[3970] in WWW Security List Archive
Re: Javascript and Security
daemon@ATHENA.MIT.EDU (Kevin J. McMahon)
Mon Jan 13 20:51:41 1997
Date: Mon, 13 Jan 97 19:00 EST
From: "Kevin J. McMahon" <0003557428@mcimail.com>
To: www security <www-security@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
ocean5 wrote:
>Disable JavaScript if you will, but it's a pretty helpful bit of
>technology at times. It seems a big trade, to lose the functionality
>of this Scripting language for the sake of "security". Esp. when
>there's so many other ways to get my info, if a hacker really wants it.
>My $.02...
I agree that it is pretty helpful. What we have done is to tell our
constituents that they should disable Java/Javascript by default.
When they access a site that uses Java, _and_ they have some reasonable
level of assurance that it is not compromised, they can then enable
Java(script) for use on that site. I know this is cumbersome, and
it is very hard to determine whether a site is secure or not. But
it is very dangerous to leave Java turned on by default -- esp. when
you are periodically checking out sites of dubious origin.
Kevin J. McMahon
MCI Technical Security