Hacker News new | ask | show | jobs
by Alupis 4323 days ago
> python/ruby ... in the browser

not a good idea. any fullfledged programming language that can operate in the browser becomes a significant security risk. even with sand-boxing, if you can break out of the sandbox, then you have access to a full-fledged language with all of it's power. This is the reason Java has got a bad rap; it's due to the use of Applets in the browser from which people have repeatedly broken out of the sandboxing and then can execute arbitrary code on your system (without your knowledge).

The only safe and secure way to have a language run in the browser, is if it just simply does not have the capabilities that could harm your system (ie. write directly to the disk, execute other local code, etc). If the language just can't do it, then there's no sandbox to break out of and due harm with. One of the (many) reasons Javascript has been successful. (I'm a Java developer)
3 comments
andreasvc 4323 days ago
What are you talking about? Javascript is a full-fledged programming language. You can argue that certain languages are more or less difficult to sandbox, but then I'd be interested in knowing why this is. I think what actually happened is that they gave up on the idea of Java applets, and that led to it becoming a security hazard, not any fundamental property of the difficulty of sandboxing it.
link
brazzy 4323 days ago
You think wrong. The inability to reliably restrict access to a rich API library full of dangerous stuff is a fundamental property of sandboxing as an in-language mechanism, or at least Java's sandboxing model.

There's been a steady stream of critical security bugfixes for the Java browser plugin coming out of Oracle for years, and it's never been enough.

link
andreasvc 4323 days ago
I'm not convinced there is such an inability, or why Javascript would be particularly better. Simply don't offer the dangerous libraries as part of the runtime. It's the runtime which has to be secured, not the language.
link
Alupis 4323 days ago
I'm afraid it's not that simple.

Vanilla javascript simply does not have the API's to make system calls. Java does, as does Python, etc. Removing from the runtime (like in a java browser plugin) is fine, until someone can break out of that sandbox and hook into the runtime installed on the system, or inject a runtime, etc.

The thing that makes javascript a "safer" web language is it just simply cannot make system calls, period. This was by design, as javascript was intended for solely residing in the browser. All other languages have had "web" bolted-on after the fact, and all have failed to be secure in the same way Javascript has been.

Node.js and derivatives have explicitly added this functionality, which is what we would then call a "general purpose programming language", aka. full-fledged language.

There's no debate here. ECMA Script's designers were very public about their logic in the design process, and the reasons stated here are exactly why they made the choices they did.

link
zo1 4323 days ago
A non-issue... All of those things/features you mention as problems could simply be removed from the python interpreter included with the browser.

Will some of it leak through? Possibly. Does that mean we should do it or try? Of course not.

link
Alupis 4323 days ago
This is a straw-man argument. You are not understanding the fundamentals of web safety and the design decisions behind ECMAScript and derivatives. Put the fanboyism down (i love python just as much as the next guy).

if it can be removed (features, api's, etc), then it can be added back in (maliciously or not) or hooked into via a system runtime or a program installed on the system. If it's just not there at all (the api's nor the facility for the api's), then it can't be added. that is really the boiled down version.

every other language that has tried to be a web language without being explicitly designed as a web language has failed. why do you think python would be any different? because python is just so awesome?

and to rebut your point in the other thread, i have stated explicitly the things that make javascript "safer" -- you have just chosen to ignore them or brush it off. I'll say it again -- javascript does not have the api's nor capabilities to make direct system calls. system calls are filesystem actions, threading actions, process manipulation, executing arbitrary code, writing to different outputs, manipulating memory, etc. these are all considered highly dangerous to run from a browser.

link
Alupis 4323 days ago
No, Javascript by design can't do certain things, such as write directly to your disk, read arbitrary data from the disk, control threading at the cpu level, etc.

This was part of the design process in order to make Javascript a "web browser safe" language. Other languages have been modified and browser support "bolted on" after the fact, which leads to the sandboxing, which means if one can escape the sandbox, they have a full language and all of it's features at their disposal. This is dangerous, and can lead, and has led to severe security issues.

Applets are very actively maintained by the OpenJDK and Oracle projects. They are used still today for a lot of things, especially in the banking sector.

link
andreasvc 4323 days ago
The number of sites that use Javascript is many orders of magnitude greater than those that use Java applets. This means that much more attention is going to keeping the Javascript runtime safe. If the same attention would go into making, say, a Python runtime for browsers, it would be just as safe (and removing the file writing and system call abilities would be the trivial part). Note that in HTML5, Javascript can read files (see e.g. http://www.html5rocks.com/en/tutorials/file/dndfiles/ ), so the point is not to exclude such functions from the language, but to adequately control when they can be used.

Critical security flaws can come from any C code, be it a Javascript runtime, a PNG library or a PDF viewer. There is nothing inherent in those things to make them unsafe (as opposed to say, running arbitrary executables), except maybe that they are written in C.

link
dragonwriter 4323 days ago
> not a good idea. any fullfledged programming language that can operate in the browser becomes a significant security risk.

JavaScript is as much of a full-fledged programming language as Python or Ruby. What makes the browser implementation of JS more limited than typical "native" Python or Ruby is exposed APIs, not language features. There's no reason a Dart/Ruby/Python in-browser environment would need to expose any more of the underlying system than the same browser's JS implementation.

link
Alupis 4323 days ago
Wrong. Vanilla javascript does not have access to system calls, nor is it sandboxed in the same sense as a java applet.

The problem comes down to the API's either being there or not.

In a java environment, the browser plugin does not allow calls to the system such as arbitrary writes to the disk, reading, etc. However, if one can break out of the sandbox, then they can make those system calls. The same would go for any desktop/server general purpose language that has been modified and/or sandboxed to run in a browser.

With vanilla javascript -- there is no ability to make the system calls even if one were to "break out of the sandbox".

That is the difference, and what I mean by a "full-fledged language".

(node.js is heavily modified javascript with the explicit intention of being (mostly) server-side and have sys call capabilities)

link
dragonwriter 4323 days ago
> Vanilla javascript does not have access to system calls, nor is it sandboxed in the same sense as a java applet.

Access to system calls is an API, not language issue. There is no reason python or ruby in the browser would have any more access to system calls than JS-in-the-browser does. (Nor is there any reason, for that matter, that Java in the browser should -- the particular way that applets were implemented isn't fundamental to the language, its just an implementation decision tied to a much earlier time.)

> The same would go for any desktop/server general purpose language that has been modified and/or sandboxed to run in a browser.

No, the same would go to any desktop/server general purpose VM that used a Java-style applet sandboxing approach and Java-style plug-in interface to run outside of, but interact with, a browser the way Java applets do.

A browser-specific implementation of a language that simply doesn't include the system-call features of the general purpose VM would have essentially the same security considerations as in-browser JS implementations (in fact, it could share the same in-browser VM with a different compiler in front of it.)

> That is the difference, and what I mean by a "full-fledged language".

The thing is, the difference you are pointing to has nothing to do with the language, but instead has to do with the implementation/runtime/VM used and how the language is exposed to the browser. The features of the applet model that are problmatic are particular to the applet model, and have nothing to do with Java-as-a-language.

> node.js is heavily modified javascript

No, its not. There's no language-level modifications at all (well, other than the ones that are made in the underlying V8 system, which is also used in browsers.)

There are additional APIs implemented in node that aren't implemented in in-browser V8, but you can do the same thing the reverse direction with Ruby or Python to get ruby or python in the browser with no greater security concerns than are posed by JS in the browser.

link
frowaway001 4323 days ago
For God's sake, you are wrong. Just stop it.
link
Mikeb85 4323 days ago
Witness Node.js - Javascript that does have access to system calls and whatnot.

Javascript is a full programming language, a pretty powerful one at that. The only thing that makes it safe in the browser is the browser implementations themselves, sandboxing, etc...

link
brazzy 4323 days ago
The difference is that vanilla Javascript does not HAVE facilities for system calls, filesystem access, etc. Node ADDS those, immediately making Javascript-on-Node as dangerous as anything. Java tried the opposite via sandboxing, at it failed.
link
Mikeb85 4323 days ago
Node.js IS vanilla JS, as much as V8 in Chrome is...

What you're describing is an implementation of a language, not the language itself. No language inherently has access to the system unless it's part of the specific implementation...

link
zo1 4323 days ago
"* Node ADDS those, immediately making Javascript-on-Node as dangerous as anything. "

You could do the same thing with python except "REMOVE those"*.

This discussion is a complete non-issue. No one is suggesting to put a full-fledged python interpreter into the browser and allow remote websites to execute arbitrary code on it. Of course it will be "sandboxed" and gimped to prevent malicious code from executing on the client machine.

link
Alupis 4323 days ago
> You could do the same thing with python except "REMOVE those"*.

You could -- as the java plugin does, but the problem is someone can inject a runtime, part of a runtime, or hook into a system runtime, or into another installed application's runtime, etc.

That is the core of the issue. If the language is capable in any sense of system level calls -- then it's dangerous to run in the browser -- someone can escape browser sandboxing, or language sanboxing and make direct system calls.

Any language that is not designed from the ground-up to be a web language is inherently going to be insecure. It's a lot like trying to bolt on threading into a language that was not designed to be threaded (look at php's struggles). It becomes almost impossible to make it work as intended.

Javascript was designed from the very beginning to be a web language -- it was designed from the very beginning to not be capable of certain things a web browser should not be capable of doing.

There's no debate here. ECMA Script's designers were very public about their logic in the design process, and the reasons stated here are exactly why they made the choices they did.

link
dragonwriter 4323 days ago
> > You could do the same thing with python except "REMOVE those".

> You could -- as the java plugin does

But the Java plugin doesn't. It uses the same platform for browser Java as local Java, which is why it is possible to break out and do things you shouldn't be able to do.

So, no, a browser-specific, limited-API version of Ruby or Python is nothing like running on a full Java VM but trying to constrain what web code can do via the Applet security model. Its exactly like (from a security perspective) in browser JS.

link
zo1 4323 days ago
You keep repeating stuff along the lines of "language is capable of system level calls". Define what you mean, otherwise it's hockus pockus argumentation that no one can rebut. It's like arguing with Peter Joseph.
link