[Mapserver-users] JavaScript vs MapScript for interface development...

Thorsten Fischer thfischer at mapmedia.de
Tue Jul 1 11:55:36 EDT 2003


Let's see. I will not answer all posts separately, but rather try to
sum it all up in a big one.

Please note that I did not ask to turn off your applications. More on
that in the last few paragraphs. Also I did not mean to advertise that
nobody should visit sites containing javascript anymore. I add this
because I received a couple of outright hostile (and mostly 'anonymous';
I put that in quotes because you people should take more care of your
emails' headers) emails stating that the 'stupid nonsense' I wrote would
put websites out of business.

--

First off I would like to ask a question. People install virus scanners
on their desktop machines (virus scanners are a thing that can be argued
about too, but for the sake of the following let's assume they make
sense). They install them because they do not want a virus, which is
code written by a completely untrusted (and untrustable) stranger, code
that they cannot control, to be executed on their machine.

The next thing they do is fire up a web browser, go to a site and have
javascript executed, which is code written by a completely untrusted
stranger. Code they cannot control and that someone says is necessary
for a certain service.

Code that might have changed since last night for whatever reason.

Sounds weird to me.

--

It was pointed out that javascript was designed to be a sandbox
environment. This is not true. If you have a link to a design paper or
something similar, I would like to read more about an inherent security
model in javascript. But this will prove difficult, because there is
none.

Netscape, the inventors of JavaScript, developed a few models
_afterwards_ (same origin policy, data tainting, signed script policy).
Security put on top of a thing is no security. It has to be built in. I
recommend reading Bruce Schneier's 'Secrets & Lies', among others, for
more info on that problem.

IIRC, Microsoft one day said something about 'sandbox' and javascript,
but I think all of us are aware of MS's quality of security in their
software implementations.

By the way, contrary to what someone else said, Shockwave Flash does not
require an ActiveX control. Or at least my linux version for mozilla
does not need it.

Oh, and it is correct that active scripting and javascript can be seen
as different things; but I still have to find an IE setting that lets
the user turn off only one of the two.

--

I recommended asking your local CERT for 'javascript'. The response was
questioning that I did this myself, because a search would only yield 8
results. Please allow me to question this result in return. I go to
www.cert.org, type 'javascript' in the search box and hit enter. I get
59 results. If you want I can post a screenshot somewhere.

Bugtraq: 109 hits

(securityfocus keeps on splitting up their lists and redesigning their
publication policies, and cert.org is not exactly famous for a full
disclosure policy, so the numbers possibly need to be adjusted in one
direction or the other)

--

Something that made me angry was the comment that 'driving a car' was a
risk as well, as would be everyday life, and that life would only be
enjoyable with a certain amount of risk involved.

As much as I do agree with that sentence :), it does not have the
slightest relation to our discussion. Apart from there being way too
many car/computer comparisons on the net ;), it moves the 'opponent' in
a debate (sorry, I cannot think of a better word at the moment) to a
slightly silly level.

But sticking to car-driving, let me point out that you have to acquire a
license to be allowed to drive a car; that you need to take lessons to
earn that license; that you have to follow a lot of security guidelines
to be in line with your local traffic laws; and that you are in trouble
explaining things to the insurance company in case something happens to
you even though you should have known better in that very situation.
Same goes for the people and companies who build and maintain streets
and roads.

There is no equivalent to this on the internet, so the car metaphor does
not hold.

And even if _you_ want to take a certain risk, others might not want to.
See the 'choice' consensus that I offer in the last paragraph (and that
I already offered in my original email).

Security is a binary thing; it's either there, or it is not. Taking 'a
bit of a risk' in a certain environment (a javascript mapserver
application) and hoping that it won't harm me on another does not work.

--

The BSI (the German Department for IT Security; it defines security
outlines for companies and private people and publishes them) posted the
following press release on their website in September 1999:

http://www.bsi.de/fachthem/sinet/java99.htm

Sorry, it's in German. It says that there were numerous security
problems with 'active content' in WWW sites (ActiveX, JavaScript, Java
etc). They say that most problems are caused by implementation errors,
and that secure implementation of active content seems to be outright
impossible. They strongly recommend turning off active content. They
also point out that security-aware people are consequently left out
because of websites relying on javascript and so on, especially where
its use is completely unnecessary.

I think they make an important point here: The core problem is not that
JavaScript is inherently too insecure, but that almost every browser
security hole relies on it to be turned on.

The press release was updated in January 2002 with the note that
all warnings are still valid. There is absolutely no indicator that the
errors in implementation are not there anymore.

--

I also want to point out that you assume - even though you are not
explicitly stating it - that every security problem in javascript is
public and can be fixed. This assumption is interesting. I would like to
invite you to join us on this year's Chaos Communication Camp near
Berlin (https://www.ccc.de/camp/) for the opportunity to meet people who
might be able to talk to you about the more creative uses of active web
browser content.

The JavaScript security problems were even more grave with Netscape and
IE versions up to version 4.something, so most of the notes and web pages
you will find date from up to, say, 1999. They are more sparse now, but
they are still there.

Please also note that the sheer annoyance that a JavaScript site can
cause is not exactly a security hole but still a good reason not to
enable it at all. I still have the possibility to open hundreds of new
windows right in your face.

Another problem caused is that javascript leads to developers'
laziness. People parse form input using javascript, thinking that they
have control over the submitted content that way, and then skip this
important step on the server side. But I can still type everything in
my web browser myself, or connect via telnet, or whatever, and send
arbitrary input. Therefore advertising JavaScript as an all-purpose
programming language is wrong, because it is by no means an interface
that can control any input whatsoever; it's just a layer between me and
the application on the webserver, a layer that I can move away at will.

I admit that I am getting away from the possible harm for the user here,
but I think it's an important point.

--

Bottom line, again: I think my arguments are still valid. You may choose
to _assume_ a lot of things and base your application development on
them. That is your choice. That your website needs javascript, or whatever
active content you like. That is your choice. But my choice - and the
choice of a lot of other people - is that javascript has to be turned
off, let it be only because of the annoyance it causes.

So the question is: why don't you want me to see that application?

As much as I see that in most places in which JavaScript is used it is
also completely unnecessary, I do of course understand that our business
of making maps is a highly visual one. I think I already said that. I do
not ask you to optimize your sites for the users of 'links' and 'lynx',
which are unix command line web browsers. And I see that there is
functionality that cannot be done in plain HTML, for example zoom boxes.
I mentioned that too. I also know Neapoljs, for example, which is made
by tydac, and I think that it is a very nice application, and I will
continue to point people to it. But JavaScript should only be executed in
a trusted environment. The internet is _not_ a trusted or trustable
environment.

We are using free software here (MapServer), because we want to show the
users and developers that they have the ability to choose. To transport
that thought we have to let users make choices. This is an important
one. I do not ask you to turn your sites off. I ask you to let the people
choose between a javascript and a non-javascript version. If you cannot
do that or do not want to do it, I ask you to tell them the reason. Just
a few lines of explanation. And maybe add why you think that it's not at
all harmful for them to have javascript turned on.


hth,

thorsten


--

Links:

http://www.pivx.com/larholm/unpatched/
http://www.pivx.com/larholm/unpatched/6may03notes.html
(unpatched IE security holes)

http://www.juengling-edv.de/meinungen/webseitengestaltung.htm
(german site about web design. They say that no common store would ever
put a sign at the door saying 'only for people with Armani ties' or
'only for Porsche drivers'. But still people build websites saying 'only
viewable with javascript')

http://www.w3.org/Security/Faq/wwwsf2.html#CLT-Q8
(The W3C recommending not to use javascript. The FAQ is not exactly up
to date)

http://www.w3.org/TR/WAI-WEBCONTENT/
http://www.w3.org/TR/UAAG10/
(accessibility and usability guidelines)

etc
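The post's point about form input checked only in the browser (the JavaScript layer is one the client can simply remove) is best answered by validating every map request parameter again on the server. The following is an added example, not code from the original post or from MapServer: a small server-side validator for a map request whose parameter names (mapext, layers, width), layer allowlist and map extent are constructed assumptions standing in for what a mapfile would define.

```python
import re

ALLOWED_LAYERS = {"roads", "rivers", "parcels"}  # constructed policy; a real one comes from the mapfile
MAP_EXTENT = (-180.0, -90.0, 180.0, 90.0)       # minx, miny, maxx, maxy of the whole map
MAX_IMAGE_PIXELS = 2048
LAYER_NAME = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def parse_extent(value: str) -> tuple:  # expects 'minx miny maxx maxy'
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("mapext needs exactly four numbers")
    minx, miny, maxx, maxy = (float(p) for p in parts)  # float() raises on non-numbers
    if not (minx < maxx and miny < maxy):
        raise ValueError("mapext is not a proper rectangle")
    if minx < MAP_EXTENT[0] or miny < MAP_EXTENT[1] or maxx > MAP_EXTENT[2] or maxy > MAP_EXTENT[3]:
        raise ValueError("mapext lies outside the map")
    return (minx, miny, maxx, maxy)

def parse_layers(value: str) -> list:
    names = value.split()
    if not names:
        raise ValueError("no layers requested")
    for name in names:  # shape check first, then allowlist membership
        if not LAYER_NAME.match(name) or name not in ALLOWED_LAYERS:
            raise ValueError(f"unknown layer {name!r}")
    return names

def parse_size(value: str) -> int:
    if not value.isdigit() or not 1 <= int(value) <= MAX_IMAGE_PIXELS:
        raise ValueError("size must be an integer between 1 and %d" % MAX_IMAGE_PIXELS)
    return int(value)

def validate_request(params: dict) -> dict:
    """Clean every field on the server; whatever the browser's JavaScript checked is not trusted."""
    return {
        "mapext": parse_extent(params.get("mapext", "")),
        "layers": parse_layers(params.get("layers", "")),
        "width": parse_size(params.get("width", "")),
    }

def is_valid(params: dict) -> bool:
    try:
        return validate_request(params) is not None
    except ValueError:
        return False

# Constructed requests: what the HTML form would send, and what a hand-typed request can send instead.
FORM_REQUEST = {"mapext": "-10 40 10 60", "layers": "roads rivers", "width": "800"}
CRAFTED_REQUEST = {"mapext": "-10 40 10 60 0", "layers": "roads ../secret", "width": "99999"}
```

The same checks belong in the server no matter how polished the client-side script is, since the crafted request never passes through that script.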
