From: Steve@aztech.net (Stephen P. Gibbons)
To: cypherpunks@toad.com
Message Hash: d5e2871628619734ed4f719955b83dca50ae78ff4d0abb1cbc78f8b91976545f
Message ID: <v01510100ad2f798f0beb@[198.182.221.3]>
Reply To: N/A
UTC Datetime: 1996-01-27 08:32:28 UTC
Raw Date: Sat, 27 Jan 1996 16:32:28 +0800
From: Steve@aztech.net (Stephen P. Gibbons)
Date: Sat, 27 Jan 1996 16:32:28 +0800
To: cypherpunks@toad.com
Subject: Possible Java hack.
Message-ID: <v01510100ad2f798f0beb@[198.182.221.3]>
MIME-Version: 1.0
Content-Type: text/plain
I had a brainstorm this morning, and I think that I may have a possible
hack against Java that might circumvent a few network access policies and
the firewalls that support them.
Looking at the Java APIs it seems pretty likeley to me that when a name to
address lookup is performed, all it does is call gethostbyname() or the
equivilant.
If this is the case (and I don't have a source license at this point, or
even a system that will run Java) there is the possiblility that a sytem
with control of a web server and a DNS server could coerce a Java client
into initiating TCP connections to clients other than the system that
provided the applet (which should be a prohibited behavior, as I read the
specs.)
This is still at the WAG stage, since I don't have access to source code
and have not received confirmation (nor denial) from any of the vendors
that I have contacted, but I'd appreciate feedback (positive or negative)
from the list(s).
FWIW, my WAGs have about an 80% hit ratio, but this is the first that I've
posted without confirmation.
ObCrypto: _When_ will DNS be secured via PKE?
--
Steve@AZTech.Net
Return to January 1996
Return to “Steve@aztech.net (Stephen P. Gibbons)”