[4725] in WWW Security List Archive

Re: Snake Oil FAQ

daemon@ATHENA.MIT.EDU (Dennis Glatting)
Sat Mar 8 17:24:07 1997

From: Dennis Glatting <dennis.glatting@plaintalk.bellevue.wa.us>
Date: Sat,  8 Mar 97 10:39:45 -0800
To: "Bob Denny" <rdenny@dc3.com>
cc: "'WWW Security List'" <WWW-SECURITY@ns2.rutgers.edu>
Reply-To: dennis.glatting@plaintalk.bellevue.wa.us
Errors-To: owner-www-security@ns2.rutgers.edu


> From: "Bob Denny" <rdenny@dc3.com>
> Date: Sat, 8 Mar 1997 09:31:01 -0800
>
> [was: RE: Latest Java hole is Netscape/Sun only -- subject line changed to 
> curb MS PR-spin verbage ("latest", and "Netscape/Sun only")]
>
> Dennis --
>
> The Snake Oil FAQ... thank you for reminding us of that. For the rest of the 
> folks on this list (at least those who don't want to search for "Snake Oil 
> FAQ" on AltaVista):
>
>   http://www.research.megasoft.com/people/cmcurtin/snake-oil-faq.html
>
> Anyway, the "trust me" commentary in the SOF doesn't aim
> directly at the folly of a trust-only security system. It
> pertains to vendors who try to hide the details of their system
> (thus violating another, but different, basic rule).
>

The details are different but I believe the models are the same.
Vendors, by not disclosing their algorithms and methods, are
saying "Trust Us, We Know What We're Doing" [sic] which is a
trust-me model.


> I agree with your comments regarding the "code signature
> model". However, I don't agree that Java and ActiveX are the
> same. Java is not trust-only, ActiveX is. There is a
> difference. With Java, you can adjust the privileges the
> applet has based on your level of trust of the code. The
> signature provides identity, you provide the evaluation of
> trust, and then you adjust the privileges.
>

A problem I have with that model is the "PC in every home." The
common user is clueless and trusts vendors to provide adequate
protection. Protocols, security levels, certificates, and
the rest are foreign to the common user. It is unrealistic, IMO,
to believe most users will adjust their environment for each
trusted code source as their number grows on a global scale.

I believe the value of signed identity to be small. It does not
necessarily represent the source, it isn't evidence you can
use in court, and CRL access is not ubiquitous.

I believe the Java sandbox model is good. However, the
implementation is questionable. I have not read anything on
1.1's security but for the older versions I remember the
Princeton team claimed redesign was necessary.


-dpg
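The model under discussion (the signature supplies an identity, the host supplies the evaluation of trust, and privileges follow from that evaluation, with unknown or unverifiable signers confined to the sandbox) and the point about revocation data not always being reachable, as an added example in Go that is not part of this thread and is not the code of any Java or ActiveX implementation. The Ed25519 key pairs, the policy table and the applet bytes are constructed for the illustration; the choice to fail closed when the revocation list cannot be fetched is the example's own design choice, not something the thread prescribes.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
)

// Privileges is the capability set a host grants a piece of mobile code.
// The zero value is the sandbox: identity alone earns nothing.
type Privileges struct {
	FileRead  bool
	FileWrite bool
	Network   bool
}

// Sandbox is what unverifiable, unknown or revoked signers get.
var Sandbox = Privileges{}

// Policy holds the host's own trust decisions. The signature yields an
// identity (the signer's key); this table is the evaluation of trust.
type Policy struct {
	Trusted map[string]Privileges // signer key (hex) -> privileges granted
	Revoked map[string]bool       // signer keys known to be revoked
	// RevocationFresh is false when the revocation list could not be
	// fetched. This example fails closed: no fresh data, no privileges.
	RevocationFresh bool
}

// SignerID derives the identity string the policy table is keyed on.
func SignerID(pub ed25519.PublicKey) string {
	return hex.EncodeToString(pub)
}

// SignCode produces the detached signature a vendor would ship with code.
func SignCode(priv ed25519.PrivateKey, code []byte) []byte {
	return ed25519.Sign(priv, code)
}

// Decide verifies sig over code and returns the privileges the policy
// grants, with a short reason. Every failure path collapses to Sandbox.
func (p Policy) Decide(code, sig []byte, pub ed25519.PublicKey) (Privileges, string) {
	// Length check first: ed25519.Verify panics on a malformed key.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, code, sig) {
		return Sandbox, "signature does not verify"
	}
	id := SignerID(pub)
	if !p.RevocationFresh {
		return Sandbox, "revocation status unknown"
	}
	if p.Revoked[id] {
		return Sandbox, "signer revoked"
	}
	granted, ok := p.Trusted[id]
	if !ok {
		return Sandbox, "signer identified but not trusted"
	}
	return granted, "granted per policy"
}

// DemoSigner returns a deterministic key pair from a fixed seed. It is
// constructed for this example and represents no real vendor.
func DemoSigner(tag byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = tag ^ byte(i)
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	vendorPriv, vendorPub := DemoSigner(1)
	strangerPriv, strangerPub := DemoSigner(2)
	code := []byte("constructed applet bytes")

	policy := Policy{
		Trusted:         map[string]Privileges{SignerID(vendorPub): {FileRead: true}},
		Revoked:         map[string]bool{},
		RevocationFresh: true,
	}

	cases := []struct {
		name string
		sig  []byte
		pub  ed25519.PublicKey
	}{
		{"trusted vendor", SignCode(vendorPriv, code), vendorPub},
		{"unknown signer", SignCode(strangerPriv, code), strangerPub},
		{"tampered code", SignCode(vendorPriv, []byte("other bytes")), vendorPub},
	}
	for _, c := range cases {
		granted, why := policy.Decide(code, c.sig, c.pub)
		fmt.Printf("%-15s %+v (%s)\n", c.name, granted, why)
	}

	// The same valid vendor signature, but the revocation list is unreachable.
	policy.RevocationFresh = false
	granted, why := policy.Decide(code, cases[0].sig, vendorPub)
	fmt.Printf("%-15s %+v (%s)\n", "CRL unreachable", granted, why)
}
```

The point the code makes is that a valid signature changes only the first branch: the trusted vendor gets FileRead because the policy table says so, a correctly signed applet from an unknown key still lands in the sandbox, and when revocation data is stale the host has to pick a side; failing closed keeps the vendor out, failing open would honour a possibly revoked key. Each host has to maintain the Trusted table itself, which is the administrative burden the thread is arguing about.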
