At 07:16 PM 3/25/96 +0000, Gavin Aiken wrote:
>Java applets can't do disk i/o or access any host other than the one
>they have been downloaded from, when running under Netscape.
>Java applets running under Sun's appletviewer can access any network
>host if allowed in the appletviewer preferences.
>Java standalone applications can do disk read/writes, full networking,
>and all sorts of other things not allowed to applets.
There has been a recent hole that has been discovered that will allow
someone exploiting it to delete files. In theory, it is not supposed to do
that. I expect the holes to be patched over the next six months or so.
For all of Java's flaws, it is *MUCH* better than the alternatives currently
being pitched. Microsoft is pitching OLE as a substitute for Java. It has
far more security problems than Java. (They are not going to constrain the
language, they are going to use a security signature on the app to show it
is from a "trusted" source. (As if I trust Microsoft...))
>> For what it does now, I think we can implement a server push/client pull
>> scenario within the current context of HTML+ to do what Java is
>> offering!
>
>I think it's more of a glorified *interactive* tv set when used as
>an applet. I'd like to see anyone implement Missile Command via server
>pushes! (take a look at http://www.gamelan.com to see some good
>applet examples)
Server push has some problems as well. If it is not implemented properly,
it can cause zombie processes on the server. (And setting the timeouts on
the processes is not always a trivial task.) It also increases the load on
the server. With Java, you send a piece of code and it goes from there.
With server push, you are holding a connection open the whole time. If you
are running server push through a firewall, you are increasing the traffic on
that as well. Java does a better job of conserving bandwidth.
>> It could be OK if they actually implemented this! You would be
>> surprised at the holes I found in one weekend of perusing the JDK code!
>
>What, what? Please say more! If there are any serious holes, let us
>know so we can take steps to prevent anyone using them to bypass
>our network security!
I have seen a lot of people flaming Java because it has holes in its security
model. I think that much of it is unwarranted. It is attempting to put
forth a security model that will allow you to use untrusted apps. It has
not been around that long, so there will be bugs and problems. They will
get fixed as soon as they are found. So far, the only unfixed hole has been
announced far and wide, but not with a published exploit.
I wonder how many of the people who have been bitching and moaning about
Java are still using sendmail?
---
Alan Olsen -- alano@teleport.com -- Contract Web Design & Instruction
`finger -l alano@teleport.com` for PGP 2.6.2 key
http://www.teleport.com/~alano/
"We had to destroy the Internet in order to save it." - Sen. Exon