[4606] in WWW Security List Archive
JAVA Security Risks
daemon@ATHENA.MIT.EDU (HAROLD SIDLER)
Thu Feb 27 16:46:51 1997
Date: 27 Feb 1997 12:55:05 -0600
From: HAROLD SIDLER <Harold.E.Sidler@msfc.nasa.gov>
To: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu> (IPM Return requested) (Receipt notification requested),
"nasirc@nasa.gov" <nasirc@nasa.gov> (IPM Return requested) (Receipt notification requested)
cc: PATTIE SANDERSON <Pattie.M.Sanderson@msfc.nasa.gov> (IPM Return requested),
PAUL PALMER <Paul.Palmer@msfc.nasa.gov> (IPM Return requested)
Errors-To: owner-www-security@ns2.rutgers.edu

I received a request to assess security risks associated with
the following three scenarios:

1. Capability to execute locally created (trusted???) Java applets on a
workstation inside the firewall communicating with a Java application
running on a Web Server inside the firewall.

2. Capability to execute locally created (trusted???) Java applets on a
remote user computer outside the firewall communicating with a Java
application running on a Web Server outside the firewall.

3. Capability to execute locally created (trusted???) Java applets on a
remote user computer outside the firewall communicating with a Java
application running on a Web Server inside the firewall.

It is scenario number three that concerns me the most since our current
firewall policy does allow for HTTP, HTTP proxies or SSL. BTW our firewall
is ANS Interlock running on a Sun workstation.

Locally created Java applets are referred to as "trusted," but once we
enable Java, how do we insure that foreign (potentially hostile) applets
are not imported?

You may reply to me directly at
Harold.Sidler@msfc.nasa.gov

THANKS...