Develeper

This site is best viewed in a modern browser with JavaScript enabled.

abaue562

I dont know where to put this, I am looking for Pro web and app developers that have the know how of top security, The project which i speak of will need alot of security top almost unbreakable, If this fits you message me, This is a paid job

grumpyOleMan

abaue562;1258853 wrote:
..........
If this fits you message me, This is a paid job

I am not going to message you and not because of the money.

What you are asking for has been demonstrated to be allusive if not unobtainable and the proof is the many important web sites that have been breached over the last several months. There are many factors to line up to get a system to a point approaching your unbreakable.

JavaScript and security cannot be in the same sentence due to JavaScript being included in the web browser which in turn is used by the user and they tend to manipulate it themselves.

Security is enhanced by use of a server and appropriate technologies to boot. All the hardware you can muster to help protect the web site is moot once you include PEBCAK.....

Microsoft is addressing the issue with windows 8 and the app system of development but time will tell how it performs.

Do not be put off by the security concerns because there are many web sites in existence that survive without a major problem. That being said if you do have stuff to hide that requires the almost unbreakable concept then this is not the place to ask....

sorry gang but do you see the bank of England putting forward a request like this on the forum...

rnd_me

grumpyOleMan;1258865 wrote:
JavaScript and security cannot be in the same sentence due to JavaScript being included in the web browser which in turn is used by the user and they tend to manipulate it themselves.

not sure what your point is here.
there are many ways javascript can enhance website security for everyone from basic sites to large-scale enterprise applications.

javascript has nothing to do with major websites getting compromised, those breaches are ALWAYS failures of server-side code, not client-side JS.
Server-side JS like Node.js has FAR fewer known problems than something like a common LAMP stack running PHP, making it less-vulnerable to the most common of attacks; the port/url scan drive-by.

At any rate, the JS-based Open/social logins are used by millions everyday and have shown no wide-spread lapses, afaik.

maybe i misunderstood your point, but it seems a bit silly to claim that JS detracts from security instead of enhancing it.

grumpyOleMan

rnd me;1258873 wrote:
not sure what your point is here.
.............

My point is elementary to any web development. Do not trust user input. Better still do not trust any input. JavaScript within the browser is part of the user interface and is never to be trusted hence my statement which I stand by.

JavaScript cannot enhance security! It can help the user fill in forms to reduce frustration of some users who seem to always be in a hurry. Eventually what the users do with the form ends up on the server and that is where security starts. Forms may not be the only way input arrives at the server but the same principle applies. Volumes of this concept have been published and talked about but it seems to be always placed in the too hard basket.

JavaScript may not be the direct culprit when attacks occur but to some degree they can enhance it. Rogue scripts can infiltrate a web page that collects data in weird and wonderful ways which aids in the problem escalating. Ever thought about those adverts that pop up?

Majority of web sites do not have trouble with security and that is NOT solely due to web development practices regarding security but the case of who wants to waste time on Joe Blows antics. Meander over to any server side scripting site/forum and peruse the posts of people wanting to know why there web pages are defaced or the database is corrupted. It all comes down to trusting user input.

JavaScript has an important place in web development and a great deal of the wiz bang stuff would not exist otherwise. All developers need to understand there are horses for courses.

rnd_me

grumpyOleMan;1258881 wrote:
JavaScript cannot enhance security! It can help the user fill in forms to reduce frustration of some users who seem to always be in a hurry. Eventually what the users do with the form ends up on the server and that is where security starts. Forms may not be the only way input arrives at the server but the same principle applies.

the security capabilities and limitations of servers are well-known at this point, but i can think of several security enhancements that javascript can provide compared to a pure html web app:

using localStrorage instead of cookies to save sensitive data. Cookies are seen over every HTTP request, un-encrypted while localStorage NEVER goes out over the wire. If you have a diary app, the attack vector is MUCH larger if your writings are in a DB than if they were all on your laptop under a locked profile. Only someone physically stealing the laptop could possible access the data, not someone across the world. Physical security is the best security.
using location.hash instead of location.search to pass sensitive data. HTML alone can't do much with a hash, and the server can't do anything at all with it because it never goes out over the wire. This means i can send a secure corporate email containing a link to a secure URL and pass credentials in the location.hash to instruct ajax on how to fetch the data. Without javascript, you'de have to code a url that the server can completely see. One prime example of this is Google's sign-in app, openID. If the credentials use GET params instead of hash, everyone at the coffeeshop could sniff that info out of thin air. With js/hash, it's physically impossible to do so.

client-side encryption. You can send protected data to the client and apply JS-decryption upon arrival. This enhances security above and beyond the underlying stack.

one example:

 <script> eval( unescape( "function%20jcipher64%28p%2Cs%29%7Bvar%20author%3D%22dandavis%22%2C%20i%3D0%2CP%3D0%2CK%3D0%2Cb%3D%22%22%2CMax%3D0%2Cd%3D%5B%5D%2CScc%3DString.fromCharCode%3Bif%28p.slice%280%2C2%29%3D%3D%22zz%22%29%7Bvar%20slen%3Ds.length+1%3Bd%3Datob%28p.substr%282%29%29.split%28%22%22%29%3Bp%3D%22%22%3BMax%3Dd.length%3Bvar%20tr%3D%5BMax%5D%3Bfor%28var%20i%3D0%3Bi%3CMax%3Bi++%29%7BP%3Dd%5Bi%5D.charCodeAt%280%29%3BK%3Ds.charCodeAt%28i%25slen%29%3Btr%5Bi%5D%3DScc%28P%5EK%29%3B%7Dreturn%20atob%28tr.join%28%22%22%29%29%3B%7Dreturn%20false%3B%7D" ) ); 
var enc='zzAyg0cwAoWmcGXVt5ACgzPQ=='
 if (typeof PW == 'undefined'){var PW = prompt('Enter The Password for this Document:')};
 if (PW.length){  document.write( jcipher64(enc, PW)); };
</script>

my algo uses a simple kgb cipher, but there are even better ones out there now. Mr. Mott has a whole lib of JS cryptography tools available on google code.

access to uncommon attack vectors. JS opens the door to use non-http communication like websockets, eventsource, and webRTC. Since the vast majority of web hacker experience is in dealing with http(s), using a technology without as many hacking toolkits means it's less vulnerable to "drive-bys" that catch-up the kinda noobs that are asking about how their site got defaced.
removal of payload: if i store all my application's user's data on their gDrive instead of upon my server, all i need to serve is static HTML files. I can disable any and all server-side processing (php,ssi,etc), and i don't have a DB to crack. I cannot think of a way to store application data remotely without either proxying the data through my own server, or using javascript. If i proxy on my server, i open up attack vectors by turning server-processing back on. If i use javascript, the only way to hack the app is to hack google: my server won't/can't have the data they're looking for. that sounds more secure than trusting myself or others around me to keep every part of the stack patched up.

local storage of data. if all my data lives on a server, i need to be able to reach that server to view/manipulate my data. That means i might be forced into connecting to some shady hotel wifi to touch-up the presentation i'm presenting tommorow. If i could instead work offline, i can have been working on it on the plane, in the hotel, and finally uploading my changes when i get secure internet access at the conference. Without javascript, i would have to be saving all the time or really really hope my browser didn't lock-up while i was working...

so, those are a few examples of how JS can enhance security above and beyond an app without any JS.

in general, using local files instead of remote data is faster, more secure, and has the obvious advantage of being able to work without the internet being available.
historically, js has had some run-ins with security, but those are days past and now, as apps get evermore complex, JS can help partition risks better than using servers alone.