In lists.firewalls you write:
>To me, the inherent insecurity of Java is that it is supposed to be
>viewed as secure. ActiveX should not be viewed as secure by anyone,
...
>The Java language, on the other hand, is a very different animal than
>Java applets. When it comes to security, the issues are completely
>different and shouldn't be confused. The Java language, like any
>language, is not constrained by VMs or sandboxes, or whatever. You can
>develop whatever security implementation you choose in the Java language,
>as you could in C. Applets are the fun, neat, easy-to-implement version
>of Java, but it's not the Java language.
I agree with the 2nd statement. Java is just a programming language
and from what little I've read a reasonable one. Now Java applets...
yes there is a problem. I suspect though that if the applet viewers
(i.e. browsers et al.) were able to verify the origin of an applet - e.g.
if applets could be signed by an X.509 cert (like we use for SSL) -
the situation would improve somewhat.
I'd be reasonably happy if I could configure my browser to run only
applets signed by my company's CA.
But of course...
>We need a way to turn off what we consider insecure, and prevent it from
>being turned on again by the user. This doesn't exist in any browser
>that I've seen so far, but it will be more possible when the browser and
>the OS are the same thing, when we can use authentication servers to
>provide permission profiles back to the OS.
Indeed.
--sjg
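The policy the reply wishes for (run only code signed under the company's own CA) can be expressed against signed JARs with the JDK's `java.util.jar` and `java.security.cert` APIs. This is an added example, not code from the original post; the class name `CompanyCaJarPolicy` is hypothetical, it assumes Java 11 or later, and revocation checking is deliberately left off because the check is meant to run offline.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.*;
import java.util.Collections;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Accepts a JAR only if every non-metadata entry carries a signature chaining to the company CA. */
public final class CompanyCaJarPolicy {
    private final PKIXParameters params;

    public CompanyCaJarPolicy(X509Certificate companyCa) throws InvalidAlgorithmParameterException {
        params = new PKIXParameters(Collections.singleton(new TrustAnchor(companyCa, null)));
        params.setRevocationEnabled(false); // assumption: offline policy check, no CRL/OCSP lookup
    }

    public boolean isTrusted(String jarPath) throws IOException {
        int checked = 0;
        // verify=true makes JarFile validate digests and signature blocks as entries are read
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements(); ) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream()); // signers are only known after a full read
                } catch (SecurityException tampered) {
                    return false; // digest mismatch: entry was modified after signing
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || !anyChainsToCompanyCa(signers)) return false; // unsigned or foreign signer
                checked++;
            }
        }
        return checked > 0; // an empty JAR proves nothing, so it is not trusted
    }

    private boolean anyChainsToCompanyCa(CodeSigner[] signers) {
        for (CodeSigner s : signers) {
            try {
                CertPathValidator.getInstance("PKIX").validate(s.getSignerCertPath(), params);
                return true; // chain ends at the configured company CA
            } catch (CertPathValidatorException | NoSuchAlgorithmException | InvalidAlgorithmParameterException ex) {
                // this signer's chain does not reach the company CA; try the next one
            }
        }
        return false;
    }
}
```

A browser or applet loader would call `isTrusted` before handing the archive to the class loader, which is the "only applets signed by my company's CA" switch the reply asks for.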