Re: Java "security holes'

• To: Dana Hudes <dhudes@panix.com>
• Subject: Re: Java "security holes'
• From: Chris Garrigues <cwg@DeepEddy.Com>
• Date: Mon, 11 Mar 1996 20:15:58 -0600 (CST)
• cc: Sarah Green <greens@hsvaic.hv.boeing.com>, greens@cici.com, www-security@ns2.rutgers.edu
• In-Reply-To: <Pine.SUN.3.91.960311122703.21835A-100000@panix.com>

On Mon, 11 Mar 1996, Dana Hudes wrote:

> The restriction of only talking to the original webserver is a nice idea 
> and can be thrown in as default as long as it can be overridden in a 
> configuration.

In the context of the security list on which this discussion is
occuring, how do you propose overriding this default?  

Does the server override the default?  If so, there is no security
gain in having it a default.  

Does the client override the default? If so, how? 

Does the applet prompt the user with "May I please contact
server.foo.com directly?"  

Does the user select an option saying, "go ahead and contact other
servers if you like"?

Prompting the user is (a) annoying, and (b) will probably be
answered "yes" by most users w/o understanding what they're doing.
The configuration option is something that only a fool would select,
and many probably will.

Chris


Chris Garrigues                                    cwg@DeepEddy.Com
  Deep Eddy Internet Consulting                     +1 512 432 4046
  609 Deep Eddy Avenue
  Austin, TX  78703-4513              http://www.DeepEddy.Com/~cwg/

• Re: Java "security holes'
• From: Dana Hudes <dhudes@panix.com>

• Previous: Re: Java "security holes'
• Next: CGI Scripts and Permissions
• Index(es):
  • Index
  • Thread