Larry Hosken: New: chris451's comment on Caja

[Edited to add: If you have questions or concerns about Caja, the Google Caja Discuss group is a good place to ask them.]

Since I switched blogging software, people who think they're commenting on my old blog posts are basically typing into a trash can. I broke the old commenting system. Unfortunately, I left the commenting UI in there. (I do plan to remove that misleading UI... uhm, sometime after I finish running playtests... and after I do my taxes... and... uhm, anyhow...) So chris451 probably thinks that I'm censoring him because I'm part of some evil Caja-Iranian-hacker conspiracy. Because I wrote a post praising Caja's HTML sanitizer. But I'll post his comment here:

chris451 has left a new comment on your post "Link: Caja's HTML sanitizer for Javascript":

This code is being used by iran to launch a fake virus scan window

03/05/2010 08:52 AM 426 virussusggester.txt
12/16/2009 02:43 PM 11,350 suggest_window.html_virussuggester
12/16/2009 02:43 PM 8,551 html-sanitizer-minified.js
12/16/2009 02:43 PM 1,890 json_comp.js
03/05/2010 09:05 AM 0 dir.txt
5 File(s) 22,217 bytes pops up gina gershon google search

[editor's note: Do not follow this link. Like the guy says, it shows a popup. And it downloads an .exe to your machine.]

It helps iran who are not freinds of the west.

Posted by chris451 to Larry Hosken: New at 05 March, 2010 07:15

chris451, don't fear Caja, but do avoid that web page.

Caja is a good thing. But Caja is a general-purpose thing.

It's kinda like https; https is for "security", but just because you see that you're connecting to a site via http, that doesn't mean that nothing bad will happen to you. https is more secure than http, but you can use https to connect to an unfriendly site and bad stuff will still happen. https just means that other bad guys can't eavesdrop meanwhile.

If a page's author wants to make their page more secure, Caja will help them to do that. Unfortunately, if a page's author wants to make their malware-downloading page more secure, Caja will help them to securely display a fake Windows UI and download malware to your machine. Caja makes it harder for some other hacker to sneak their code onto that page to do other bad stuff to you. But meanwhille, your machine is still downloading malware. Caja's making one aspect of your transaction more secure... but not the part you care about right then.

[Edited to add: It's not clear to me that Caja's actually being used here. I didn't actually confirm that the malware-downloading site was using Caja. And I never figured out where chris451 was looking when he saw that directory listing. If chris451 had posted this report on the Google Caja Discuss google group, maybe the ensuing discussion would have been useful. There are folks there who know more about this stuff than I do.]

Tags: capabilities programming
blog comments powered by Disqus