undefined | Better HN

0 pointsstrongpigeon14d ago0 comments

That’s not entirely true. Security issues in the JIT of V8 are found every now and then. See https://v8.dev/blog/sandbox

0 comments

leptons14d ago

Javascript isn't more insecure than any other language. Any language can have the same or other security issues.

echoangle14d ago

Yeah, but you're not normally going to random websites, downloading an exe and running it. But every website you visit can run JS on your computer (as long as you don't disable JS). So maybe JS should be more secure than any other language.

leptons14d ago

>So maybe JS should be more secure than any other language.

And it probably is. The sandboxing and security have been around a very long time.

If Python were the de-facto browser language, people would also blame it for "security problems", and would be just as paranoid about python running when they visit a website. I know whatever language it would be, people would still be paranoid.

I personally don't see any problem with Javascript. If someone knows how to use it, it can be very simple and powerful.

Before Javascript ever existed, I was wishing that websites had a scripting language. I didn't really care what it was, but Javascript answered my prayers rather nicely. But it wouldn't really matter what the language is, I'd still be coding for the web browser, and other people would be hating it for whatever reasons.

teruakohatu14d ago

> Yeah, but you're not normally going to random websites, downloading an exe and running it.

Most or many of secure mobile operating system zero days are caused by image parsing. There is a threat at least as big, if not bigger, in parsing complex file formats.

Sure gopher or gemini would be more secure, but even without JS the web ecosystem would be venerable.

strongpigeonOP13d ago

Reality is a bit more nuanced that that. Some languages are easier to interpret and optimize than others, leading to less error-prone interpreter/compiler code. JS is definitely on the “harder to optimize” side of the spectrum, leading to very complex code with a higher chance of subtle errors.

V8 does some crazy stuff that makes JS one of the fastest interpreted language there is. But had JS been designed differently (Dart was an attempt at fixing some of those mistakes), it’s likely there would be less security vulnerabilities in its interpreter.

j / k navigate · click thread line to collapse

0 comments

leptons14d ago

Javascript isn't more insecure than any other language. Any language can have the same or other security issues.

echoangle14d ago

leptons14d ago

>So maybe JS should be more secure than any other language.

And it probably is. The sandboxing and security have been around a very long time.

I personally don't see any problem with Javascript. If someone knows how to use it, it can be very simple and powerful.

teruakohatu14d ago

> Yeah, but you're not normally going to random websites, downloading an exe and running it.

Most or many of secure mobile operating system zero days are caused by image parsing. There is a threat at least as big, if not bigger, in parsing complex file formats.

Sure gopher or gemini would be more secure, but even without JS the web ecosystem would be venerable.

strongpigeonOP13d ago

j / k navigate · click thread line to collapse