[608] in java-interest


Re: Questions

daemon@ATHENA.MIT.EDU (Francois Boussard)
Fri Jul 7 23:26:20 1995

Date: Fri, 07 Jul 95 11:03:00 0200
From: Francois Boussard <francois@coplanet.fr>
To: java-interest@java.Eng.Sun.COM

> 2. What are the downsides of Java programming? Is there a danger involved
> in coding those applets? Are we going to see trojan-infested applets?

	Hi!

	It's Francois again!
	I wrote you back a few words yesterday. I thought a lot about the dangers
during the night, and have seen AWFUL things appearing:

	1- Technical problem:
	Imagine a solution made of clients and 1 server process on 1 web
server computer:
	All the callbacks from the clients to the server CGI applet could
override the resources of the computer: the server computers can be
overcharged by the users: need for control, ...

	2- Client security problem:
	The applets AUTOMATICALLY downloaded by an HTML page can be hidden:
an applet can be running at this moment on YOUR computer, doing what it wants
(even copying, transmitting, erasing, searching files .....) and you won't
see it running!
	It's easy for the Java runner to control disk access on the clients.
	But how to control the NETWORK access of such an app:
	an applet can honestly need a socket connection to one of your Unix
protocol servers: how to know the request is secure!

	3- Private information problem:
	Even if the disk and network access-rights problems are solved, how to be
sure that an applet is not running to send back your e-mail & IP address
& Unix UID info, & all the info retrieved by internal processing, to an unknown
hacker server which collects it for future use?

	Imagine that EVERYBODY who has Net access can write an HTML page,
a Java applet, a Unix daemon process, without control from anybody....

	4- Programmer problem:
	If the dev world of Java rises, we can reach the time when Java app
brokers provide basic Java libs, and other programmers buy these Java apps:
It's absolutely necessary for the users to control the safety of what they
have bought. Will we have to read all the source code we import?
	Because, for the end client using the app, if hacking appears through the
app: it will be up to the app provider to explain his hacking! Even if
he has not written the hacking code.
	
	Do we need a Certification Organisation for the classes we import?
	It would be fine if SUN centralised all the libs written, controlled them,
certified them, and managed their public-access way (free/commercial...).

	And all the approved Java-compatible browsers should control the
version and authorization number of all the applets required on an HTML page.
And, after this control, download them.

	Well, I am not a network-security specialist, and other ideas are
welcome. But it's SURE that something is needed for controlling Java apps'
honesty.

	The danger is that the final consumers of Internet services could refuse
the use of Java-compatible browsers, and it could be a selling argument to say
'I DON'T SUPPORT JAVA' or 'JAVA OUTSIDE!' ......

	BRRRR... I am a little cold about continuing to sell Java apps to our
customers..

	I hope YOU, Java developers, and SUN, will build a safe world
for Java..

	See you soon.



-- 
__________________________________________________________________________
Francois BOUSSARD        
Coplanet : Tel : 44.64.87.60
162 Bd Davout. 75020 PARIS
FRANCE francois@coplanet.fr
__________________________________________________________________________

-
Note to Sun employees: this is an EXTERNAL mailing list!
Info: send 'help' to java-interest-request@java.sun.com
