On Thu, Sep 26, 2013 at 7:11 PM, Richard Pieri <richard.pieri at gmail.com> wrote:

> Back in the day when Netscape incorporated Java in their flagship product I was horrified. Not because of Java per se but because of how Netscape implemented it: any Java program would run more or less automatically upon load from a web page. This flew in the face of a fundamental security tenet: you only run programs that you choose to run. But here was Netscape trying to dominate the world with the "convenience" of Java applets right there with Sun backing Netscape all the way.
>
> And then Microsoft followed suit with ActiveX.
>
> And then all hell broke loose.

I agree that allowing execution of random "programs" from the web is of concern, but I wonder how (or if) you differentiate Java/ActiveX from other random "programs" that your browser might receive. For example:

1. Javascript
2. Postscript and/or PDF
3. Flash

As I see it, there is a continuum from static "data" to Turing-complete active "programs". Probably for both theoretical as well as implementation reasons, the closer you get to Turing-complete the harder it is to be secure. I'm not sure if there is a line which can be definitely drawn so that we can say "this side is safe" and "that side is unsafe". In the end though, a decision must be made and the process by which one would make such a decision is more interesting to me than any particular statement about a particular language/implementation.

Your thoughts?

Bill Bogstad

> Fast forward to today. Oracle has announced and deployed a security update to Java 7 that will once and for all solve the problem of web browsers loading and launching rogue programs. It's called Deployment Rule Set and it prevents Java from running anything that isn't explicitly allowed by a site's administrators.
>
> Java finally has an implicit deny/explicit allow security mechanism, and it's about damned time. It only took Sun + Oracle the better part of 20 years to figure it out.
>
> Bets on how long it will take the black hats to figure out how to bypass it?
>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
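The quoted part of the thread describes Java's Deployment Rule Set as an "implicit deny/explicit allow" mechanism. As an added illustration that is not part of either post, the following Python script embeds a constructed `ruleset.xml` in the schema Oracle's Deployment Rule Set uses (`<ruleset>`, `<rule>`, `<id location="…"/>`, `<action permission="run|block|default"/>`) and evaluates which rule applies to a given applet URL. The matcher is a deliberately simplified model (assumption: exact scheme and host match plus path-prefix match, first matching rule wins, no wildcard-host or certificate-hash handling); the hostnames are constructed placeholders. The point it makes visible is that the set is only deny-by-default because of the final bare `<id />` rule: drop it and an unlisted applet falls back to the JRE's normal prompting behaviour.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed example ruleset.xml (same element/attribute names as Oracle's
# Deployment Rule Set; the hosts are placeholders, not real sites).
RULESET_XML = """<?xml version="1.0"?>
<ruleset version="1.0+">
  <!-- explicit allow: the one internal origin whose applets may run -->
  <rule>
    <id location="https://intranet.example.invalid" />
    <action permission="run" />
  </rule>
  <!-- explicit block for a legacy plain-HTTP origin, with a user-visible message -->
  <rule>
    <id location="http://legacy.example.invalid" />
    <action permission="block">
      <message>Plain-HTTP applets are not allowed.</message>
    </action>
  </rule>
  <!-- catch-all: an <id/> with no attributes matches every applet. Without this
       final rule an unmatched applet gets the JRE's default processing, so this
       rule is what makes the policy deny-by-default. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by policy: not on the allow list.</message>
    </action>
  </rule>
</ruleset>
"""


def parse_ruleset(xml_text):
    """Turn ruleset.xml into an ordered list of {location, permission, message}."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("rule"):
        ident = rule.find("id")
        action = rule.find("action")
        msg = action.find("message")
        rules.append({
            # None means "no location constraint", i.e. the rule matches any applet
            "location": ident.get("location") if ident is not None else None,
            "permission": action.get("permission"),
            "message": msg.text.strip() if msg is not None and msg.text else "",
        })
    return rules


def location_matches(pattern, url):
    """Simplified matcher (assumption): scheme and host must be equal and the
    applet's path must start with the rule's path. Oracle's real matcher also
    supports wildcard hosts and port handling, which are omitted here."""
    p, u = urlsplit(pattern), urlsplit(url)
    if p.scheme != u.scheme or p.hostname != u.hostname:
        return False
    return (u.path or "/").startswith(p.path or "/")


def decide(rules, url):
    """First matching rule wins. No match at all means the JRE's default
    processing (its usual security prompts), not a block."""
    for rule in rules:
        if rule["location"] is None or location_matches(rule["location"], url):
            return rule["permission"], rule["message"]
    return "default", ""


if __name__ == "__main__":
    rules = parse_ruleset(RULESET_XML)
    for url in ("https://intranet.example.invalid/apps/payroll.jnlp",
                "http://legacy.example.invalid/old.jnlp",
                "https://unknown.example.invalid/x.jnlp"):
        print(url, "->", decide(rules, url))
    # Same unknown origin, but with the catch-all rule removed:
    print("no catch-all ->", decide(rules[:-1], "https://unknown.example.invalid/x.jnlp"))
```

In a real deployment the `ruleset.xml` is packaged into a `DeploymentRuleSet.jar` signed with a certificate the client JRE trusts and installed system-wide; the script above only models how the rules are evaluated, which is enough to check that a proposed rule set really ends in a catch-all block rather than silently falling through to default handling.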