From: Mike Meyer
Date: Tue, 17 Jul 2001 19:06:30 -0500
To: David Kelly
Cc: questions@FreeBSD.ORG
Subject: Re: ARRGH Netscape stinks!
Message-ID: <15188.54022.876036.338916@guru.mired.org>

David Kelly types:
> On Tue, Jul 17, 2001 at 10:37:48AM -0500, Mike Meyer wrote:
> > JavaScript is a security nightmare. Java isn't quite so bad, but CERT
> > recommends turning them both off. I turn off Flash because I haven't
> > had time to investigate the security issues.
> Uh, don't you have Java and Javascript crossed?

I don't think so. The people at Sun who worked on Java demonstrably thought about the security implications of what they were doing, and dealt with the worst excesses in the design. As a result, Java security problems tend to be bugs in the implementation, with "in violation of security policies" being a common phrase.

JavaScript tends to have bugs along the lines of "we never thought anyone would do that", like sending email to an arbitrary address at page load time, or putting JavaScript in a cookie file then loading the cookie file to get access to the disk. The net result is that JavaScript tends to have nastier bugs than Java.

Of course, I've had both of them turned off pretty much since they were introduced, and base this on watching CERT advisories and a quick check of the CERT site just now. This may not be representative of the problems seen by people who leave those enabled by default.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.