Safe Web Surfing

Who and what

I'm a web geek. I first started surfing the web in '90 or so. I've been running my personal web site since '91. I did development work on two different browsers during this era, one open source, one commercial. I've lost track of the number of web servers I've written, because a low-performance web server is a trivial thing to write. These days I work on multi-tier database-backed web sites on a contract basis, doing everything from standards-compliant portable code to high-tech AJAX sites.

As you might expect, I do a lot of things on the web. I bought a car over the web in 1997. I've been invoicing clients for work via email for nearly two decades. I get invoices from people who contract for me via email. I order things on the web as a matter of course, and generally only buy locally if I need something today, or if it's perishable. Even in the latter case, I'm liable to place the order over the web. I pay bills on the web if the service I'm paying for has an acceptable site.

What I don't do is bank on the web. This page explains why, and may convince you that you don't want to do so either. Hopefully, it'll result in a service appearing that I'll consider acceptable for banking on the web.

Safe computing

Viruses, worms and trojan horses have been plaguing computer users since pretty much the dawn of the home computer and the start of software sharing among amateurs. There may have been a problem with mainframe or minicomputer software as well, but I never saw it. It was established long ago that to be safe, you never run a program from someone you don't know.

The Internet has made things worse by making it very easy to share software. That also makes spreading malware very easy: you can email it back and forth trivially. This leads to the admonition that you never open an attachment that might be executable unless it's from someone you know.

Safe surfing

Surfing the web provides an entirely new way of bringing things to your computer. Most of those things – image files, sound files, hypertext, style sheets – just cause the computer to display things, and are perfectly safe. Some of them – most notably JavaScript and Flash – are programs. So if your browser is configured to automatically download and run these things, every web site you visit is a potential source of programs – one which your browser is going to treat as someone you trust.

Surfing the web with a browser configured to automatically download and execute JavaScript or similar programs violates the rules about never running programs from people you don't trust. It's the computing equivalent of going to an orgy with a bunch of strangers and not using protection. CERT – a purveyor of computer security information and recommendations for decades – has recommendations for avoiding malicious software on the web, which basically amount to disabling JavaScript in your browser.

Some potential dangers

So, what kind of problems can you get into running with JavaScript enabled by default? Well, the CERT recommendations discuss some of the things that can happen, like exposing the passwords used by your bank site, or other sensitive information. However, I want to concentrate on the problems that letting your browser run programs can cause.

According to the CERT recommendations, a malicious script can cause your browser to modify data on another web site. Some of the JavaScript attacks that have already happened include virus propagation via JavaScript in web pages, and JavaScript from the server causing users of a community web site to modify their profiles according to the attacker's wishes. In the worst case, that other web site could be your banking site. In this case, an attacker could cause your browser – which knows the user name and password for your banking site – to transfer money to the attacker's account. Since the request came from your browser running on your computer, and used your user name and password, how willing is the bank going to be to believe that you didn't authorize this transfer?

The problem

Now we come to the reason that I don't bank on the web: every banking web site I've looked at requires that you enable JavaScript. Most don't even tell you what the problem is – they just fail. The designers of these sites know so little about security that their sites don't work for clients that follow the recommendations of the security experts at CERT. This doesn't inspire me to trust their site security. Even if their site is guaranteed secure, what assurances do they offer about failures of your computer's security, especially in light of the security problems they require you to expose your computer to?

Mike W. Meyer
May, 2006