Ian G writes: > By way of comparison, in the same time frame, > my company chose Java for desktop clients for > security reasons, and even though our result is > much more secure and robust, we can't get people > to install Java without violence or blackmail, so > much so that Java on the desktop is pretty much > a failure for commercial purposes.
Java has severe performance issues and some functionality issues, and it's no more secure than C/C++. You cannot secure software just by using a particular programming language; you can only secure it by hiring good programmers. > OK, but practically, I don't see what can be done > about it. Buffer overflows are very hard to detect, > outside and before the case. Before the case they are easy to avoid, by proper coding. They are very difficult to detect in a non-human way, but human programmers with even a modicum of competence can avoid running into them just by writing their software carefully. It's possible to reduce the effects of buffer overflows by writing compilers that fully separate code and data (including on the stack), but nobody seems to be doing that. With a separate code and data stack, it's virtually impossible for any overflow of a data buffer to compromise code. But when you push everything on the same stack, you have a problem. Some languages and compilers overuse the stack, too (including C/C++). -- Anthony _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security