Java/JavaScript security

Prentiss Riddle riddle at is.rice.edu
Mon Oct 28 15:41:33 EST 1996


> From web4lib at library.berkeley.edu  Mon Oct 28 13:37:16 1996
> Date: Mon, 28 Oct 1996 11:38:04 -0800
> From: lhyman at mail.sdsu.edu (Linda Hyman)
> To: Multiple recipients of list <web4lib at library.berkeley.edu>
> Subject: JavaScript security
> 
> >Here at Rice we have Java and JavaScript turned off by default
> >for security reasons.
> 
> I hope that I am not covering old territory and I don't want to start a new
> e-mail war; BUT  what precisely (not rumored) are the security issues for
> JavaScript and the security issues for Java?  Has anyone heard of anything
> actually happening anywhere?

"Actually happening?"  On this front, the security mavens seem to be
half a step ahead of the crackers; the holes I've heard about have been
discovered by the security community rather than the bad guys.

Note that Java and JavaScript are entirely separate entities, which
have similar names more for marketing reasons than for any similarity
between them.

My non-expert understanding is that Java is both more troubling and
more powerful than JavaScript.  There are two important classes of
problems with Java (and maybe with JavaScript): implementation bugs
and fundamental design problems.  The bugs may all come out in the wash
as browser vendors tighten their code, but if there are underlying
design problems they may never be solved.  The experts are still
debating.

Meanwhile, the bugs in Netscape and other browsers are still fresh
enough that neither I nor the sysadmins at my institution are willing
to encourage general use of Java or JavaScript.  Your opinion may
differ from ours.

Here are some probably reliable sources for more information:

    WWW Security FAQ, Q60: Are there any known security holes in Java?
    http://www-genome.wi.mit.edu/WWW/faqs/wwwsf7.html#Q60

    WWW Security FAQ, Q61: Are there any known security holes in JavaScript?
    http://www-genome.wi.mit.edu/WWW/faqs/wwwsf7.html#Q61

    Security bugs in Java
    http://ferret.lmh.ox.ac.uk/~david/java/bugs/

    Princeton Java Security FAQ
    http://www.cs.princeton.edu/sip/java-faq.html

-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle at rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Opinions expressed are not necessarily those of my employer.
