[Foundation-l] Java becomes Open Source, what next?

Anthony wikilegal at inbox.org
Tue Nov 14 13:13:01 UTC 2006


On 11/14/06, Erik Moeller <erik at wikimedia.org> wrote:
> On 11/14/06, Robert Scott Horning <robert_horning at netzero.net> wrote:
> > Adding my own $0.02 here, this is indeed a bad idea for security issues
> > alone.  I completely agree here with Anthony's sentiments as Java has
> > some very significant security holes that would open up some incredible
> > liability and other problems if used on Wikimedia sites.  The very
> > thought of allowing anonymous users to post Java source code that would
> > be served up through Wikimedia servers..... I can't think of a worse
> > possible problem.  It makes all of the issues with hacking the front
> > page of Wikimedia projects seem very tame and mild by comparison.
>
> We're talking about applets, which have a specific sandbox security
> model. Let's not discuss on the basis of FUD, please.
>
I know a pretty good deal about Java's basic sandbox security model.
I'm pretty rusty, haven't written anything in Java in a couple years,
but the basic concept of the security model probably hasn't changed
that much.

There are two issues here.  The first is that the sandbox security
model is invariably broken from time to time.  The second is that, in
the default browser implementation, the security model relies entirely on
the fact that applets which come from a server were written by an
administrator of that server.

That said, I probably wasn't open-minded enough about this.  Maybe
there's a way to solve problem #2 (and problem #1 will get better over
time).  Hosting the applets on a completely separate webserver?
Probably not good enough, but it might be something to look into.
Providing a static wrapper applet which lowers its security privileges
and then embeds the untrusted class?  More likely to succeed, but
harder to implement.

Just turning on the ability to upload applets would be a really really
bad idea.  But something a little less than that could possibly work.

Anthony
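
The "wrapper which lowers its security privileges" idea from the message above, as an added example that is not part of the original post. It assumes a Java runtime in which the Security Manager is still available (these APIs are deprecated in current JDKs); `LowPrivilegeWrapper` and `runRestricted` are hypothetical names.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Hypothetical wrapper: trusted code that runs an untrusted action with no permissions.
public class LowPrivilegeWrapper {

    // A context with one protection domain holding an empty, static permission set.
    // The two-argument ProtectionDomain constructor means the Policy is not consulted
    // for this domain, so nothing can be granted to it later.
    private static final AccessControlContext NO_PERMISSIONS =
        new AccessControlContext(new ProtectionDomain[] {
            new ProtectionDomain(null, new Permissions())
        });

    // Permission checks made inside 'untrusted' are evaluated against the
    // intersection of the caller's permissions and NO_PERMISSIONS, so they fail.
    static <T> T runRestricted(PrivilegedAction<T> untrusted) {
        return AccessController.doPrivileged(untrusted, NO_PERMISSIONS);
    }

    public static void main(String[] args) {
        // Demo setup (assumption): the wrapper itself is fully trusted.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // The trusted wrapper can read a protected system property.
        System.out.println("wrapper reads user.home: " + System.getProperty("user.home"));

        // The same read, made through the restricted context, is refused.
        try {
            runRestricted(() -> System.getProperty("user.home"));
            System.out.println("untrusted code was NOT restricted");
        } catch (AccessControlException e) {
            System.out.println("untrusted code denied: " + e.getPermission());
        }
    }
}
```

This only limits operations that the Security Manager mediates, so the first issue raised in the message, bugs in the sandbox itself, is not addressed by it.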


