
Re: Java "security holes"



Dana Hudes wrote:

| I realize the potential security holes involved but malicious
| use is succeeding when we can no longer accomplish legitimate use.
| 
| It is perfectly reasonable to warn that connection to third party is 
| being requested and ask for explicit approval, just as Netscape does when 
| the public key certificate is funky in some way (I have this all the time 
| with PAWWS, pawws.secapl.com, displaying my portfolio and proceeding to 
| request current price quotes from quotes.secapl.com; the certificate is 
| not intended for quotes, only pawws).
| 
| This allows the user to be warned of your proxy attack and still be able 
| to use the Net in a flexible manner for legitimate purposes.

	One of the important functions of a firewall is to allow
centralization of policy decisions.  Thus, if I have a firewall that
(for example) allows http and forbids telnet out, that is likely a
policy decision on the part of the organization.  If there is a
telnet in java that allows me to run a telnet connection through the
http proxy, then my policy has been nullified by user actions.

	A good firewall will continue to work at some level even when
users try to subvert it.  As such, there needs to be another level of
thinking besides user, which is the organization, which sets policies
("No Java except as signed by Verisign", or "No Javascript") which are
then forced on the user.

	Otherwise, users will be tricked into running malicious code
"This really neat Trek app turns your Eudora 'You have new mail'
screen into United Federation of Planets splash graphic!  But you need
to give Java full access to let it run."

	The Java applet that does this differs from the downloadable
program that does this in that the downloaded program isn't expected
to open IP connections to the outside world, whereas the Java applet
is.

| I am definitely concerned over possible malicious uses but a compromise 
| is necessary between forbidding everything unconditionally and allowing 
| everything unconditionally. This list has been holding forth for the 
| former, but I do not propose the latter.

	I'm pushing for multiple levels of control, so that we don't
make the decision, but the organizations we work for do, based on
hopefully good advice that matches their situation.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
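As an added illustration of the centralized policy Adam argues for (example code, not from the thread or any product): a minimal egress policy check for an HTTP proxy that lets ordinary web requests through but refuses to forward to the telnet port, whether a client asks for it with a GET to port 23 or with a CONNECT tunnel. The allowed port sets and the sample request lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Organization-wide egress policy, enforced once at the proxy rather than on each
# workstation: web out is allowed, telnet and raw tunnels are not, whatever an applet asks.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_URL_PORTS = {80, 443, 8080}   # ports a GET/POST may be forwarded to
ALLOWED_CONNECT_PORTS = {443}         # CONNECT tunnels only for TLS
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def evaluate_request(line):
    """Return (verdict, reason) for one proxy request line; anything unrecognised is denied."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return "deny", "malformed request line"
    method, target = m.groups()
    if method == "CONNECT":                      # tunnel: only the TLS port
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit() or int(port) not in ALLOWED_CONNECT_PORTS:
            return "deny", "tunnel to %r not permitted by policy" % target
        return "allow", "tunnel to %s:%s" % (host, port)
    parts = urlsplit(target)                     # proxied GET/POST: absolute URL
    if parts.scheme not in ALLOWED_SCHEMES:
        return "deny", "scheme %r not permitted by policy" % parts.scheme
    try:
        port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    except ValueError:
        return "deny", "unparseable port in %r" % target
    if port not in ALLOWED_URL_PORTS:
        return "deny", "%s to %s:%d not permitted by policy" % (method, parts.hostname, port)
    return "allow", "%s to %s:%d" % (method, parts.hostname, port)

def denied_requests(lines):
    """Audit a batch of request lines and return those the policy rejects, with reasons."""
    out = []
    for line in lines:
        verdict, reason = evaluate_request(line)
        if verdict == "deny":
            out.append((line, reason))
    return out

# Constructed sample request lines (not from any real proxy log).
SAMPLE = [
    "GET http://www.example.com/index.html HTTP/1.0",
    "CONNECT secure.example.com:443 HTTP/1.0",
    "GET http://shell.example.net:23/ HTTP/1.0",   # telnet port via plain GET
    "CONNECT shell.example.net:23 HTTP/1.0",        # telnet port via tunnel
    "GET telnet://shell.example.net/ HTTP/1.0",     # non-web scheme
]
```

Running `denied_requests(SAMPLE)` rejects the last three lines with a reason each, while the two ordinary web requests pass; the user's workstation never gets a say in that decision.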

