Every Browser Hacked At Pwn2own 2015, HP Pays Out $557,500 In Awards
darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. The sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers $557,500. Is it reasonable to expect browser makers to hold their own in an arms race against exploits? "Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc, manager of vulnerability research for HP Security Research, said.
Along with Firefox on the first day.
Is it reasonable to expect browser makers to hold their own in an arms race against exploits?
The problem is that browsers are trying to become an OS - with all the complexities associated with one.
If we went back to a world where HTML was mostly about content -- that could be displayed in everything down to things like the Lynx browser -- they could be made secure.
People wanted more, though -- so they decided to allow extensions like Java Applets, Flash Plugins, and ActiveX controls. Obviously more complex, those were not surprisingly insecure.
So now people decide to take all the complexity and insecurity and build it directly into the browser itself?!? WTF.
Makes me miss gopher clients. Maybe we should go back.
TL/DR: Javascript+HTML5 is the new Java applet + Flash Player + ActiveX control.
... getting their code airtight and less time constantly fucking about with GUI and javascript interpreter - sorry, "engine" - changes perhaps these exploits could become less of an issue.
According to the second link I only see 6 CVEs in 7 years. Oooh, so scary!
I'm glad HP is doing something nice for somebody because, without exception, their consumer products and software make me want to jump off of a building.
I built a better sword,
they built a better shield
i got a long bow
they got armor
i fortified a wall
they built a ballista
To successfully exploit such a vulnerability (other than to make the browser simply crash), an attacker needs to craft the attack to place just the right content into memory.
By building the browser yourself (with CFLAGS, CXXFLAGS and even CC and CXX set to something unusual — such as to target only your specific -march) — rather than downloading prebuilt binaries — you make the attacker's job much harder. To successfully exploit your browser, he'll now need to make a custom exploit just for you.
And, if you include -fstack-protector or equivalent among your compiler-flags, you may even be able to make such attacks impossible for good.
In Soviet Washington the swamp drains you.
I want to know how vulnerable browsers are, not if they are. Always assume what you are using is vulnerable; if you feel completely safe with your software, then you are the one most likely to get hacked. But I want to know the level of effort it will take to perform such exploits. Some interestingly coded HTML/XML/Javascript where you can drop the files on any web server and perform the export. Perhaps it is in the HTTP protocol, where you need to write a server-side application to perform the HTTP calls. Or is it in the level of special TCP/IP packets where you need to have the OS send funny data.
Is the exploit just by going local and using local data, is it outside exploitable?
This is important. Not to excuse having a software vulnerability, but by having a priority for them to get fixed, and assessing how far such things can spread.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Are the majority of exploits due to bugs which would be trivially detected at compile time let alone runtime in a modern language as usual?
The article doesn't provide many details on what these exploits actually were, but in case anyone else is curious like I was they appear to be published on the ZDI site:
Broad strokes for new discoveries
Details for older exploits
Curious how much NoScript would mitigate the Firefox vulnerabilities. I find the mild annoyance of having to enable scripting occasionally is well worth it.
I wonder if anyone has made a hardened version of the original "www" browser.
Being text-only and lacking support for just about everything, it should be relatively easy to make almost bulletproof.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
There's nothing stopping you from going back.
Actually, there is. You can't use any of the popular plug-ins on a lot of mobile devices. Chrome is so buggy that even the most basic functionality doesn't work with some of the plug-ins now. As a developer, trying to actually produce a good user experience using any of the formerly popular plug-ins is futile with all the security warnings and all-but-invisible switches to override them in modern browsers.
And yet, after all their bitching about how insecurity is Java's fault or Flash's fault or whatever, it turns out that the browser writers aren't doing much better, because now they also have that complexity to deal with, and they are also trying to write secure software in unsuitable programming languages like C++.
So now we can't use tried and tested plug-in technologies to actually make stuff, and we all have to use HTML5+JS instead, even though in some areas they are still far inferior to what we had before with Flash or Silverlight or Java applets. This is not progress, unless your goal is not to actually provide better results for users but merely to kill off technologies that can threaten your native apps (Apple) or that are not ideal for your commercial model (Google).
At least there have been some moves in the right direction. For example, it will be interesting to see whether the first browser or browser components written in Rust do better.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
The thing is, that was all true with even relatively early browsers, because it's the uniform access to information that was the radical improvement on what we had before.
Nothing about that necessarily means moving complex executable software to the browsers or making browsers a thin client for code running in the cloud is a similarly significant improvement. Plenty of us would argue that in many ways it has been a huge step backward, leading to dumbed-down software, security and privacy concerns, rent-seeking behaviours, inherent unreliability, and so on.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
[...] they are also trying to write secure software in unsuitable programming languages like C++.
Right. So tell me, what "suitable" language would allow the browser to parse 200-500K of minified JS code in under 0.5 second? (200K == JQuery + few JQ plug-ins, 500K - JQuery + lots of JQ plug-ins.) Anyway, browsers already do resort to optimizations in assembler, because even C++ is not fast enough for what the web has become.
So now we can't use tried and tested plug-in technologies to actually make stuff, and we all have to use HTML5+JS instead, even though in some areas they are still far inferior to what we had before with Flash or Silverlight or Java applets.
Integration with 3rd parties is a bitch. That was and remains the main reason why plug-ins suck.
Portability is another big reason. Windows, iOS and Android do things in starkly different ways, making portable plug-ins even harder.
The problem is not plug-ins per se. The problem is that Google steers development of the Web toward its own goal which is to make the OSs obsolete. The short-sighted strategy resulted in overbloated browsers, with all the consequences for the security. Worse, they keep "optimizing" the browsers instead of e.g. integrating the JQuery/etc right into the browser to avoid repeating the loading of the same every time the user clicks a link.
All hope abandon ye who enter here.
They're not even a browser maker. Why aren't Google, Apple, and Microsoft each paying out their own rewards?
WTF is this garbage?
I was at Pwn2own and NEVER ONCE experienced an exploit thanks to my browser of the future: Links.
now if you'll excuse me i need to gloat...there are some arpanet users on gopher that are going to be mighty impressed by this.
Good people go to bed earlier.
But...but...it's all the fault of extensions!!! Firefox is flawless!!
Why is HP involved? What does hacking have to do with printer ink?
So tell me, what "suitable" language would allow the browser to parse 200-500K of minified JS code in under 0.5 second?
It's not as if I have a handy JS engine implemented in every safer language to benchmark, but there are plenty of them out there that compile down to speeds close enough to C that the difference is mostly academic. The trouble is, every one of them is currently in the range of "obscure" to "extremely obscure" and lacks the surrounding ecosystem to be a viable alternative today.
This is a big general problem with the software industry right now. There is so much momentum behind the C and C++ ecosystem that creating an alternative language that is also relatively fast/low-level/compiled-to-native but has better safety properties and all of the tools and libraries to go with it is a huge challenge. It doesn't really matter if there's some great language out there, if you have to reinvent every wheel in it to get anything useful done.
This is why I'm optimistic about newcomers like Rust, which is the first language I've encountered in recent years that seems to be qualitatively better in safety, similarly or more expressive despite the low-level/compile-to-native form, and well enough supported that it might actually go the distance.
Integration with 3rd parties is a bitch. That was and remains the main reason why plug-ins suck.
But going back, say, a decade, all of the major browsers integrated with all of the major plug-ins just fine. The problems have been caused by deliberate decisions to drop support for various long-standing mechanisms and/or an obvious lack of concern for even testing basic integration works. I don't for a moment believe that this was all done purely for technical reasons.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Just ignore him and he'll go away...
Firefox is working on Project Electrolysis (e10s) which will turn every tab in its own context and be more isolated.
Also Mozilla is working on the Servo engine written in Rust to replace the current Gecko engine.
They have big noses, amiright? I think secretly you're the CEO.
http://www.diceholdingsinc.com...
So tell me, what "suitable" language would allow the browser to parse 200-500K of minified JS code
Why the fuck would anyone want to allow a browser to parse (let alone run) 500K of JavaScript, minified or otherwise? Fucking disaster waiting to happen.
If it's that big, download a fucking app. Once.
From the linked article:
"Overall, Brian Gorenc, manager of vulnerability research for HP Security Research, said that one of the surprises at the Pwn2Own 2015 event was the amount of Windows kernel vulnerabilities that showed up, though he noted that HP, in a way, expected it."
Although many exploits may be against vulnerabilities in the browser code, I have to wonder how we can expect a browser implementer to write secure code if kernel implementers can't. In my view the basic problem is that the goal for security in almost all software is that it be just "good enough", where "good enough" is a bar which is raised as a piece of code gets a reputation for being insecure. With the possible exceptions of governments and a few financial service companies, no one really wants to pay the cost of ensuring that software is secure. So we make a game of it, with prizes, like Pwn2Own, in an attempt to amortize the cost.
Why is it so hard to write secure software? Well, programming languages are an easy target. Most OS's and browsers are written in C/C++, which we know provide many, many ways to accidentally undermine security. But the complexity of the software also is a factor, and that is fed by the desire to continually add functionality over time. The evolution of the web is a textbook example of this. Rather than being satisfied with a nice, relatively secure textual browser, we had to turn it into an application platform. We used to have different application protocols for different applications. Now everything goes over HTTP, and so HTTP becomes ever more complicated. What we ought to have is a browser application that only browses and renders hypertext, with no JavaScript and a very restricted plugin API. Then if you want to launch an application over the web, make it a separate application and use a URL that starts with something other than "http[s]:". Personally I think it would be cool just to have a URL that opens a VM in a tab and boots it up from a secure OS image.
You would think that the evolution of smart mobile devices would provide the opportunity to not repeat the mistakes of the past. And it is true that mobile devices have security managers which provide some granularity to the rights that an application can be granted. But my experience has been that apps that I install on a mobile device often require more rights than it seems they should. In practice the decision I make when I install an app is, "Do I trust this app or not?" And I either grant it all the rights it wants or not. (Actually what I really think is that mobile devices are not really secure, that the security manager is effectively "security theater", so I don't put anything on a mobile device that I wouldn't want the world to see.)
So tell me, what "suitable" language would allow the browser to parse 200-500K of minified JS code in under 0.5 second?
It's not as if I have a handy JS engine implemented in every safer language to benchmark, but there are plenty of them out there that compile down to speeds close enough to C that the difference is mostly academic.
Benchmarks in studio.
All comparisons I have seen so far were about executing JS code. But performance of data parsing still largely sucks in all managed languages. And the modern web is overloaded by the ridiculous amount of the code. Parsing the JS nowadays takes more time than executing it. Because execution can be optimized to the bare necessary minimum, while one still has to parse the whole thing to know what to execute.
The trouble is, every one of them is currently in the range of "obscure" to "extremely obscure" and lacks the surrounding ecosystem to be a viable alternative today.
This is a highly specific task, really. And browsers have already literally excluded themselves from the rest of the software ecosystem. They come with their own network libraries, DNS libraries, security libraries, video/audio decoding libraries, GUI libraries and so on. Yes, on Linux, they can be configured to use the system libraries, but that wasn't the default behavior for many years now - distro devels have to activate that manually, and potentially deal with the incompatibility quirks.
Integration with 3rd parties is a bitch. That was and remains the main reason why plug-ins suck.
But going back, say, a decade, all of the major browsers integrated with all of the major plug-ins just fine.
Nope. Your memory is playing tricks with you.
Browser crashes due to plug-in bugs were the most frequent cause of browser crashes. And I have followed not one bugzilla ticket (in the times when "bugzilla" still was a term specific to Mozilla's Bugzilla) which involved lots of fingerpointing between Mozilla and Java/Flash developers.
The problems have been caused by deliberate decisions to drop support for various long-standing mechanisms and/or an obvious lack of concern for even testing basic integration works. I don't for a moment believe that this was all done purely for technical reasons.
Here is a simple technical reason: keyboard input. There is no established interface, and generally the interface is highly OS specific, for a plug-in to pass an unhandled widget event (for example keyboard input) to the browser. That's why in some browsers still, if you open a tab with flash video, click inside the video and press ^W to close the tab, nothing happens. Because the plug-in ate the ^W and the browser never saw it. Worst part: that is also a security concern: one cannot let plug-ins simulate user's keyboard input, since that makes silent web-based keyloggers trivial to implement.
All hope abandon ye who enter here.
What Operating System did these successful browser hacks work on?
Slashdot is pretty "lightweight" and yet:
The size of JS embedded on this page I'm replying from is 33K in about 890 lines of code.
Externally loaded libraries are (mostly minified):
http://a.fsdn.com/sd/all-minified.js?release_20150309
http://player.ooyala.com/v3/85...
http://a.fsdn.com/sd/html5.js
http://a.fsdn.com/sd/comments-...
http://www.googleadservices.co...
Total size: 1147446 bytes, aka 1.1MB.
You are welcome.
All hope abandon ye who enter here.
You do realize for quite some time Chrome has been the biggest pig of a browser, right?
Firefox and IE are both technically superior in most ways.
Slashdot is bloated shit. It's nowhere near as bloated and shitty as many other major sites, but it's bloated fucking shit.
The fact that it tracks every fucking pixel you click on or drag across, or phones home when you try to close a tab is fucking absurd. The fact that browsers ALLOW this behavior is utter horseshit.
Go ahead, watch the bottom of the page when you close a Slashdot tab. When Slashdot is slow (and it often is) you'll see the "Working" indicator with the shitty little spinny wheel before your browser actually complies and closes the tab.
But performance of data parsing still largely sucks in all managed languages.
Are we talking about parsing the JS, or work being done by JS code here? I'm certainly not suggesting rewriting the browsers themselves or major components like the JS engine in a managed language. There are plenty of ways to make much more security-friendly languages than C++ that still compile to self-contained, native code without depending on a heavyweight VM.
This is a highly specific task, really. And browsers have already literally excluded themselves from the rest of the software ecosystem. They come with their own network libraries, DNS libraries, security libraries, video/audio decoding libraries, GUI libraries and so on.
I don't think it's as specific as you're suggesting. The same general balance between needing the control and speed vs. needing security and robust code applies to just about any system software or communications software, for a start.
Ironically, those dependencies on their own libraries (or reinventing all the wheels on the carriage, if you prefer) that were set up to promote portability mostly seem to have adverse consequences that would have been avoided if they'd actually used their host operating system instead of trying to be one. For example, Chrome infamously rendered text worse than the native system functions on all major platforms for a long time, while trying to actually build a site that uses HTML5 multimedia elements has been absurdly difficult for developers because there is so much variation in which exact A/V formats the different browsers support. (Did I mention that Flash could just download an audio or video file in one format and play it on all the platforms it supported?)
Nope. Your memory is playing tricks with you.
Browser crashes due to plug-in bugs were the most frequent cause of browser crashes.
That may be true, but according to the objective data on the projects I work on (which include some going back nearly a decade and using plug-ins) today's browsers are significantly worse for crash bugs than they used to be.
Chrome comes up with some sort of "I didn't shut down properly last time" warning almost daily, often prompted by nothing but loading Google's own sites. It can't even reinitialise pages using Java applets properly after a page refresh any more.
Firefox has been hanging more for us in recent months than it has for years. This appears to be due to a couple of popular add-ons we use rather than Firefox itself, but the fact that a failing add-on can take out the entire Firefox process is itself a damning indictment of Firefox's basic process isolation and security model, which is still fundamentally flawed many years after every other major browser dealt with this issue.
I recently went travelling, and with mobile devices just a few years old, the built-in browser was crashing just from trying to access various private WiFi systems. Sure, the browser is a little out of date, but that's because to upgrade it we'd wind up upgrading the whole OS, which numerous sources report as basically rendering the device so slow and buggy as to be useless.
The only major browser that does not have major crash/hang bugs with any project I work on today is actually IE, which gets a bad rap for historical reasons but objectively has been vastly better in quality than Firefox, Chrome or Safari for several years now according to our bug trackers.
Here is a simple technical reason: keyboard input. There is no established interface, and generally the interface is highly OS specific, for a plug-in to pass an unhandled widget event (for example keyboard input) to the browser.
That's a fair example, though my immediate question is why these plug-ins ever had direct access to things like keyboard input in the first place, given the obvious stability and security issues you mention. We've been running Java app
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I noticed that they didn't list lynx, links, wget, curl...
Quo usque tandem abutere, Nimbus, patientia nostra?
Firefox is my primary browser. It doesn't hold a candle to Opera 12.17, but FF is pretty much the only (current) browser going for power-users... at least until we see more of what Vivaldi has up their sleeve.
I don't see any superiority in FF at all, beyond allowing customization. Its memory utilization is absolutely insane: 300MB just to open an empty browser --- although interestingly that memory utilization doesn't increase as you open tabs (initially) - so it looks like it requests more memory than it needs, except it doesn't freaking release the memory. Period. Full stop. Close windows, close tabs, does NOT matter. You have to close the whole damn browser.
If I had the time and the desire, I suppose a good greasemonkey or custom plugin would take care of most of this crap. In the meantime, noscript does work, mostly.
The cesspool just got a check and balance.
I see where you're coming from and actually I do not disagree with you.
Basically we just have different priorities.
Firefox has been hanging more for us in recent months than it has for years. This appears to be due to a couple of popular add-ons we use rather than Firefox itself, but the fact that a failing add-on can take out the entire Firefox process is itself a damning indictment of Firefox's basic process isolation and security model, which is still fundamentally flawed many years after every other major browser dealt with this issue.
Add-ons have literally unlimited access to the FireFox innards. That's by design. That's why FireFox add-ons are actually useful, compared for example to their castrated and harmless Chrome counterparts.
If you want to blame something, blame FireFox' rolling releases strategy. It's basically a cat and mouse game: browser changes, add-on authors have to change the add-ons, by the time they are finished, browser changes again.
That's a fair example, though my immediate question is why these plug-ins ever had direct access to things like keyboard input in the first place, given the obvious stability and security issues you mention.
Because a plug-in requires at least a GUI widget. And a GUI widget has access to the event queue. On Mac and Linux that can be coded around - but on Windows you are stuck.
We've been running Java applets embedded within web pages for around two decades, and it's kind of absurd that in all that time and despite the rise and fall of other plug-ins like Flash and Silverlight along the way, browsers and operating systems haven't come up with a better model.
There is no better model currently which satisfies the performance and integration requirements. Plug-ins are black box binary libraries with hooks, allowing browsers to hook the plug-in into the browser. (That's why the browsers do the land grab they do, integrating everything possible or not inside them: they try to make out of the black boxes the white boxes. The obvious issue that leads to is the overstretching of the limited development resources. A team can handle only so much.)
Browsers already do the only effective thing they could do: run plug-ins in their own isolated processes.
P.S.
The only major browser that does not have major crash/hang bugs with any project I work on today is actually IE, which gets a bad rap for historical reasons but objectively has been vastly better in quality than Firefox, Chrome or Safari for several years now according to our bug trackers.
The greater irony (or more like "WTF" moment) is that some Google services actually work better in IE than in Chrome.
Rolling releases my ass. Everybody knows how IE works/doesn't work - stagnation is another word for stability. - nobody can be ever sure about the Chrome. Apparently even Google. Because its version number changes sometimes every day. (Well, it is easy to spot Chrome installing the updates: instead of the usual ~15s to fully start, it takes more than 30s.)
All hope abandon ye who enter here.
The best way to deal with the situation is to run browsers under a hardened type-1 hypervisor that has a tiny attack surface itself. Create an 'untrusted' domain and tool around the Internet to your heart's content, or use disposable VMs that appear for risky temporary tasks and then self-delete.
If we want this rich content in our lives we have to accept the complexity and the risk to some degree. Using an OS built on security by isolation allows us all that complexity, but behind very strong, simple security structures that are built on the best hardware virtualization features. This is probably the only good way to keep private data and core systems from being exploited.
I even have reservations about air-gapping as a 'good' security solution: As the practice stands with PCs now, it's too free-form and there are too many complex code layers to think about and work around while sneaker-netting info and code between systems. A USB device that got infected could pretend to be any of hundreds of devices that use dodgy, vulnerable drivers; and that doesn't even touch on the risk from complex file formats or desktop features.
Your experience does not match mine, nor all the people I know who use Firefox. It seems those who have the problems just ran off to Chrome, in fact, because Mozilla has been unable to find all of these mystery leaks. In fact, when I close tabs over here, I see no such leak. A few minutes later, it's all back to normal. In fact, Firefox uses less RAM than Chrome on my system for the same browsing tasks. So it's simply a case of YMMV, and people giving up rather than helping find out what the actual problem is, often getting snippy that they should have to help figure out what the problem is.
Dillo wins!
Dear douche, take your own advice. You like the -1 you have?
you do realise the absurdity in what you suggested, don't you.
Looking for people to chat about multicopters, coding, music. skype: gtsiros
It's sadder you can't seem to let your puny cock go out of your hand actually!
R O T F L M A O! Yes sir, he's got that kung fu grip!
In the old days my browser would crash from java or flash at least once a week, but I can't even remember the last time Chrome or Firefox crashed now. Chrome stays open with dozens of tabs 24/7, the only reason I ever restart it is to get security updates, probably been a year since a crash. If you're getting regular crashes in everything but IE, there's something wrong.
This space intentionally left blank
Slashdot is actually absurdly bloated with way more scripts, and an impossible amount of marketing pixels and trackers and scripts than even most e-commerce sites have. It's second only to icanhazcheesburger.
I actually use slashdot to stress test my open source proxy server because of how many requests it does to load a single page, to a crazy amount of different domains.
Well, the rendering engine for these browsers is tty; a known ugly hack of a beast. While there are unlikely to be OS level exploits easily available, there are plenty of user-based exploits available in the vt code (redefining character sets, occasional graphical terminals, goodness knows how many keyboard insertion sequences...).
Yes, it seems we do generally agree about this.
I have criticised the rapid release cycle of Chrome and now Firefox many times myself for the instability and crazy amount of regressions it seems to bring with it (though expressing this opinion seems almost guaranteed to get you down-modded/voted on almost any web development forum on-line) and I'm disappointed that Microsoft is reportedly going to move in the same direction with its new browser project.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
If you're getting regular crashes in everything but IE, there's something wrong.
I'm a professional web developer, I work on a wide range of projects, and in recent versions I've seen fatal errors with Firefox and Chrome several times per week on average. Chrome comes up with a "didn't shut down properly" message a lot of the time just from a session loading it, leaving a real-time screen on Google Analytics open for a while, and then closing it down again!
It may be that we are using different definitions here. I'm including things like Firefox hanging (requiring the process tree to be killed) because of problems with add-ons rather than Firefox itself, Chrome shutting down a process but then complaining next time it starts up, or being forced to close and restart Chrome because it doesn't reset things reliably any more if you refresh a page using Java applets.
It's also fair to say that the projects I work on don't tend to be done-in-a-day tweak-a-template jobs. We're using relatively complicated page layouts in web apps, various HTML5 features in quite demanding ways, and handling non-trivial volumes of data in JS. None of this should be a problem with modern web technologies, but they are things a simple page for your local church or a basic e-commerce kind of site probably isn't doing.
Just to be clear, the general level of unreliability I'm talking about has been observed under controlled conditions, over an extended period, across multiple projects, testing by multiple people using multiple computers and operating systems. This is not one isolated case. Unfortunately, the behaviour often differs depending on the particular system used for testing, or might even not be reproducible from one test to the next, so it would often be difficult to file a useful bug report with a good test case, even if we had enough time to do so.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Go ahead, watch the bottom of the page when you close a Slashdot tab. When Slashdot is slow (and it often is) you'll see the "Working" indicator with the shitty little spinny wheel before your browser actually complies and closes the tab.
What is that, anyway? I have the usual blockers and such installed, but something there is still getting through.
And how the hell does it stop browsers from closing the window immediately when I tell them to? There is a defined mechanism for prompting users to confirm they want to leave a page, which Slashdot doesn't use. Why is anything else not just killed instantly when you close the tab, and who gave web pages a vote in whether or not I get to close them in my own browser?!
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
wowzers, try that on dial-up why don't you.
The problem is not the size per se.
The problem is that every time you open a Slashdot page, 1.1MB of (minified) JS code has to be parsed by the browser. Every damn time.
No managed language (especially of the "everything is an object" garbage collected ones) is capable of parsing that in a reasonable time below 1s.
In dial-up times everything was slow because the "last mile" was slow. These days it is slow, because "web designers" effectively became a synonym for "mentally retarded hipsters".
Look at Slashdot. It would take probably 50-100 lines of PHP (or Perl/CGI) to create the main page and comments page(*) each, which would (A) take a fraction of the RAM/CPU resources and (B) load effectively at the speed the DB needs to fetch the data from disk (if they are not cached) (because disk is the slowest link in all that). Another smallish CGI for the login/logout. Throw in 50-100 lines of CSS for the visual style. And probably 50 or so lines of JS for the comment form. And another CGI for posting the comment in the DB. And that's about 99% of the Slashdot I ever use. Now compare with the unmanageable clusterfuck we have. Or worse: compare to the beta.
(*) The tree organization of the comments might take a bit more code.
All hope abandon ye who enter here.
window.onbeforeunload = function(){while(1);}
Throw that on a page, close the tab, and lol.
Browsers happily execute what the page commands them to before considering what you the user commanded them to do. There are poorly-documented restrictions on things you can do during beforeunload or unload, all varying across browsers. I don't think you can alert(), you can return 'Some Shit' but it always displays a stock message ("Do you want to leave this page?"), IE will block window.open calls, etc. There's still plenty of room for you to fuck the user's experience over, however.
Eventually the browser's long-running script timer will grant you, the pitiful user, the option to fucking do what you want.
A few hours ago Mozilla released Firefox 36.0.3 for Windows, OS X, Linux, and Android to patch the exploits revealed at the Pwn2Own contest.
Thanks. I'm really surprised by that. We've used onbeforeunload for ages to give genuine warnings about unsaved changes in web apps, but for security reasons browsers have long forced any prompt message into a standard format and only given pages one shot at blocking the user from leaving. It hadn't even occurred to me that they would still let you spend significant amounts of time in that function or do other user-hostile kinds of things.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
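For contrast with the blocking handler posted above, here is the well-behaved use of the same hook that this reply describes: a one-shot unsaved-changes warning whose handler does constant-time work and is only registered while there is something to lose. This is an added example, not code from any commenter; `createUnsavedChangesGuard` and `createFakeWindow` are hypothetical names, and the fake window is a constructed stand-in so the block runs outside a browser.

```javascript
// Added example: unsaved-changes guard built on the beforeunload contract.
// `target` is `window` in a browser; any object with add/removeEventListener works.
function createUnsavedChangesGuard(target) {
  let dirty = false;

  // The handler stays constant-time: no loops, no network calls, no storage writes.
  function onBeforeUnload(event) {
    event.preventDefault();    // standard way to request the confirmation dialog
    event.returnValue = true;  // legacy signal; the browser shows its own stock text
  }

  return {
    // Register the listener only while there are unsaved changes.
    markDirty() {
      if (dirty) return;
      dirty = true;
      target.addEventListener('beforeunload', onBeforeUnload);
    },
    // Remove it as soon as the data is saved, so closing is never delayed.
    markClean() {
      if (!dirty) return;
      dirty = false;
      target.removeEventListener('beforeunload', onBeforeUnload);
    },
    isDirty() { return dirty; },
  };
}

// Constructed stand-in for `window` (assumption: only beforeunload is modelled).
function createFakeWindow() {
  const listeners = new Set();
  return {
    addEventListener(type, fn) { if (type === 'beforeunload') listeners.add(fn); },
    removeEventListener(type, fn) { if (type === 'beforeunload') listeners.delete(fn); },
    listenerCount() { return listeners.size; },
    // Simulates closing the tab; returns true if a leave-page prompt would appear.
    simulateClose() {
      const event = {
        defaultPrevented: false,
        returnValue: undefined,
        preventDefault() { this.defaultPrevented = true; },
      };
      for (const fn of listeners) fn(event);
      const legacy = event.returnValue !== undefined && event.returnValue !== '';
      return event.defaultPrevented || legacy;
    },
  };
}
```

In a page, pass `window` as the target, call `markDirty()` from the form's input handler and `markClean()` after a successful save.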
Google recently updated Chrome 41 to 41.0.2272.101 m, probably to fix the vulnerability found in Pwn2own "testing."
[...] they are also trying to write secure software in unsuitable programming languages like C++.
Right. So tell me, what "suitable" language would allow the browser to parse 200-500K of minified JS code in under 0.5 second? (200K == jQuery + a few jQuery plug-ins, 500K == jQuery + lots of jQuery plug-ins.) Anyway, browsers already do resort to optimizations in assembler, because even C++ is not fast enough for what the web has become.
Rust, of course.
It's pretty clear that the way we currently write browsers (and, let's be honest, security-relevant code in general) is fundamentally broken. If your code has a security bug you can't just fix the bug and walk away; you have to seriously consider what went wrong in your software development process that it was possible to release code with that bug. Rust solves one class of bugs---and that is a much better way to handle a bug: fixing the entire class of bugs that it belongs to---and while memory safety is far from the only thing that can go wrong in a browser, it does seem to be at the core of a lot of security bugs.
To fix slashdot's broken JS by not running it?
The cesspool just got a check and balance.
Like Apk ignored Dave420 until he had enough & decided to swat him by letting Dave swat himself being unable to back up his crap directed at apk?
Thank god I abandoned Windows 15 years ago. No windows computers in my house.