On Mon, 29 Jul 1996 16:46:29 -0400 Russ <Russ . Cooper @ RC . Toronto . on . ca> writes:
> Java Security? What security? You either trust the VM or you don't,
Indeed, however, considering that there is currently no authentication,
this is almost a no op. Discounting bugs in the particular client VM,
there is an open question: can you trust the applet itself? Nope, not
by definition. Hop on over to one of the many "malicious" applet
providing sites and see how well your Netscape gets hammered (via Java
and HTML) for a demonstration of this. In my perfect world (which seems
to be where Sun and others are going), you'd sign your applet and its
end user would make the decision to trust you (or not, as it were.)
I've a model for "applet brokering" which includes the usual digital
signatures for authentication / integrity, AND some other stuff that is
pretty ugly. Consider that you'll need *someone* to guarantee that the
applet is safe *and* someone to ensure that the client won't allow abuse.
A pretty big mess, methinks. Although, maybe we'll see a few more
millionaires as companies are formed to tackle these tough jobs ;)
> unless you're planning on filtering on .java there's not much you can do
> with your Firewall to secure against malicious Java applets that you
> wouldn't already be doing.
Agreed. Somewhat like HTML, Email...
BTW - what seems to be the first active applet filter seems to have shown
itself yesterday (7/29/96). Check out www.finjan.com. Free downloads
available. Anyone had their hands on this yet?
> Problem with malicious applets is, assuming
> they are able to break out of the VM, that they can attack the hosts
> you thought were secure, because they run from inside your Firewall.
Yep, but consider that this implies an interesting and very onerous
(impossible?) responsibility for every PC on the net? Whoooa. Sounds
like how we approached viruses and lookie where we are: Word 6 comes out,
Word viri emerge, ... I figure that one day we'll all face up to the
fact that you have to architect security before you design it into something.
And, of course, it would be nice if the architecture allowed the enforcement
of a chosen security policy. And, finally, the really tough nut - it would
be great if the policy could be mapped seamlessly into that of the security
domain which provided the applet (for purposes of access control and
authorization...) IMHO, very few firewalls even can do that stuff today.
Java / browsers don't seem to either. Although, I did see Gradient at a
recent show with a DCE-based browser / server. Certainly the way to go
for mapping security domains together with available, off-the-shelf stuff,
eh? Anyone seen a browser / server that plays SESAME or some other
enterprise-wide security game?
And when you are ready to talk about policy enforcement, I can start
blathering about trusted systems and the nature of trust again ;)
> ...now when digital signatures are mandatory, there will be another
> story to be written.
Well, I hope that they will never become "mandatory." I'd rather like to
see them available for everything and used where required by particular
security policies - even if vendors have to decide what their customers
will have as the initial settings for those policies. Sometimes, I'd like
to send completely anonymous things. Might be nice to simply omit the
signature rather than resort to hiding behind a lame anonymous mailer or
other unmentionable, dastardly deeds ;)
Meantime, there is a rumor afoot that Sun will be doing something with
certificates for Java soon. Anyone heard anything about this?
RayK