an hardware issue, it could have been already fixed.
Diff, please note that I didn't proposed any mitigation until asked for solutions.
I just reported the vulnerability describing the attacks.
If you (or Mozilla) have other effective mitigations to propose (or implement) you are totally welcome to!
The only thing that I cannot understand as a developer myself is closing the issue pointing to a forum and never tring to address the attacks! They didn't dared to negate the attacks, they are just leaving users vulnerable!
I'm just trying to inform people.
The fact that informing people is fought (here like elsewhere) is not a good sign about our field, don't you think?
If the bug report is "not technically wrong", if people are vulnerable to these attacks, those who write that broken code (and those broken Standards) should find the proper way to mitigate the risks.
Not me.
I'm really sorry I don't know how to explain this to you, but the reason for this isn't because of anything to do with the issues themselves, it's the way you present the issues and yourself.
Mm... I appreciate the frankness.
I think there is some language barrier here or something, as I carefully try to stay polite and focused on the matter.
Fine.
Can you please open another report where this issue can be discussed in a more effective way?
Use your words and style. Really... I don't know how to write it more clearly so it's pointless to try again.
Then you're going to run into a lot of problems and push people away from your cause. Whether you like it or not, diplomacy matters. I mean, ffs, even Linus Torvalds apologized for shitty behavior despite being notorious for it, because even he realized its importance.
Methods matter just as much, if not more, as the end goal. You need to either accept that or accept that this will forever be an uphill battle for you.
Thanks for your suggestion, but it's not an uphill battle.
It's not a battle at all. Not for me.
I just want to inform people they are vulnerable to these undetectable attacks.
And that the organizations they trust omit to inform them about such attacks.
And that such organizations don't want to mitigate the risks.
Despite the mitigations are relatively simple and cheap.
Simply stating the Truth is not a battle.
You're intentionally twisting my words here. You know perfectly well what I mean by "uphill battle". At this point it's clear that you have no intention of engaging in a good faith discussion of this issue and, quite frankly, I'm less inclined to listen to any criticism about JavaScript purely because of this sort of antagonistic behavior that seems to be the norm among anti-JavaScript advocates. Less so than ever because of how extreme your antagonism is.
Good luck with your cause. You're going to need a lot of it.
You didn't say anything about the issue, you just talked about "methods" and how "diplomacy matters".
If you have any question on how these attacks can be performed, I'm glad to help.
Fun fact: I'm a JavaScript programmer myself.
And this issue is not only about JavaScript: any Rust program compiled to WebAssembly and distributed over the Web would expose the visitors to the exact same attacks (but made worse by the compiler's optimization).
Thanks, but it's not "my cause". Really!
It's just a severe security vulnerability affecting billions of people and organizations.
It was closed on Bugzilla because you cannot change wide‐reaching internet standards with a bug report.
This “vulnerability” is the equivalent of a Windows user filing a bug report with Microsoft because they allow people to write and run arbitrary code on the operating system. That’s not a problem—it’s how modern computing works.
I guess you don't know much about the "wide-reaching internet standards" you are talking about.
I opened a bug report because these are Living Standards that follow the implementations.
To fix these "Standards" you need to fix at least one implementation before.
Also, I challenge you to find a line in the Standards we are talking about stating that JavaScript cannot be OPT-IN on a per website basis.
Guess what?
You don't need to violate any WHATWG's standard to implement these mitigations.
Different person, hello! I'm a web developer by profession, including JS.
You are correct that there is no line in the web standard that requires a browser to enable JS execution by default. However, there is also no line that requires any browser to disable JS execution by default. This is, by definition, not a bug!
What you have here is a change request, or perhaps a web standards proposal. The correct channels to go through for this are detailed quite helpfully here for Chrome, and to a degree here. I'm afraid I don't know the Mozilla process but Bugzilla isn't the place for it, as, again, it's not a bug, and issues will be correctly closed as some variation of "Working as Intended".
I would recommend not framing it as a bug at all, as currently the entire thing can be summed up as "Javascript can perform code execution", to which the response is, quite rightly, "Yeah. It's meant to."
Hi Nephrited, web developer by profession (including JS) here too.
To me, if the people using my software are vulnerable to such wide class of undetectable attacks, it's a bug.
Would you leave your users vulnerable just because no line in the "standards" you (wrote and) implemented say that you have to protect them?
As a software developer you should then be aware that a risk is not a bug. They are distinct issue types, and are tracked separately. A bug is a problem with software not performing as expected when compared with the specification.
What you have is a problem with the specification itself. Concepts cannot have "bugs", but they can be flawed.
No, I would not. I would go through the correct channels, noting the risk and filing a change request, pointing out the issues. You can do the same, and I strongly encourage it!
Out of curiosity, do you think a dangling pointer is a risk or a bug?
That's true for the specified parts.
Do you really think that bugs happen only in the parts covered by a specification? :-)
And meanwhile you leave your user vulnerable to these attacks.
Do you have an idea of the time required to get a new standard approved by W3C?
And, again, you cannot get a standard approved by WHATWG without an implementation working.
I'd say it's a bit naive of an expectation, but I'm very happy if you are going to try it yourself!
Yes, the process was detailed clearly in the links I provided. I'm afraid it doesn't matter what your opinion of the process is. If you wish to make a change, you have to follow the correct procedures.
Good luck!
This security report, closed by Mozilla without saying wherther Firefox's users are vulnerable to the wide class of undetectable attacks described, was issued on September 29, 2018. It was cross posted to the Chromium team roughly 24 hours later (publicly visible here)
The Lobste.rs' thread suggested by Frederik Braun to continue the discussion has now been censored, but it has been cached here
Neither Mozilla nor Google have yet confirmed or denied the vulnerabilities, but two PoC attacks have been published already (here and here), showing at least one more severe vulnerability: the trust of people in Mozilla.
All browsers from the other WHATWG members are likely vulnerable to these attacks as well.
I don't think you're framing this in a way that helps your case at all. It's not an attack, it's not a bug, it's the way that we have agreed for the the web to work.
Starting a conversation about flaws in that agreement and pointing out that the tradeoffs made might have harmful consequences is a reasonable thing to do. Looking at the consensus behaviour, declaring it's a bug, and refusing to accept that the vast majority disagrees with you, is not going to get anyone on your side.
Nor is attempting to put this blame on any particular browsers when literally all of them that adhere to the web standards are "vulnerable" to the same "bug". Not only that, but like one of the commenters in bugzilla stated, this "vulnerability" is exactly why the subresource integrity specification exists.
And furthermore, what exactly is the proposed "solution" to this "problem"? Prevent any code from executing on browsers without explicit permission, essentially forcing every user to use a uMatrix/NoScript like system? Yeah, I can surely see the vast majority of users on the web figuring out how to do that. /s
The fearmongering tone of the bugzilla post certainly doesn't help either.
I opened the issue to Mozilla because I trusted them to put their users' security before their profit.
As an advocate of Firefox from version 0.8, I believed in their twitter tag line "Made for people, not profit."
I was naive, actually. But I was suggested to open such issue by a Mozilla developer.
But it's not a matter of blame. It's just trying to spread the word.
They are responsible for their own brand. If they feel shame for their actions they can easily fix it.
When requested, I proposed a few mitigations (not solutions):
Obviously all this leaves the door open for pages that:
thus I would also mark as “Not Secure” web pages visited for the first time that require JavaScript.
The one that scares so many JavaScript developers, is battle tested for near 20 years: both Java applets and Flash were opt-in without much drama.
Except that it is NOT mandatory on scripts, so it's basically useless.
Did you tried the exploits?
Did you tried to tunnel into a properly firewalled and proxied private network?
I might suggest you to try with your bank. You will understand the risks, then.
Look, I largely agree with you in that more can be done and most of your proposals are not bad (e.g. mandatory SRI is a decent standard which should probably be adopted eventually), however IMO you are hopelessly naive if you think Javascript can suddenly be made opt-in without completely breaking the web. The vast majority of internet users are not technically literate enough to handle script micro-management on all the websites they visit and so would very likely just find a way to permanently enable javascript immediately again anyways, so then what would you have gained by making it opt-in other than annoying people?
And as I said previously, it certainly doesn't help that you are going about this by intentionally fearmongering. Cool it on the anti-government, anti-weborgs rhetoric and maybe then you can actually win some people to your side instead of constantly getting your posts removed and getting banned from places.
You mean the way they do with push notifications? ;-)
First you raised awareness about the topic, instantly improving the security of users and organisations.
Then in less than a year you will get a faster and more accessible Web, since the site owners will stop using JavaScript when they don't need to.
You will also see faster progress on declarative alternatives to JS, such as CSS and new HTML elements.
Finally, fine grained user interaction wont be so easy to track.
Government agencies are affected by these attacks like any other users.
As for web organisations, I was surprised by Mozilla reactions until somebody pointed me that the vast majority of their budget comes from Google.
Google that people would probably trust in a opt-in JavaScript world but that would lose precious data collected through Analytics.
To be fair, the fact that we need marketing or politics to get such a wide variety of attacks mitigated is dangerous by itself.
I don’t want to play this game. It is a burden on the credibility of our whole sector.
And I don't want to win allies, I just want to inform people.
Yes, exactly the same. Which is the point of the very next part of that same sentence, "and so would very likely just find a way to permanently enable JavaScript immediately again anyways", which you conveniently avoided addressing by quoting only the immediately preceding and proceeding parts. People would treat having to explicitly enable JavaScipt on every site exactly the same as they do push notifications, which is to say they will see it as an annoyance, set it once and then forget it... unless you continue to annoy them every time the JavaScript changes in which case they will simply find a way to permanently enable it or migrate to browsers that don't constantly annoy them with explicit permission requests and don't artificially limit functionality for no good reason, and then you're right back to square one. "Don't throw the baby out with the bathwater."
Without JavaScript any new alternatives would likely wind up having the exact same "vulnerability" as you are falsely attributing to JavaScript since code execution is a fundamental part of the functionality of the web. You can argue about how browsers should make more of an effort to limit the abuse potential (which I would argue they already are) and do a better job of informing the users of said potential abuses, but demanding that all browsers cease allowing code execution without explicit permission is incredibly impractical.
Following my criticism of your anti-weborgs rhetoric with even more anti-weborgs rhetoric isn't helping you at all. Their (and everyone else's) response to your "bug" report likely has nothing to do with their source of funding and everything to do with the hyperbolic language you keep using and way in which you are behaving.
The changes you are "suggesting" here would break such a significant percentage of the web the idea is not even worth entertaining. When TLS 1.3 was in draft stage and it turned out that 1-1.5% of users were having trouble with it, IETF abandoned their approach and added tons of compatibility stuff with TLS 1.2, because everyone agreed breaking 1% of requests was huge.
So I believe you know nobody is going to pick you up on this, and you are not really seeking change, just grandstanding.
Yes, but TLS 1.3 was not a bug fix.
What I proposed would fix a severe security vulnerability that affects 90% of users.
Maybe there are better fix, but it's something that fix not break.
Well... actually a few people are moving in the underground... ;-)
You are right, as explained in the report, it's not one single attack, but a whole class of them.
It is a bug in the architecture of the web as designed and distributed by WHATWG's members.
Even if you were right on this, it wouldn't make these attacks less dangerous or the users less vulnerable.
However, the responsibility is not on everybody.
It's on those organizations who turned the Semantic Web into what it is today.
Fortunately, they could easily fix it with trivial changes to the browsers that would then been adopted as Living Standard. Unfortunately they don't want to. So they should be held accountable for any breach done through one of this attacks.
The fact is that while when you play a 3D game in the browser you might suspect that you are executing a custom program that can compromise your machine and your network, when you read an article in an online magazine or look a video, there's no need to execute custom programs provided by strangers, thus most people are not aware of the risks.
Also, due to the HTTP Cache-Control headers, all evidences of these attacks can be easily removed: do you really think that everybody understand and agree to take this risks?
Given the variety and the severity of these attacks, I don't think there is much to trade off.
The suggested mitigations are fast and cheap to implement and would not affect much the user experience while increasing their security a lot.
It's not a war to me. It's not me against them.
It's just a matter of time: when an hospital or a bank network will be hacked this way, they will have to respond for having covered up these attacks to their users.
Meanwhile, I just try to inform the users to let them understand the risks and improve their security.
i have no stake in this and computer security is not my thing but i think it's a bit laughable to call the lobste.rs thread here censored. having taken a gander through that thread and others you shared on lobste.rs, i can absolutely see why they would remove you from the premises. you seem to take a very fire-and-brimstone, bible thumping attitude to this issue which, while understandable i suppose, gets really fucking annoying if it's basically all you ever do and the bulk of what you ever talk about, especially when people have repeatedly reiterated to you that while your claims are valid, this is ultimately a trade-off that people made which would be bordering on impossible to fix without a radical upending of the system that will almost certainly never happen.
at some point, it is not productive to have a conversation with you if you're never willing to see the other side, never willing to take a step back, never willing to cede ground, and ultimately never willing to stop preaching fire-and-brimstone when people repeatedly tell you why things are this way. that is seemingly why the lobste.rs thread was removed, that is seemingly why you got banned, and in my judgement that's not censorship, that's just people getting tired of you not being willing to productively contribute to any potential conversations on the subjects you've brought up.
Well... thanks for your opinion! :-D
I hope others will go through the comments to see if you are right or not.
Anyway you are wrong on something: nobody from Mozilla said "Firefox users are vulnerable to these attacks, but there are trade-offs that we value more than their security".
Ultimately I just asked: "Are Firefox users vulnerable to this wide class of undetectable attacks?".
Is this "antagonistic behaviour" to you?
yes, if you literally never stop talking about it after continually being told the same things over and over and over again by both familiar and unfamiliar faces alike. at some point if you are either unwilling or unable to take the hint people have been laying pretty thick on you, you're basically doing nothing but concern trolling by continually bringing things like this up and expecting people to have any more answers than what they've already given. that is antagonistic, and absolutely a cause for people telling you to fuck off from their website, whether you like it or not or think it's censorship or not.
So, according to you the problem is me asking 3 or 4 times this question, not Mozilla Security NOT responding.
(in the thread they suggested to discuss the issue)
yeah. take the fucking hint. from your AMA on dev.to to lobste.rs to your bug report on mozilla to here and no doubt other places, people have all given you the exact same answer. this is a trade-off that has been made, fixing it is a highly impractical measure at this stage in the game and would most likely only occur in circumstances that are basically unprecedented, and your fire-and-brimstone attitude toward this issue and the people who respond to you comes off as obnoxious, asshole-ish, and concern troll-y.
you have a point, yes, and people recognize that. but it's really not difficult to see why people would deplatform you and consider you antagonistic, willfully ignorant, and somewhat of a troll, because even now you give that vibe off to me, and i'm trying giving you the benefit of the doubt here and assuming you're operating in good faith.
Just like I don't care about being defined a troll on internet, I don't care about having a point.
I just care about these issues been fixed and people being informed. From the very beginning.
What could I gain from this?
What could Mozilla lose from this?
What JS developers (like I am) are afraid to lose from this?
I think the answers to these questions explain pretty well who is in good faith and who is not.
i'm not really interested in repeating my points since i've already made them, but i think this conversation demonstrates exactly why you are something of an internet vagabond when it comes to proselytizing about this subject and will probably continue to be for the foreseeable future. i would ordinarily ask that you self-reflect on why absolutely nobody is supporting you on this in any capacity (to the point where your comments in this topic have garnered no votes at all when literally any other response might have garnered just as many as my comments), but realistically i doubt self-reflection will work any better than lobste.rs banning you, mozilla all but ignoring you, and countless people demonstrating to you why you are barking up the wrong tree and why what you are suggesting is impractical. all i can offer is hope that at some point in the future you will recognize that what support and sympathy you may have otherwise garnered on this subject has evaporated because of the manner in which you participate in discussions like this.
i do wish you luck in your endeavors but, judging by your demeanor, i suspect that you will continue to be unsuccessful in pursuing them.
The complainant's point resonates with me. Is having all these wonderful technologies that let remote sites manipulate my experience worth the risk of my computer being compromised? I'm starting to think: no, they are not and harken back to the day when web sites were very simple: text and binary images without the threat of someone compromising your computer. (My statement does not take into account possible security issues in JPEG files.)
IMO, yes... unequivocally yes. And if your answer to that is "no", then you can always install uMatrix or NoScipt and block all remote script execution, or use Lynx or a Lynx-based browser which doesn't support that to begin with. Voilà, you have now effectively opted out of all "remote sites manipulation" of your computer... and also opted out of the vast, vast majority of web functionality, including being able to participate on Tildes. But expecting/demanding that be the default browser behavior, like OP is doing, is incredibly unrealistic and naive (again, merely IMO).
Fine.
But is having all these wonderful technologies that let remote sites manipulate any user experience worth the risk of your private banker's computer being compromised? What about your doctor?
If they follow any security practices, my doctor or banker don't use a PC with sensitive data for just browsing the web, but instead, for example, an semi-air-gapped system.
Doing otherwise would be neglegient in this age of cryptolockers and spyware.
For these specific attacks, the sensitive data in their browsing PC are totally irrelevant.
They just need to connect through their DMZ network with their smartphone.
Could you clarify that second statement, please?
It sounds like you just said "If a user willingly breaches security protocols, a security breach will occur".
A doctor is not a security expert. Nor is a private banker.
Do you really think all companies, all over the world, spent the money required to train all of their emplyees about the risks for their customers when they read an apparently harmless text article over the Web?
In any case, these are just some of the possible attacks.
Do you like to stay vulnerable? Fine!
Do you want other people to stay unaware AND vulnerable? Be honest and tell them.
Jesus, dude give it up already with the hyperbolic, fearmongering bullshit. All that it and your scaaaaary bold text does is make you that much harder to take seriously.
You didn't answer.