Re: Active-content filtering (was RE: Buffer Overruns)

[Crispin Cowan <crispin () cse ogi edu>]

fernando_montenegro () hp com wrote:

> One or two messages in this thread mentioned some firewalls' ability to filter
> out Java[script]|ActiveX from the HTTP stream.
>
> Considering the current scenario, where lots and lots of sites with valid,
> business-need content, will use client-side scripting|code as fundamental for
> functionality (news/stock tickers, client-side input validation, etc...),

I VEHEMENTLY dispute that any of these scripting technologies are *legitimate*
business-need content.  On the contrary, they are symptoms of "lazy web developer
who doesn't understand the technology."  I have never, ever encountered a web site
that used Javascript in a way that was actually necessary to perform the business
function.  On the other hand, I have encountered many web sites that failed to
function properly without Javascript, but only used Javascript for "glitz", i.e.
every single Javascript function could just as easily been replaced with a normal
URL linking to a page of HTML.

The current trend towards *requiring* Javascript to be able to access a web site
horrifies me.  I don't mind if the glitz is there, but the entire site SHOULD work
properly without Javascript.  Cute little pages that tell the user to upgrade
their browser are wrong:  it is the web site that is broken, not the browser.
Using Javascript for cutsiness is fine, but *requiring* Javascript for
functionality is not fine.

So much for "busienss need".  Now what about the risks?  MOST of the browser
vulnerabilites that have been discovered this year have concerned Javascript
specifically.  The number two culpret has been Java and JVMs.  To me, these to
factors together make an EXCELLENT case for filtering Javascript.

They also make an excellent case for spanking majorly broken major web sites like
United Airlines ( http://www.ual.com ) and Continental Airlines (
http://www.continental.com/dash/build_dash.asp?vs_1999_11_22_00 ) because they are
a hazard to Internet security.  Not that they contain hazardous Javascript, but
just because they require Javascript they essentially force firewall admins to
admint Javascript in general to the site, exposing thousands of businesses to
major risks just for the convenience of some lame web developers.

Context:  I run with Javascript disabled in my web browser most of the time.  When
I encounter a Javascript site, I mostly just leave immediately and never return.
When I have a business need to use the site anyway, I grudgingly do so, but it
produces a *very* negative impression of that business in my mind.  Requiring
Javascript tells me that the business cares more about their convenience than my
security.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org