[855] in WWW Security List Archive

Java and trojans: any last words before Netscape 2.0 is out?

daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Tue Sep 19 17:07:42 1995

From: riddle@is.rice.edu (Prentiss Riddle)
To: comp-security-misc@news.cs.utexas.edu, alt-security@news.cs.utexas.edu,
        hotjava-interest@java.sun.com, www-security@ns2.rutgers.edu
Date: Tue, 19 Sep 1995 12:23:54 -0500 (CDT)
Errors-To: owner-www-security@ns2.rutgers.edu

Netscape Communications Corp. has announced the impending release of a
beta version of Netscape 2.0 to include Java support.  See:

   http://home.netscape.com/comprod/products/navigator/version_2.0/index.html
   http://home.netscape.com/newsref/pr/newsrelease43.html
   http://home.netscape.com/eng/mozilla/2.0/

When last we discussed Java security on these lists (see e.g.
http://java.sun.com/archives/hotjava-interest/0745.html), the consensus
seemed to be that the design of Java precluded viruses and the most
heinous forms of security violations, but not an entire class of trojan
horses which might carry out denial of service attacks, data leakage,
misuse of the network while assuming the victim's identity, etc.

None of these trojan horse attacks are anything new with Java, but
since Java proposes to increase the ease and frequency of the exchange
of software on the World-Wide Web so it can happen with practically
every mouse click, it may make these sorts of attacks much more
widespread.

Is there anything to add to this assessment?  Are we walking knowingly
into a significant decrease in the security of the average Internet
site?  Should security-minded sysadmins ban Java and Netscape 2.0 from
their systems?

[Note the wide crossposting.  I would like to see an open discussion
between the Java and security communities on this issue.  If
you agree that's a good idea, please direct followups via mail to:

   comp-security-misc@news.cs.utexas.edu
   hotjava-interest@java.sun.com
   www-security@ns2.rutgers.edu
   alt-security@news.cs.utexas.edu

Thanks.]

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Opinions expressed are not necessarily those of my employer.