On 4/23/20 4:40 PM, William Herrin wrote:
> On Thu, Apr 23, 2020 at 4:13 PM Scott Weeks <surfer@mauigateway.com> wrote:
>> --- mike@mtcc.com wrote:
>>> I'm not sure why the admins of nanog's site should particularly care about appeasing the js tinfoil hat set.
>>
>> Not the tin foil hat crowd, security.
>
> Can't it be both?
>
> Mobile code (javascript) has a long and storied history of security disaster. So yes, I surf with javascript disabled, and when I run into a web site that I can't use without it, about 75% of the time I back up to the search engine and pick a different web site because I don't want to let my computer run the horrid crapware the site author thinks I should allow him to run.
>
> Does controlling what I allow my computer to run make me a member of the tinfoil hat set? Watching folks around me use their equipment, it's apparent that it does. Is it good security hygiene? Why yes, it's that too.

Billions of people and by far the vast majority of users on the planet use js enabled sites. Would that it were that it was even in the top 1% of security problems we face. The fact is, nobody in devland cares whatsoever about this non-issue. That the nanog site ran without the need of js is more of an accident of history more likely than not: if it ain't broke don't fix it.

If you want an actual verifiable current day problem which is a clear and present danger, you should be running as fast as you can to retrofit every piece of web technology with webauthn to get rid of over the wire passwords. That is infinitely more serious than some age-old js breaches. And it is especially critical for the equipment that nanog members run every day to configure, monitor, and manage. Ironically, it requires... javascript browser-side.

I think I posted about this before and got a collective ho-hum.

Mike