At 8:43 PM -0700 4/28/98, Todd Radermacher wrote:

>I'm curious as to the group's opinion on Java, JavaScript, ActiveX,
>or more generally - mobile code security technologies.
>
>Are methods for dealing with mobile code to become "standard"
>features in commercial firewalls?
>
>I have been working in this space for over a year now and I'm
>afraid my perception may be *biased*. ;-)

Just in case this wasn't flame bait ...

They are all evil in terms of users wanting to let them through, and the security of the Java VMs is of low utility in a high security, high risk environment. ActiveX is worse: even if you have a certificate for security, it does not imply testing to assure it is in fact secure/safe.

Javascript executed on the browser side is an attack vector as well. The only relatively safe Javascript is on the Active Server Pages side, because the browser only sees HTML; the Javascript (or VBScript) is executed on the originating server.

On the other hand, if it is your server, the MS security setup is a bit warped, as you have to set both file security and IP service security on NT IIS servers. An error in either can affect site security or deny execution of the scripts to everyone. I'd have rather seen them actually use the ACL mechanism and expand the capabilities to include network filters in the ACLs. The current system is both too confusing and too restrictive for good general purpose use. (I'd like to associate or deny privileges to a masked IP address selectively for a site.) Also, since your defaults affect all virtual domains in some security areas and not others ... it's an adventure.

I'd be more down on this, but a portion of our business is knowing the answers to securing commerce sites on NT, so I can't get too down on MS security.

Mobile code in general needs to be filterable at the firewall for high security installations. The backchannel of information flow out of the site is too great a possibility.
YMMV -- Strive to always know the right question for any answers you get. John Painter, <mailto:tjpat_private>
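The post above argues that a high security gateway should be able to filter mobile code (applets, ActiveX objects, browser-side script) out of HTTP responses before they reach the browser. The following is an added example, not code from the original post or from any product the thread mentions, of what such a response filter looks like at its simplest: a pass-through HTML rewriter that drops the elements that carry active content, strips inline event handlers and `javascript:` URLs, and reports what it removed so the gateway can log it. The sample document is constructed here for the test; the `MobileCodeFilter` and `filter_html` names are this example's own.

```python
import html
from html.parser import HTMLParser
from typing import List, Tuple

# Elements that carry mobile code: browser-side script, Java applets,
# ActiveX/plugin objects and embeds.
ACTIVE_ELEMENTS = {"script", "applet", "object", "embed"}


class MobileCodeFilter(HTMLParser):
    """Re-emits an HTML document minus its active content.

    Dropped: the elements in ACTIVE_ELEMENTS (with everything inside them),
    on* event-handler attributes, javascript: URLs, comments and processing
    instructions. Everything removed is recorded in self.stripped so a
    gateway can log it. Entity and character references are passed through
    untouched so text like '&lt;script&gt;' is never turned back into a tag.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.stripped: List[str] = []
        self._skip_depth = 0  # > 0 while inside a dropped element

    def _clean_attrs(self, tag: str, attrs) -> list:
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):  # onclick, onload, onmouseover, ...
                self.stripped.append(f"{tag}@{lname}")
                continue
            if value is not None and value.strip().lower().startswith("javascript:"):
                self.stripped.append(f"{tag}@{lname}=javascript:")
                continue
            kept.append((name, value))
        return kept

    @staticmethod
    def _fmt(tag: str, attrs, selfclosing: bool = False) -> str:
        # HTMLParser unescapes attribute values, so re-escape them on output.
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if selfclosing else ">")

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.stripped.append(tag)
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        self.out.append(self._fmt(tag, self._clean_attrs(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.stripped.append(tag)
            return
        if self._skip_depth:
            return
        self.out.append(self._fmt(tag, self._clean_attrs(tag, attrs), True))

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    # Comments (including old-style conditional comments) and PIs are dropped.
    def handle_comment(self, data):
        self.stripped.append("comment")

    def handle_pi(self, data):
        self.stripped.append("pi")


def filter_html(doc: str) -> Tuple[str, List[str]]:
    """Return (filtered document, list of what was stripped)."""
    f = MobileCodeFilter()
    f.feed(doc)
    f.close()
    return "".join(f.out), f.stripped


# Constructed sample response body, not taken from any real site.
SAMPLE = (
    '<html><body>'
    '<p onclick="alert(1)">Hello &amp; welcome</p>'
    '<script>document.cookie</script>'
    '<applet code="Foo.class"><param name="x" value="1"></applet>'
    '<a href="javascript:void(0)">x</a>'
    '<a href="/ok">y</a>'
    '</body></html>'
)

if __name__ == "__main__":
    cleaned, removed = filter_html(SAMPLE)
    print(cleaned)
    print("stripped:", removed)
```

A gateway would run every `text/html` response body through `filter_html` and ship the `stripped` list to its logs; a sudden rise in stripped `object` or `applet` elements from one origin is exactly the kind of signal worth alerting on. Note what this filter does not cover: content delivered under a mislabelled content type, script reassembled from fragments across responses, or anything inside an encrypted or compressed body the gateway does not decode, which is why the post treats the backchannel risk as one to be managed rather than eliminated.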
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:17 PDT