[5104] in java-interest


Re: Netscape security => lame applets

daemon@ATHENA.MIT.EDU (Nathan Williams)
Mon Jan 29 14:42:19 1996

To: Cay Horstmann <horstman@jupiter.SJSU.EDU>
Cc: java-interest@java.sun.com
In-Reply-To: Your message of "Sun, 28 Jan 1996 13:04:27 PST."
             <01BAED86.C23D2E60@mg131-074.ricochet.net> 
Date: Mon, 29 Jan 1996 09:24:32 EST
From: "Nathan Williams <nathanw@MIT.EDU>" <nathanw@java.sun.com>

> Two points. First, security is important. I am NOT asking that the applet 
> have ARBITRARY network and file system access. All I am asking is that the 
> applet has THE SAME URL ACCESS AS THE AMBIENT BROWSER. This would not be 
> rocket science to implement, and it would give applets the power of 
> analyzing documents on the net that are already there for perusal by 
> browsers.
	I don't think the security model is different for accessing
URLs than for creating sockets. This may be a valid concern; I can
understand why you want the applet to go fetch documents and do
something with them. There is still a concern of having an applet go
out of control; if I'm on a 14.4 PPP link, I want the network traffic
to be under my control, and a malicious applet can still mount a
denial-of-service attack until I get around to killing the applet
and/or browser.

> Second, in a way I personally agree that applications are more interesting 
> than applets. But that isn't where the action is. The action is definitely 
> in applets. Consider my silly little weather applet. As an applet, it is 
> trivial to use. You go to my web page, and you use it. Had it been an 
> application, then you would have to download it to your computer first--an 
> extra step that eliminates a lot of users.
	But a necessary one for security reasons. Until there is some
kind of signing/authentication system for distributed code, I do not
want to give arbitrary code any real privileges on my system. There is
certainly an opportunity for Java to help the software installation
mess that exists today, but applets as they stand don't have any of
the necessary structure to provide it. There is a group at the MIT
Artificial Intelligence lab that has done some research on these 
problems, and of using Java to help solve them; look at
http://www.ai.mit.edu/projects/transit/rc_home_page.html for details.

> The Java boosters promise that it will be a way out of the current mess 
> with CGI and forms, but replacing it with a new mess of CGI, custom sockets 
> and Java seems no better.
	Java is only a first step; there is definitely a needed layer
of code for use in applets and servers to make writing interactive
network applets easy. Whether this layer is developed publicly and
absorbed into the Java distribution or privately and sold as a
developer's tool by some third party remains to be seen.

	- Nathan	<nathanw@mit.edu>

-
This message was sent to the java-interest mailing list
Info: send 'help' to java-interest-request@java.sun.com
