Sunday, 26 June, 2005

A lot of web-browser vulnerabilities are related to Javascript. Recently, there have been people advocating switching off Javascript or white-listing web-sites that use Javascript. In this post I'm going to look at the question of whether disabling Javascript is a sensible security precaution.

In his book, Beyond Fear, Schneier identifies a simple five-step process to follow when doing security analysis. All you have to do is answer five straightforward questions:

  1. What assets are you trying to protect?
  2. What are the risks to those assets?
  3. How well does the security solution mitigate those risks?
  4. What other risks does the security solution cause?
  5. What costs and trade-offs does the security solution impose?

So without further ado, let's answer these questions.

What assets are you trying to protect?

I wish to protect both my personal data on my computer and the access passwords to eCommerce and online banking services.

What are the risks to those assets?

The principal risks are that a virus may corrupt my data or a trojan may send personal information to identity thieves or other unauthorised third parties. Phishers may wish to get my online banking passwords to commit fraud or steal money from my accounts.

How well does the security solution mitigate those risks?

There are many different ways a virus or trojan could get on to a machine. There are flaws in the operating system, opening dodgy attachments in e-mails, delivery on removable media such as CDs or floppy disks, malicious code piggy-backed on innocent-looking animations... the list goes on. By itself, disabling Javascript will make no impact on any of these other delivery channels. It's therefore important that this counter-measure is used in the context of other security counter-measures.

Even if we look at disabling Javascript in the context of a wider security programme, the merits of the counter-measure are still a little suspect. Firstly, most malicious code that is delivered through a browser comes in the form of ActiveX controls, a technology that has nothing to do with Javascript.

Secondly, in order for a person to deliver malicious content to your machine, the attacker has to convince you to go to their site. This might be possible if the attacker knows you well, but the most likely form of attack comes from a phisher or identity thief. They're not really interested in your data as an individual; they're looking for the details of lots of people. The best way to break into a lot of people's machines is to place their malicious code on a high-traffic web-site.

Since most criminals don't have access to high-traffic web-sites in their own right, it's much more likely they'd break into a reputable, high-traffic web-site and plant their dodgy code in the site's pages. This fact is a real problem for people who advocate white-listing, because the kind of sites you're likely to white-list, such as Google or Amazon, are exactly the kind of sites the criminals would target for hacking into. You may white-list one of these sites only to find you get infected anyway.

There are no trojans written entirely in Javascript that I know of. This doesn't mean it's impossible to write a Javascript trojan; it just hasn't been done yet. This situation might change as phishing attacks become more sophisticated.

At any rate, reports of criminals breaking into web-sites and injecting dodgy Javascript into their pages are almost non-existent. It's much easier for a criminal to go after the main database and get the information that way. While there is a clear threat of attack through Javascript, the risk is pretty small.

What other risks does the security solution cause?

If you're blocking all Javascript on all sites with no exceptions, then there aren't any security problems that I can think of that are created by using this counter-measure. If you're white-listing, then you could be lulled into a false sense of security, because a phisher may be able to compromise any one of your white-listed sites and get the malicious code onto your machine that way.

What costs and trade-offs does the security solution impose?

It doesn't cost anything to disable Javascript, at least in the home environment, but there's certainly a large trade-off. Many web-sites depend on Javascript to provide critical functionality, and some web-sites don't degrade gracefully when Javascript is turned off. The functionality that Javascript provides can be very rich and useful to an end user. You only have to look as far as Google's web-mail service to see the true power of Javascript when used creatively. Disabling it can dramatically reduce your browsing pleasure.

Coupled with the fact that there have been very few attacks that used Javascript as a delivery mechanism, I don't really think the trade-off is worth it. The risk is simply too small to warrant disabling such a rich piece of functionality.

Simon.

20:13:14 GMT | #Randomness