Date: Wed, 7 May 1997 09:39:36 -0700
Message-Id: <199705071639.JAA19198@puffin.eng.sun.com>
From: Marianne Mueller <mrm@Eng>
To: rshen@nestle.ca
Subject: Re: Security of Java

By default, Java applets cannot invoke platform-specific native code,
or load libraries, if they are downloaded into a browser.

There are two ways to get an applet such power (right now.)

1. Install the applet on your local system, in a directory on the
browser's CLASSPATH. This allows the applet full access.

2. Use digital signing, so that a signed applet can be granted
greater access. While this technology is promising, not all the
pieces are in place presently, as the browser companies are not yet
supporting Java signatures in browsers.

Please do check out these web sites for more info on Java security

http://java.sun.com/sfaq/
http://java.sun.com/security/
http://jeeves.javasoft.com/hypermail/java-security-archive/index.html

As for using Castanet, I believe they have their own classloader and
their own security manager and they do go to great lengths to preserve
the applet security model, but, I have not yet used their latest
software so I can't speak directly to that. You should contact
Marimba for info about Castanet (see www.marimba.com)

Thanks,
Marianne

> From: rshen@nestle.ca (Shen, Raymond North York)
> Organization: Nestle Canada Inc.
> Date: Mon, 5 May 1997 14:01:07 -0400
>
>
> I'm the IS Audit Manager at Nestle Canada, rshen@nestle.ca.
>
> We have Netscape 2.01 throughout the company.
> My knowledge of Web security is limited to what I read from the popular
> press. It seems to me that there is a potential threat that needs to be
> either de-mystified or addressed.
>
> It is possible to write Java applets that can call drivers that run
> platform specific code. For example there is a module called "java.sql"
> which is part of Sun's Java 1.1 which interfaces with the "outside
> world". A Javascript can invoke an applet which contains the java.sql
> module. It is possible to mass distribute the applet to all browsers in
> the company using packages such as Marimba Castanet. In the popular
> press they have identified the applet library (Netscape java_30.zip,
> Explorer \windows\java\classes.zip) where anyone can add an applet,
> themselves. They then need to distribute the corresponding platform
> specific driver onto the workstation which will be called.
>
> How much of this is true? As long as a java.sql can invoke a non-java
> module, I see great risks. Are there controls?
>
> For security purposes, I think the integrity of the applet library should
> be checked. Static protection could be a crc file integrity check or a
> centrally controlled version of it. I can imagine a virus that would
> dynamically change reference to the applet library.
>
> Can you please advise? Thank-you.
>
> Raymond Shen
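Raymond's suggestion of a file-integrity check on the applet library, worked through as an added example that is not code from either correspondent: per-entry SHA-256 digests of the class archive are compared against a centrally kept baseline, so that any class added to, removed from or altered in the trusted archive stands out. The archives, entry names and contents below are constructed stand-ins for a real java_30.zip or classes.zip.

```python
import hashlib
import io
import zipfile

# Constructed sample archives standing in for the browser's class library
# (e.g. Netscape's java_30.zip); entry names and contents are hypothetical.
def make_archive(entries):
    """Build a zip archive in memory from {name: bytes} and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(entries.items()):
            zf.writestr(name, data)
    return buf.getvalue()

def entry_digests(archive_bytes):
    """Return {entry name: SHA-256 hex digest of that entry's contents}."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_to_baseline(baseline, current):
    """Diff two digest maps; returns sorted lists of added, removed and modified entries."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    return {"added": added, "removed": removed, "modified": modified}

def check_archive(baseline_bytes, current_bytes):
    """Compare a current archive against the baseline copy kept under central control."""
    return compare_to_baseline(entry_digests(baseline_bytes), entry_digests(current_bytes))

# Baseline: the archive as distributed with the browser (constructed contents).
BASELINE_ARCHIVE = make_archive({
    "java/applet/Applet.class": b"\xca\xfe\xba\xbe baseline Applet",
    "java/sql/DriverManager.class": b"\xca\xfe\xba\xbe baseline DriverManager",
})
# Tampered copy: one class was altered and one unexpected class was added.
TAMPERED_ARCHIVE = make_archive({
    "java/applet/Applet.class": b"\xca\xfe\xba\xbe baseline Applet",
    "java/sql/DriverManager.class": b"\xca\xfe\xba\xbe patched DriverManager",
    "extra/Unexpected.class": b"\xca\xfe\xba\xbe class not in the baseline",
})

if __name__ == "__main__":
    print(check_archive(BASELINE_ARCHIVE, TAMPERED_ARCHIVE))
```

In practice the baseline digests would be computed once from a known-good archive and stored off the workstation, since a check whose baseline sits beside the archive it guards can be rewritten together with it.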