Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Java 7 Deployment Rule Sets, or, I Was Right All Along



On Thu, Sep 26, 2013 at 7:11 PM, Richard Pieri <richard.pieri at gmail.com> wrote:
> Back in the day when Netscape incorporated Java in their flagship product I
> was horrified. Not because of Java per se but because of how Netscape
> implemented it: any Java program would run more or less automatically upon
> load from a web page. This flew in the face of a fundamental security tenet:
> you only run programs that you choose to run. But here was Netscape trying
> to dominate the world with the "convenience" of Java applets right there
> with Sun backing Netscape all the way.
>
> And then Microsoft followed suit with ActiveX.
>
> And then all hell broke lose.

I agree that allowing execution of random "programs" from the web is
of concern, but I wonder how (or if) you differentiate Java/ActiveX
from other random "programs" that your browser might receive.

For example:

1. Javascript
2. Postscript and/or PDF
3. Flash

As I see it, there is a continuum from static "data" to
Turing-complete active "programs".   Probably for both theoretical as
well as implementation reasons, the closer you get to Turing-complete
the harder it is to be secure.  I'm not sure if there is a line which
can be definitely drawn so that we can say "this side is safe" and
"that side is unsafe".   In the end though, a decision must be made
and the process by which one would make make such a decision is more
interesting to me than any particular statement about  a particular
language/implementation.

Your thoughts?

Bill Bogstad



>
> Fast forward to today. Oracle has announced and deployed a security update
> to Java 7 that will once and for all solve the problem of web browsers
> loading and launching rogue programs. It's called Deployment Rule Set and it
> prevents Java from running anything that isn't explicitly allowed by a
> site's administrators.
>
> Java finally has an implicit deny/explicit allow security mechanism, and
> it's about damned time. It only took Sun + Oracle the better part of 20
> years to figure it out.
>
> Bets on how long it will take the black hats to figure out how to bypass it?
>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org