RE: techport80


On 17 Sep 2002, at 22:41, Ron W wrote:

> 
> On 17 Sep 2002 Kat wrote:
> 
> >>"Current" is not always good, see the latest java security report on
> >>http://www.vnunet.com/News/1134931 If you have IE 6.x it may be a bit
> >>harder to disable Java, since MS has taken away many of those settings which
> >>allow you to close the backdoors and loopholes. Javascript is even worse. Do
> >>you want to show webpages, or do you want people to open up their computers to
> >>any ole script kiddie? If you require me to breach security on my computers
> >>to see your webpages, let me assure you it's not worth it.
> >>
> >>Kat 
> >>
> 
> Thanks for posting the article on Java security.  Very informative. I 
> would like to point out a few key points about that article and that web 
> page though.  Also I agree with you in the fact that newer isn't always 
> better.  Further, I would like to state that JavaScript is used 
> sparingly on my website and that you can read anything on my site should 
> you choose to turn JavaScript off.  

Strangely, turning it off, *if you can*, doesn't prevent your puter from going 
out to download the latest addons to the scripting languages, as i found out 
the hard way a few months ago. They are downloaded, even if you had 
checked Do Not Run, in case you might want to run them later. The badly 
botched auto-install deleted/corrupted needed files for IE and Explorer. I am 
still missing the proper icon for IE, but that's no problem.

> I'm a professional web developer and 
> would never 'require' you to breach security on your computer to read my 
> website.  The article you pointed to states that Java, shipped with the 
> latest versions of IE, has known security flaws.  And according to the 
> article these flaws are very serious.  But if you make it to the bottom 
> of the article, it points out 2 important facts.  First the JVM in 
> question is a Microsoft 'modified' version of the JVM and not the 
> official Sun version.  Secondly what the article doesn't state is that 
> the latest IE browsers are shipping the antiquated JVM version 1.1.4. 

You said:
The article you pointed to states that Java, shipped with the latest versions 
of IE, has known security flaws.
Secondly what the article doesn't state is that the latest IE browsers are
shipping the antiquated JVM version 1.1.4.

Ok, so if you go get IE6, you get either antiquated code, or buggy code.

> (for more info go to http://zdnet.com.com/2100-1104-937059.html) The 
> latest version 1.4.x by Sun does not have the security flaws mentioned in 
> the article you referred to.  For that matter, neither did Sun's 
> version of Java shipped way back then.  

As was pointed out, the Sun jvm doesn't have the problem. The re-coded MS 
versions do, probably intentionally.

> I don't use any Java on my 
> website though.  But the reason for that is that there is no way for me 
> to know in advance what (if any) version of Java the browser is using.  
> This sad fact is quite unfortunate because Java (by Sun) is a truly 
> great product. 
> 
> You stated that you feel that "JavaScript is even worse." Worse?? Worse 
> than what??  

Java

> JavaScript is safe.  There is very little you can do with 
> JavaScript, as a standalone tool, that is not what it was intended to 
> do.  When combined with other tools, JavaScript poses a little more of a 
> risk, but that risk is minimal.  

I lost a computer to javascript. The bios was written to, and was not 
recoverable or replaceable. The harddrive was corrupted, and i lost a lot of 
material. Javascript is used for redirects, windows that can't be closed, etc 
etc.

> If you know something contrary to what 
> I'm stating here, please point me to your resources so that I can 
> further investigate this matter.  In the meantime, allow me to post a 
> link back to a website I know you trust. 

Please know that i do not have any explicit trust in this or any website. It 
was the handiest url i had when i sent the email.

> http://www.vnunet.com/News/1132579
> http://www.vnunet.com/News/1131845
> http://www.vnunet.com/News/1133109
> 
> The above three links go a long way in pointing to the real security 
> issues a web surfer faces.  And I can assure you, Kat, that these 
> articles are not pointing to CSS, W3C DOM, JavaScript, or 
> http://www.techport80.com for security related issues.

I never accused *you* of security breaches. But i won't open the computer 
anyhow, in case your site is breached, and malicious code installed for me 
to get without your knowledge.

I am sure you can do a diligent web search to discover the counterpoint to 
your argument, if you wanted to.

Kat
