Re: Java plugin

Tom Ball (Thomas.Ball@Eng)
Wed, 24 Feb 1999 15:32:18 -0800 (PST)

Date: Wed, 24 Feb 1999 15:32:18 -0800 (PST)
From: Tom Ball <Thomas.Ball@Eng>
Subject: Re: Java plugin
To: Daniel.M.Socoloff@ny.frb.org

Daniel,

From day one (I'm one of the oldtimers here at JavaSoft), the applet
security model was designed so that the program loading the applet (such as a
browser, appletviewer or plug-in) controlled how severe the restrictions were
in the applet sandbox. HotJava, Navigator (until recently) and IE all allow
a user to give the applet sandbox more capabilities if necessary, as do the
JDK's appletviewer and Java Plug-in. Applets must have appropriate access
permissions to get their work done -- just turning off all non-standard
access hobbles applet development.

For example, a company may consider it safe for their internal-use applets to
refer to other servers on their intranet. In the pre-1.2 security model
(which most applets still work within), the only ways to grant that
permission were either to have the user configure their browser or plug-in
appropriately, or sign the applet and give it all permissions. Both of these
approaches were severely flawed. It's precisely because of the potential for
security abuse and the administrative burden of configuring each browser or
plug-in that the 1.2 security model was created. With it, a signed applet
can ask for and be granted access privileges without configuring the
browser or granting unnecessary privileges.

So why does plug-in still support the 1.1-style of access granting? Because
almost all deployed applets are still based on 1.1 -- breaking existing
applets isn't acceptable. By default, no permissions are granted other
than the documented minimums, so no security holes have been opened by our
distribution. An end-user can open themselves to attack by enabling applet
access to other servers and then roaming untrusted sites, but that's no
different from the 1.1 or even 1.0 security models. Once applet writers
have had a chance to upgrade (say, in the 1.3 timeframe), we'll remove this
feature and applet writers will have to use the 1.2 security model to
request access.

Tom

> Date: Wed, 24 Feb 1999 11:42:55 -0500
> From: Daniel Socoloff <Daniel.M.Socoloff@ny.frb.org>
> Subject: Java plugin
> To: java-security@java.sun.com
>
> I have a question with regards to Java plugin 1.2 (java security patch
> 1.1.6) (java.sun.com/products/plugin/1.2/docs/index.docs.html).
> It appears as if the plugin allows the user to disable one of the most basic
> security controls in the JVM. A java applet is normally allowed to connect
> back only to the server from which it originated, in order to prevent a hostile
> applet downloaded from an internet site from going out and accessing data
> from intranet sites and then sending it back out to the internet.
> Can you tell me if the plugin is safe or not based on this information?
> Thank you,
> Daniel
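The two approaches Tom contrasts in his reply, the pre-1.2 "sign the applet and give it all permissions" workaround and the 1.2 model's scoped grant, can be written side by side as a Java 2 policy file. This is an added illustration, not part of the thread and not Sun's own documentation; the keystore path, the signer alias `intranet-apps`, the `codeBase` URL and the `corp.example` host names are assumptions chosen for the example.

```text
// Added example in java.policy syntax (Java 2 / 1.2 security model).
// Keystore path, the alias "intranet-apps", the codeBase URL and the
// corp.example domain are assumptions, not values taken from the thread.

keystore "file:/etc/java/intranet.keystore";

// The pre-1.2 workaround the reply calls "severely flawed": sign the applet
// and give it everything. Every applet signed with that key, bugs included,
// then runs with full file and network access, so it is left commented out.
//
// grant signedBy "intranet-apps" {
//     permission java.security.AllPermission;
// };

// The 1.2 approach: the same signed code is granted only what it needs
// (HTTP connections to hosts inside the intranet domain) and only when it
// was loaded from the internal applet server. Connections to any other
// host or port, or from code with another origin or signer, still fail the
// SecurityManager check, and the default sandbox rule that an applet may
// talk back to its originating server is unchanged for everything else.
grant signedBy "intranet-apps", codeBase "http://apps.corp.example/-" {
    permission java.net.SocketPermission "*.corp.example:80", "connect";
};
```

A Java 2 runtime reads grants like this from the JRE's `lib/security/java.policy` and the user's `.java.policy` (or a file named with `-Djava.security.policy=`), which is what lets the permission be scoped to one signer, one origin and one destination domain instead of being toggled per browser as in the 1.1 model. The `-` at the end of the `codeBase` URL covers that directory and everything below it; the `*.corp.example` wildcard matches hosts in that domain only, so an applet fetched from an arbitrary internet site receives nothing from this grant.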