Good objections. Let me widen the perspective to explain my reasoning.
Technology is the continuation of Politics by other means.
(a full explanation would take a whole article about hackers' ethics, curiosity, humanity and love...)
To my eyes the original Medium post describes a few legal and geopolitical issues that are at least as dreadful as the attack you see here. I thought it was important for Mozilla developers to read them, to understand what a dangerous threat JavaScript is outside of the US, not just to users' privacy and security, but to free speech.
The Medium article itself was not written for programmers, but for laymen. Yet the JavaScript attacks were described with enough detail to make a competent web developer aware of the risks. At least that was my intent.
There are too many PoCs to write
I described the bug as "Arbitrary Remote Code Execution" because I cannot stop thinking of more ways these bugs can be exploited against people and companies. I do not know if there is a better definition in InfoSec that matches these attacks, but I was unable to find one.
I couldn't write the "Steps to reproduce" because there are too many ways to exploit JavaScript. And if I had the time to write all the PoCs, I would use it to strip JavaScript from Firefox. Even worse: WHATWG members would try to stack patch over patch to avoid each single exploit, without fixing the core issue.
Actually I was convinced by a smart guy to write a PoC, since I considered it a waste of time. If the guys that closed these issues at Mozilla and Google were unable to foresee these exploits from the description I wrote, we have a huge problem. But I think they did actually understand the issue pretty well, they just don't want/don't care to fix it, despite the risks for their users.
CDN and SRI
Sure, they can be used to mitigate the risks. But they are not enough and they should be mandatory.
DNS
As far as I know, the DNS roots have been the target of several successful DDoS attacks already.
I do not like DNS-over-HTTPS for several reasons, but
was reading your post, and i had to sign up just to agree with you, and say <3 the von Clausewitz para-quote.
hadn't tried jehanne (more of a 9ants zealot :P) but will have to try now... well tomorrow.