| 1 |
On Mon, Dec 19, 2005 at 08:12:13PM -0600, John Jolet wrote |
| 2 |
|
| 3 |
> and your pick for client-side portable code is??? |
| 4 |
|
| 5 |
Client-side code is inherently risky. The website is executing a |
| 6 |
program on your machine. It's not that much different from allowing |
| 7 |
people to telnet on to your machine anonymously and run programs. You |
| 8 |
face similar privilege-escalation attacks. And Windows boxes are being |
| 9 |
"administered" (if you can call it that) by computer-illiterate Joe |
| 10 |
Sixpack, not his geeky cousin Joe Sysadmin. |
| 11 |
|
| 12 |
Sure, Java started out from square 1 with a "sandbox" or "Virtual |
| 13 |
Machine". That didn't stop vulnerabilities from showing up in Java. |
| 14 |
Netscape's Livescript (damn the @##holes for renaming it Javascript) |
| 15 |
started off with so little power that the attitude was "Sandbox? We |
| 16 |
don't need no steenkin sandbox.". As Javascript's power grew, that |
| 17 |
decision has come back to bite, especially on Windows, but there have |
| 18 |
been a few multi-platform security bugs. |
| 19 |
|
| 20 |
-- |
| 21 |
Walter Dnes <waltdnes@××××××××.org> In linux /sbin/init is Job #1 |
| 22 |
My musings on technology and security at http://tech_sec.blog.ca |
| 23 |
-- |
| 24 |
gentoo-user@g.o mailing list |
Archives