Shostack + Friends Blog Archive


Mandatory web client scripts analogous to CDOs


Let me compare the widespread and often mandatory use of client scripts in websites (e.g., JavaScript) to CDOs [Collateralized Debt Obligations] [link no longer works]: they both are designed by others with little interest in your security, they leverage your resources for their benefit, they are opaque, complex, nearly impossible to audit, and therefore untrustworthy. They have also both caused a lot of damage, as having scripting enabled is required for many attacks on browsers. How much smaller would botnets be without scripting? Like CDOs, scripting is a financial affair; it is needed to support advertising and measure the number of visitors and click-throughs. Scripting will stay with us because there’s money involved, and if advertisers had their way, there would be no option to disable plugins and JavaScript, nor would there be extensions like NoScript. To be fair, there are beneficial uses for JavaScript, but it’s a tangled mess with a disputable net value. [emphasis added]

By the way, here’s a beautiful set of animations explaining how CDOs went wrong.