[2835] in WWW Security List Archive


Re: Applet security (was Re: ActiveX security hole reported).

daemon@ATHENA.MIT.EDU (Chris Newton)
Thu Aug 29 01:39:49 1996

Date: Wed, 28 Aug 96 20:34:38 PDT
From: chris@sandpiper.com (Chris Newton)
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


> From: Michael Burati <burati@apollo.hp.com>

> The above is too binary for me (either I trust everything that's signed or
> not).  What I really want is authorization based on who signed the applet
> or by anything signed by a particular CA.  Any unsigned applet should be
> relegated to working within the limited sandbox given to it by the browser.

</lurk>

I've been sporadically following this whole discussion (both here and on other
lists) concerning the relative merits of the sandbox approach of java compared
to the e-sig approach of ActiveX, and have a couple of questions/comments.

One of the recurring arguments against the e-sig approach seems to have been 
that if I allow a signature in, and a malicious applet has that signature, then
I am compromised. 

Surely with the explosion of web take-up by companies around the world, the
numbers of people hoping to publish is going to continue growing at a
staggering rate. Do I need to know who out there I can trust? Or rather, who
I cannot trust?

And is a site going to be added to some sort of international black-list because
of one bad applet (where 'bad' could be malicious or accidental)?

Something tells me that this whole approach is going to get mighty unwieldy
pretty quickly. As someone pointed out a week or so ago, we may end up with a
situation where the only trusted suppliers are a few major players.

This seems intolerably sad to me - the web was supposed to be a great 
opportunity for everyone to be able to share their ideas by publishing them
to the world. If page context is going to become applet-based, then those
ideas are going to be strangled at birth since no-one will trust them to let
them in to be seen.

What will result, perhaps, is a web where 'interesting' content is only 
generated by a handful of players, and everyone else is forced to use the old
style publishing tricks of just text and flat images, otherwise they won't
get to display on peoples screens.

In the ideal world, the sandbox seems like a better solution, in that everyone
can produce what they want and no-one would be in danger from crackers since
nothing malicious could escape it. Of course, this isn't an ideal world, but it
does seem like this would be the better approach as far as the man-on-the-web
is concerned.

<lurk>

chris newton

(all views/opinions etc. are my own, and may bear no resemblance to any views or
opinions of my employer)
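The authorization model Michael Burati asks for in the quoted text (grant by signer, grant by issuing CA, everything unsigned stays in the sandbox), together with the failure mode Chris raises (a malicious applet carrying a trusted signature is let in), as an added example that is not part of the original post or of any browser's actual code. It assumes that cryptographic signature verification has already been done upstream and is represented by the `signature_valid` field; the signer names, CA name and privilege levels are constructed for illustration.

```python
"""Signed-code authorization policy: who signed decides what runs outside the sandbox.

Constructed example. Signature verification is assumed to have happened
already (signature_valid); this module only decides what a verified signer
is allowed to do. Note that the policy never looks at the applet's behaviour.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Set


class Privilege(IntEnum):
    SANDBOX = 0   # browser-enforced restrictions only (unsigned/untrusted code)
    LOCAL_IO = 1  # hypothetical middle tier: may touch a scratch directory
    FULL = 2      # unrestricted native access, as a signed ActiveX control gets


@dataclass(frozen=True)
class Applet:
    name: str
    signer: Optional[str]      # subject of the signing certificate; None if unsigned
    issuer: Optional[str]      # CA that issued the signer's certificate
    signature_valid: bool      # outcome of verification, assumed done upstream
    malicious: bool            # hypothetical ground truth; invisible to the policy


@dataclass
class TrustStore:
    signer_grants: Dict[str, Privilege] = field(default_factory=dict)  # per-signer
    ca_grants: Dict[str, Privilege] = field(default_factory=dict)      # per-CA
    blacklist: Set[str] = field(default_factory=set)                   # signers or CAs


def authorize(applet: Applet, store: TrustStore) -> Privilege:
    """Map a (possibly) signed applet to the privilege level it may run with."""
    # Unsigned or unverifiable code never leaves the sandbox.
    if applet.signer is None or not applet.signature_valid:
        return Privilege.SANDBOX
    # A blacklisted signer or CA is treated exactly like unsigned code.
    if applet.signer in store.blacklist or applet.issuer in store.blacklist:
        return Privilege.SANDBOX
    # Explicit per-signer grant wins; otherwise fall back to a per-CA grant.
    if applet.signer in store.signer_grants:
        return store.signer_grants[applet.signer]
    if applet.issuer in store.ca_grants:
        return store.ca_grants[applet.issuer]
    # Signed by someone we have no opinion about: still just the sandbox.
    return Privilege.SANDBOX


def example_store() -> TrustStore:
    """Constructed trust configuration (names are hypothetical)."""
    return TrustStore(
        signer_grants={"Acme Corp": Privilege.FULL},
        ca_grants={"Example CA": Privilege.LOCAL_IO},
    )


def run_scenarios() -> Dict[str, Privilege]:
    """Evaluate the cases discussed in the thread and return the decisions."""
    store = example_store()
    unsigned = Applet("hobbyist-demo", None, None, False, malicious=False)
    acme_good = Applet("acme-viewer", "Acme Corp", "Example CA", True, malicious=False)
    acme_bad = Applet("acme-trojan", "Acme Corp", "Example CA", True, malicious=True)
    small_site = Applet("bobs-page", "Bob's Homepage", "Example CA", True, malicious=False)
    forged = Applet("fake-acme", "Acme Corp", "Example CA", False, malicious=True)

    results = {
        "unsigned": authorize(unsigned, store),
        "trusted signer": authorize(acme_good, store),
        # Chris's objection: the signature says who, not whether it is safe.
        "trusted signer, malicious": authorize(acme_bad, store),
        "unknown signer under trusted CA": authorize(small_site, store),
        "trusted signer, bad signature": authorize(forged, store),
    }
    # One bad applet gets the signer black-listed, and all their content goes
    # back to the sandbox, the "unwieldy" outcome the post worries about.
    store.blacklist.add("Acme Corp")
    results["trusted signer after blacklisting"] = authorize(acme_good, store)
    return results


if __name__ == "__main__":
    for case, decision in run_scenarios().items():
        print(f"{case:35s} -> {decision.name}")
```

The `malicious` field is deliberately never read by `authorize`: a code-signing policy can only decide on identity, which is exactly why a single trusted signer's mistake (or compromised key) lands with full privilege, and why the only remedy the model offers is to black-list that signer wholesale.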
