1998-04-29-03:43:04 Todd Radermacher:

> I'm curious as to the group's opinion on Java, JavaScript, ActiveX,
> or more generally - mobile code security technologies.

I think they aren't too well off, as yet. Some of them are wildly unacceptable, as they have no attempt at a ``security'' model; others were designed and implemented by people who tried --- and failed --- to define a workable security model. So far none of them have proven safe, or anywhere near it.

So firewall policies seem to split into two camps: some shops attempt to prohibit all applets from coming through, and others just try to keep up with the security fixes in the browsers. As has been pointed out many times, applet stripping remains an unreliable heuristic process; in my opinion its big value is that if it _usually_ works, it helps keep users' expectations in line with policy.

> Are methods for dealing with mobile code to become "standard"
> features in commercial firewalls?

Ahh, this is a question about the future! My favourite sort.

Peering into the crystal ball, I see applet features in firewalls ceasing to be important within the next few years; whether it's by retrofitting kluges like Janus[1], or by seriously integrating some old but not widely used OS features (e.g. ACLs, Orange Book-style access control, Domain Type Enforcement, ...), one way or another I think we're going to see improved tools for locking mozillas into boxes on the desktop.

-Bennett

[1] <URL:http://www.cs.berkeley.edu/~daw/janus/>
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:57:20 PDT