
mail admins?

On 4/23/20 4:40 PM, William Herrin wrote:
> On Thu, Apr 23, 2020 at 4:13 PM Scott Weeks <surfer at mauigateway.com> wrote:
>> --- mike at mtcc.com wrote:
>>> I'm not sure why the admins of nanog's site should
>>> particularly care about appeasing the js tinfoil hat
>>> set.
>> Not the tin foil hat crowd, security.
> Can't it be both?
> Mobile code (javascript) has a long and storied history of security
> disaster. So yes, I surf with javascript disabled and when I run into
> a web site that I can't use without it about 75% of the time I back up
> to the search engine and pick a different web site because I don't
> want to let my computer run the horrid crapware the site author thinks
> I should allow him to run.
> Does controlling what I allow my computer to run make me a member of
> the tinfoil hat set? Watching folks around me use their equipment,
> it's apparent that it does. Is it good security hygiene? Why yes, it's
> that too.

Billions of people and by far the vast majority of users on the planet 
use js enabled sites. Would that it were that it was even in the top 1% 
of security problems we face.

The fact is, nobody in devland cares whatsoever about this non-issue. 
That the nanog site ran without the need of js is more of an accident of 
history more likely than not: if it ain't broke don't fix it.

If you want an actual verifiable current day problem which is a clear 
and present danger, you should be running as fast as you can to retrofit 
every piece of web technology with WebAuthn to get rid of over-the-wire 
passwords. That is infinitely more serious than some age-old js 
breaches. And it is especially critical for the equipment that nanog 
members run every day to configure, monitor, and manage. Ironically, it 
requires... javascript browser-side.

I think I posted about this before and got a collective ho-hum.