
Disappointing. Nothing but respect for Billy Hoffman, but this talk has very little to do with Javascript and almost everything to do with the browser security model. Being able to use request timing to sniff things out of someone's email spool is an "evil part" of the browser and of the application architecture of Gmail. It's not a facet of Javascript.

The only thing in this talk that seemed uniquely Javascript-y was his explanation of di Paola's Prototype Hijacking attack (where you override the Ajax calls to sniff requests). But this is an issue in virtually every dynamic language; it's not a specific flaw in Javascript.

I want to be careful here, because I've had to give this talk a bunch of times --- the one security talk at a generalist conference, which is always going to devolve into a survey talk. I'm sure his audience loved it. I'm not sniping at Hoffman. But on HN, when you say "Javascript: The Evil Parts", I'm really wanting to see something about the evil parts of Javascript; like, I don't know, maybe automatic semicolon insertion being exploitable.
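The Prototype Hijacking pattern mentioned above (swapping an Ajax prototype method for a wrapper that sees every request) comes down to prototype methods being writable. As an added example, not code from the talk or from anyone in the thread, here is the defensive side: snapshot the methods, lock them before any third-party script runs, and check later whether the live references still match. `XhrLike` and `Unlocked` are constructed stand-ins for XMLHttpRequest so the code runs under Node without a DOM.

```javascript
// Record the current references of the named methods (no change to the prototype).
function snapshot(proto, names) {
  const pristine = {};
  for (const name of names) pristine[name] = proto[name];
  return pristine;
}

// Mitigation: make the methods non-writable and non-configurable so that code
// loaded later cannot swap them for wrappers that read request bodies.
function lockMethods(proto, names) {
  const pristine = snapshot(proto, names);
  for (const name of names) {
    Object.defineProperty(proto, name, {
      value: pristine[name], writable: false, configurable: false, enumerable: false,
    });
  }
  return pristine;
}

// Detection: list methods whose live reference no longer matches the snapshot.
function tamperedMethods(proto, pristine) {
  return Object.keys(pristine).filter((name) => proto[name] !== pristine[name]);
}

// Simulates a later-loaded script assigning over a method. On a locked method the
// assignment is silently ignored (sloppy mode) or throws TypeError (strict mode).
function attemptOverride(proto, name) {
  try {
    proto[name] = function replaced() { return 'replaced'; };
  } catch (e) { /* TypeError under strict mode: expected once locked */ }
  return proto[name];
}

// Unprotected prototype (stand-in class): the assignment succeeds and is detected.
function demoUnlocked() {
  class Unlocked { send(body) { return body; } }
  const pristine = snapshot(Unlocked.prototype, ['send']);
  attemptOverride(Unlocked.prototype, 'send');
  return tamperedMethods(Unlocked.prototype, pristine); // ['send']
}

// Locked prototype (stand-in for XMLHttpRequest): the assignment has no effect.
function demoLocked() {
  class XhrLike {
    open(method, url) { this.method = method; this.url = url; }
    send() { return `${this.method} ${this.url}`; }
  }
  const pristine = lockMethods(XhrLike.prototype, ['open', 'send']);
  attemptOverride(XhrLike.prototype, 'send');
  const xhr = new XhrLike();
  xhr.open('GET', '/mail');
  return { tampered: tamperedMethods(XhrLike.prototype, pristine), reply: xhr.send() };
}
```

The lock only helps if it runs before untrusted code, and the global constructor itself needs the same treatment, since a script that replaces `XMLHttpRequest` wholesale never touches the locked prototype.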



Thomas,

Man, if only there was something negative and bad around semicolon insertion, besides JSLint yelling at you ;-)

I appreciate the props, especially coming from someone of your caliber. The talk was exactly what you said it was, a survey of nasty tricks that people have used. The goal was to review features of JavaScript, the DOM, plug-ins, etc., that seemed like a good idea (getting computed styles, rich error handling around the Image object, window.onerror as a massive TRY...CATCH that can recover syntax errors, runtime modification of code, etc.) and how those have been twisted to create some nasty problems. More importantly, nasty problems that we really cannot patch away. If we know how we created design flaws in the past, hopefully we will not do them in the future.

Billy


I think the whole white-space obfuscation is pretty neat. You could do that elsewhere, but the particular use-cases for JavaScript I guess are more susceptible to this method.



