[4736] in WWW Security List Archive
RE: Latest Java hole is Netscape/Sun only
daemon@ATHENA.MIT.EDU (Tazman)
Sun Mar 9 20:08:24 1997
Date: Sun, 9 Mar 1997 18:09:27 -0500 (EST)
From: Tazman <taz@kensico.com>
To: schemers@stanford.edu
cc: Thomas Reardon <thomasre@microsoft.com>, "'Bob Denny'" <rdenny@dc3.com>,
"'WWW Security List'" <WWW-SECURITY@ns2.rutgers.edu>
In-Reply-To: <199703090624.WAA16150@tree2.Stanford.EDU>
Errors-To: owner-www-security@ns2.rutgers.edu
On Sat, 8 Mar 1997 schemers@stanford.edu wrote:
> Thomas Reardon writes:
> > Then let me make my own opinion known. First, Java still doesn't have
> > signing, other than announcement-ware. Sun, Netscape, Microsoft and
> > others are working to address that.
Signing is like Berkeley remote rlogin, rsh, etc., which is based on
completely trusting the other side. Java is more like the Unix restricted
shell ("box") with very limited resources and capabilities. As always,
security must provide functionality in a secure manner. Java applets are a
very closed box restricting almost all interactions with the local
machine. It might be fine for browsing but it is too limited in an
intranet environment. Signing in Java is opening the box a little bit
more. Active-X will probably go the way of rlogin, rsh...
I think capability-based access control will balance security and
functionality pretty well. For example, I might want applets to be able
to read or write to only certain designated directories or run only
certain programs from host xyz while restricting all from other hosts.
Java is open and platform independent. Java has been tested and reviewed by many
security experts and researchers, while Active-X is hopelessly behind.
IMHO in 1997 one must be a fool to completely base security on trusting
foreign hosts. The road ahead is the cliff for Microsoft.