1995-10-09 - Re: netscape mail starts java attachments upon get new mail…

Header Data

From: “Josh M. Osborne” <stripes@va.pubnix.com>
To: m5@dev.tivoli.com (Mike McNally)
Message Hash: fd1c249d6877b3661385d0f02565378c8c724d09d800912ae85ab22c84346d69
Message ID: <LAA00780.199510091552@garotte.va.pubnix.com>
Reply To: <9510091458.AA27858@alpha>
UTC Datetime: 1995-10-09 15:53:23 UTC
Raw Date: Mon, 9 Oct 95 08:53:23 PDT

Raw message

From: "Josh M. Osborne" <stripes@va.pubnix.com>
Date: Mon, 9 Oct 95 08:53:23 PDT
To: m5@dev.tivoli.com (Mike McNally)
Subject: Re: netscape mail starts java attachments upon get new mail...
In-Reply-To: <9510091458.AA27858@alpha>
Message-ID: <LAA00780.199510091552@garotte.va.pubnix.com>
MIME-Version: 1.0
Content-Type: text/plain


In message <9510091458.AA27858@alpha>, Mike McNally writes:
>Jack P. Starrantino writes:
> > Given JAVA's i/o capabilities
>
>Java, per se, doesn't have any "I/O capabilities", in the same way
>that neither C nor C++ do.  That said, it is the case that if your
>mail reader allows incoming applets to send mail, you're in for
>trouble.  

As far as I know Java apps can only make network connections to the
IP address they were loaded from.  There may be more restrictions
than that as well.

So if they were going to mail-bomb they would have to hurt the site
that was giving out the Java app (by sending all the mail to it to
be relayed back), and in fact it could be done more effectively with
a "simple" CGI script.

This isn't to say it is infeasible - someone could write a general
purpose Java applet (say something that makes cool looking animated
bullets for lists) that when loaded from a specific IP address/domain
(say www.clueless.org) would then do something bad.  However exactly
who you can harm isn't exactly as broad as I assume "pranksters" would
like, and how badly you can harm them may not be as harmful as
"terrorists" would like, but it seems to be simpler to do than *I*
would like!

OBcrypto: in one of the Java papers I saw a reference to use of RSA
signatures to allow browser users to say things like "I trust Sun
(or Tim May) to write applets that use Foo not to harm me".  It
wasn't in the public release of HotJava because of licensing
constraints.  Any speculation on whether Netscape will (eventually)
support that feature?





Thread