Comment on applet security model.

Steve Chaffin (schaffin@netwizards.net)
Wed, 14 May 1997 14:37:53 -0700

Date: Wed, 14 May 1997 14:37:53 -0700
Message-Id: <199705142137.OAA22670@news.netwiz.net>
To: java-security@web2.javasoft.com
From: Steve Chaffin <schaffin@netwizards.net>
Subject: Comment on applet security model.

Hi!

I wanted to pass along a security-related observation to you. I don't
claim much expertise in this area, so I'll apologize in advance if this
mail is naive.

Java applet security discussions have focussed, unsurprisingly,
on demonstrating that internet clients can safely download and execute
live content from Web pages. Since clients, by their nature, are actively
retrieving content from the net, they were (and are) intrinsically
vulnerable to attack. Net servers, by contrast, have always been
relatively secure because they are only sources of content and do
not have to receive information from the net.

A consequence of the applet security model that I have not heard
discussed, however, is that it would seem to apply as well to servers as it
does to clients. What I mean by this is that with Java it becomes
feasible to envision net protocols through which a server could receive
unsolicited live objects (applets) from a client with the intent that the
server would be willing to execute them. The applet security model would
protect the server from adverse consequences just as it does the client.

While I don't have any well-developed examples to cite of how this
might be used, it seems to me that this would represent a useful
capability of the net that was not previously feasible. This is
particularly true given that a server receiving Java applets could use
introspection to decide how to treat them.

Apart from just passing this along, I am curious as to whether this
makes sense, and has been discussed.

If this suggestion is valid, there is a related observation that I
believe is significant. If you assume that there are useful applications
where sending unsolicited live content to a server would be valuable, then
it is likely that such applications could not reasonably rely on a security
model based on authentication of digital signatures. In this scenario, the
Java applet security model would work just fine, but an authentication-based
model, such as ActiveX, would not be workable at all.

Regards,

Steve Chaffin

Steve Chaffin
E-Mail: schaffin@softivity.com
Phone: (408) 257-2179
Company: Softivity