[Home]
[Edit this page]
[Recent Changes]
[Special Pages]
[Help]
Java Security
JAVA SECURITY
Is Java secure?
Nothing in life is completely secure; Java is no exception. Several specific security problems have been discovered and fixed since Java was first released. If you're using an up-to-date Web browser, you are usually safe against the known attacks. However, nobody is safe against attacks that haven't been discovered yet.
If somebody says Java is safe because hackers aren't smart enough to exploit the problems, don't believe them. We're disappointed that some people who should know better are still spouting this nonsense.
Other Web ``scripting'' tools such as JavaScript, Visual Basic Script, or ActiveX face the same sorts of problems as Java. ``Plug-in'' mechanisms provide no security protection. If you install a plug-in, you trust that plug-in to be harmless.
What are the risks?
There are two classes of security problems: nuisances and security breaches. A nuisance attack merely prevents you from getting your work done - for example it may cause your computer to crash. Security breaches are more serious: your files could be deleted, your private data could be read, or a virus could infect your machine.
If you are the victim of a security breach, any data stored on your machine may be read or corrupted by a bad guy. If you've got important company secrets on your computer, maybe you should surf the net on another machine.
In the future, your computer may be able to digitally sign documents that are legally binding, just like your paper signature. Your computer may also be able to spend your money. In a world like that, security becomes even more important than it is right now.
How common are security breaches?
So far, there have been no publicly reported, confirmed cases of security breaches involving Java, though there have been some suspicious events that might possibly have involved Java security problems. Of course, the lack of reported cases is no guarantee that there haven't been breaches that either weren't discovered or weren't reported. But it does indicate that breaches are rare.
Who is at risk?
You're at risk if you're running a Java-enabled browser and you visit a Web page written by a person you don't know or don't trust. Since the two most common browsers, Netscape Navigator and Microsoft Internet Explorer, are Java-enabled, most people surfing the Web are at risk.
How can I protect myself?
If you maintain sensitive data on your computer that you think an unscrupulous adversary might want, you should disable Java and JavaScript, as well as not installing plug-ins, except from well-known vendors. If you don't disable Java or JavaScript, think twice before visiting a Web site belonging to a person you don't know or don't trust. Of course, some people will be perfectly happy just living with the risk.
You can reduce the damage caused by a potential security breach by taking common-sense precautions like backing up your data frequently and keeping sensitive data off your Web-surfing machine.
What about products that claim to detect malicious applets?
We are skeptical about these products. They probably can't hurt, but don't let yourself get a false sense of security from using them.
Won't digital signatures solve all of the problems?
No, they'll only help a little. Digital signatures let you know who wrote an applet, but they don't help you decide whether you can trust the author.
Is this problem ever going to go away?
No. Security will always be an issue with any network software. As long as vendors are racing their products out the door and adding new functionality with each and every release, you can expect security bugs will always exist. Writing crash-proof software is hard. Writing secure software is even harder.
Which is more secure: Java or ActiveX?
This is a complicated question with no simple answer, so we wrote a separate FAQ about it.
Which is more secure: Netscape Navigator or Microsoft Internet Explorer?
In our judgement, the latest versions of the two browsers offer roughly comparable levels of security.
Which version of my browser should I use?
Generally, the latest version is the safest. Be sure to regularly check your browser vendor's Web pages for announcements of new versions. Look carefully - the announcements are not always prominent.
What about "hostile applets"?
This is a general term for Java applets (programs) that exploit security bugs. There are some pages on the Web that demonstrate, with appropriate warning messages, some hostile applets. The applets we've seen are nuisance attacks rather than damaging attacks.
What about JavaScript?
Java and JavaScript, despite the similarity of their names, are not related. (Isn't marketing wonderful?) JavaScript has its own security problems, so you may also want to disable JavaScript.
[Edit this page] [Page history] [What links here] [Discuss this topic] [Printer Friendly]
Java Security
JAVA SECURITY
Is Java secure?
Nothing in life is completely secure; Java is no exception. Several specific security problems have been discovered and fixed since Java was first released. If you're using an up-to-date Web browser, you are usually safe against the known attacks. However, nobody is safe against attacks that haven't been discovered yet.
If somebody says Java is safe because hackers aren't smart enough to exploit the problems, don't believe them. We're disappointed that some people who should know better are still spouting this nonsense.
Other Web ``scripting'' tools such as JavaScript, Visual Basic Script, or ActiveX face the same sorts of problems as Java. ``Plug-in'' mechanisms provide no security protection. If you install a plug-in, you trust that plug-in to be harmless.
What are the risks?
There are two classes of security problems: nuisances and security breaches. A nuisance attack merely prevents you from getting your work done - for example it may cause your computer to crash. Security breaches are more serious: your files could be deleted, your private data could be read, or a virus could infect your machine.
If you are the victim of a security breach, any data stored on your machine may be read or corrupted by a bad guy. If you've got important company secrets on your computer, maybe you should surf the net on another machine.
In the future, your computer may be able to digitally sign documents that are legally binding, just like your paper signature. Your computer may also be able to spend your money. In a world like that, security becomes even more important than it is right now.
How common are security breaches?
So far, there have been no publicly reported, confirmed cases of security breaches involving Java, though there have been some suspicious events that might possibly have involved Java security problems. Of course, the lack of reported cases is no guarantee that there haven't been breaches that either weren't discovered or weren't reported. But it does indicate that breaches are rare.
Who is at risk?
You're at risk if you're running a Java-enabled browser and you visit a Web page written by a person you don't know or don't trust. Since the two most common browsers, Netscape Navigator and Microsoft Internet Explorer, are Java-enabled, most people surfing the Web are at risk.
How can I protect myself?
If you maintain sensitive data on your computer that you think an unscrupulous adversary might want, you should disable Java and JavaScript, as well as not installing plug-ins, except from well-known vendors. If you don't disable Java or JavaScript, think twice before visiting a Web site belonging to a person you don't know or don't trust. Of course, some people will be perfectly happy just living with the risk.
You can reduce the damage caused by a potential security breach by taking common-sense precautions like backing up your data frequently and keeping sensitive data off your Web-surfing machine.
What about products that claim to detect malicious applets?
We are skeptical about these products. They probably can't hurt, but don't let yourself get a false sense of security from using them.
Won't digital signatures solve all of the problems?
No, they'll only help a little. Digital signatures let you know who wrote an applet, but they don't help you decide whether you can trust the author.
Is this problem ever going to go away?
No. Security will always be an issue with any network software. As long as vendors are racing their products out the door and adding new functionality with each and every release, you can expect security bugs will always exist. Writing crash-proof software is hard. Writing secure software is even harder.
Which is more secure: Java or ActiveX?
This is a complicated question with no simple answer, so we wrote a separate FAQ about it.
Which is more secure: Netscape Navigator or Microsoft Internet Explorer?
In our judgement, the latest versions of the two browsers offer roughly comparable levels of security.
Which version of my browser should I use?
Generally, the latest version is the safest. Be sure to regularly check your browser vendor's Web pages for announcements of new versions. Look carefully - the announcements are not always prominent.
What about "hostile applets"?
This is a general term for Java applets (programs) that exploit security bugs. There are some pages on the Web that demonstrate, with appropriate warning messages, some hostile applets. The applets we've seen are nuisance attacks rather than damaging attacks.
What about JavaScript?
Java and JavaScript, despite the similarity of their names, are not related. (Isn't marketing wonderful?) JavaScript has its own security problems, so you may also want to disable JavaScript.
[Edit this page] [Page history] [What links here] [Discuss this topic] [Printer Friendly]
