From teg@shell.one.net Thu Dec 28 23:01:39 1995
Path: news.cs.utah.edu!dog.ee.lbl.gov!agate!news.duke.edu!news.mathworks.com!newsfeed.internetmci.com!news.one.net!news.one.net!teg
From: teg@shell.one.net (Jeff Nelson)
Newsgroups: comp.lang.java
Subject: Re: How to bypass NetScape's socket security policy.
Date: 29 Dec 1995 03:27:54 GMT
Organization: OneNet Communications (one.net)
Lines: 19
Distribution: world
Message-ID:
References:
NNTP-Posting-Host: shell.one.net
In-reply-to: gback@lal.cs.utah.edu's message of 28 Dec 1995 22:05:28 GMT

In article gback@lal.cs.utah.edu (Godmar Back) writes:

> the moz2_0.zip patch for NS 2.0b4 is now available for Win32,
>Solaris 2.4, Linux, and HPUX. For more information, see
>
> http://www.cs.utah.edu/~gback/netscape/bypass.html

Before you run out and apply this patch, please consider:

* Security is there for a reason

* With this patch, any applet can make connections to any socket on
  the Internet for any reason, with all the fingers pointing at *you*.

* This is a BROWSER side patch. That means, although you might be able
  to develop and test your cool applets after using this patch, the
  rest of the world won't have the patch so NO ONE WILL SEE THEM!!!

- Jeff

From gback@lal.cs.utah.edu Thu Dec 28 23:35:03 1995
Path: news.cs.utah.edu!news.cs.utah.edu!gback
From: gback@lal.cs.utah.edu (Godmar Back)
Newsgroups: comp.lang.java
Subject: Re: How to bypass NetScape's socket security policy.
Date: 29 Dec 1995 06:32:49 GMT
Organization: University of Utah Computer Science Department
Lines: 58
Distribution: world
Message-ID:
References:
NNTP-Posting-Host: lal.cs.utah.edu
In-reply-to: teg@shell.one.net's message of 29 Dec 1995 03:27:54 GMT

In article teg@shell.one.net (Jeff Nelson) writes:

   In article gback@lal.cs.utah.edu (Godmar Back) writes:

   > the moz2_0.zip patch for NS 2.0b4 is now available for Win32,
   >Solaris 2.4, Linux, and HPUX. For more information, see
   >
   > http://www.cs.utah.edu/~gback/netscape/bypass.html

   Before you run out and apply this patch, please consider:

   * Security is there for a reason

   * With this patch, any applet can make connections to any socket on
     the Internet for any reason, with all the fingers pointing at *you*.

   * This is a BROWSER side patch. That means, although you might be able
     to develop and test your cool applets after using this patch, the
     rest of the world won't have the patch so NO ONE WILL SEE THEM!!!

Jeff,

thank you for pointing out these things. I have added your comments
to the web page. With all the ongoing confusion about what is and what
isn't allowed by NetScape's security policy, it is probably a good idea to
restate those facts.

You are right, it is a browser side patch. If it weren't, I'd probably
be applying for a bounty now ;-)

To my mind, the current situation is that NS 2.0b4 is now configurable,
just as the appletviewer. The "configuration" is a little bit clumsy;
you have to move files and restart NetScape every time; but it works.

While applets exploiting the unrestricted policy can't be used by those who
have not activated the patch, it at least provides a possibility for
those who do not have access to their web server to write socket-based
applets and share them with friends.

So, security is there for a reason, but please let the programmers and
the users of an applet decide what this reason is.

My wish is NetScape treated their users like adults and provided a
dialog to configure security. Actually, if you look at how my patch works,
you'll see that all the provisions are already there.

To be honest, I would even prefer a policy in which *every* connection
would have to be confirmed by the user to the current one.

 - Godmar
--
// Godmar Back (gback@cs.utah.edu)
// University of Utah, Computer Systems Laboratory (CSL)