[1598] in WWW Security List Archive

Re: Java "security holes'

daemon@ATHENA.MIT.EDU (Rich Salz)
Sun Mar 10 03:59:07 1996

From: Rich Salz <rsalz@osf.org>
Date: Sun, 10 Mar 1996 01:32:53 -0500
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

>restriction of utility to the legitimate applets.

The problem is that one can do things with the language, and its
implementation(s), that make it all too easy and all too tempting to write
illegitimate applets.  In the absence of an algorithm for distinguishing
between the two, one must, in the name of safety, close many doors you
might otherwise wish open.

Suppose you download my game and my game knows about the on-line checkbook
that some future Intuit-like applet will create and maintain for you.
Are you certain that the language (and its implementations) will prohibit
my game from creating an empty checkbook with a slightly looser ACL, so
that when you finally do get Java/Checkfree, the next time you play my
game I could write myself an on-line check?
	/r$
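
The pre-created checkbook scenario above, as an added defensive example that is not part of the original message: a store-opening routine that never silently adopts a file planted before its first run. It goes beyond the post by assuming an ordinary POSIX file whose mode bits stand in for the ACL and an OS user id that stands in for the applet's identity; `open_private_store`, `UntrustedStore` and the file names are hypothetical.

```python
import os
import stat
import tempfile

class UntrustedStore(Exception):
    """The store already exists and was not created privately by this user."""

def open_private_store(path):
    """Return (fd, created) for a data file that only its owner may touch."""
    flags = os.O_RDWR | os.O_NOFOLLOW  # a symlink at `path` fails with OSError
    try:
        # O_EXCL: fail instead of adopting a file somebody else put here first.
        fd = os.open(path, flags | os.O_CREAT | os.O_EXCL, 0o600)
        os.fchmod(fd, 0o600)  # do not depend on the process umask
        return fd, True
    except FileExistsError:
        fd = os.open(path, flags)
    st = os.fstat(fd)  # inspect the object we opened, not the name
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != os.getuid():
        problems.append("owned by another user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set")
    if problems:
        os.close(fd)
        raise UntrustedStore(path + ": " + ", ".join(problems))
    return fd, False

def demo():
    """Constructed scenario: a clean first run, a reopen, and a planted file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "checkbook.dat")
        fd, results["created"] = open_private_store(clean)
        os.close(fd)
        fd, created_again = open_private_store(clean)
        os.close(fd)
        results["reopened"] = not created_again
        # Constructed stand-in for the empty checkbook with a looser ACL.
        planted = os.path.join(d, "planted.dat")
        fd = os.open(planted, os.O_CREAT | os.O_WRONLY, 0o600)
        os.fchmod(fd, 0o666)
        os.close(fd)
        try:
            open_private_store(planted)
            results["rejected"] = False
        except UntrustedStore:
            results["rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```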