Firewall Wizards mailing list archives
signing applets a solution? Never!
From: Hal <hal () mrj com>
Date: Tue, 2 Dec 1997 10:38:09 -0500
We are seeing a big upswing in the use of applets of all kinds but we have almost no way to control them short of shutting the gate and we can't do that anymore. Some people say signing is the solution but I see real problems with that. One was mentioned by someone on this list a few days ago, namely hacking in to get at a company's signature. But, I worry more about getting an applet, not signed by a well-known company which may have been potentially hacked, rather from a company I've never heard of. A signature only provides authentication and integrity. It doesn't say a thing about reliability. Anyone with a few bucks and a BNL number can potentially get an authoring certificate. As it now stands, signed applets are seriously flawed and unsafe.

That aside, I am interested in separating good applets from bad ones at the firewall. Relying on the (flawed) applet signature schemes, is it possible to check signatures fast enough so that the firewall doesn't need a high end SGI box or special signature hardware? The alternative or decentralized approach (favored by the signed applet crowd) is to let each browser in a protected network make its own decision. Excuse me, but doesn't experience show that that's not real smart?

There are proposals (W3) incorporating something like the web of trust for an applet so you can at least see if the author is thought reliable by someone you trust to say so. But that leaves the second problem of speed. These tasks may just be asking too much from a firewall.