Hello Murray
ML> I would avoid homesteading in Central Park if I were you; too many
ML> outlaws in there at night :-).
Yeah, but the realtor told me that if I stayed in my Java
sandbox, that the world would be a safer and kinder place
and no harm could come to me and mine. 8-).
ML> "Java applications, including Java-enabled Web
ML> browsers are allowed to customize two of the fundamental
ML> portions of the security model to suit their needs (the
ML> Class Loader and the Security Manager)... In the end, a
ML> great deal of faith is placed in the ability of a
ML> Java-enabled Web browser to ensure that applets remain
ML> properly constrained. Bugs in the system will compromise
ML> the entire security model."
I never realized how much the browser has to play in the
security picture.
ML> The book also mentions a "Hostile Applet Home
ML> Page" (URL not given) which is purported to describe
ML> newly-discovered holes in the Java Security model. The
ML> book does give a web site for updates to its own findings:
ML> http://www.rstcorp.com/java-security.html
I cruised over to the website you mentioned and read
the "Understanding the keys to Java security--the sandbox
and authentication" article, by the same authors of the book
that you are quoting from. Instead of making me quake with
fear, that article gives me a warm fuzzy feeling. The
article was written about four months after their book and
it seems that most of your concerns have been addressed by
JavaSoft, MS, IBM and Netscape etc. What makes me soooo warm
is that there are people and organizations (including
JavaSoft) out there who are busting their butts finding,
exposing and repairing these security holes.
ML> AFAIAC, linking to a web site of unknown origin with a
ML> Java-enabled browser is equivalent to deliberately looking
ML> for viruses to download.
I put more faith in having a "rogue" Java applet being
stopped dead in its tracks than a virus checker finding
the latest virus that is embedded in an application. At
least JavaSoft has a chance at making applets secure but
the application programmer cannot make his application secure.
I think your concerns might be outdated by now. On the
other hand I concede that I have to do some more research
into this. Anyway thanks for the references.
TTFN Bill
X KWQ/2 1.2i X .. Friends don't let friends use Windows.
--- Maximus/2 2.02
---------------
* Origin: OS/2 Shareware BBS, telnet://bbs.os2bbs.com (1:109/347)