Joseph, Ditto that George

> From: Siri Amrit Kaur
> Subject: Re: OT - Is Java/Java Scripts a Security Risk?
> Date: Sat, 18 Jun 2005 04:06:12 -0700
> Reply-To: plug-discuss@lists.plug.phoenix.az.us
>
> Wow, Joseph, thanks for the information! I've always wondered about
> the differences between Java and JavaScript, and whether or not they
> were safe to allow. This is the best summarization of the subject
> I've ever read. And thanks, too, for the info about Flash. I don't
> even bother to install it.
>
> Siri Amrit
>
> On Thursday 16 June 2005 08:45 pm, Joseph Sinclair wrote:
> > Anytime you allow code to be run on your system you incur risk.
> > The question is how much of a risk that is.
> >
> > Java code run within a browser runs in a "sandbox" where its
> > access to your system is extremely limited. On Windows,
> > unfortunately, it is pretty easy to permit code to extend beyond
> > that sandbox, and many people do so. So long as you NEVER permit
> > Java applets to access resources outside the "sandbox", you're
> > pretty safe. If you're running IE on Windows, there are some
> > designed-in ways to bypass that (especially if you can get a user
> > to accept an ActiveX control), and it's pretty easy to get in
> > trouble. Those bypasses aren't present in Firefox. If you see a
> > message for a Java Applet asking to access your system resources,
> > clicking yes may allow almost anything, and is generally not
> > recommended unless the code is signed, you really trust the signer,
> > and the signature is fully verified. If you're running IE on
> > Windows, it's highly recommended that you browse VERY carefully, or
> > just switch to Firefox. Java also supports a technology called
> > "Web-Start" where a signed Jar file is downloaded and run like a
> > local application. If you are running a Web-Start application,
> > there are no fixed limits to what the application is permitted to
> > do. It is recommended that you run web-start applications only if
> > you're completely certain the publisher is trustworthy, and even
> > then only if you've fully verified the Jar signature.
> >
> > JavaScript is a completely different technology, and has a number
> > of areas where it's known to permit excessive access. This is
> > particularly true with IE on Windows, but IE on Mac is only
> > slightly less dangerous, and even Firefox has a few issues.
> >
> > The most common danger with JavaScript is when it is used to hide
> > malicious activity from a user by, for example, rewriting the text
> > in the address bar to hide a website switch.
> >
> > Linux has far fewer issues with both technologies for 2 reasons:
> > 1) The Linux Architecture is very different from Windows,
> > and most malicious threats are not currently designed to handle
> > Linux. Many fail quietly, many others cause something obviously
> > strange to happen. 2) Even if code is written to work on Linux, the
> > design of the system is such that most user accounts are very
> > limited in what they can do (unless you're running as root, in
> > which case you must be utterly insane to be running a browser
> > session). So long as you're following recommended practice for a
> > Linux system (very few sudoers, root login disabled, etc...) you
> > shouldn't have too many problems.
> >
> > I generally leave both Java and JavaScript disabled on my system,
> > and only turn them on for sites where they're required, and I am
> > reasonably certain that the site is legitimate. I also have Flash
> > disabled due to its myriad insecure "Features". Various browsers
> > have different ways of handling these items. Firefox has 2 very
> > nice extensions for this: FlashBlock blocks Flash until you click a
> > "play" icon that replaces the Flash image, and PrefBar allows you
> > to place a simple checkbox on your toolbar to turn Java or
> > JavaScript on or off on the fly.
> >
> > Hope this helps.
> >
> > ==Joseph++
> >
> > G Gambill wrote:
> > > is enabling Java and/or Java Scripts a Security Risk on:
> > >
> > > on Windows XP?
> > >
> > > on Linux?
> > >
> > > If so, under what conditions?
> > >
> > > George
> > >
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > To subscribe, unsubscribe, or to change your mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
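Joseph's "recommended practice for a Linux system (very few sudoers, root login disabled)" can be checked mechanically. The script below is an added example, not part of the thread: it reads an sshd_config and a sudoers file given as arguments, reports the effective PermitRootLogin value and the number of privilege rules, and fails when either is outside the limit. The sample files it creates are constructed for the demonstration; the threshold of two rules is an assumption, not a quoted recommendation.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): audit two of the Linux practices
# named in the post, SSH root login disabled and a short sudoers list.

# Effective PermitRootLogin: OpenSSH uses the FIRST uncommented directive,
# so stop at the first match; print "unset" if none (the default then
# depends on the OpenSSH version, so treat "unset" as a finding too).
# Match blocks are not handled by this simplified check.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Count user/group privilege rules in sudoers: skip blank lines, comments,
# Defaults and alias definitions. Files pulled in via @includedir are NOT
# followed, so the count is a lower bound for the real system.
sudoers_rule_count() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
         { n++ } END { print n + 0 }' "$1"
}

# audit_hardening SSHD_CONFIG SUDOERS [MAX_RULES]; exit 0 on pass, 1 otherwise.
audit_hardening() {
    sshd_cfg=$1; sudoers=$2; max_rules=${3:-2}; rc=0
    prl=$(permit_root_login "$sshd_cfg")
    if [ "$prl" != "no" ]; then
        echo "FINDING: PermitRootLogin is '$prl', expected 'no'" >&2; rc=1
    fi
    rules=$(sudoers_rule_count "$sudoers")
    if [ "$rules" -gt "$max_rules" ]; then
        echo "FINDING: $rules sudoers rules, limit is $max_rules" >&2; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not real system files). The commented-out "no"
# must be ignored and the later "no" must lose to the earlier "yes".
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
# PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
EOF
cat > "$tmp/sudoers" <<'EOF'
Defaults env_reset
# local admins
User_Alias ADMINS = alice, bob
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/apt-get
EOF
audit_hardening "$tmp/sshd_config" "$tmp/sudoers" || echo "audit failed (expected for the sample)"
```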