[Mapserver-users] JavaScript security
Jan Hartmann
jhart at frw.uva.nl
Wed Jul 2 07:42:51 PDT 2003
Hi Thorsten, Flavio,
I'm a bit averse to responding to something that looks like a starting
flame, but as I'm going to publish the MapClient application I presented
at the MUM a few days from now, I feel I should give my personal view on
this. MapClient is a browser interface for MapServer, exclusively based
on JavaScript, without any HTML at all. I would not like to give the
impression of living dangerously, and certainly not of inducing others
to do so.
There certainly are risks in using JavaScript in every browser. There is
an excellent recent article in the leading German computer journal C'T (
http://www.heise.de/ct/browsercheck/ ). It's in German; perhaps someone
from Germany on this list could translate or summarize it? It has many
tests you can do with your browser to check for vulnerabilities, and
some really are horrifying. However, if you have a modern browser with
all recent updates, none of these vulnerabilities will hurt you.
My personal view is that the standard reference browser (Mozilla) is at
the moment as safe as safe can be. Without any doubts security leaks
will be discovered in the future, but the Mozilla group has an excellent
security page (www.mozilla.org/security), and it combats the problem the
only right way: by exposing its code and by publicizing every known leak.
I'm not so sure about IE, but even there the security risks are minimal
compared to mail-propagated security problems. I won't say you can
ignore them, but if you are really that security conscious, you should
shut off your mail too. Just use the Windows Update facility on a
regular basis. IMO IE will always be less secure than Mozilla for two
reasons: its code is closed, and the browser is too much integrated into
the rest of the operating system. That being said, I have no qualms at
all using it at the moment.
AFAIK there are three fundamental risk areas: browsers reading and
writing to local disks, browsers executing local programs, and browsers
reading data from other concurrent browser windows. I'm not very afraid
of the first two: as soon as someone uses such a leak it will be
discovered and patched immediately. The third one is more insidious.
Imagine doing your banking business in one browser window, and playing
around with a malicious JavaScript application in another. The second
one should under no circumstance be allowed to read the contents of the
first. Normally this is the case. However, applications combining data
from multiple servers, like WMS/WFS, are relatively new, so here I would
expect problems in the future, especially in IE. Mozilla has a very fine
grained security system, which is under active development, so I think
it will keep up with these kinds of security attacks.
For myself, this means that I will develop the MapClient application on
the basis of W3C standards and Mozilla as reference browser. It will be
compatible with IE 5.5 and up, as long as it is one-server or one-site
based (which covers the great majority of all current applications).
Multi-server access will be added only in the Mozilla version.
As I said, the three groups of security leaks are potentially very
serious, but I have not seen major accidents resulting from them in
everyday practice. The most real security leaks are pages that try to
register surfing behavior. This is certainly a breach of privacy and can
be very annoying, especially from the resulting spam, but it is not a
risk in the class of the three groups mentioned. Personally, I just
ignore it. Mozilla has an excellent spam-recognizing filter built into
it, which can be trained on the actual spam you receive. After a few
weeks of training it has a recognition percentage of almost 100%. I can
recommend it to everyone.
I think the question is not so much whether the Internet is unsafe: it
is. Neither is it whether you can live with it: millions of people can.
You both are right. The question is: what can you do about it, and this
depends on your situation. Speaking as a university person, almost
nothing I do is really secret or indispensable. However, in the mapping
business much has to be shielded, e.g. for financial or privacy reasons.
Same goes for everything that has to do with money. There is no single
security answer for all these situations, but every situation can be
made as safe as you want. Concerning MapServer, for example, Steve Lime
has recently added an excellent security mechanism, which makes it
impossible to access the actual maps your application is based upon.
However, you have to be aware of this mechanism and apply it. Same goes
for PostgreSQL, which can be made very safe indeed, but you have to put
some effort into it. Cryptography and certificates are very powerful
tools too, once you have mastered them.
I think the greatest error is trying to solve every possible problem in
the same way. If parts of your applications are vulnerable, shield them.
If you are just retrieving information, go ahead. No reason at all to
turn off JavaScript, just don't mix both kinds of web access. The last
thing we need is for all technological progress to be halted because of
shady behavior in the margins of the Internet.
Jan
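The third risk area above (one window's script reading another's data) is what browsers enforce with the same-origin rule, and it is also what decides whether a map client can talk to one WMS/WFS server directly or needs the serving site in between. The following is an added example, not code from the original post or from the MapClient project: it models the same-origin comparison (scheme, host and effective port must all match) and sorts a constructed list of hypothetical server URLs into those a page could read directly and those it could not. It assumes a modern JavaScript runtime with the WHATWG URL API (Node or a current browser), which the 2003 browsers discussed here did not have.

```javascript
// Added example, not from the original post or the MapClient project.
// Models the browser's same-origin rule: script running in a page may read
// responses only from the origin that served the page, where an origin is
// (scheme, host, effective port).

function originOf(urlString) {
  const u = new URL(urlString);
  // URL.port is "" when the port is the scheme default, so both
  // http://a.example/ and http://a.example:80/ end up as port 80 here.
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  // Hostname is already lower-cased by the URL parser; compare the triple.
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Given the URL of the page hosting the map client, split candidate
// WMS/WFS endpoints into those the page's script may read directly and
// those the same-origin rule blocks (a subdomain, another scheme or another
// port is a different origin, not just another host name).
function classifyServers(pageUrl, serverUrls) {
  const direct = [];
  const blocked = [];
  for (const s of serverUrls) {
    (sameOrigin(pageUrl, s) ? direct : blocked).push(s);
  }
  return { direct, blocked };
}

// Constructed sample input (hypothetical host names, not real services).
const PAGE_URL = "http://maps.example.org/mapclient/index.html";
const SERVER_URLS = [
  "http://maps.example.org/cgi-bin/mapserv?SERVICE=WMS&REQUEST=GetCapabilities",
  "http://MAPS.example.org:80/cgi-bin/mapserv?SERVICE=WFS&REQUEST=GetCapabilities",
  "https://maps.example.org/cgi-bin/mapserv?SERVICE=WMS",   // other scheme
  "http://maps.example.org:8080/cgi-bin/mapserv?SERVICE=WMS", // other port
  "http://wms.example.org/cgi-bin/mapserv?SERVICE=WMS",      // other host
  "http://other.example/wms?SERVICE=WMS",
];

function demo() {
  return classifyServers(PAGE_URL, SERVER_URLS);
}

if (typeof require !== "undefined" && require.main === module) {
  const { direct, blocked } = demo();
  console.log("readable directly (same origin):");
  direct.forEach((s) => console.log("  " + s));
  console.log("blocked by the same-origin rule:");
  blocked.forEach((s) => console.log("  " + s));
}
```

Run it with `node` to see the split. The two entries that end up readable differ only in letter case and an explicit default port, which is why the comparison normalises those before deciding; everything else, including a sibling host under the same domain, is a separate origin and would have to be fetched by the site serving the page rather than by the browser script itself.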