Re: [fw-wiz] article on java in infosecurity mag

From: Bill_Roydsat_private
Date: Thu Jun 28 2001 - 15:03:46 PDT


    Java's sandbox model is far more secure than Javascript. But we see Javascript
    running on practically every web page so it is very counterproductive to
    disallow it through a firewall.  There are really several points:
     1/ All mobile code is a security risk, since it allows code generated in a
    potentially hostile environment to run on your trusted machine,
     2/ Interpreted mobile code is more dangerous than compiled code because the
    code itself can be manipulated dynamically, preventing proper verification
    before execution (IIS Unicode is an example of this).
     3/ Mobile code should run at least privilege and in a sandbox.

    By looking at the risks, Java is the least dangerous form of mobile code, but
    still not risk free.
    
    Oh and the Brown Orifice exploit last year belies the statement "more computer
    damage is caused by fire and weather than by Web-based hostile Java applets.
    Even insects cause more damage than Java, so why aren't those bugs front-page
    news, too", since it caused many places to spend significant time and
    resources to upgrade their Netscape browsers.
    The authors of Brown Orifice, to their credit, never exploited it and really
    benefited the user community by demonstrating the problem with no maliciousness.
    But it does show that, although the Java model is fairly secure, the
    implementation is critical.


    "R. DuFresne" <dufresneat_private> on 06/27/2001 17:03:21

     To:      firewall-wizardsat_private
     cc:
     Subject: [fw-wiz] article on java in infosecurity mag

    Howdy,
    
    Have others here seen and read the recent article in Information Security
    magazine:
    
    http://www.infosecuritymag.com/articles/june01/columns_curmudgoens_corner.shtml
    
    The gist of the article boils down to these statements:

    <quote>
    Hostile Java applets are a perfect example of an over-hyped security
    threat that has no basis in reality. For years, we've been warned
    about crackers and unethical Web-site operators surreptitiously placing evil
    Java code on Web servers. The hostile applets would secretly steal or sabotage
    data on the PC of any visiting user. But after six years of warnings, such
    exploits have never materialized.
    
    Hostile applet attacks remain theoretical for two reasons. First, what few Java
    vulnerabilities have appeared have been fiendishly hard to exploit. And second,
    such an attack would provide little benefit to attackers--e-mail is a much more
    efficient mechanism for spreading hostile code. To put the situation into
    perspective, more computer damage is caused by fire and weather than
    by Web-based hostile Java applets. Even insects cause more damage than Java,
    so why aren't those bugs front-page news, too?
    
    The FUD surrounding Java is a lesson in the perils of believing everything
    you hear.  To understand why this non-threat has assumed such epic proportions,
    you have to go back to 1995.
    </quote>
    
    Are folks in the industry changing their stances on the security
    implications of java these days?
    
    Thanks,
    
    
    Ron DuFresne
    --
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior consultant:  darkstar.sysinfo.com
                      http://darkstar.sysinfo.com
    
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    
    testing, only testing, and damn good at it too!
    
    
    
    
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://www.nfr.com/mailman/listinfo/firewall-wizards
    



    This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 18:26:09 PDT