[560] in java-interest
Re: Security
daemon@ATHENA.MIT.EDU (Chuck McManis)
Fri Jun 30 15:27:59 1995
Date: Fri, 30 Jun 1995 11:14:02 -0700
From: cmcmanis@scndprsn.Eng.Sun.COM (Chuck McManis)
To: ryanz@daffy.netrex.com, jcdst10+@pitt.edu
Cc: java-interest@java.Eng.Sun.COM
James Deikun wrote:
>a) the client doesn't send code to the httpd, it's t'other way around.
>
>b) see the Security White Paper off the java home page (which is at
><URL:http://java.sun.com/>) (the home page is, not the white paper).
Both of these statements are true; however, postulating the case where
an applet created a connection back to the HTTP server to fetch "private"
data for its operation, if you rewrote the URL class to make a copy of
everything fetched you could conceivably "steal" this private data. Note
it is probably easier to just use snoop(1) or some other packet monitor
so there isn't any ADDED vulnerability from using Java.
Again, HotJava protects you from bogus applets, it does not protect Applets
from bogus browsers.
--Chuck
-
Note to Sun employees: this is an EXTERNAL mailing list!
Info: send 'help' to java-interest-request@java.sun.com