Originally posted by kernelbogey
(A special mention should be made for Microsoft's ActiveX, which was one big flaw. Microsoft's way of bringing the insecurity of early Windows to the web).
More specifically, Adobe Flash Player has a history of leaking personal information.
Unfortunately I can't find the demo page but it used to be possible (and may well still be) for a site using Flash to view the Flash-specific history and cookies of all other sites you have visited. There was also a problem with Flash allowing unchecked access to a user's webcam.
Another privacy issue common to Flash and Java is that they can be used to retrieve your real IP address, which is a problem if you're sitting behind an anonymising proxy service that otherwise conceals your IP address from the site you're visiting. (n.b. The proxy server mentioned in my earlier post is not an anonymising proxy.)
JavaScript is a little different. The implementations tend to be fairly well sandboxed, so I think there is less risk of your system being compromised, but they can still be used by rogue/infected sites to steal information (e.g. via cross-site scripting) or by 'legitimate' sites to track a user's actions. Depending on the level of 'analytics' that the owner of a site has signed up for, people with access to that data can see everything you enter into any text entry fields (even if you use backspace to delete/edit the content before submitting the page), where on a page you hover with your mouse and which part of a page you are viewing ('above/below the fold', which is a concept that web advertising has borrowed from the newspaper print world).
Also when it comes to tracking, though most sites probably won't bother, just by analysing all the data sent with a page request (which includes browser and OS versions, versions of each plug-in installed, screen resolutions, fonts available etc.) it's frequently possible to uniquely identify visitors without using cookies.
As they say, just because you're paranoid doesn't mean they're not out to get you.
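To illustrate the cookie-less identification point above, here is an added example (not from the poster) that measures how quickly combining passively sent attributes shrinks the set of visitors sharing the same values; the visitor records are constructed, not real traffic.

```python
"""Anonymity-set analysis of passively sent browser attributes.

Each attribute (browser/OS, language, screen size, font count, plug-ins)
is shared by many visitors on its own, but the combination is rarely
shared, which is why a site can recognise a returning visitor without
setting any cookie. All records below are constructed sample data.
"""
from collections import Counter
from math import log2

# Constructed visitor records (hypothetical values, not real users).
VISITORS = [
    {"ua": "Firefox/115 Win10", "lang": "en-GB", "screen": "1920x1080", "fonts": 61, "plugins": "flash,java"},
    {"ua": "Firefox/115 Win10", "lang": "en-GB", "screen": "1920x1080", "fonts": 61, "plugins": "flash,java"},
    {"ua": "Firefox/115 Win10", "lang": "en-US", "screen": "1920x1080", "fonts": 58, "plugins": "flash"},
    {"ua": "Chrome/120 Win10", "lang": "en-US", "screen": "1920x1080", "fonts": 58, "plugins": "flash"},
    {"ua": "Chrome/120 Win10", "lang": "en-US", "screen": "1366x768", "fonts": 58, "plugins": "none"},
    {"ua": "Chrome/120 macOS", "lang": "en-US", "screen": "2560x1600", "fonts": 120, "plugins": "none"},
    {"ua": "Safari/17 macOS", "lang": "en-US", "screen": "2560x1600", "fonts": 120, "plugins": "none"},
    {"ua": "Firefox/115 Linux", "lang": "de-DE", "screen": "1920x1080", "fonts": 40, "plugins": "none"},
]
ALL_KEYS = ("ua", "lang", "screen", "fonts", "plugins")


def anonymity_sets(records, keys):
    """Count how many visitors share each combination of the given attributes."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def fraction_unique(records, keys):
    """Share of visitors whose attribute combination is seen only once."""
    sets = anonymity_sets(records, keys)
    return sum(1 for r in records if sets[tuple(r[k] for k in keys)] == 1) / len(records)


def identifying_bits(records, keys):
    """Average surprisal (bits) a combination reveals; log2(n) means fully identified."""
    sets = anonymity_sets(records, keys)
    n = len(records)
    return sum(-log2(sets[tuple(r[k] for k in keys)] / n) for r in records) / n


if __name__ == "__main__":
    # Add one attribute at a time and watch the anonymity sets collapse.
    for i in range(1, len(ALL_KEYS) + 1):
        keys = ALL_KEYS[:i]
        print(f"{'+'.join(keys):32s} unique={fraction_unique(VISITORS, keys):.2f} "
              f"bits={identifying_bits(VISITORS, keys):.2f} of {log2(len(VISITORS)):.2f}")
```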