It's also important to note that even though some Java implementations seem to have some security problems, this doesn't mean that the alternatives (JavaScript, ActiveX, VBScript, and so forth) are secure. If anything, the research community has been focusing on Java attacks because Java's creators claimed that it was designed with security in mind.

Currently, users who view security as a primary concern are well advised to disable the execution of Java programs by their browsers.

3.2 JavaScript

JavaScript, originally known as LiveScript, is a programming language that Netscape developed to make animation and other forms of interaction more convenient. JavaScript programs reside in HTML files, usually surrounded by both <script> tags (so that they will be recognized by JavaScript-enabled browsers) and HTML comment tags (so that they will be ignored by browsers that do not understand JavaScript).

Netscape's JavaScript allows HTML files to command the browser. JavaScript programs can create new windows, fill out fields in forms, jump to new URLs, process image maps locally, change the HTML content of the HTML page itself, compute mathematical results, and perform many other functions.

JavaScript is the native language of Netscape's web browser. For this reason, JavaScript has many functions specifically designed to modify the appearance of web browsers: JavaScript can make visual elements of the web browser appear or disappear at will. JavaScript can make messages appear in the status line of web browsers. Some of the earliest JavaScript applications displayed moving banners across the web browser's status line.

Because JavaScript programs tend to be small functions that tie together HTML files, GIFs, and even other programs written in JavaScript, many people call JavaScript a "scripting language." But JavaScript is a full-fledged general-purpose programming language, exactly like every other programming language. You could write an accounts receivable system in it if you wanted to.

3.2.1 JavaScript Security

JavaScript programs should be inherently more secure than programs written in Java or other programming languages for a number of reasons:

There are no JavaScript methods for directly accessing the client computer's file system.

There are no JavaScript methods for directly opening connections to other computers on the network.

But JavaScript, like most other parts of the Web, is changing. Netscape is reportedly developing a capabilities-based system that relies on code signing to determine which privileges a running JavaScript program should be allowed to exercise. Once this new system is in place, JavaScript is likely to be extended to allow signed JavaScript programs to have extensive access to the host machine.

Security problems have been reported with JavaScript. This is because security is far more than protection against disclosure of information or modification of local files. To date, JavaScript problems have occurred in two main areas: denial-of-service attacks and privacy violations, both described below.

3.2.2 JavaScript and Resource Management

JavaScript can be used to mount effective denial-of-service attacks against the users of web browsers. These attacks can be resident on web pages or they can be sent to users with JavaScript-enabled mail readers in electronic mail.

3.2.3 JavaScript and Privacy

Because a piece of downloaded JavaScript runs inside the browser itself, it potentially has access to any information that the browser has. Early JavaScript implementations featured a variety of problems that could lead to loss of confidentiality or privacy, including:

JavaScript could be used to create forms that automatically submitted themselves by email. This allowed a malicious HTML page to forge email in the name of the person viewing the page. ("Viewing this page automatically sends the President and his cat an electronic death threat from your web browser.") Alternatively, this feature could be used to collect the email addresses of people visiting a web page. ("Thank you for visiting our web page; your name and email address have automatically been added to the Flat Earth Society mailing list.")

JavaScript programs had access to the user's browser "history" mechanism. This allowed a web site to discover the URLs of all of the other web pages that you had visited during your session. This feature could be combined with the previous feature to perform a form of automated eavesdropping.

A JavaScript program running in one window could monitor the URLs of pages visited in other windows.

These problems have all been corrected in newer versions of Netscape Navigator. Netscape's Eric Greenberg says that the real reason for the loss of privacy is not that JavaScript has access to sensitive information, but that this information can leave the user's computer.
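The fix for the cross-window URL leak described above was an origin check: a script may read another window's location only when both documents come from the same scheme, host and port. This is an added example of that check, not code from the book or from Netscape; the window objects and URLs are constructed for the run.

```javascript
// Added example, not from the book: the origin check later browsers apply
// before a script in one window may read another window's location.
// Two documents share an origin only if scheme, host and port all match.
function originOf(urlString) {
  // URL.origin drops default ports, so "https://a.example:443" and
  // "https://a.example" compare equal; file: and data: URLs give "null".
  return new URL(urlString).origin;
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  // Opaque origins ("null") never match, not even each other.
  if (a === "null" || b === "null") return false;
  return a === b;
}

// Minimal model of the browser's check: a script running in `requester`
// asks for the URL currently loaded in `target`.
function readLocation(requester, target) {
  if (!sameOrigin(requester.location, target.location)) {
    return { allowed: false, value: null };
  }
  return { allowed: true, value: target.location };
}

// Constructed sample windows for a run.
function demo() {
  const shop = { location: "https://shop.example:443/cart?id=42" };
  const shopHelp = { location: "https://shop.example/help" };
  const tracker = { location: "http://tracker.example/collect" };
  const localFile = { location: "file:///tmp/page.html" };
  return {
    sameSite: readLocation(shopHelp, shop),   // allowed: same origin
    crossSite: readLocation(tracker, shop),   // blocked: different scheme and host
    fromFile: readLocation(localFile, shop),  // blocked: opaque origin
  };
}
```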

If you are concerned with potential abuses of JavaScript, you should disable it in your browser.

3.3 Denial-of-Service Attacks

A significant security problem with both Java and JavaScript is the difficulty of preventing denial-of-service attacks.

A denial-of-service attack is an attack in which a user (or a program) takes up so much of a shared resource that none of the resource is left for other users or uses. Although the mainframe computers of yesteryear had some defenses against denial-of-service attacks,[20] modern computer systems are notoriously poor at handling such attacks.

Of course, any programming language or environment that allows systemwide resources to be allocated, and then places no limitations on the allocation of such resources, is subject to denial-of-service attacks. But Java and JavaScript seem to be especially sensitive to them, apparently because the authors of these languages have not considered denial-of-service attacks to be serious threats. Programs written in Java and JavaScript can easily command large amounts of system resources, and there are few avenues available for a user who is under attack to regain control of his system.
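The limitation the text says these environments lacked is a per-principal resource budget, the approach the mainframes of footnote 20 took. This is an added example of such a quota, not code from the book or from any browser; the origins, limits and the looping script are constructed for the run.

```javascript
// Added example, not from the book: a per-origin resource quota of the kind
// the text says these environments lacked. Every request from a downloaded
// script is charged against its origin's budget; once the budget is spent,
// further requests are refused, so one greedy page cannot starve the rest.
class ResourceQuota {
  constructor(limits) {
    this.limits = limits;    // e.g. { windows: 5, memoryBytes: 1048576 }
    this.usage = new Map();  // origin -> { windows: n, memoryBytes: n }
    this.denied = [];        // audit trail of refused requests
  }

  usageFor(origin) {
    if (!this.usage.has(origin)) {
      const zeroed = {};
      for (const kind of Object.keys(this.limits)) zeroed[kind] = 0;
      this.usage.set(origin, zeroed);
    }
    return this.usage.get(origin);
  }

  request(origin, kind, amount) {
    if (!(kind in this.limits)) throw new Error(`unknown resource: ${kind}`);
    const used = this.usageFor(origin);
    if (used[kind] + amount > this.limits[kind]) {
      this.denied.push({ origin, kind, amount });
      return false;          // refuse instead of letting the caller hog it
    }
    used[kind] += amount;
    return true;
  }

  release(origin, kind, amount) {
    const used = this.usageFor(origin);
    used[kind] = Math.max(0, used[kind] - amount);
  }
}

// Constructed scenario: one origin keeps asking for new windows in a loop
// while a well-behaved page from another origin makes ordinary requests.
function simulate() {
  const quota = new ResourceQuota({ windows: 5, memoryBytes: 1048576 });
  let greedyOpened = 0;
  for (let i = 0; i < 1000; i++) {
    if (quota.request("http://hostile.example", "windows", 1)) greedyOpened++;
  }
  const politeOk = quota.request("https://shop.example", "windows", 1) &&
                   quota.request("https://shop.example", "memoryBytes", 524288);
  return { greedyOpened, politeOk, deniedCount: quota.denied.length };
}
```

The greedy origin gets exactly its five windows and every further request is logged and refused, while the other origin is unaffected.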

3.3.1 Do Denial-of-Service Attacks Matter?

Should we be concerned about denial-of-service attacks? Dennis Ritchie, one of the original creators of the UNIX operating system, didn't think so back in the 1970s when UNIX was first designed. When Simson interviewed Ritchie in 1988, Ritchie said that UNIX wasn't built to withstand denial-of-service attacks because most of these attacks were either launched "by accident, or it was relatively easy to figure out who was responsible. The individual could [then] be disciplined outside the operating system by other means." These days, many programmers seem to feel the same way. Protecting against denial-of-service attacks is very difficult. Instead of trying, most programmers simply don't bother. After all, it's usually relatively easy to determine who is responsible for a denial-of-service attack. It's usually easier to deal with these people by nontechnical means.

Unfortunately, denial-of-service attacks are becoming more prevalent on the Internet today, and it's growing increasingly difficult to determine where they are coming from. Furthermore, some denial-of-service attacks have been designed to be executed to hide another, parallel attack of a more sinister nature.

One of the best examples of a successful attack happened on Friday, September 6, 1996, when an Internet service provider in New York City was attacked using a technique called SYN flooding. In this attack, a series

[20] Mainframe computers were somewhat defended against denial-of-service attacks by strong limits on the amount of resources that any one