On 11/13/06, Erik Moeller erik@wikimedia.org wrote: [snip]
> My main question is: Are there security considerations with enabling the upload and embedding of Java Applets? According to
> [snip]
When I first put up the Java Vorbis player I needed to make a connection to an outside host (upload.wikimedia.org). Since I don't have a signing cert I put it up without one, and users had to agree with an "allow this to 0wn my machine" warning for it to play. In these first couple of days, before I fixed it to run in the sandbox, over 10,000 people allowed their Java to bypass security.
As such I could never support a general proposal for user-submitted Java.
Even ignoring the sandbox breakout issues, the halting problem ultimately means that we cannot determine what arbitrary code will do... The possibilities for vandalism are endless.. Imagine a little animation of an atom that turns into dancing penises for ten minutes on alternate Tuesdays.
> one of the capabilities of applets is to open a connection to the originating host. Could this be used, e.g., to create auto-vandalism applets and if so, can we somehow protect against it?
Yes. Originate the Java from a host that does nothing but originate Java... and better yet, as above, don't allow arbitrary code.
> [snip]
> "non-embeddable" until a sysop flips a switch, so they can be reviewed for security? We could add a big fat warning on the file description page.
I think you're stepping too far... How about we start off treating Java like extensions? We can obtain or build some nice general tools (Java graphers, etc.)..
All of this is ignoring the amazing accessibility problems of Java. Not only will all of this be totally inaccessible to people on low-tech devices and the visually impaired, but a huge amount of our viewers just don't have Java installed (I posted numbers on this previously).
Fortunately, we have time to think about this.. Sun's complete Java suite will not be open-sourced until March 2007...
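The mitigation the reply proposes (serve applets from a host that does nothing but serve applets) works because a sandboxed applet may only open network connections back to the host it was loaded from, so what matters is whether that host receives the wiki's session cookies. The following is an added example, not code from the email or from Wikimedia: a small Python check that takes an applet's codebase URL and a list of cookie domains and reports whether the origin is isolated from the session. The cookie domains and host names are constructed assumptions, not real Wikimedia configuration.

```python
from urllib.parse import urlsplit

# Constructed assumption: the domains for which the wiki sets session cookies.
# Real deployments must substitute their own cookie scopes.
SESSION_COOKIE_DOMAINS = ["en.wikipedia.org", ".wikimedia.org"]


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: a cookie scoped to `cookie_domain` is sent to
    `host` when the host equals the domain or is a subdomain of it.  The
    explicit "." prefix prevents "evilwikimedia.org" from matching."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def applet_origin_host(codebase_url: str) -> str:
    """The host an applet is loaded from is the only host the sandbox lets it
    reach, so it is the host whose cookies decide whether the applet could
    act as the logged-in user."""
    return (urlsplit(codebase_url).hostname or "").lower()


def is_isolated_origin(codebase_url: str, cookie_domains=SESSION_COOKIE_DOMAINS) -> bool:
    """True only when the applet's origin host receives none of the session
    cookies; an unparsable URL is treated as not isolated."""
    host = applet_origin_host(codebase_url)
    if not host:
        return False
    return not any(domain_matches(host, d) for d in cookie_domains)


def review_codebases(urls, cookie_domains=SESSION_COOKIE_DOMAINS) -> dict:
    """Map each codebase URL to whether its origin is isolated from the session."""
    return {u: is_isolated_origin(u, cookie_domains) for u in urls}


# Constructed sample codebase URLs (not real applets).
SAMPLE_CODEBASES = [
    "https://en.wikipedia.org/applets/player/",     # same host as the wiki: shares cookies
    "https://upload.wikimedia.org/applets/player/", # inside the .wikimedia.org cookie scope
    "https://applets.example.invalid/player/",      # dedicated applet host: isolated
]

if __name__ == "__main__":
    for url, ok in review_codebases(SAMPLE_CODEBASES).items():
        print("isolated     " if ok else "NOT isolated ", url)
```

Note that isolating the origin only addresses the cookie-bearing "auto-vandalism" path; it does nothing about the sandbox-breakout or arbitrary-code concerns raised earlier in the reply, which is why the email pairs it with "don't allow arbitrary code".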