Great Circle Associates Firewalls
(March 1996)
 


Subject: Re: JAVA
From: Scott Barman <scott @ di2 . disclosure . com>
Date: Mon, 25 Mar 1996 10:47:26 -0500 (EST)
To: "Mr. Nick Keenan" <nkeenan @ gsionline . com>
Cc: Firewalls @ GreatCircle . COM
In-reply-to: 18121156703446 @ gsionline . com

On Fri, 22 Mar 1996, Mr. Nick Keenan wrote:

> I went to the same demo -- last Friday in Washington DC.  Sun is really
> pushing Java, and they are running headlong into the security issues that
> this list faces every day.  They are walking a tightrope between security
> and functionality.

Drat... I missed this!!  After going through the JDK source I would have
loved to be there!  I guess I'm no longer on their mailing list!  :-)
 
> In its current incarnation Java can't write to a file, print, make OS
> requests, access the hardware, or connect via TCP/IP to anything other than
> the computer that provided the current applet.

Umm... there is a javaio superclass.  It is up to the browser, app.,
etc. to define the security constraints.  Because Java was written for
doing more than WWW niceties, Java does have I/O capabilities.  Listen to
Sun as they talk about Java and where it came from.  Their intention
was the internet "toaster"!  Gee... just what I want, to program my
toaster from my pee cee!

> Application developers such as myself have been critical: What can it do!
> All it can do is display pictures and output sound.  It's a glorified
> television set!
>
> Security professionals, on the other hand, generally think it can do too
> much.  How does Java verify where an applet came from?  Are the connections
> secure?  Is its security model to be trusted?

For what it does now, I think we can implement a server push/client pull
scenario within the current context of HTML+ to do what Java is
offering!
 
> The problem I see is trying to create a one-size-fits-all security model.

It could be OK if they actually implemented this!  You would be
surprised at the holes I found in one weekend of perusing the JDK code!

> Most likely you will end up with one-size-fits-none.  Also, another problem
> I see is that Java tries to implement security on the user's desktop, where
> what you really want to do is implement it as part of the network and
> communications infrastructure.

Gee... someone who's caught on!  I like it!!

> Just my $.02.  Flame away.

No flames from here!

scott barman
--
scott barman                  DISCLAIMER: I speak to anyone who will listen,
scott @ disclosure . com      and I speak only for myself.
barman @ ix . netcom . com


