1995-11-01 - Please send cash

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: cypherpunks@toad.com
Message Hash: e4ba8edabda19725a4e085a7565ed1714fb6a9cd470b89bd1b9dfb83b75a5b92
Message ID: <9510312359.AA21087@all.net>
Reply To: N/A
UTC Datetime: 1995-11-01 00:31:24 UTC
Raw Date: Wed, 1 Nov 1995 08:31:24 +0800

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Wed, 1 Nov 1995 08:31:24 +0800
To: cypherpunks@toad.com
Subject: Please send cash
Message-ID: <9510312359.AA21087@all.net>
MIME-Version: 1.0
Content-Type: text


I just picked this up from the Risks forum:

> Date: Mon, 30 Oct 1995 16:14:59 -0500
> From: Drew Dean <ddean@CS.Princeton.EDU>
> Subject: HotJava 1.0 alpha 3 security issues
> 
> We have found several security problems in the 1.0 alpha 3 release of
> HotJava from Sun Microsystems.  The two most important problems are that
> HotJava does not enforce the stated limits on where an applet can connect to
> (an applet can talk to any place with which you have IP-level connectivity),
> and HotJava is vulnerable to a man-in-the-middle attack, where someone can
> watch your web-surfing, both seeing your requests, and the content that you
> receive.

Two of the Java attacks I outlined in this forum and got abuse for.

> While HotJava prevents applets from actively opening connections that
> violate the user-selected security policy, it allows an applet to accept
> connections from anywhere.  At this point, an applet only has to use any one
> of a number of channels to communicate where it is, and have the remote end
> do the active open.
> 
> HotJava also allows an applet to set the proxy servers that the browser
> uses.  This opens up a huge hole for anyone concerned about the privacy of
> their web surfing.

Attacks 31-49 work here.

> Please note that these bugs are specific to the 1.0 alpha 3 release, and are
> _not_ bugs in the Java language itself, nor do they apply to Netscape 2.0
> beta 1J, which doesn't permit network connections.  We have notified Sun of
> these problems, and are presently writing a paper on these and other issues.
> We will make more information available on our Web page after we hear back
> from Sun.

Drat - Sun doesn't offer awards.

> 
>     http://www.cs.princeton.edu/~ddean/java/
> 
> Drew Dean				Dan Wallach
> ddean@cs.princeton.edu			dwallach@cs.princeton.edu

Inquiring minds want to know.

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236





Thread