Antonio M. Moreiras wrote:
> Hi Rob. Thank you very much for your comments.
>
> On 03-10-2012 05:53, Rob Janssen wrote:
>> The big problem with that is that this whole concept of "signed applet"
>> has zero value. There is no auditing of the app whatsoever, everyone with
>> a certificate can sign his app and certificates are a dime a dozen.
>> I would for sure never run a signed java app on my system, especially
>> not when it comes from a country with a shady reputation like Brazil.
>> (although that of course is a prejudice)
> Two points here: First, the certificates are cheap, but I think it would
> be difficult for you to buy a valid certificate saying that you are the
> NIC.br. Talking about reputation, NIC.br is the executive arm of the
> Brazilian Internet Steering Committee, that is a multistakeholder
> (government + 3rd sector + private initiative) council, responsible for
> the Internet Governance here. We manage the ccTLD .br. We are the
> Brazilian NIR (distribute the IP addresses in Brazil). We are the
> Brazilian CERT (security) team. We host the Brazilian W3C office. We
> manage 20 Internet Exchange Points in Brazil. We are currently
> incubating the Internet Society Brazilian chapter. So, we have, at
> least, enough good reputation in our country to be trusted by the
> www.ntp.br visitors.
Of course I know that it is (or should be) difficult to get a certificate that
claims to be from you but really isn't. Unfortunately this difficulty is only
proportional to the summed insecurity of the many certificate issuers combined.
There has to be only one issuer that has been broken into, and the whole
certificate system is reduced to worthless.
And this has happened several times already, requiring quick and dirty fixes.

However, that is not my main concern. Even if I know the code has been signed
by nic.br, that tells me nothing about what is inside. Remember I do not know
your organisation from the inside, and I cannot know if you or someone else in
your organisation is really wanting to break into my machine. I recognize that
you are at a NIC organization but what does that tell me about (all) the
employees?

From the outside, Brazil looks like a big cesspool of incompetent Internet
Service providers that flood the world with endless amounts of spam, and do
nothing when alerted at [email protected] or similar. The whois always refers
to a cert.br org that has never returned a response to me on the hundreds of
documented spam complaints I have sent them. It looks like a black hole.
Many mail system operators have given up on dealing with Brazil and just
discard everything that originates from it.
Maybe it is not really related to security incidents (eastern Europe countries
are much much worse in this respect) but the name Brazil just does not give
nice warm feelings when mentioned to network administrators in other countries.
I hope you or your organisation are striving to improve this.
> Back to the idea, you can not trust NIC.br, I can understand and accept
> that. But would you run, for example, a java applet hosted and signed by
> the ISC (the guys that are hosting the ntp public services project)? Or
> by NTP.org? If so, we could go back and discuss the applet functionality,
> that was my original idea. If not, this question leads us to the second
> point: you already run software that is hosted by ISC or NTP.org, I
> think (ntpd, for instance). Would an applet be less secure than a "full"
> software? In which way?
Well, one difference is that the software is distributed with source code.
Although I have no time to investigate every piece of software I run on my
machine at the source code level, I can hope that other people sometimes do
that and alert the world when something is discovered. That will probably not
happen with Java classes that are sent to browsers as bytecode.
> I agree that, from the end user point of view, not having the applets
> running by default, and using a white list approach, or just enabling it
> case by case, is the better alternative.
> But it is very different from not using Java at all.
> Do you think we should just stop using Java applets, and that it is
> wrong to provide an application based on this technology?
I have no problem with people building or using Java applets, as long as they
don't expect me to do the same. So I really don't mind if you continue to use it.
I think that Mouse worded it well: it works fine on an intranet or on a server
where there is no risk that malicious code from people you cannot trust is run
on the machine.
For the internet as it is today, it is not a good idea. At least until they
manage to make it more secure, but that will likely be very difficult.

Rob
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
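The thread above turns on two claims: that a signature only proves which key holder signed the bytes, not what the bytes do, and that an allow-list of specific signers is safer than trusting any certificate a CA will issue. The following script is an added illustration, not code from the NTP pool thread, from NIC.br, or from any of the projects mentioned. It builds a constructed sample JAR in memory, checks each entry against the per-entry SHA-256-Digest attributes in META-INF/MANIFEST.MF (the layout jarsigner writes), and makes an allow/deny decision from a pinned-signer list. The signer fingerprint is a stand-in string; in practice you would read it from the META-INF/*.RSA block with a real tool such as `jarsigner -verify -verbose`, and this example does not verify that PKCS#7 block itself.

```python
"""Manifest-digest check and pinned-signer policy for a JAR.  Added example, not
from the mailing-list thread.  Sample JAR and signer fingerprints are constructed;
no PKCS#7 signature verification is performed (assumption: a real tool such as
jarsigner supplies the signer fingerprint)."""
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

# Constructed sample contents and a constructed pinned-signer list.
SAMPLE_ENTRIES = {
    "ntp/Applet.class": b"\xca\xfe\xba\xbe demo class bytes",
    "ntp/Util.class": b"\xca\xfe\xba\xbe demo helper bytes",
}
PINNED_SIGNERS = {"sha256:PLACEHOLDER-PINNED-SIGNER-FINGERPRINT"}


def sha256_b64(data: bytes) -> str:
    """Base64 SHA-256, the encoding JAR manifests use for digest attributes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_sample_jar(entries: dict) -> bytes:
    """Constructed sample: a JAR whose manifest carries a Name:/SHA-256-Digest:
    section per entry, as jarsigner would write before signing."""
    sections = ["Manifest-Version: 1.0\n"]
    for name, data in entries.items():
        sections.append(f"Name: {name}\nSHA-256-Digest: {sha256_b64(data)}\n")
    manifest = "\n".join(sections).encode("utf-8")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> SHA-256-Digest from the manifest's per-entry sections."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif line == "":
            name = None  # blank line ends a section
    return digests


def verify_manifest_digests(jar_bytes: bytes) -> dict:
    """Return {entry: bool}.  An entry missing from the manifest is False: a
    class that no digest covers is exactly what a tampered 'signed' JAR adds."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        expected = parse_manifest(zf.read(MANIFEST).decode("utf-8"))
        for info in zf.infolist():
            if info.filename == MANIFEST or info.filename.endswith("/"):
                continue
            actual = sha256_b64(zf.read(info.filename))
            result[info.filename] = expected.get(info.filename) == actual
    return result


def tamper(jar_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Rewrite one entry while leaving the manifest untouched, to show that the
    digest check catches a modified entry."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


def decide(jar_bytes: bytes, signer_fingerprint: str, pinned_signers: set) -> str:
    """Allow-list policy: run only JARs whose bytes match the manifest AND whose
    signer key was pinned in advance.  'Some CA vouched for the name' is not a
    criterion, so a certificate mis-issued by any one CA gets no pass.  Even an
    'allow' says nothing about what the code does; it only says who signed it."""
    if signer_fingerprint not in pinned_signers:
        return "deny: signer not on allow-list"
    if not all(verify_manifest_digests(jar_bytes).values()):
        return "deny: contents do not match manifest"
    return "allow: integrity and signer verified (says nothing about behaviour)"


if __name__ == "__main__":
    jar = build_sample_jar(SAMPLE_ENTRIES)
    print(verify_manifest_digests(jar))
    print(decide(jar, next(iter(PINNED_SIGNERS)), PINNED_SIGNERS))
    print(decide(tamper(jar, "ntp/Util.class", b"changed"), next(iter(PINNED_SIGNERS)), PINNED_SIGNERS))
```

The policy deliberately keys on a pinned signer fingerprint rather than on "any certificate that chains to a trusted CA", which is the distinction Rob's point about a single compromised issuer rests on; the digest check is the part of a signature that actually binds bytes to the signer, and passing it is a precondition for running the code, not evidence that the code is benign.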