[3979] in WWW Security List Archive
RE: Javascript and Security
daemon@ATHENA.MIT.EDU (Phillip M. Hallam-Baker)
Tue Jan 14 12:47:59 1997
From: "Phillip M. Hallam-Baker" <hallam@ai.mit.edu>
To: "'Kevin J. McMahon'" <0003557428@mcimail.com>, www security <www-security@ns2.rutgers.edu>
Date: Tue, 14 Jan 1997 10:26:14 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
I agree that it is pretty helpful. What we have done is to tell our
constituents that they should disable Java/Javascript by default.
When they access a site that uses Java, _and_ they have some reasonable
level of assurance that it is not compromised, they can then enable
Java(script) for use on that site. I know this is cumbersome, and
it is very hard to determine whether a site is secure or not. But
it is very dangerous to leave Java turned on by default -- esp. when
you are periodically checking out sites of dubious origin.

My general advice would be for a firewall manager to use a proxy
that strips out Javascript and other dangerous "add-ons". In my
experience the utility of JavaScript is negligible if you intend
to support a wide range of browsers, particularly the Mac versions
of Netscape which have a habit of crashing the machine if they
encounter JavaScript that breaches certain (undocumented of course)
restrictions.

Java is a somewhat different issue; for all the hype about mobile
code I think it's better to realize that Java has slain the C++
dragon and be thankful for that. The sandbox approach to security
doesn't work because it essentially means you can't allow the
applet access to any information or facility that matters, which
inevitably means that the applet can't do much that is useful.

It is a great pity that the Java developers chose to ignore the
HTTP protocol spec and give Java the content type application/binary
rather than state it as application/Java as it should be. As a
result there is no mechanism whereby a firewall manager can prevent
Java from being carried across a firewall without preventing all
application/binary types.

Phill
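As an added illustration of the "proxy that strips out Javascript" advice in the message above (example code written for this archive page, not from the original post or the list): a small Python filter built on the standard library's HTMLParser that re-emits a page without its script elements and their contents, inline on* event-handler attributes, and javascript: URLs. The sample document is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample page for this demonstration (not from the original post).
SAMPLE = ('<html><body onload="init()"><h1>Hi</h1><script>alert(1)</script>'
          '<p>Safe &amp; sound</p><a href=" JavaScript:go()">link</a>'
          '<a HREF="/ok">fine</a></body></html>')

class ScriptStripper(HTMLParser):
    """Re-emits HTML without its JavaScript: <script> elements and their
    contents, on* event-handler attributes, and javascript: URLs."""
    URL_ATTRS = {"href", "src", "action"}
    def __init__(self):
        super().__init__()
        self.out = []
        self.in_script = 0  # > 0 while inside a <script> element
    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:  # HTMLParser lower-cases attribute names
            if name.startswith("on"):
                continue  # drop inline event handlers (onload, onclick, ...)
            if name in self.URL_ATTRS and value is not None and \
                    "".join(value.split()).lower().startswith("javascript:"):
                continue  # drop javascript: URLs, ignoring case and whitespace
            parts.append(f' {name}="{html.escape(value, quote=True)}"'
                         if value is not None else f" {name}")
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
        elif not self.in_script:
            self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:  # script bodies are dropped wholesale
            self.out.append(html.escape(data, quote=False))

def strip_javascript(document):
    """Return `document` with script elements, on* attributes and javascript: URLs removed."""
    parser = ScriptStripper()
    parser.feed(document)
    parser.close()
    return "".join(parser.out)
```

Because the filter runs on a real HTML tokenizer, a `</p>` written inside a script body stays part of the script and is discarded with it, rather than being mistaken for the end of the script element.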