Javascrypt 210
NTK's weekly list of useful stuff includes a pointer to Javascrypt, a Javascript-based encryption utility. Handy.
This discussion has been archived.
No new comments can be posted.
Javascrypt
Related Links Top of the: day, week, month.
Love may laugh at locksmiths, but he has a profound respect for money bags. -- Sidney Paternoster, "The Folly of the Wise"
The "security blanket" factor (Score:5, Insightful)
Then again, if some sort of certification authority could be set up for Javascrypt-ed pages where the user was somehow assured that their data was equally protected as would be over https, then things would be more preferable. However, the byzantine red-tape behind getting a cert is possibly one of the things this technology would do away with best, and it would be a pity to remove such an obvious advantage.
In any case, it's promising, and I hope it is successful.
___________________
*also I am a poor coder
Re:The "security blanket" factor (Score:5, Interesting)
Re:The "security blanket" factor (Score:5, Interesting)
I seem to recall a quote about armoured cars being used to deliver a package from someone living under a bridge to someone living in a cardboard box.
And can someone explain to me again why some people still persist with giving their credit card numbers over the phone "because its more secure"?
Until the ideas actually sink in at a deep cultural level, we will continue to have all manner of stupid and contradictory actions from people who don't have the time to understand how all of this works. Hopefully it'll happen soon, right?
Jedidiah
Re:The "security blanket" factor (Score:2, Interesting)
I think that is the entire point. Some businesses only put just enough effort into anything to make sure they won't get sued.
Vendors of e-commerce packages come to mind. Their software makes just enough effort so that if anything goes wrong it's going to happen on the end-systems and is therefore be the fault of operator / client / user.
Plausable deniability, etc.
Re:The "security blanket" factor (Score:2, Insightful)
The point is that if you connect with SSL - then the website is not "random". I.e. you can verify that whoever pretends to be amazon.com - is really amazon.com. So you know who you are dealing with - you are not giving your credit card to somebody just pretending to be amazon.com.
Also you made sure that nobody could sniff the credi
Re:The "security blanket" factor (Score:5, Informative)
when people happily send their credit card number to any random website claiming to seel stuff that does an SSL connection, just what is the point?
What's the point? It is useful to encrypt the data in transit, even if you don't know who it's going to -- then at least there's only one party who can steal your card number, instead of a dozen. Beyond that, if you connect via SSL, and your browser doesn't complain about an invalid certificate, you know a couple of things:
So, there *is* value in that little lock on your browser window, even if the security isn't iron-clad. Note that the recent spate of Paypal hoax sites that ask for CC# and PIN do NOT use SSL. Why not? Because it's too hard, and too risky, for them to try to obtain a valid cert.
And can someone explain to me again why some people still persist with giving their credit card numbers over the phone "because its more secure"?;
Because it is! Under most circumstances anyway. Assuming you called them, and you looked up their phone number in some trustworthy place (like the phone book), then the odds that you're giving your credit card number to someone else are pretty small. Basically, the only way your number could be stolen would be if someone were tapping your line*. Not that wiretaps are all that tough to implement, but they're not that common, either, and more importantly they're not very easy to automate.
Compare that to sending your CC# to a web site. How could that be hijacked? Well, to start with, your machine could be trojaned (worms can quicky infect millions of machines), so the simple act of typing your number in compromises it. Next, assuming no SSL, the data will go in the clear over better than a dozen network hops, more often two dozen, before arriving at the destination. The number can be copied anywhere en-route. Thanks to DNS spoofing, router hacks, compromised proxies, etc., that destination may not even be where you think it is.
And computer-based CC# theft is eminently automatable. Packet sniffers can collect and report anything that appears to look like a number. Trojans can quietly search your whole machine looking for numbers. Faked sites can be set up to collect bunches of numbers.
The fact that computer-based CC# theft can be automated means that the rewards are higher, i.e. it's worth the effort. It's also less risky: the scanning tools can send the data to electronic dead drops on hacked machines so that with a little care the attacker is almost completely untraceable (until he tries to *use* the numbers, but that's a separate issue). Contrast that with the effort and risk involved in tapping telephones.
Until the ideas actually sink in at a deep cultural level, we will continue to have all manner of stupid and contradictory actions from people who don't have the time to understand how all of this works.
But don't denigrate useful security measures just because *you* don't understand how they work!
* Note that there is another obvious attack against phone-based CC# delivery: call re-routing. Someone with the ability to re-program the exchanges could get your call sent elsewhere. Again, though, this is labor-intensive and risky, and it requires a high level of access into telco systems, which is not easy to obtain (unlike 20 years ago).
Re:The "security blanket" factor (Score:2)
You missed a very
Re:The "security blanket" factor (Score:2)
Most theft of CC numbers from on-line stores is done by hacking the database where they're stored. Some on-line retailers delete this information, most keep it around as a "convenience" for the customer, some just keep it around for no good reason.
This means that the employee compromise opportunity is even greater with on-line retailers because it lasts longer.
Actually, though, from a cardholder's point of view, all of this is irrelevant. At least in the US, law limits cardholder liability to $50, and
Re:The "security blanket" factor (Score:1)
Mostly because they're clueless. However, an unencrypted HTTP connection is probably less secure than a phone conversation, because it's much easier to sniff.
Re:The "security blanket" factor (Score:5, Informative)
(I do not mean to disparage the Javascrypt work, it's good stuff. But it's more useful to introduce people to encryption then for any practical use.)
The genius of asymmetric encryption is that you can negotiate a secure connection without compromising it; it is not immediately obvious this should be possible and I consider it one of the larger mathematical results of the previous century. Extensions of that work have resulted in the ability to "sign" the keys during exchange. None of this applies to symmetric encryption because you have to agree on a key directly with the sender. (You could in theory still provide a third-party affirmation of the validity of a given key with symmetric encryption but not without giving the third party the key, which is undesirable. With asymmetric encryption the third party can sign a public key without knowing the private key that generated it, so even though Verisign signs your key it does not mean that Verisign can read through the resulting encrypted connection.)
A lot of people seem to be laboring under this misconception. Javascrypt is a neat toy and a valuable educational tool. It is not and can not replace SSL or the SSL layer of the browser. If someone wants to implement a version of SSL it may be sort of possible, but since you don't get raw socket support it's going to be a non-compatible kludge, barring some extremely clever and probably not at all cross-platform hack.
Re:The "security blanket" factor (Score:2, Insightful)
That gives you security real cheap. I know something like GPG is free and assymetrical and all that, but it's not necessarily cheap in that you have to set it up at every point and educate all the users. This scheme doesn't even make you send an encrypted key to the person beforehand, whi
Re:The "security blanket" factor (Score:2)
Actually they can, and have; if you've got good physical security it's more secure then key exchange protocols (one more step that can't be broken), and it's not as inconvenient as one-time-pads, which as Schneier points out, is generally useless as it requires a secure sending of enough bits to send the entire message; why not send the message that way in the f
y^x(mod p) (Score:2)
which means that if you're going to send the data to some server using Javascrypt, at some point you need to communicate the key.
*/snip*
diffie hellman? i think you will need to exchange a key at some point even with ssl. you still have the problem with a man in the middle attack. but if you control both ends and are just trying to stop people from listening in you don't need a cert. or a third party. Just a thought.
Re:y^x(mod p) (Score:2, Insightful)
In SSL, the client verifies the site by means of a certificate that the site provides; this cert has nothing to do with Diffie-Hellman. The site could use SSL to verify the client identity, but this option isn't used
Re:The "security blanket" factor (Score:2)
neat piece of work (Score:2)
No GPG? (Score:5, Interesting)
For example, I'd like to be able to put up a page on my web site containing a Java applet with my embedded public key.
That way I could finally remove my grandmother's AOL account from the exception list, the last obstacle standing between me and my "all incoming mail must be either signed by somebody I trust or encrypted with my public key" procmail rule.
Requiring the sender to use their own CPU cycles to encrypt messages is a classic variation on the "micropayments" approach to reducing spam volumes...
Re:No GPG? (Score:5, Informative)
RSA Crypto-J [rsasecurity.com]
BouncyCastle [bouncycastle.org]
Cryptix [cryptix.org]
Flexiprovider [flexiprovider.de]
There's a bunch more too - just google for them.
Some of these are free, some are Free and some are neither. Personally, I've written banking software using the RSA libs (I tried to get use BouncyCastle but management didn't like the name!).
Re:No GPG? (Score:2)
We use bouncy castle. We just didn't tell the management. Really easy. :-). Works pretty well, too.
Re:No GPG? (Score:1, Informative)
Implement RSA in java (Score:4, Informative)
import java.util.*;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
import javax.crypto.*;
import javax.crypto.interfaces.*;
import javax.crypto.spec.*;
import java.math.*;
....
public static byte[] encrypt(byte[] enKey, byte[] data) throws Exception{
byte unsigned_data[] = new byte[data.length+1];
unsigned_data[0] = 0x7f;
for(int i = 0; i < data.length; i++){
unsigned_data[i+1] = data[i];
}
KeyFactory kf = KeyFactory.getInstance("RSA");
RSAPublicKey k = (RSAPublicKey)kf.generatePublic(new X509EncodedKeySpec(enKey));
BigInteger T = new BigInteger(unsigned_data);
return T.modPow(k.getPublicExponent(), k.getModulus()).toByteArray();
}
//your welcome
Re:Implement RSA in java (Score:2, Funny)
What about "my" welcome? If you leave my welcome alone, I'll leave your welcome alone.
Re:No GPG? (Score:2)
Which all sounds quite nice until you realize that it's a price that drops by 50% every 18 months or so. If everybody on the face of the earth started doing the same thing tomorrow, it'd take at most a few months before the spammers got the presses warmed back up.
Sorry, but we aren't going to DDOS the spammers. We need a system for holding them accountable
Re:No GPG? (Score:2)
I can't be bothered to look up the source, but I read somewhere that someone is working on a memory-bound solution, rather than CPU-bound. Since memory access speeds do not accelerate at the same rate as processor clock speeds, this should work better
Javascript insecurity (Score:3, Interesting)
Re:Javascript insecurity (Score:3, Insightful)
Re:Javascript insecurity (Score:2)
You mean the implementation, not the language.
Re:Javascript insecurity (Score:2)
In an effort to win the browser wars by adding functionality, Microsoft dug their own security grave by adding a File System Object to their scripting engines - without it, many browser-based exploits won't work.
Goes to show that your bad design decisions will always catch up with you and that adding security as an afterthought never works.
useful (Score:5, Interesting)
I considered it a hack, but it's what the client wanted, and who am I, the developer, to question the client's motives? Cheap bastard, didn't want to pay for an SSL cert. Just hope no one passes the hash.
Re:useful (Score:3, Interesting)
I don't see why this is a problem for *hiding passwords*, but the hash can be intercepted and replay attacks can be done. What you should do would be to have the client request a single-use time-limited challenge nonce from the server and hash the password together with it, and compare with the original.
Re:useful (Score:2)
I remember his words were "well, it's secure enough for our purposes". So rather than argue, I simply went ahead and wrote it. C'est la vie.
Re:useful (Score:2)
Ah, I remember the fun trying to use tcl to create a program that can download and convert emails from the Yahoo web mailbox, the project is still in my ever-full "Pending" list, unfortunately.
Re:useful (Score:2, Informative)
http://yahoopops.sourceforge.net/ [sourceforge.net]
Re:useful (Score:2)
take a hash of the password (Ph1) as the passtoken.
now, on the client, hash the password -> Ph1
do Md5sum(Ph1 XOR SessionID) and send this. Compare on server, where you have the same two pieces of information. Now a replay attack wont work as often (only with the right session id, which is a very slim chance.
The MD5 in the last step is not a hash of a hash, which would yield no improvement. By introducing the SessionID you introduce new info. With the hash, you distribute this info even
Re:useful (Score:1, Insightful)
People use encryption when sending passwords, so others can't intercept the passwords and use them. Now you're sending hashes over the network. Others can just intercept the hashes and use them. The attackers won't know what the original passwords were, but what do they care? They can still log in to those accounts.
Re:useful (Score:1)
While I agree with you that it's not the best security in the world it's not completely useless to send the password hash over the network.
In the overall scheme of things, the risk of someone intercepting traffic is minimal compared to the risk of someone grabbing the entire password database. The real point of using the password hash is to keep the cleartext password out of a database.
Let's face it. It's a lot less time consuming to just grab an entire database than it is to intercept all the traffic (ev
Re:useful (Score:1)
Re:useful (Score:1)
use a salt (Score:5, Informative)
You could also do hash(salt + hash(password)), that way you don't need to keep the password in the DB.
Re:use a salt (Score:2)
Yes, but then the attacker too doesn't need password, only hash(password).
Yes, well (Score:2)
Javascript not just for Clients (Score:4, Interesting)
The remote office didn't know much programing so I wrote a RC4 and base64 implementation in Javascript for them to implement server side.
Nice approach (Score:4, Interesting)
I'm also glad to see folks doing more with the capabilities within a browser. The folks that are taking this the furthest that I've seen are the folks at Technical Pursuit [technicalpursuit.com].
Password generation Javascript bookmarklet (Score:5, Interesting)
This means you only have to remember one master password, and each site you register for gets its own unique password - instead of using the same throwaway password all over so you've given your whole online identity to each site's admins...
I've been meaning to find a crypto guy to ask if I could just use CRC32 to hash the input string, since MD5 is too much Javascript to bookmark in IE. I know it's not a secure way to checksum a file, but given a CRC32 hash and part of the input, can you recover the other part? Anybody?
Re:Password generation Javascript bookmarklet (Score:4, Informative)
First off, the master password thing makes me nervous. If your master password is compromised, then all your previous passwords are compromised. I think that there are ways to mitigate this risk, by using salts. I'm not sure about this, but it's my gut feel.
Second, to your question. You probably do not want to use CRC32 to hash the input. When you take MD5(masterpw + siteurl) = sitepw, you're relying on the fact that if someone gets your sitepw, they still won't be able to recover the masterpw even if they know the url.
It's a little late, and despite my nick, I'm a bit rusty on the mathematical details at the moment. My inclination is that CRC32 isn't a good idea for absolute security. Reply if you want to chat about this off-thread, and I'll get in touch.
CRC32 (Score:3, Informative)
Maybe, you may find this tutorial useful: CRC and how to Reverse it [woodmann.com].
Re:CRC32 (Score:2)
shortest comment for shortest story (Score:1, Troll)
Oh god no... (Score:2, Funny)
Am I the only one... (Score:5, Funny)
"Java's Crypt"
Java dead already? Odd...
I thought, geez the Slashdot Trolls really *have* taken over...
Not new... (Score:5, Informative)
Despite the whole client-side-encryption advantage, I dislike how much easier it would be to perform a man-in-the-middle, or a number of other exploits. I will admit, however, that I am quite concerned with the prospect of honeypot SSL sites, designed to steal info, but I think the former is more likely. So, for now, I am sticking with SSL. Maybe in conjunction with SSL, this would make an ideal solution. Of course, SSH would be even better...
Re:Not new... (Score:2)
Re:Not new... (Score:2)
OpenSSH uses SSL, yes, but only for it's ciphers really. SSH does MUCH MUCH more than SSL does.
Oblig: Java != JavaScript (Score:5, Informative)
I'm already seeing people mix the two up in this thread, let's set this down straight:
JavaScript/ECMAScript: Untyped yucky scripting language developed by Netscape (IIRC) and built into browsers so you can have image rollovers.
-- has nothing whatsoever to do with --
Java: OO, multi-threaded, multi-platform language used occasionally on websites as applets, but much more frequently on the back end for app servers and the like.
This has been a public information posting.
Re:Oblig: Java != JavaScript (Score:5, Informative)
It's just weakly typed.
JavaScript RULEZ!!1! (Score:3, Insightful)
Re:JavaScript RULEZ!!1! (Score:2, Interesting)
For example, say in a form you want to validate a field as soon as the person enters it (i.e. they type a bad value and it returns focus to the field). Sounds simple right? Just trap the onblur event, test the field, and call focus() if it fails.
Not so... most browsers will ignore focus called from within onblur (because the "blu
Re:JavaScript RULEZ!!1! (Score:2)
Re:JavaScript RULEZ!!1! (Score:1)
DOM != JavaScript (Score:2)
Re:JavaScript RULEZ!!1! (Score:3, Informative)
JavaScript is pretty elegant... if you want a more "full-fledged" language that has similar elegance, even more simplicity/grace, and more libraries, try ruby [ruby-lang.org]. Don't let a few surface features or initial impressions fool you into thinking it's anything like Perl (or Python). It would probably make a good beginner language; it certainly makes a great "advanced" language. ;-)
Beginners Need Good Syntax (Score:2)
One of the nice things about JavaScript is that every computer already has an interpreter. (Although not all have a debugger. :( Also, Ruby doesn't have a large enough user base to have ubiquitous document
This isn't secure (Score:3, Insightful)
The server must hash the password itself or it isn't secure. Or the hash value must be protected as much as the password.
What, No RSA/ElGamal? :-) (Score:1)
Symmetric encryption in java script has been around for a long time. What the world needs(tm) is a good implementation of RSA/ElGamal asym crypto in javascript that doesn't make your computer seem like it took a hit of dank before running through primality tests and arbitrary size integer mods and pows.
Because of the nature of that problem, I don't forsee this really coming to fruition, so if you need asym, you'll be resigned to client side Java or nati
Similar techniques are in use already (Score:5, Interesting)
It's definitely an interesting approach especially of a site that size, when you look at how much server CPU usage a full SSL login connection would take. And in the event that someone compromises a secure server, your password wouldn't be available to the attacker, only the hash.
Plus, JS is free to implement (unlike a SSL cert) so hopefully if this technique catches on, more mom-n-pop sites will wind up using it instead of a totally unencrypted login connection.
Re:Similar techniques are in use already (Score:3, Interesting)
If you look at the code on the site, they have a 'challenge' value that is appended to the hash of the password, so to calculate the challenge response you need both the 'challenge value' (a.k.a. a nonce) and your password. The server needs the same thing. I think that this same technique is used in APOP.
The only way
Nope (Score:2)
Also, key distribution is not a problem with public key systems.
Re:Nope (Score:1, Interesting)
Sure it is. I am your bank. This is your bank's public key. Now encrypt your wire transfer details and deposit some of that sweet green wampum, baby!
It's so much of a problem that Certificate Authorities can exploit their positions to turn doing practically nothing into a goldmine, and even then they screw up sometimes and get social-engineered into issuing key pairs to people who are not the convicted monopolists they claim to be.
Re:Similar techniques are in use already (Score:2)
I suppose it depends on how the backend works. I imagine Yahoo for instance have a heckload of servers; perhaps if they have dedicated authentication servers that do all the hashing and authentication, a compromised web server still wouldn't allow password retrieval if it was just a pass-through of the hash.
I know what you mean though, the password must be stored
Re:Similar techniques are in use already (Score:1)
Incidentally, this one is pretty widespread (! [slashdot.org]), available from here [pajhome.org.uk]. Walker uses another one by Henri Torgemane (no home page that I could find).
Re:Similar techniques are in use already (Score:2, Informative)
In the meanwhile, my original page has been mirrored at this page [geocities.com] by a kind soul.
The pajhome source code is arguably prettier than mine, and should almost always be used, rather than mine.
To my defense, mine was developed and works under netscape 2.0, which probably makes it the first md5 implementation in javascript ever.
I have a nagging feeling pajhome's version requires at least NS3/IE3, although I haven't checked that.
At the time, after I bench
Why this is useful (Score:3, Interesting)
I can't imagine people really trust PGP anymore. No longer open source, no longer affiliated with Phil Zimmerman... and his statement when he left was scary.
For those who don't know, Phil stated when he left that every PGP product released while he was there contained no hidden back doors. Knowing that companies like PGP were being pressured, it makes me think the creative differences were them wanting to build something in that he thought shouldn't be in.
Anti-PGP FUD (Score:2)
PGP is not "open source", but like Solaris, source code is published, anybody can download full source at no charge.
Phil Zimmermann is on the "Technical Advisory Board [pgp.com]", along with Bruce Scheier and others.
What statement are you referring to?
Slightly OT, but for hiding mailto links (Score:3, Informative)
Excellent! (Score:2)
Re:Slightly OT, but for hiding mailto links (Score:2)
Re:Slightly OT, but for hiding mailto links (Score:2)
So put the email address in the alt attribute. Oh, hang on...
shouldn't this be called ECMASCrypt? (Score:5, Insightful)
RE: PGP (Score:1)
Speaking words of wisdom, "PGP, PGP."
If you're so afraid that the post PKZ NAI PGP is tainted, don't use it.
PGP 6 and PGP 5 seem to run just fine on my PowerMac 5500/225 under OS 8.6.
I'm currently using PGP 7 Pro.
If I'm not mistaken, PKZ is now at PGP, Inc and seems happy enough with their implimentation of PGP.
Cool, but it needs a net connection (Score:2, Interesting)
Boring I know, but at least it can create self-decrypting HTML files where the ciphertext and decryption code is all self-contained. With such output, any* JS-enabled browser can decrypt the file without a net connection. Here's a sample [speakeasy.org] (use password "test" and 1 loop). This idea can be modified to fit almost any encryption scheme; RC4 just seemed like a good mix of security and extreme ease of im
Encryption, only for protecting privacy? (Score:2, Insightful)
Statements like this from developers of a 'high-security data encryption solution' make me worried.
And assertions that transparency will make software secure always presume that someone with the 'required expertise to pass judgment' will actually do so.
I thought MD5 was cracked?
Quality of AES (Score:1, Troll)
A useful fact the detractors haven't mentioned is that in light of the recent 'academic break' paper published by Courtois and Pierpzyk, AES and several other ciphers should be no longer considered suitable for those with a high level of paranoia.
Useful teaching tool (Score:5, Interesting)
Simple script security (Score:3, Informative)
Similar thing for Flash ActionScript (Score:3, Interesting)
John Walker? (Score:2)
Seriously, good stuff. Perhaps somebody will come up with an open, secure way like this to replace that behemoth Entrust TruePass (which only runs in browsers that are 3 or 4 releases behind in their Java support - MS JVM but no Java Plugin!).
not handy.. (Score:2)
I work for a company that uses javascript to do a few things for their web based apps, and it doesn't even work correctly for the few things it needs to do between browser revisions. Supporting the customers often involves having them upgrade or downgrade their browsers.
Re:Nice, but dangerous. (Score:5, Insightful)
There is no risk of data going outwards though unless the js has been modified.
My Foil Hat (Score:1, Flamebait)
Considering that I wear a foil hat, so don't be mad, ok? I still think it's not a good idea. I just don't trust Javascript.
At first glance, it looks dangerous. However, after considering what you've said, it appears that it all does run offline locally. The form doesn't clickthrough to his server. It has an onclick value that triggers the javascript. Cool.
I would still prefer to encrypt every
Re:My Foil Hat (Score:2)
Not really needed if you're over SSL & HTTPS, just if you want to keep ISP eyes away from your stuff. A discussion site doesn't really need to worry about that.
so like:
$this = md5($pass);
mailpass($pass);
userpass($this);
Then when the u
Uh (Score:2)
Actually, I call it "Encryption in a Website". What do "transactions" have to do with it? You're obviously not talking about Database Transactions, or the general meaning of the word.
Re:Nice, but dangerous. (Score:3, Insightful)
Re:Nice, but dangerous. (Score:1)
Re:Nice, but dangerous. (Score:5, Insightful)
NO! The data never leaves your browser. Therefore, nobody on the net can see it under any circumstances. Also, unless there is a trojan piece of javascript code that submits it to his site (a potential problem with a program in any languge) he can't possibly see it either.
Re:Nice, but dangerous. (Score:2)
Well, as mentioned on the site, that's not necessarily 100% guaranteed. You could, for example, have another page open running an active-x plug in able to sniff the content of the local page. In fact, it might not even take that much since cross site security problems have been frequent among browser bugs.
Re:Nice, but dangerous. (Score:2)
Maybe *THIS* site is safe, for now, but how long before others do up a joke site that uses the js here but pumps your data to a bac
ECMAScript runs on the localhost (Score:4, Insightful)
In other words, you don't really understand what's going on. Although it would be a good idea to to check the page source to make sure that it dosn't upload your data...
Re:Hmmm (Score:5, Insightful)
The problem is knowing when you're dealing with legitimate Javascrypt encryption, and when it may be some malicious code instead (see my post above regarding certification).
Also there's still no way of ensuring that your data, once received on the server-side, will be used properly. That will, as always, come down to an issue of trust between you and the vendor.
Re:Hmmm (Score:1)
How is my original post offtopic though, people of the slashdot?
I said it's neat, but I don't see a large market for it, and that its implementation seems to have security problems itself.
People these days.
Clif
Re:Please ! (Score:2)
I can see using this to encode passwords or the like, that way if the browser does not support encrypted form data you could do it yourself.
Then you can tell people that if the enable JavaScript on your domain they'll have enhanced security.