Java/JavaScript security
Daniel Albano (1)
danielt1 at nypl.north-york.on.ca
Mon Oct 28 17:22:41 EST 1996
On Mon, 28 Oct 1996, Prentiss Riddle wrote:
> My non-expert understanding is that Java is both more troubling and
> more powerful than JavaScript. There are two important classes of
> problems with Java (and maybe with JavaScript): implementation bugs
> and fundamental design problems. The bugs may all come out in the wash
> as browser vendors tighten their code, but if there are underlying
> design problems they may never be solved. The experts are still
> debating.
>
> Meanwhile, the bugs in Netscape and other browsers are still fresh
> enough that neither I nor the sysadmins at my institution are willing
> to encourage general use of Java or JavaScript. Your opinion may
> differ from ours.
Generally, it seems that professional opinion, on the part
of sysadmins and security experts, is that browsers and, to
some extent, HTTP servers are "dangerous" software that
is vulnerable to subversion and attack. Certainly browsers
implementing Java and JavaScript have obvious potential for
breaking system security.
Some weaknesses are documented by CERT; but CERT doesn't seem
to like announcing specific problems until a fix is available.
Depending on how long it takes, a weakness known in the
cracker community may not appear on CERT for months.
--
Daniel Albano daniel at nypl.north-york.on.ca
Computer Services +1 416 395 5907
"Views expressed are those of the author and do not necessarily reflect
the position of the North York Public Library."