Hi folks, me again, Java guy. Thought I'd stop by for a moment to answer
Scott's email and offer some concrete suggestions.
First, understand that I work on Java so the truly paranoid should distrust
everything I say :-)
> I was wondering if anyone has done a security analysis of allowing Java
> applets behind a firewall?
And the answer is of course yes. We plan to have a more thorough security
analysis paper available for FCS. In the meantime we welcome other analyses.
> I finally got to see some documentation and (a) I am not impressed
> (Sun has this knack for doing neat things the wrong way--private email
> if you want to discuss this),
I think private email is probably the wrong way to go. What you should
do is express your concerns publicly to the java-interest @
alias. That way we can address/fix them. If you are uncomfortable doing
that, you are more than welcome to discuss them with me privately. We
can turn any legitimate concern into "showstopper" bugs that will prevent
the release of 1.0 until they are fixed. If you have been following
Java you will notice that the window stuff changed _radically_ between
alpha and pre-Beta. This was in a large part response to what people on
the lists were requiring.
> (b) I saw a lot of stuff regarding these applets and Unix, but what
> if the client machines are pee cees?
> The NT and Windoze 95 weenies are jumping up and down going "oooo neat!"
> I'm still responding "oy vey!" :-)
Interestingly enough the language is the same on PCs as it is on UNIX. It
is still impossible to express a virus in Java, and it is still impossible
to cons up some illegal byte codes and have them executed by the virtual
machine on the other end. If you have any specific concerns I can address
then please feel free to write or post to the java lists.
> I need feedback from anyone who has run or evaluated it with security
> in mind. Besides Sun's propaganda, are there any documents on the net
> I can pick up that comment on it, pro or con?
We at Sun would like your analyses as well. It does everyone a great
disservice to "discover" some hole that we have not and then not tell
us about it. The idea here is to provide a solid, secure, foundation
for doing interactive content. That is why a) Alpha has been so long,
b) we release the source so that *every* question can be answered by
personal investigation if you choose, and c) people like me solicit
> One more important item... can anyone compare and contrast what Sun is
> doing vs. SGI's web stuff for both its technical merit and security?
I'm from Sun so discount this comment but from what I've been able to
gather "SGI's web stuff" consists of some third party ports of bits of
web software and a marketing campaign called "WebForce". If there is
actually anything new or novel in their "stuff" I'd like to know what