On 11/13/06, Erik Moeller <erik(a)wikimedia.org> wrote:
[snip]
> My main question is: Are there security considerations with enabling
> the upload and embedding of Java Applets? According to
[snip]
When I first put up the Java Vorbis player I needed to make a
connection to an outside host (upload.wikimedia.org). Since I don't
have a signing cert I put it up without one, and users had to agree
with an "allow this to 0wn my machine" warning for it to play. In
these first couple of days before I fixed it to run in the sandbox
over 10,000 people allowed their Java to bypass security.
As such I could never support a general proposal for user-submitted Java.
Even ignoring the sandbox breakout issues, the halting problem
ultimately means that we can not determine what arbitrary code will
do... The possibilities for vandalism are endless.. Imagine a little
animation of an atom that turns into dancing penises for ten minutes on
alternate Tuesdays.
> one of the capabilities of applets is to open a connection to the
> originating host. Could this be used, e.g., to create auto-vandalism
> applets and if so, can we somehow protect against it?
Yes. Originate the Java from a host that does nothing but originate
Java... and better yet, as above don't allow arbitrary code.
[snip]
> "non-embeddable" until a sysop flips a switch, so they can be reviewed
> for security? We could add a big fat warning on the file description
> page.
I think you're stepping too far... How about we start off treating
Java like extensions? We can obtain or build some nice general tools
(Java graphers, etc)..
All of this is ignoring the amazing accessibility problems of Java.
Not only will all of this be totally inaccessible to people on low
tech devices and the visually impaired, but a huge amount of our
viewers just don't have Java installed (I posted numbers on this
previously).
Fortunately, we have time to think about this.. Sun's complete Java
suite will not be open-sourced until March 2007...
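The two mitigations discussed in this thread (serve applets only from a dedicated host that does nothing else, and keep uploads "non-embeddable" until a sysop has reviewed them) can be enforced at embed time. The following is an added illustration, not code from this thread or from MediaWiki; the host name `applets.example.invalid`, the `AppletFile` record and the `evil.example` host are assumptions constructed for the example. It also shows why the host check must parse the URL rather than look for a substring: a codebase of the form `http://applets.example.invalid@evil.example/` contains the trusted name but resolves to the attacker's host.

```python
from dataclasses import dataclass
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Assumed: a host whose only job is to originate applet archives, so an
# applet's "connect back to the originating host" capability reaches nothing
# that holds wiki sessions or accepts edits.
APPLET_HOST = "applets.example.invalid"


@dataclass(frozen=True)
class AppletFile:
    """Constructed record for an uploaded applet (assumed, not MediaWiki's)."""
    archive: str     # uploaded file name, e.g. "VorbisPlayer.jar"
    entry: str       # class the applet starts from
    codebase: str    # URL the archive is served from
    reviewed: bool   # the sysop has flipped the "embeddable" switch


def codebase_is_isolated(url: str) -> bool:
    """True only if the archive is served from the dedicated applet host.

    Compares the parsed hostname, not the raw netloc or a substring, so that
    userinfo tricks ("trusted@evil"), odd casing and explicit ports cannot
    make a foreign host look like the applet host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "") == APPLET_HOST


def embed_html(applet: AppletFile) -> Optional[str]:
    """Return the <applet> tag when policy allows embedding, otherwise None.

    Both gates must pass: the file has been reviewed, and its codebase points
    at the isolated host. Attribute values are escaped before being emitted.
    """
    if not applet.reviewed or not codebase_is_isolated(applet.codebase):
        return None
    return '<applet codebase="{}" archive="{}" code="{}"></applet>'.format(
        escape(applet.codebase, quote=True),
        escape(applet.archive, quote=True),
        escape(applet.entry, quote=True),
    )
```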