[1612] in WWW Security List Archive
Re: Java "security holes'
daemon@ATHENA.MIT.EDU (Dana Hudes)
Tue Mar 12 18:43:04 1996
Date: Tue, 12 Mar 1996 15:31:36 -0500 (EST)
From: Dana Hudes <dhudes@panix.com>
To: www-security@ns2.rutgers.edu
In-Reply-To: <199603121821.NAA12604@joplin.bwh.harvard.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Tue, 12 Mar 1996, Adam Shostack wrote:
>
> One of the important functions of a firewall is to allow
> centralization of policy decisions. Thus, if I have a firewall that
> (for example) allows http and forbids telnet out, that is likely a
> policy decision on the part of the organization. If there is a
> telnet in java that allows me to run a telnet connection through the
> http proxy, then my policy has been nullified by user actions.
But this is not what Java does. Maybe I'm confused here but I understood
the question of opening connections to arbirtrary destinations to be
forbidden, which is what I am against. A java app trying to telnet
somewhere is not using http -- although I suppose a malicious app could
open a socket on tcp port 80 to craccker central which is listening with
the cracker_record daemon rather than httpd. More paranoid is to open a
socket to cracker central and use http post to record the stolen
information. That would be hard to detect by a packet-examining firewall.
>
> A good firewall will continue to work at some level even when
> users try to subvert it. As such, there needs to be another level of
> thinking besides user, which is the organization, which sets policies
> ("No Java except as signed by Verisign", or "No Javascript") which are
> then forced on the user.
>
> Otherwise, users will be tricked into running malicious code
> "This really neat Trek app turns your Eudora 'You have new mail'
> screen into United Federation of Planets spalsh graphic! But you need
> to give Java full access to let it run."
>
> The Java applet that does this differs from the downloadable
> program that does this in that the downloadded program isn't expected
> to open IP connections to the outside world, whereas the Java applet
> is.
I like the concept of delgating control to the security/admin authorities
but note that everyone is busily d/l Mosaic, Netscape etc which not only
open arbirtary locations but use all sorts of protocols and even tunnel
through firewalls with SOCKS. How do you know that Mosaic or Netscape
is not attacking, quietly, your network and passing the info on to
cracker.mcom.com?
> | I am definitely concerned over possible malicious uses but a compromise
> | is neccessary between forbidding everything unconditionally and allowing
> | everything unconditionally. This list has been holding forth for the
> | former, but I do not propose the latter.
>
> I'm pushing for multiple levels of control, so that we don't
> make the decision, but the organizations we work for do, based on
> hopefully good advice that matches thier situation.
>
> Adam
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
>
>
