"osfwofujro" <jw*@9ewutr.com> wrote in message
news:6_***************@newsfe4-gui.ntli.net...
According to a financial website I tried to access without JavaScript:
"the site uses JS for security reasons."
How would using JS improve security?
There might be several ways... but none particularly good.
First off, for any of this to mean anything the site would have to only
function with JavaScript enabled. Second, for any of them to function it
would have to operate on "soft" security - those little interface things
that prod the user in a certain direction but don't actually address any
real "hard" security problems.
But still there are several things in that arena that might be done:
+) Many sites open their financial applications in secondary windows
(usually chromeless). This has the benefit that once that window is closed
the main browser window will not contain the history of the child window.
(Of course you can open a new window without JavaScript, but we all know
that JavaScript makes working with child windows a lot smoother.)
+) Using JavaScript/DHTML the site might, either automatically when it
senses no activity or on user request, mask out (make invisible or cover
with an opaque element) the screen or mask out form field or other
potentially sensitive information. Automatic systems might require the
password to unmask the information. Although this isn't actual security, of
course, it does deter casual observers.
+) Using AJAX-style data acquisition into JavaScript variables means that
your personal information isn't cached in the browser or the source code.
So even, say, if somebody were to disable JavaScript and view your source
code they couldn't actually see your data (which is abstracted into
variables). Again this isn't real security but it prevents a more
sophisticated class of potential thief. It also, of course, means that none
of the information can be viewed with JavaScript enabled.
+) JavaScript is very useful at nudging the user in the right direction.
Active reminders to close a browser window when leaving an application
(using the onunload() to prevent history mining) are often effective.
+) There is some thought that using onscreen keyboards (keyboards written in
JavaScript or Flash or the like) will improve security. The idea (which has
at least some merit) is that this will prevent keystroke sniffers from
obtaining your password.
There are others but it should be clear that any option that would truly
address soft security issues will also almost definitely affect accessibility
for a site. Also, none of them can address phishing campaigns and the like
(which can just use the same features to make their phony sites look that
much more accurate).
There's no sense (although I'm willing to be convinced) in attempting to
address hard security issues via JavaScript. Things like data encryption,
key management, credential management, etc should all be centralized and
rigidly controlled.
Also while, in theory, everything that can be done should be done (and
there's legislation being written to enforce this idea in many countries)
all of these solutions address the client-side completely. While this isn't
a bad thing, the vast (vast) majority of data compromise has occurred on the
corporate side. No matter how successful phishing and keystroke logging may
be they pale in comparison to the loss of millions of records at a time
through corporate security gaffes.
Still - if you know (and can accept) the limitations there are definitely
things to do with script which can _improve_ (aspects of) security. But
script itself can't _provide_ real security in any way.
Jim Davis