grumpyOleMan;1258881 wrote:
JavaScript cannot enhance security! It can help the user fill in forms to reduce frustration of some users who seem to always be in a hurry. Eventually what the users do with the form ends up on the server and that is where security starts. Forms may not be the only way input arrives at the server but the same principle applies.
The security capabilities and limitations of servers are well known at this point, but I can think of several security enhancements that JavaScript can provide compared to a pure HTML web app:
- Using localStorage instead of cookies to save sensitive data. Cookies are seen on every HTTP request, unencrypted, while localStorage NEVER goes out over the wire. If you have a diary app, the attack vector is MUCH larger if your writings are in a DB than if they were all on your laptop under a locked profile. Only someone physically stealing the laptop could possibly access the data, not someone across the world. Physical security is the best security.
- Using location.hash instead of location.search to pass sensitive data. HTML alone can't do much with a hash, and the server can't do anything at all with it because it never goes out over the wire. This means I can send a secure corporate email containing a link to a secure URL and pass credentials in the location.hash to instruct AJAX on how to fetch the data. Without JavaScript, you'd have to code a URL that the server can completely see. One prime example of this is Google's sign-in app, OpenID. If the credentials used GET params instead of the hash, everyone at the coffee shop could sniff that info out of thin air. With JS/hash, it's physically impossible to do so.
- Client-side encryption. You can send protected data to the client and apply JS decryption upon arrival. This enhances security above and beyond the underlying stack.
One example:
<script>
// jcipher64, decoded from the original eval(unescape("...")) payload, behaviour unchanged.
// p: "zz"-prefixed base64 blob; s: password. Returns the plaintext or false.
function jcipher64(p, s) {
  var author = "dandavis", P = 0, K = 0, Scc = String.fromCharCode;
  if (p.slice(0, 2) == "zz") {
    var slen = s.length + 1; // index s.length is past the end: charCodeAt gives NaN, and P ^ NaN == P
    var d = atob(p.substr(2)).split("");
    var Max = d.length, tr = new Array(Max);
    for (var i = 0; i < Max; i++) {
      P = d[i].charCodeAt(0);
      K = s.charCodeAt(i % slen);
      tr[i] = Scc(P ^ K);
    }
    return atob(tr.join("")); // the XOR layer wraps a second base64 layer holding the plaintext
  }
  return false;
}
var enc = 'zzAyg0cwAoWmcGXVt5ACgzPQ==';
if (typeof PW == 'undefined') { var PW = prompt('Enter The Password for this Document:'); }
if (PW.length) { document.write(jcipher64(enc, PW)); }
</script>
My algo uses a simple KGB cipher, but there are even better ones out there now. Mr. Mott has a whole lib of JS cryptography tools available on Google Code.
- Access to uncommon attack vectors. JS opens the door to non-HTTP communication like WebSockets, EventSource, and WebRTC. Since the vast majority of web hacker experience is in dealing with HTTP(S), using a technology without as many hacking toolkits means it's less vulnerable to "drive-bys" that catch up the kind of noobs who are asking about how their site got defaced.
- Removal of payload: if I store all my application's users' data on their gDrive instead of on my server, all I need to serve is static HTML files. I can disable any and all server-side processing (PHP, SSI, etc.), and I don't have a DB to crack. I cannot think of a way to store application data remotely without either proxying the data through my own server or using JavaScript. If I proxy on my server, I open up attack vectors by turning server processing back on. If I use JavaScript, the only way to hack the app is to hack Google: my server won't/can't have the data they're looking for. That sounds more secure than trusting myself or others around me to keep every part of the stack patched up.
- Local storage of data. If all my data lives on a server, I need to be able to reach that server to view/manipulate my data. That means I might be forced into connecting to some shady hotel wifi to touch up the presentation I'm presenting tomorrow. If I could instead work offline, I could have been working on it on the plane and in the hotel, finally uploading my changes when I get secure internet access at the conference. Without JavaScript, I would have to be saving all the time, or really, really hope my browser didn't lock up while I was working...
So, those are a few examples of how JS can enhance security above and beyond an app without any JS.
In general, using local files instead of remote data is faster, more secure, and has the obvious advantage of working without the internet being available.
Historically, JS has had some run-ins with security, but those days are past and now, as apps get ever more complex, JS can help partition risks better than using servers alone.
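The post ships only the decoder and a blob whose password is not given, so as an added example (not code from the post or its author) here is an encoder and decoder for the same "zz" format in Node.js, which lets a blob be produced and round-tripped outside a browser. It reproduces jcipher64's key indexing exactly, including the position that falls off the end of the password, so its output stays decodable by the post's function; it assumes an ASCII password, and uses Buffer in place of the browser's atob/btoa. The sample plaintexts are constructed here.

```javascript
// Key byte used at position i. jcipher64 indexes the password with
// i % (pw.length + 1); the index equal to pw.length is past the end, so the
// browser's charCodeAt returns NaN and NaN ^ x === x. That position is in
// effect XORed with 0. Reproduced so output stays compatible with the post's decoder.
function keyByteAt(pw, i) {
  const idx = i % (pw.length + 1);
  return idx === pw.length ? 0 : pw.charCodeAt(idx);
}

// Apply the repeating-key XOR layer to a byte buffer (same function for both directions).
function xorLayer(bytes, pw) {
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ keyByteAt(pw, i);
  }
  return out;
}

// Encoder: plaintext -> base64 -> XOR with password -> base64, prefixed with "zz".
function jcipher64Encode(plaintext, pw) {
  const innerBase64 = Buffer.from(plaintext, "utf8").toString("base64");
  const xored = xorLayer(Buffer.from(innerBase64, "latin1"), pw);
  return "zz" + xored.toString("base64");
}

// Decoder mirroring the post's jcipher64: returns false without the "zz" prefix,
// otherwise strips the XOR layer and decodes the inner base64.
function jcipher64Decode(blob, pw) {
  if (blob.slice(0, 2) !== "zz") return false;
  const inner = xorLayer(Buffer.from(blob.slice(2), "base64"), pw);
  return Buffer.from(inner.toString("latin1"), "base64").toString("utf8");
}

// Constructed demonstration: round-trip a diary entry and show what a wrong password yields.
const sample = "Hello, diary. Entry 1.";   // constructed plaintext
const blob = jcipher64Encode(sample, "hunter2");
console.log("blob:", blob);
console.log("right password:", jcipher64Decode(blob, "hunter2"));
console.log("wrong password:", JSON.stringify(jcipher64Decode(blob, "wrong")));
```

Two things worth noticing when running it: the decoder returns a string for any password, because the format carries no integrity check, so a wrong password produces garbage rather than an error; and the keystream repeats every password length + 1 bytes (with one of those bytes always 0), which is why a repeating-key XOR is obfuscation rather than encryption, and why the post's own pointer to better libraries is the part to act on.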
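For the location.hash point, as an added example that is not from the post, here is a small Node.js script using the WHATWG URL API (the same one browsers expose) that shows what a browser puts in the HTTP request line for a URL and how a hash-driven page would read its parameters from the fragment. The URLs and the token value are constructed for the example.

```javascript
// The request target a browser sends is path + query only; the fragment is never
// part of the request line, the Host header, or the Referer header.
function requestLineFor(urlString) {
  const u = new URL(urlString);
  return "GET " + u.pathname + u.search + " HTTP/1.1";
}

// Parse key=value pairs out of the fragment, as a hash-driven page would before
// using them to decide what to fetch. Returns a plain object.
function fragmentParams(urlString) {
  const u = new URL(urlString);
  const params = new URLSearchParams(u.hash.replace(/^#/, ""));
  return Object.fromEntries(params.entries());
}

// Same pairs taken from the query string, for comparison.
function queryParams(urlString) {
  return Object.fromEntries(new URL(urlString).searchParams.entries());
}

// A quick check a defender can run over a link format: does the named parameter
// appear in what goes on the wire?
function wireCarriesParam(urlString, name) {
  return new URL(urlString).searchParams.has(name);
}

// Constructed sample links (not from the post): same token, carried two ways.
const HASH_URL = "https://docs.example/view?doc=42#token=s3cr3t";
const QUERY_URL = "https://docs.example/view?doc=42&token=s3cr3t";

console.log(requestLineFor(HASH_URL), fragmentParams(HASH_URL));
console.log(requestLineFor(QUERY_URL), queryParams(QUERY_URL));
console.log("token on the wire?", wireCarriesParam(HASH_URL, "token"), wireCarriesParam(QUERY_URL, "token"));
```

The fragment does stay out of the request, but it is not out of reach: it is recorded in browser history, is visible to every script the page loads, and survives if the page is bookmarked or the link is forwarded, so treating it as a delivery channel still requires the receiving page to be served over HTTPS and to load only trusted scripts.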