Re: javascript Security... the official word
On Fri, 1 Mar 1996 11:16:06 -0800, you wrote:
>"THE WORLD WIDE WEB SECURITY FAQ (Version 1.2.0, February 28 1996)"
>by Lincoln D. Stein <lstein@genome.wi.mit.edu>
>- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> You should be extremely concerned about JavaScript, an integral part
> of Netscape Navigator 2.0. It allows many types of private information
> to be included in data submitted to remote sites by fill-out forms,
> without the consent, or even the knowledge of the user. For example, a
> recently published script showed how a JavaScript page could grab a
> user's e-mail address from Netscape's preferences dialog and send it
> across the Internet.
I do not understand where being able to grab a user/visitor's email address is a
breach of privacy or a worry. Actually I find it pretty darn useful... If
someone visits a site they DO leave a bunch of logs all over the place and they
could eventually be traced to a singular individual without that much work..
I know from reviewing my site logs that only the user's domain info is stored...
I must say though that should Javascript prove to be able to do these items:
1) grab the user's complete info (username on their local system as well as
domain info)
2) grab the previous page they are coming from (aka referring page)
I would quickly add code to my page to use such features, since these items
allow me to:
1) keep track of who is actually visiting my pages
2) contact visitors later, if needed or to notify them of updates...
3) keep track of referring pages so that I can contact the admins there to
notify/thank them for the posting....
>
> This is just the beginning. Others have figured out how to exploit
> JavaScript to make much more intrusive invasions of the user's
> privacy. The scripts at:
> * http://www.c2.org/~aelana/javascript.html and
> * http://www.osf.org/~loverso/javascript/track-me.html
>
> demonstrate how to take the following obnoxious actions:
> 1. Read the user's URL history list and transmit it to a remote site.
> 2. Read the user's disk cache (containing URLs of all frequently
> visited sites) and transmit it to a remote site.
> 3. Invisibly monitor all the sites a user visits and transmit them
> one by one to a remote site (the monitoring persists until the
> user completely exits from Netscape)
> 4. Obtain a recursive directory listing of the user's local hard disk
> and any network disks that happen to be mounted.
Now as for all of these things.... These need stopped as they definitely go far
beyond invasion of one's privacy...
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
What happens when corporations turn to the government as
their professional bounty hunters. Conspiracy read all about
AT&T's conspiracy to hide their own wrongdoing.
http://www.kmf.org
-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-