[5894] in java-interest
Java(Script) and "Security"?
daemon@ATHENA.MIT.EDU (Martin Zach)
Sun Mar 3 23:53:09 1996
Date: Sun, 3 Mar 1996 21:08:09 +0100
To: java-interest@java.sun.com
From: 10616@rzuws13.uni-lueneburg.de (Martin Zach)
Hi Javans,
here is some interesting stuff about the security of Java(Script). Is that
as dangerous as it sounds? I think that will be an extremely important
argument against Java(Script), or not?
Bye
Martin
10616@stud.uni-lueneburg.de
(Fwd) beginning:---------------------------------------
>[http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html]
>
>"THE WORLD WIDE WEB SECURITY FAQ (Version 1.2.0, February 28 1996)"
>by Lincoln D. Stein <lstein@genome.wi.mit.edu>
>Q69: What's the difference between Java and JavaScript?
>
> Despite the similarity in names, Java and JavaScript are two separate
> entities. Java is a language designed by SunSoft (a division of Sun
> Microsystems). Java scripts are precompiled into a compact form and
> stored on the server's side of the connection. HTML documents refer to
> the mini-applications known as Java "applets" by incorporating
> <APPLET> tags. Browsers that support the <APPLET> tag (currently only
> Netscape Navigator 2.0 and Sun's HotJava), download the compiled Java
> applications and execute them.
>
> JavaScript is a series of extensions to the HTML language understood
> only by Netscape Navigator version 2.0. It's an interpreted language
> designed for controlling the Netscape browser; it has the ability to
> open and close windows, manipulate form elements, adjust browser
> settings, and download and execute Java applets.
>
> Although JavaScript has a similar syntax to Java, it is quite distinct
> in many ways.
>..
>Q71: Are there any known security holes in JavaScript?
> You should be extremely concerned about JavaScript, an integral part
> of Netscape Navigator 2.0. It allows many types of private information
> to be included in data submitted to remote sites by fill-out forms,
> without the consent, or even the knowledge of the user. For example, a
> recently published script showed how a JavaScript page could grab a
> user's e-mail address from Netscape's preferences dialog and send it
> across the Internet.
>
> This is just the beginning. Others have figured out how to exploit
> JavaScript to make much more intrusive invasions of the user's
> privacy. The scripts at:
> * http://www.c2.org/~aelana/javascript.html and
> * http://www.osf.org/~loverso/javascript/track-me.html
>
> demonstrate how to take the following obnoxious actions:
> 1. Read the user's URL history list and transmit it to a remote site.
> 2. Read the user's disk cache (containing URLs of all frequently
> visited sites) and transmit it to a remote site.
> 3. Invisibly monitor all the sites a user visits and transmit them
> one by one to a remote site (the monitoring persists until the
> user completely exits from Netscape).
> 4. Obtain a recursive directory listing of the user's local hard disk
> and any network disks that happen to be mounted.
(Fwd) ending:-----------------------------------------------
-
This message was sent to the java-interest mailing list
Info: send 'help' to java-interest-request@java.sun.com