[2796] in WWW Security List Archive
Re: A problem with Navigator's cache -Reply
daemon@ATHENA.MIT.EDU (hallam@ai.mit.edu)
Sun Aug 25 20:44:17 1996
From: hallam@ai.mit.edu
To: jsw@netscape.com, www-security@ns2.rutgers.edu
Cc: hallam@ai.mit.edu
Date: Sun, 25 Aug 96 19:27:07 -0400
Errors-To: owner-www-security@ns2.rutgers.edu

> Since Marc and Kipp have not been involved in our security
>efforts for at least a year and a half (since I arrived here),
>I don't understand why your experiences with them so long ago
>are relevant to our current security efforts.

Last I heard Marc was your Senior VP in charge of Technology.

When I raised the point about wanting to turn off Java and
Javascript someone at Netscape made a very pointed reply about
the user being able to do this but never responded to my point
that as security officer it is my decision.

Another problem on the horizon is that we do not currently have
a security solution that interacts with firewalls. As one
manager put it to me "SSL will not go through our firewall
period.". Basically an opaque encryption protocol conflicts
with the primary role of a firewall - restricting outgoing
bandwidth.

Mind you I don't think that implementing S-HTTP is much fun
either :-(

>You can also change the User-Agent field
>to indicate that this is your locked version.

Ah, that's fair enough.

It would be nice if this was incorporated into some sort of
client capabilities field so that servers generally were aware
of which features were available. Dave Raggett has been trying
to get a proposal of this sort implemented for a very long time
but with little support.

One of the features that worries me about Java generally is that
there does not seem to have been much thought about how to upgrade
the virtual machine. This is of particular concern to language
designers like myself for whom the Java VM is inadequate to
implement language models with richer inheritance features.

Although I have never believed that the mobile code concept that
Java initially took wing on was ready for prime time, I like
many others was willing to give Java a nudge in the hope that
it could kill C++ which seemed like it was about to take over
the world, even though nobody actually liked it. Now that C++
is competing against Java on its merits I think Java is the
clear leader, if I was to teach a programming course for
non-specialists it would be my first choice as a teaching language
since it is the first language with clean semantics that has
succeeded commercially.

This brings a problem for the Java VM, the Redmond club having
built their way into OLE, COM, DCOM etc have heavily invested
into a multiple inheritance model that Java VM does not support.
Given that Java represents the best chance to clean up the resulting
mess and produce a programming environment for Windows that is
usable the commercial and technical pressures are likely to force
certain extensions on the VM.

Tagging which VM a browser supports would seem to me to be a
good start.

Phill