Does Surfing Without JavaScript Make You Secure

Jan 09, 2015 · 3 mins read
Share this

Welllll, as it turns out, we actually can still do significant recon without the use of JavaScript or Java or Flash. I think Jeremiah is going to wait until Blackhat Japan, so I’m not going to spill the beans, but from what I’ve seen it really adds another route to doing some of the things I’ve been posting about over the last few months.

But it got me thinking about other issues that I can talk about. For instance, I was visiting what was essentially a hacked site that had a redirection built into a Flash movie. Here I was, with Flash and JavaScript and Java turned off and yet I was still getting redirected. What’s the deal? Well, after doing a little research it turns out that Flashblock requires that JavaScript is turned on. So to turn off Flash, I have to have JavaScript turned on - how is that helping me?

Sure, there are other much more annoying ways to turn off JavaScript and Flash at the same time, but the point being, just when I thought I was safe from certain vectors, they were re-opened by conflicts with one another. This reminds me of a project I worked on once to supply anti-virus software to customers for free, but because of potential liability issues we opted not to because of conflicts with existing software.

The short answer is, no, you definitely aren’t safe by simply turning off JavaScript. Java, Flash, VBScript, ActiveX, and a host of other forms of dymanic content can cause exploitation. Things are pretty broken right now.

Reading this the first time, I was getting desperate. Many, many risks. But we need all these tools, those are what make the web tick. Thinking along these lines, I think, all our problems come from one point.

That is the so called “PC-paradigm”.

Every single person, having a PC, is practically sitting on a “nuclear power plant”. The PC-paradigm, now over 35 years, was great. It was for the pioneers.

Now, it is over. On two accounts:

First, the common people have come in. They are in no need of knowledge, they only want to use features. They are excellent candidates to be captured and to be made zombies if they have a computer.

Second, there is an emerging new paradigm, IMHO, that is the new “supercomputer”, the WEB, itself. With the advent of the “new” technologies” and principles like AJAX and social networking - what we call generally the Web 2.0 - we may use the applications on the web not those on our computer. Also, we may be in a better position as we can use only those features that we actually need and do not have the minefield of the OS and the application, both crammed with unnecessary features and full of possible compromises.

The less intelligence what has had an “interfacing” device be it a handheld or mobile browser, reader, etc, th less prone to be compromised. The web itself was made with redundancy, invulnerability and distribution in mind. Distributing resources, functions, building up heavy redundancies and using trusted services like Akismet e.g. would make the web rather viable place to live in. That is, I think the Web is in a better position to defend itself than a single user with a personal computer.

Well, I understand this is a very broad subject. I tried to picture what I had in my mind, so bear with me :)


Best VPN
Join Newsletter
Get the latest post right in your inbox.