[3954] in WWW Security List Archive

Re: Javascript and Security

daemon@ATHENA.MIT.EDU (Jacob Rose)
Sat Jan 11 10:56:32 1997

Date: Sat, 11 Jan 1997 09:33:59 -0500 (EST)
From: Jacob Rose <jacob@whiteshell.com>
To: Ocean5 <ocean5@ix.netcom.com>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <32D726EB.686A@ix.netcom.com>
Errors-To: owner-www-security@ns2.rutgers.edu

Javascript might be an aid to someone trying to spoof a site, but
remember that the fundamental structure of the Web is really the problem.

All someone would really have to do to watch a large number of people as
they use the web would be to build a web filter (like the infamous Zippy
the Pinhead filter) that works quietly and has a promising-looking front
door ("New search engine!" for instance), or to crack someone else's
popular site that has links often followed.

Perhaps the thing to do would be to build an uncopyable symbol on the top
level of a site with a statement that indicates that that symbol should be
visible throughout the site, and if it goes away, security may have been
breached.  A java applet that talks to the server might be one way.
Another might be to use server pushes.  Any ideas on how it could be done?

------------------------------------------------------------------------
Jacob Rose                       All you and I must agree upon is peace.
------------------------------------------------------------------------
