Local file access change with new Java update
Mario Torre neugens.limasoftware at gmail.com
Thu Jul 11 06:43:10 PDT 2013
2013/7/11 Gregg Wonderly <gregg at wonderly.org>:
> It seems rather unfortunate that obscurity is being pushed as a form of security. It isn't, that's why security problems are discovered in the field. You can't obscure problems forever. The subtle implication is that "file:" urls are treated specially by the security manager, in applet mode, compared to network based urls.

This is not really security-by-obscurity. The security patch is out, everybody can study it. I'm also sure you can find enough information if you know where to search. Nobody really hopes that not sharing the security details will prevent people from exploiting the unpatched systems. The only reason why details are not discussed in public is to not make it too easy for people to reproduce the issue. Sometimes you also have NDA or other legal matters preventing you from a public discussion. Note, I'm not saying this is the case for this patch, just saying this is how things work usually.
Can security be handled better? Yes, probably. But the discussion on how to improve it should be moved to the Governing Board in my opinion. If you want to have your voice heard, join the Java Community and participate; criticism is welcome, as long as it's constructive.
Cheers,
Mario

pgp key: http://subkeys.pgp.net/
PGP Key ID: 80F240CF
Fingerprint: BA39 9666 94EC 8B73 27FA FC7C 4086 63E3 80F2 40CF

IcedRobot: www.icedrobot.org
Proud GNU Classpath developer: http://www.classpath.org/
Read About us at: http://planet.classpath.org
OpenJDK: http://openjdk.java.net/projects/caciocavallo/
Please, support open standards: http://endsoftpatents.org/