On 06/13/2015 12:11 PM, jd1008 wrote:
> Why do you make such statements without knowing the intrinsics???
> How in tarnation do you explain this:
> http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com

That site doesn't say anything about Java or Javascript. Or cookies for that matter. You're connecting unrelated things.

There are flaws in software. It's probably safe to say "all software" since we can't really prove otherwise. Browsers are software. Software flaws in browsers may be used to cause the download and execution of malware. That is not, however, an indication that Java or Javascript "allow" access to the filesystem or cookies. They do not. At least, not any more than images do. Several browser bugs have allowed code execution as a result of malformed images. Do you also disable image rendering in your browser? The justification for both is the same: bugs might allow arbitrary execution of code.

> Malware is installed where it can be executed.
> Since that is the case, what makes you think JS cannot
> access your browsing history??

You're connecting unrelated things.

On 6/13/2015 12:11 PM, jd1008 wrote:
> How in tarnation do you explain this:
> http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com

I see nothing there but a list of the status of that specific domain, which Google has analyzed from their spidering activity. There's nothing there related to my web browser status or history or whatall. So what's your point?

Here's what I got from that URL for reference:

Safe Browsing
/Diagnostic page for/ googleusercontent.com

*What is the current listing status for googleusercontent.com?*

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 370 time(s) over the past 90 days.

*What happened when Google visited this site?*

Of the 4006663 pages we tested on the site over the past 90 days, 3446 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2015-06-12, and the last time suspicious content was found on this site was on 2015-06-12.

Malicious software includes 18440 exploit(s), 12470 trojan(s), 2399 scripting exploit(s).

Malicious software is hosted on 13 domain(s), including powerade.com.ar/ <http://www.google.com/safebrowsing/diagnostic?site=powerade.com.ar/>, douglas.de/ <http://www.google.com/safebrowsing/diagnostic?site=douglas.de/>, maxtraffic.com/ <http://www.google.com/safebrowsing/diagnostic?site=maxtraffic.com/>.

This site was hosted on 1 network(s) including AS15169 (GOOGLE) <http://www.google.com/safebrowsing/diagnostic?site=AS:15169>.

*Has this site acted as an intermediary resulting in further distribution of malware?*

Over the past 90 days, googleusercontent.com appeared to function as an intermediary for the infection of 9 site(s) including startbusinesscoaching.com.au/ <http://www.google.com/safebrowsing/diagnostic?site=startbusinesscoaching.com.au/>, crpcoutreach.blogspot.com/ <http://www.google.com/safebrowsing/diagnostic?site=crpcoutreach.blogspot.com/>, businesscoachinstitute.com.au/ <http://www.google.com/safebrowsing/diagnostic?site=businesscoachinstitute.com.au/>.

*Has this site hosted malware?*

Yes, this site has hosted malicious software over the past 90 days. It infected 1206 domain(s), including v4download.com/ <http://www.google.com/safebrowsing/diagnostic?site=v4download.com/>, vfastdownload.com/ <http://www.google.com/safebrowsing/diagnostic?site=vfastdownload.com/>, downloadmee.com/ <http://www.google.com/safebrowsing/diagnostic?site=downloadmee.com/>.

*Next steps:*

* Return to the previous page. <http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com#>
* If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools <http://www.google.com/webmasters/tools/>. More information about the review process is available in Google's Webmaster Help Center <http://www.google.com/support/webmasters/bin/answer.py?answer=45432>.

-- 
john r pierce, recycling bits in santa cruz

On 06/12/2015 01:40 PM, Gordon Messmer wrote:
> On 06/13/2015 12:11 PM, jd1008 wrote:
>> Why do you make such statements without knowing the intrinsics???
>> How in tarnation do you explain this:
>> http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com
>
> That site doesn't say anything about Java or Javascript. Or cookies
> for that matter. You're connecting unrelated things.
>
> There are flaws in software. It's probably safe to say "all software"
> since we can't really prove otherwise. Browsers are software.
> Software flaws in browsers may be used to cause the download and
> execution of malware. That is not, however, an indication that Java
> or Javascript "allow" access to the filesystem or cookies. They do
> not. At least, not any more than images do. Several browser bugs
> have allowed code execution as a result of malformed images. Do you
> also disable image rendering in your browser? The justification for
> both is the same: bugs might allow arbitrary execution of code.
>
>> Malware is installed where it can be executed.
>> Since that is the case, what makes you think JS cannot
>> access your browsing history??
>
> You're connecting unrelated things.

No!! I am not connecting unrelated things. Noscript shows you the NAME (ostensibly the domain name from which it comes) of the javascript. Many websites and even internet providers push javascripts from other domains. But, feel free to allow it on all of your browsing.

On 06/12/2015 01:01 PM, Gordon Messmer wrote:
> On 06/13/2015 11:11 AM, jd1008 wrote:
>> All your browsing history, all cookies ...etc are open books
>> as far as many javascripts are concerned.
>
> Javascript can use CSS attributes to see if you've visited a specific
> URL, which is unfortunate, but that's a long way from saying that your
> history is an open book. Javascript cannot directly access your
> history. A script cannot enumerate all of the sites you've visited,
> it can only test specific, complete URLs.
>
> As far as cookies go, you're even further from the truth. A script
> can only access cookies whose domain matches the origin of the script.

Why do you make such statements without knowing the intrinsics??? How in tarnation do you explain this:
http://www.google.com/safebrowsing/diagnostic?site=googleusercontent.com

Malware is installed where it can be executed. Since that is the case, what makes you think JS cannot access your browsing history??
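
The cookie scoping rule quoted in the message above, as an added example that is not part of the original thread: a model of the RFC 6265 domain-match that decides which cookies `document.cookie` exposes to script in a page. The jar, cookie names and domains are constructed, and paths, Secure and expiry are ignored (assumption).

```javascript
// Added example (not from the thread): RFC 6265 section 5.1.3 domain-match,
// used to model which cookies document.cookie exposes to script running in a
// page served from `host`. Simplified: paths, Secure and expiry are ignored.

function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  // A suffix match only counts on a label boundary, and never for IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

function visibleToScript(jar, host) {
  return jar
    .filter((c) => !c.httpOnly) // HttpOnly cookies are never exposed to script
    .filter((c) =>
      c.hostOnly
        ? host.toLowerCase() === c.domain.toLowerCase() // no Domain attribute
        : domainMatch(host, c.domain))                  // Domain=... was set
    .map((c) => c.name);
}

// Constructed sample jar; every name and domain here is made up.
const jar = [
  { name: "sid",   domain: "shop.example",    hostOnly: true,  httpOnly: true  },
  { name: "theme", domain: "shop.example",    hostOnly: true,  httpOnly: false },
  { name: "sso",   domain: "example.org",     hostOnly: false, httpOnly: false },
  { name: "track", domain: "ads.example.net", hostOnly: true,  httpOnly: false },
];

console.log(visibleToScript(jar, "shop.example"));     // session cookie hidden
console.log(visibleToScript(jar, "mail.example.org")); // parent-domain cookie
console.log(visibleToScript(jar, "evilexample.org"));  // look-alike host
```

The match is made against the host of the document the script runs in, so a script a page includes from another domain reads that page's non-HttpOnly cookies; marking session cookies HttpOnly keeps them out of reach of any script.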