Re: OT - Is Java/Java Scripts a Security Risk?

Author: Siri Amrit Kaur
Date:  
To: plug-discuss
Subject: Re: OT - Is Java/Java Scripts a Security Risk?
Wow, Joseph, thanks for the information! I've always wondered about
the differences between Java and JavaScript, and whether or not they
were safe to allow. This is the best summarization of the subject
I've ever read. And thanks, too, for the info about Flash. I don't
even bother to install it.

Siri Amrit

On Thursday 16 June 2005 08:45 pm, Joseph Sinclair wrote:
> Anytime you allow code to be run on your system you incur risk.
> The question is how much of a risk that is.
>
> Java code run within a browser runs in a "sandbox" where its
> access to your system is extremely limited. On Windows,
> unfortunately, it is pretty easy to permit code to extend beyond
> that sandbox, and many people do so. So long as you NEVER permit
> Java applets to access resources outside the "sandbox", you're
> pretty safe. If you're running IE on Windows, there are some
> designed-in ways to bypass that (especially if you can get a user
> to accept an ActiveX control), and it's pretty easy to get in
> trouble. Those bypasses aren't present in Firefox. If you see a
> message for a Java Applet asking to access your system resources,
> clicking yes may allow almost anything, and is generally not
> recommended unless the code is signed, you really trust the signer,
> and the signature is fully verified. If you're running IE on
> Windows, it's highly recommended that you browse VERY carefully, or
> just switch to Firefox. Java also supports a technology called
> "Web-Start" where a signed Jar file is downloaded and run like a
> local application. If you are running a Web-Start application,
> there are no fixed limits to what the application is permitted to
> do. It is recommended that you run web-start applications only if
> you're completely certain the publisher is trustworthy, and even
> then only if you've fully verified the Jar signature.
>
> JavaScript is a completely different technology, and has a number
> of areas where it's known to permit excessive access. This is
> particularly true with IE on Windows, but IE on Mac is only
> slightly less dangerous, and even Firefox has a few issues.
>
> The most common danger with JavaScript is when it is used to hide
> malicious activity from a user by, for example, rewriting the text
> in the address bar to hide a website switch.
>
> Linux has far fewer issues with both technologies for 2 reasons:
>          1) The Linux Architecture is very different from Windows,
> and most malicious threats are not currently designed to handle
> Linux. Many fail quietly, many others cause something obviously
> strange to happen.
>          2) Even if code is written to work on Linux, the
> design of the system is such that most user accounts are very
> limited in what they can do (unless you're running as root, in
> which case you must be utterly insane to be running a browser
> session). So long as you're following recommended practice for a
> Linux system (very few sudoers, root login disabled, etc...) you
> shouldn't have too many problems.
>
> I generally leave both Java and JavaScript disabled on my system,
> and only turn them on for sites where they're required, and I am
> reasonably certain that the site is legitimate. I also have Flash
> disabled due to its myriad insecure "Features". Various browsers
> have different ways of handling these items. Firefox has 2 very
> nice extensions for this, FlashBlock blocks Flash until you click a
> "play" icon that replaces the Flash image, and PrefBar allows you
> to place a simple checkbox on your toolbar to turn Java or
> JavaScript on or off on the fly.
>
> Hope this helps.
>
> ==Joseph++
>
> G Gambill wrote:
> > is enabling Java and/or Java Scripts a Security Risk on:
> >
> > on Windows XP?
> >
> > on Linux?
> >
> > If so, under what conditions?
> >
> > George
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list -
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss