Re: Java "security holes'

• To: www-security@ns2.rutgers.edu
• Subject: Re: Java "security holes'
• From: dpkemp@missi.ncsc.mil (David P. Kemp)
• Date: Wed, 13 Mar 1996 13:06:37 -0500

> From: Dana Hudes <dhudes@panix.com>
> 
>    ...    Maybe I'm confused here but I understood 
> the question of opening connections to arbirtrary destinations to be 
> forbidden, which is what I am against.

Pick up a copy of Cheswick & Bellovin sometime.  It describes a firewall
(which is more than a box and some software, BTW - it also includes
policy and administration) as a "crunchy shell around a soft and
chewy center".  Then consider just how soft and chewy your own site
is.  Do you run X?  NFS?  Do you mind if j.random.applet connects to
your own machine and does keystroke monitoring, passing the results
back to the host from whence it came?  Do you mind if it makes NFS
requests on your behalf, perhaps only reading whatever you have
permission to read, or perhaps writing?

If you don't mind the above, then feel free to disable Netscape's
applet security on your machines - the patch is simple (only 2 bytes),
and was posted by Godmar Beck (sp?) to the Java mail list some time ago.

>    How do you know that Mosaic or Netscape 
> is not attacking, quietly, your network and passing the info on to 
> cracker.mcom.com?

You don't.  But NCSA and Netscape have reputations to uphold.  Microsoft
took some heat for allegedly having its software scan user's disks
and emailing the results back home.  If Netscape were caught doing
something similar, they might be embarrassed.  Do you believe that
each and every java-enabled site on the Internet has a similar
interest in protecting it's own reputation?
(Hint: it only takes one.)


#include <std.disclaimer>

• Re: Java "security holes'
• From: Gene Ingram <gene@hpfsvr01.cup.hp.com>

• Previous: Re: Re[2]: Java "security holes'
• Next: Re: CGI Scripts and Permissions
• Index(es):
  • Index
  • Thread