[45628] in Cypherpunks
Re: Java and timing info - second attempt
daemon@ATHENA.MIT.EDU (Jim Miller)
Tue Dec 19 16:50:13 1995
From: jim@bilbo.suite.com (Jim Miller)
Date: Tue, 19 Dec 95 14:53:13 -0600
To: cypherpunks@toad.com
Reply-To: Jim_Miller@bilbo.suite.com

Not a big deal, but somebody attributed the quoted section to the wrong
person:

>Jim Miller (jim_miller@bilbo.suite.com) writes:
>Of course it would be a lot easier for the applet to just try to read the
>secret key file, encrypt it with an embedded public key, and post it to
>alt.anonymous.messages.

Andrew Loewenstern wrote the above paragraph.

Bill Frantz wrote:

> If I understand Java security correctly, the applet can
> just send data back to the server it was loaded from, but
> can't read random files on the machine it runs on (even if
> the user running it can read them).

I assumed as much, which is why I asked about timing info rather than
snarfing up the key directly.

Andrew Loewenstern wrote:

> Since access to a private key should always be strictly
> mediated by the user any Java implementation would
> probably pop up a panel asking permission for every
> single private-key encryption operation requested by
> the applet.

In other words, an applet would just call the crypto function any time it
wanted to, and the function, or something between the applet and the
function, would bring up the panel? I can see that.

Jim_Miller@suite.com