Let me start by saying that Lobste.rs is a great community that I enjoined for more than an year. Several very smart guys hungs there, and I got great conversations with them about operating system design, programming languages, artificial intelligence and machine learning, security, privacy and so on.
I also tried to be a constructive member of such community, posting there interesting documents I came across.
NOTE In the url above the two submission marked as "[Story removed by original submitter]" have been removed by the administrator after my ban.
I didn't remove them. I have nothing to hide.
One was my recent article documenting an exploit that let any website you visit to tunnel into your private network (bypassing many corporate firewalls and proxies).
The other was the related bug report that I wrote to Mozilla (than reported to Chromium too) before disclosing such Proof-of-concept exploit.
Something went wrong after these submissions, because despite the fact Lobste.rs was suggested by a Mozilla Security developer as a place to continue the discussion about the HTTP/JavaScript vulnerability I reported, nobody answered to my question "are Firefox users vulnerable to this wide class of attacks?".
Yet I got downvoted so much that an administrator (after writing me on August 30 for the first time) decided that I do not suit to the community's culture.
The official reason of the ban was: "Constant antagonstic behavior and no hope for improvement".
Now let's be clear, I'm fine with Peter's decision, even if I don't agree with it. Your server, your rules.
But I think that my ban is a very nice example of Statistics misuse.
Indeed, since the first private message I got from Peter, he asked me to explain why I was downvoted 18 (and later 22) standard deviations more than the average.
Note, I was also upvoted enough to get a positive ranking on most of my comments and posts, but he was just looking to the downvotes, in isolation.
As one who knows how to lie with statistics this was a bit of a smell, but since my private explanations were not enough I carefully explained how most of those downvotes did not complied with the Lobste.rs own guideline about downvotes (sorry, due to the downvotes, you have to expand this comment to see the explaination).
To get a clue about my bad behavior you can give a look to my recent comments on Lobste.rs (some of the comments have been censored, but Peter has kindly sent me a CSV containing a full export from the DB).
Here some examples of the missing contents (beware, 18+ only! :-D):
I feel very uneasy about the safe browsing thing.
For most people (those using WHATWG browsers like Firefox, Chromium, IE/Edge and derived such as Tor Browser, Safari or Google Chrome) there is not such a thing like "safe browsing".
I mean: if any website you visit can enter your private network or check in your cache if you visited a certain page... or upload illegal contents into your hard disk... calling it safe is rather misleading!
HTTPS protects users by certain threats, by reducing the number of potential attackers to CA and those who have access to certificates (which is a varying and large number of people anyway, if you consider CDN or custom CA you might have to install on your work pc).
As for this being anticompetitive... maybe.
But some of the issues here are rooted in Copyright protection, so... it might just be one of the many problems of a legal system designed before information technology.
NOTE: every browser executing JavaScript and honouring HTTP cache controls headers is equally vulnerable.
I'm seriously concerned by this attitude among IT people.
My question is simple and have a boolean answer.Are the attacks described in the bug report possible, or not?
Okay, I’ll bite.
+1! I'm Italian! I'm very tasty! ;-)
Bugzilla is not a discussion forum.
Indeed this is a bug report.
Ah, here’s where we disagree. I understand that a bug is an ambiguous concept. This is why we have our Bugzilla etiquette, which also contains a link to Mozilla’s bug writing guidelines.
I'm pretty serious with netiquette, and I checked your before writing the report.
I'm very sorry if I violated one of your etiquette rule, but honestly I cannot see which one.
Even about Bug writing I tried my best, what exactly I got wrong?
Note that this is not a single RCE, but a whole category of them.
And the problem are not just the JavaScript attacks themselves, but the fact that they can remove all evidences.
Furthermore, what you seek to discuss is not specific to Mozilla or Firefox.
True. Several other browsers are affected too, but:
- This doesn’t means that it’s not a bug in Firefox
- As a browser “built for people, not for profit” I think you are more interested about the topic.
Please elaborate, I am not sure what you mean to imply.
As a Firefox user (and "evangelist") from version 0.8 I know Mozilla as a brand that cares about people.
Even the word you used, "people" instead of "users", has always been inspirational to me.
Now, the issue here is specifically dangerous because not all people live under the same law.
Thus I think (and hope) that Mozilla is more interested to the safety of such people than other browser vendors that are led by profit.
I agree with what @callahad@wandering.shop says right away: If you browse to a website. It gives you JavaScript. The browser executes it. That’s by design! Nowadays, the web is specified by W3C and WHATWG as an application platform. You have to accept that the web is not about hyper*text* anymore.
I worked (and still work) on such application platform for 20 years, I think I have understood that pretty well.
The point is if such application platform is broken at design level or not.
This is not a bug in Firefox.
Are you saying that these attacks are not possible?
I am saying that this is not specific to Firefox, but inherent to the browser as a concept.
Sorry if I ask it again, but I'm pretty dumb.
Are the attacks described in the bug report possible in Firefox, or not?
This is a just a sampling but if you find other censored contents that you are curious about feel free to ask.
Now, I still think that Lobste.rs is a great technical community and you should really join them. And even Peter is a good administrator: he just did an error.
But I'm a Data Science hobbyist myself, so feel free to ask me how an actual troll could fool such metric by downvoting others. Or why if you do not care about Internet points (and do not try to maximize them), you will obviously loose a lot of them.
Or well... ask me anything else! :-D
I'm not from Mozilla Security.
I will answer. I'm a hacker.
Top comments (23)
I think you mean well but I totally agree with the response you had on Firefox's and Chromium's bug trackers.
The first thing they said on Firefox's bug tracker:
And then on Chromium's:
I agree, you opened an issue on both bug trackers pasting tons of content (not an actual bug of the browser) and the recipe you gave is: disable JavaScript everywhere.
The rest of the page is you discussing your world view and potential threats in the wrong environment.
I'm not debating the validity of your argument but I think you raised it in the wrong places. As said by one of the people that responded to you (a security engineer at Mozilla!):
:-)
I think that if people can be attacked or leak personal informations through my software, it's a bug in such software.
I agree this is a bug in the very design of the Web that Mozilla promoted since the invention of WHATWG.
However expensive, though, it's a bug.
Now, given how WHATWG's Living Standards work, you have to fix the implementations to fix the standards.
Thus I started opening a bug report to the browser that (pretend to) care about their users' privacy.
Then I reported the issue to Chromium too because, to my knowledge, they are also affected.
Note: I was suggested to open these issues also by an Italian lawyer specialized in IT. Because, according to him, once the issue is known both organisations can be held accountable for breaches occurred through their softwares.
And, since they are members of WHATWG, the same should be true for WHATWG and each of their members.
That's why I think that those trackers were the proper place to describe this wide set of attacks.
What you're describing though is not a bug, it's a flaw in how the web works. That doesn't mean that your reasoning is wrong, it's just that you're barking up the wrong tree.
The fact I can die with riding in a car it's not a bug of the car maker (I can die in any car), it's an inherent flaw in transportation :D
I think there are more appropriate places to talk about it, before escalating that to the browsers:
Then when you get traction (and discussed possible solutions at length with other developers expert in the subject matter) you can open bugs in the browsers bug trackers with actual possible solutions.
Right now (there's nothing inherently wrong with that) you look like a person that is trying to get attention without actually doing the work. Sorry if I sound harsh.
This is almost science fiction though. You're describing, again, a flaw in how the web works and thinking about suing browser makers? Getting lawyers involved (based on what?) is sure a way to have a friendly discussion about something that might end up being really important for everyone...
Do you see where I'm going?
Still don't agree :D
The problem in your reasoning is that software is always the cheapest component to fix.
Opt-in and safer JavaScript is pretty easy to implement for a browser vendor.
And it would actually improve the web in many ways.
But AFAIK, there is no faster way to get it fixed.
And actually, I still think they will make JS opt-in it before a Law will force them to.
Harsh? Come on! Count how many times I've been called troll, absurd, bizarre, spammer... You are not even trying to be harsh! :-D
But you are wrong: I'm not trying to get attention for me, but for the attacks.
If you want to try to invent more exploits, you are welcome!
Do you want to write a nice Latex paper to publish somewhere? Please do it! You do not even have to cite me! Really!
I do not own that report.
I just want that issue fixed for everybody.
And it's possible (think how Flash and Java were opt-in in the past) and technically easy.
Fine!
But if you change your mind, or if you have more questions, you know were to find me! ;-)
Is it in this case? Are you totally sure? Did you have lengthy discussions with security experts and browser developers about this?
Remember the Smoosh gate ? Developers and vendors panicked for a while because someone proposed to change one single method name in a 11 year old JavaScript library because Firefox Nightly broke a german website.
I ask you in all honesty: are you completely sure that the change you ask for is cheap?
You talk about the technical ("hey, you just need to put an if in the code") but the issue here it's not how complicated is to change the code, the issue is totally different.
Sure, I've argued at length on the benefits of disabling JS for slow clients after reading the news about Chrome Android that it's thinking to implement that but again, there's a logical reasoning behind that.
You forget about something though: the common man has no idea what JavaScript is. Yeah there are many people who use adblockers which curb JavaScript usage but they know what advertising means and they install an addon to their browser promising to limit advertising. JavaScript is nowhere to be seen in this conversation.
Your request is totally different, your request is "my opinion is that we should break the entire world wide web because... hey please read this 50 different comments and blog posts and opinions I have disseminated around the web about it".
This will certainly result in millions of people installing any browser that leaves JavaScript on, again not because they know what JS is, but because the websites they like work with that but don't work with the others.
It tooks Microsoft decades to disable ActiveX, after probably spending years talking to partners and customers and discussing about a path away from that. They didn't write a Medium article, then broke the web just for the sake of winning an argument.
Well, you're a trolling a bit about this, because as I said in my previous comment you don't seem willing to do the actual work in furthering your idea, just spamming your links anywhere you can.
I don't think your idea is absurd, I think you're not grasping the enormity of what you ask.
Can the web survive without JavaScript enabled by default? Probably yes, but not overnight. It will take years, if not decades for developers and content owners to adapt.
That's my point, you should be the one doing it. If you managed to convince zero people in all this time this makes me think there's a fallacy in your proposal. If you manage to convince a single security or browser developer, why not writing a paper with them? Or writing it yourself?
This "hey I want to save the web but you do the work for me after you read all these links I disseminated on Mozilla, Chromium, lobters, medium and on and on" approach is definitely one of the reasons why they're not taking you seriously (also the fact that you totally ignore the part of my response when I asked you if you discussed it at length with experts in the industry)
The fact that is technically easy is totally irrelevant. Throwing away 3 billion smartphones is technically easy and can be done overnight (it just requires people open the trash can and drop the phone from their hands) but there are many reasons why we don't do it.
It might happen and probably we'll live to see it disable but I don't think it will be because someone opened an issue on the wrong bug tracker telling people about something they already know ;-)
Random ideas on how you could be taken more seriously quoted by my previous comment:
A lot of people are not convinced of climate change despite evidence, scientific consensus, feel good documentaries and visible effects.
If you truly believe in this, do the work and do it right, otherwise it's just words. You might be right (I'm not 100% convinced you are) but my opinion is that you're ineffective if this is your attitude (and the results are showing)
First, you cannot put on the same level this wide class of attacks with a single broken German Site.
Then, I think we should care more about people safety than about money.
I think this is the core of our disagreement here.
I said "cheapest" not "cheap".
It's pretty cheap compared to the risk for milions of people and companies around the world. And compared to the geopolitical hazard of giving US so much power.
If an attacker want to enter your data in an hospital or bank, this might be the simplest way to enter the network.
Compared to this, making JS opt-in and safer is the cheapest solution.
That's why we should protect him. To deserve his trust.
Also, as I said before, I REALLY think that Mozilla, Google, Microsoft, Apple and Opera have the right to pursuit their own priorities!
But, they should inform their users. That's it!
To me, this is the core issue here.
With all their copywriters, it should be easy to write a blog like this:
That's easy, don't you think? :-D
You should probably look at things in the obvious chronological order:
Here we are.
As you can see, it's not my fault if I have to move from a platform to another.
One might think I'm the victim, not the troll. But really, think as you like: I do not care much about strangers' opinions.
To me, instead, it's very important.
We have no excuse!
I refuse to do marketing for such kind of huge threats that affect millions of people world wide.
If people cannot trust the Information Technology as a whole to fix such a huge vulnerability as soon as possible, their trust is the true vulnerability, not JavaScript.
Somebody on #lobsters IRC channel said "Good luck fighting windmills!".
I thanked him. That's the whole point.
As a programmer, I want to deserve the trust of people around me.
And as a hacker, I feel disgust for this total lack of intellectual honesty.
Don't you want to prevent these attacks? Fine!
But you should inform your users.
My point was: people freaked because of a seemingly innocuous change, imagine what would happen if all browsers disabled JS tomorrow. You would have millions, possibly billions, of users complaining to customer care of their favorite websites saying the website is broken.
A lot of people do not understand the difference between Facebook and Web or Browser and Web. They are not stupid, they just don't care.
As any security risk you need to trade off actual risk and solutions. I'll quote what @kspeakman wrote here on dev.to:
You know that if I were to be targeted by a very skillfull hacker or an agency I would be hacked nonetheless right? JS in my browser or not.
I'm way more concerned about the security of the data I store on my phone or the fact that we're putting surveillance cameras in our homes than JS enabled in my browser. Again, it's a trade off.
Sure, and that's a valid point. But you're not arguing for them to add warnings and fix copy editing (warnings that nobody would read anyway but that's another story). You're arguing for them to disable JS everywhere.
Well, it didn't go like that exactly, did it? The first thing Dan Callahan (Mozilla developer) wrote you is:
and then he goes on a lengthy explanation about why he disagrees with your points: some of your premises are incorrect, cookies and HTML can be used to track behavior.
Then, Wladimir Palant (AdBlock CTO!!), responded with:
Only after this discussion then Callahan told you to open the bug to ask for additional opinions.
I'm starting to think you're a well meaning troll, because you're bending the truth ;-)
That's exactly what a troll would say.
It seems to me that Callahan and Palant have been honest with you discussing the limitations of your argument.
Even Frederik Braun (Security engineer at Mozilla) was part of the conversation!
So it's not true they ignored you, they simply don't agree with you.
I'm sorry Giacomo but I've run out of interest as well. I think you either need to reframe your entire argument or understand that, as they told you on Mastodon, it's not actually going to fix that much unless everyone decides to completely change how the web works.
I'm convinced you truly believe your argument is valid but you're really bad at making valid arguments (despite the fact that someone could be in disagreement) because you conflate many different things, drop blobs of text on everyone and expect them to read various discussions on at least 5 different websites and then... what?
Again: you need to do the work. You haven't convinced me and I'm not a security engineer working on browsers, just a random developer :-)
No.
That's the whole point. Since the very beginning.
Now, I've never said that they are ignoring me.
I've been banned from Lobsters, after all! ;-)
I've said that they didn't answer this simple question: "Are your users vulnerable to the wide class of attacks described in that bug report?"
They do not have to answer to me, but to their users.
As for me being a troll blending the truth, really: think what you want. :-)
To every body else: you can read the long and complex conversation from which those toots have been extracted here and here (two links, sorry... UI issue).
Just in case you wonder whether there is a troll here...
As for Wladimir Palant (AdBlock CTO!!): I'm sorry, but I was developing the Web, before AdBlock was thing. When JavaScript was a toy and Flash and Java applets were opt-in.
It was very usable. To many, it was more usable than it is today.
The issue you point out is totally valid. However, I would tend to agree that it is not a bug. It feels a lot more like a needed security feature to put on the backlog to implement. Software development is iterative after all, and with JS's initial release the world just settled for "getting it working". Then later has gone back to address various security issues that adding more features has created.
I believe the reason you come off as antagonistic is because you are passionate about a very real danger. But you seem to be missing the fact that most everyone (devs, users, everybody) is already aware of the current security problems, and that we generally accept the tradeoffs for now. Browsing the web has been risky for quite a while. Visiting an unknown site that no one has recommended to you is at your own peril. You can easily get viruses, malware, or hacked by doing so. Sites who are actually concerned about security can implement things in such a way to ensure better security. But ultimately the user has the only real choice in the matter.
So the feature request for browsers might be to grade site security based on the employed security features and vulnerabilities, and warn the user when the grade is below a certain threshold. Similar to the TLS warnings. But this kind of feature has a consequence that the barrier to entry in building websites just got a lot higher. Not to mention being pretty hard to implement checks across disparate and unstandardized features which provide a fair grade. But I would love the fact injected ads would probably bring a low score. :)
So anyway, my perspective is that things have to work this way necessarily to work at all for now. And it certainly has benefits... the good as well as the bad have a lower barrier to make web apps. (The barrier is already pretty high nowadays.) Frankly, it will likely take major incidents to catalyze support, standardization, and streamlining of security procedures such that sites could be accurately graded quickly enough to not disrupt the browsing experience. But I say keep fighting the fight to improve the situation. It's worth doing.
Thanks for sharing your opinion but I think we disagree at a very basic level, pretty summarized by this sentence:
I do not think people are aware that any site they visit could send them (but only to them, not to everybody) malicious JavaScript that can enter their private networks, probe and access the services available there.
Nor they are aware that any web site they visit could learn their political or sexual interests by timing the load time of specific third party pages or images (a trivial timing attack to the browser cache) and then blackmail them to extort money (or worse just disclosure them to hurt their reputation).
Moreover I do not think that any Government or company is aware or would accept these sort of risks. A single naive employee using WIFI to read an article like this, could open a breach.
Not to talk about the fact that any CDN could do the same through third party sites.
I do not think people understand or accept all this.
On the other hand, most people would understand a simple browser that ask them to enable JavaScript execution on a per website basis, as they did years ago while enabling Flash or Java applets.
Opt-in JavaScript might hurts some business models that rely on the blind execution of code on your PC, but it would not change the usability of the web too much.
It would not break the Web, it would fix it.
Yes, I think the risks you mention are generally known or at least very unsurprising. But where we really disagree is in how close to reality those risks are. If someone wanted to target me personally and "ruin" my life, they probably could, sure. Even if they didn't use the tools you described, a determined attacker could do so in many other ways. But it makes no sense to live life in fear of conspiracies against single persons. Most (internet) attackers aren't doing that because it does not pay to do so. They want to cast a wide net to snare as many as possible before getting shut down. And if an attacker is targeting a specific person, then the reasons are probably localized to that situation. These are edge cases, not pandemic problems which are worth breaking the web until a rewrite can happen.
Asking users to enable Javascript on a site by site basis will not really solve any problem. Just like EULAs or EU cookie law notices, people will just click it without thought and be annoyed they had to do so.
I think it is clear that we are not going to agree. So, the last word is yours if you want to respond further.
Unsurprising to developers. But the world is large, there are many sensibilities, cultures, issues... trust me: for many many people, these are actual threats.
Sure. Still there are many "localized attacks" that most companies would like to avoid.
In many place around the world, all people who make Free Speech something useful are "edge cases".
Many users would execute every JavaScript they can reach anyway.
But trust me, banks' systems will have strong policy about what you can or what you cannot execute.
Also, do not forget that it's not just matter of making JS opt-in.
It would not be enough. It also need to be safer.
We do not need to. History will judge, with time... ;-)
Since you're newish here, what have you thought about dev.to thus far?
Well, so far it feels good. :-)
The core feature of a community, to me, is the curiosity of members.
To a hacker, curiosity means intellectual honesty, as you want to learn more than you want to win an argument. So far I've got good dialogues here and this is a good sign.
Also, I like that everybody can read dev.to with JavaScript disabled.
I'm a bit confused by the markdown flavor here, since I cannot use the usual "double spaces at eol" to put a BR tag. But I can live with it. :-)
Thanks for the feedback. Markdown flavors are really tough to get right, but we'll try to bring clarity and/or configuration as things progress.
Of course, as an administrator, we hope all members keep the dialog constructive, and I think this is a great approach.
What we try to encourage is the asking of questions rather than always just commenting on posts and articles. Usually, OP would love to elaborate on certain parts.
I think it's a good approach.
"Good question!" Is the best compliment an hacker can do.
Another little feedback about dev.to:
I think the fundamental problem is that most regular people who use the Web don't really care about security. They'll only care about security if they're personally affected in a serious way by a breach. So far, this has not affected enough people in a serious enough way for it to really matter to most regular computer and internet users.
Because of this, there isn't much pressure on browser developers to radically re-imagine browser security. There's a lot more pressure on them to make things convenient and easy.
True.
Most people do not understand networking enough to ponder the risks.
But why we setup SSL certificates?
Why we teach them to not execute programs they receive in email?
We try to protect them.
To some, it's just a matter of empty marketing.
Others do that as part of a strategy toward centralization or for fear of Law.
Others do that because... they cannot do otherwise.
This cannot be a justification, however.
And a safer JavaScript that people opt-in on a web site basis wouldn't make the web worse, but better: easier to use and more convenient to most people.
Except that in the fable everybody laugh at the king, not at the kid! :-)
Thanks for the suggestion I'll surely try your script.
Note however that I'm not afraid for my own security.
Even if nobody could prove the attack in a court, a simple logging proxy could detect it. Then it's just a matter of how to fight back! ;-)
The problem is for everybody else!
Thanks to Mozilla, Google and friends most people stay vulnerable because they are not aware of the risks!
Charming
hey Shamar, I made this as a result of our discussions rain-1.github.io/in-browser-localh...
Nice!
I really think you should add a reference to your hack to the bug report at bugzilla.mozilla.org/show_bug.cgi?...
(And maybe you could reference the bug report from your page so that people landing there can learn about a few other attacks they are vulnerable to)
Once you realize that you can gain control of the IPs, the bandwidth, the RAM, the CPU and the disk of your victims (and potentially other resources too) it's just a matter of fantasy to ideate attacks.