Question


Security issue - Use of JS in TR's sites and other's sites

By oriolus99
Hi,
I would like to know what risks/annoyance/displeasure I bring upon myself if I grant JS being executed when reading TR-stuff (in this question I take TR mainly as an example).
I installed NoScript as an extension in Firefox and now several pieces of JS want to get permission to be executed, originating from:
1. js.revsci.net
2. i.i.com.com
3. adimg.com.com
Honestly I think there will be no harm in executing those scripts (TR cannot afford it if they would), but
A. what do they do,
B. how can I generally get an answer to this question by myself, regarding other pieces of JS urging to be executed at numerous other sites, or cannot I?
BTW, some sites don't function properly if I deny all scripting; then I simply guess (by name, or by other intuitive triggers) whether to grant a script, running the risk of getting myself into trouble (e.g. giving away my identity or the like).
I installed McAfee SiteAdvisor as well; can I generally count on no harm whatsoever, if this tool shows the actual site as a 'green' one, regarding pieces of JS?
TIA

This conversation is currently closed to new comments.


All Answers


JS on TR

by JFPSF In reply to Security issue - Use of J ...

Question A.
The js.revsci.net call is from Revenue Science (an ad company). The adimg.com.com is from TR's parent company CNET (anything from the com.com domain is from CNET), and again is ad related. The scripts running from i.i.com.com are the ones that actually are used on the TR site for functionality. So, technically, the i.i.com.com scripts are the only ones you have to run, and the site will work without them (just not as prettily).

Question B.
The general question of how you can tell which scripts you should let run is a tough one. There is no good answer. The easiest approach is just to trust particular sites. Major commercial sites are extremely unlikely to be trying to do anything that is intentionally malevolent. We have way too much to lose. On the other hand, that approach leaves you vulnerable if the site you trust gets hacked.
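As an added illustration of the per-host breakdown in the answer above (not part of the original posts), this sketch lists the hosts a page loads scripts from and labels each one. The sample HTML, its script paths, the page URL `forum.example.test` and the `KNOWN_OPERATORS` table are constructed for the example; only the three script hosts and their operators come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; only the three script hosts come from the thread.
SAMPLE_HTML = """
<html><head>
<script src="http://i.i.com.com/js/site.js"></script>
<script src="http://adimg.com.com/js/ads.js"></script>
<script src="http://js.revsci.net/js/track.js"></script>
<script src="/local/menu.js"></script>
</head><body></body></html>
"""

# Assumption: operator labels follow the answer above; extend this per site.
KNOWN_OPERATORS = {
    "com.com": "CNET (site's parent company)",
    "revsci.net": "Revenue Science (ad company)",
}


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)


def base_domain(host):
    # Naive: last two labels. A real tool should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def inventory(html, page_url):
    """Return {script host: label} for every external script on the page."""
    parser = ScriptCollector()
    parser.feed(html)
    page_base = base_domain(urlparse(page_url).hostname)
    result = {}
    for src in parser.sources:
        host = urlparse(urljoin(page_url, src)).hostname
        base = base_domain(host)
        if base == page_base:
            result[host] = "same site"
        else:
            result[host] = KNOWN_OPERATORS.get(base, "unknown third party")
    return result


if __name__ == "__main__":
    for host, label in inventory(SAMPLE_HTML, "http://forum.example.test/thread").items():
        print(f"{host:20} {label}")
```

An "unknown third party" result is the cue to look up who operates that domain before allowing it in NoScript.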


Trusting a major site

by Dr Dij In reply to JS on TR

As others say, 'Trust but Verify'

The problem with this is that they MAY NOT KNOW that they are serving up a threat. Despite a widely publicized ad rotator serving up viruses on a major site a few years ago, you rarely hear of this.

Yet recently, I GOT a virus while surfing a major IT site other than TR. Symantec caught it trying to load an exe into the root of the C: drive the instant it tried. I notified the site owners. I'm sure it was not on purpose. Someone else on TR said in spyware chat that they get spyware at their company from ads in the website ad rotators regularly.

I have the mvps.org/winhelp2002 hosts file to block many malware sites. SiteAdvisor is good but limited to sites it has tried (you can submit sites for review but not instant).

Try this: disable activex and then browse to computerworld.com, informationweek, eweek, networkcomputing, etc. (you'll see just about every page saying 'may not display right because activex is disabled.)

My guess is that major companies have holes in methods they use to check for malware activex, flash, jscript and probably don't check jpegs for wmf flaws where stupid MS executes scripts embedded within jpegs or it causes an overflow; however it does this, they can execute arbitrary spyware code.

The state of security is sad but getting better. Browsers should execute completely in a 'sandbox'. They should be as indestructible as an appliance. Laundry you throw in your washer shouldn't be able to reprogram the controls.

Even emails - I have gotten emails from TWO SECURITY COMPANIES in the last 3 months that had embedded activex! FROM A SECURITY COMPANY!

Turns out, them signing the email at the bottom, pasting their company address, adds some activex from Word to the email in one case. So they didn't even know they were doing this!


You are absolutely right

by JFPSF In reply to Trusting a major site

Dr. Dij,

You are absolutely right. The problem is driven by three factors.

1. The advertisers are constantly demanding more interactivity and tracking in their ad programs. This requires more and more scripting, flash, etc.

2. Sites are mainly judged by features, not security, so engineering tends to focus on adding new stuff. Moreover, a security review is not baked into most sites' engineering process.

3. There are a lot of employees of major technical companies that aren't technical themselves.

J
