[1396] in java-interest
Re: Security and Java
daemon@ATHENA.MIT.EDU (Matt Cline)
Thu Aug 31 18:12:41 1995
Date: Thu, 31 Aug 1995 12:13:05 -0700
From: gandalf@viman1.viman.com (Matt Cline)
To: java-interest@java.sun.com
> (2) Chuck McManis has stated that it is possible to write an applet that
> displays a rude picture. Fine - this is behaviour familiar to those who deal
> with PC viruses, and does in fact constitute a problem in a corporate
> environment. What else can an applet do? I've found it a little confusing
> running through the programmer documentation (possibly because my
> programming days are behind me :-)), but I'm not clear on whether
> applets can:
> - manipulate the client's file system;
The browser (or is it the IO classes) is supposed to ask the user's
permission each time the app tries to manipulate a file. I don't know
about things like getting a listing of files to see what software
you have installed; this might not be preventable. And if you're
running a UNIX system, the app could, say, get your users' paths,
and figure out some of the software that you're using from that.
> - use the client's network sockets in an arbitrary way;
The firewall is supposed to be configurable so that the app can only make
a connection to the host it came from, or make it so that it can't make
a connection to any hosts behind the firewall.
> - manipulate the client machine environment in any way more subtle
> than spinning at high priority.
Even if this can't be done directly by a HotJava app, it can trick your
user into letting it. For instance, if you have a UNIX site, the
app could say "I need to have a certain environmental variable set.
I'll be nice enough to put the setenv command into your .cshrc if you'd
let me have access to it". If the user is dumb enough to say "OK", there's
probably not anything you could do to stop it.
Also, windows created by a HotJava app are currently indistinguishable from
windows created by normal applications. A HotJava app could theoretically
masquerade as another application and get info/wreak havoc in this
manner.
-
Note to Sun employees: this is an EXTERNAL mailing list!
Info: send 'help' to java-interest-request@java.sun.com
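The reply above describes the intended applet sandbox: connections only back to the host the applet came from, and no direct file system access. As an added illustration (not code from the original thread or from Sun), this SecurityManager subclass expresses that policy in Java; the class name, the sample origin host and the address-comparison rule are assumptions. SecurityManager is deprecated since Java 17 and permanently disabled in JDK 24, so this shows the 1990s sandbox idea rather than a mechanism to deploy today.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Added example, not from the original mailing-list post: a sandbox policy that lets an
// applet connect only to its origin host and never touch the local file system.
public class OriginOnlySandbox extends SecurityManager {
    private final InetAddress origin;   // resolved address of the applet's code base host

    public OriginOnlySandbox(String originHost) throws UnknownHostException {
        this.origin = InetAddress.getByName(originHost);
    }

    // Invoked by the socket classes before any outbound connection (port -1 means a
    // plain name lookup, which is permitted).
    @Override
    public void checkConnect(String host, int port) {
        if (port != -1 && !isOrigin(host)) {
            throw new SecurityException("applet may only connect to its origin host, not " + host);
        }
    }

    // Compare by resolved address so a host name and its IP literal are treated alike;
    // a name that fails to resolve is denied rather than allowed (fail closed).
    boolean isOrigin(String host) {
        try {
            return InetAddress.getByName(host).equals(origin);
        } catch (UnknownHostException e) {
            return false;
        }
    }

    // No file access at all: the browser, not the applet, decides what the user is asked.
    @Override public void checkRead(String file)   { throw new SecurityException("applet may not read " + file); }
    @Override public void checkWrite(String file)  { throw new SecurityException("applet may not write " + file); }
    @Override public void checkDelete(String file) { throw new SecurityException("applet may not delete " + file); }

    public static void main(String[] args) throws Exception {
        // Constructed sample: pretend the applet was loaded from localhost.
        OriginOnlySandbox sandbox = new OriginOnlySandbox("localhost");
        for (String target : new String[] {"localhost", "example.invalid"}) {
            try {
                sandbox.checkConnect(target, 80);
                System.out.println("connect to " + target + ": allowed");
            } catch (SecurityException e) {
                System.out.println("connect to " + target + ": denied (" + e.getMessage() + ")");
            }
        }
    }
}
```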