Alex Strasheim writes:
> One thing that I'm sort of fuzzy on is whether or not you feel that this is a problem specific to this one group of products (Java) or if it's a problem with the general idea of grabbing and running applets indiscriminately in a protective environment.
I believe that it is possible to design environments in which you can safely run applet-like things. However, 1) I am not sure that such an environment is needed for most of what Java does in the Netscape environment, so given the dangers I'm not sure the price is worth paying, 2) Java does not possess the characteristics such an environment needs, and 3) it is pretty clear that much of what the Java designers want to do could not be done in such an environment.
> Right now, as near as I can tell, we have two major security complaints with Java's design. The first is Perry's point (which I might be munging), that there isn't enough redundancy in the security to protect us if and when human error creeps in. The second is that a rigorous formal analysis of the language hasn't been performed, and that the language as it is currently constituted doesn't lend itself to such an analysis.
I would very much prefer a language whose security did not require such analysis. Java, sadly, does require such an analysis because it requires perfect implementation for its security model to work. In a restricted execution environment that was designed with defense in depth in mind, such an analysis would be a bonus, but not strictly required.

Perry