Home > Uncategorized > SSL/TLS Broken and Disabling Javascript Fixes It

SSL/TLS Broken and Disabling Javascript Fixes It

In a few days a flaw or attack on SSL/TLS (the stuff that protects your passwords and personal data as it goes across the internet) will be presented at Ekoparty.

The attack requires the attacker be in position to intercept and inject into the data between the client and server, otherwise known as a man-in-the-middle attack. The attack appears to use javascript to send out known plaintext over an encrypted channel and allow attackers to then crack the encryption key using that known plaintext.

The simplest solution to protect yourself is to disable javascript.

As a web developer I look at things like noscript, cross-site scripting, and exploits like this as reasons to believe that users of my web site may not have javascript enabled. Therefore it is vital that javascript not be a critical component to using any site I manage. That doesn’t mean never use it, it only means that your web site still be usable without it. Treat it like Flash, or Java, or any other function that isn’t explicitly defined in the HTML or CSS specs. These things can make life easier for the user, but should never be a requirement.

This latest exploit, with the immediate message to end-users being disable javascript until a fix is ready, puts those web developers who rely on javascript to provide critical function to their site in a bad position. Don’t be one of those developers.

Eventually the practice of at least a white-list approach (see noscript) to Flash, Javascript, etc., if not completely removing them from the browser, will become the norm for even basic web users. It may not happen this year, or even in the next five years, but it’s very likely to happen as attacks on the web layer continue to grow.

About these ads
Categories: Uncategorized
  1. Steve
    September 21, 2011 at 2:22 am

    I use NoScript. Unfortunately, more sites are becoming unusable without JavaScript, even to do basic things that shouldn’t require it. One big example of this is Twitter. Although I don’t use it, I sometimes get linked to it, and the pages aren’t viewable without JavaScript. Their pages couldn’t get any simpler, either, which makes this example stick out in my mind. It’s ridiculous that you need JavaScript to view them. They do give you a link to their mobile site, but it’s pretty bad because it’s not clear how to get to the page you want to go to from their mobile site.

    I don’t really see things turning around. I think we will see more dependencies on it.

    • September 21, 2011 at 3:01 am

      Got to think positive. The reality is far too depressing.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: