Hi Samuel!

14 Apr 2002, "Samuel W. Heywood" <[EMAIL PROTECTED]> wrote:

 >> SH> I am aware of some web sites that have online Java Applets being
 >> SH> Telnet clients which are purportedly very useful for connecting
 >> SH> to Telnet services.  I hesitate to use any one of those Java
 >> SH> Applet Telnet programs because of security concerns.
 >> Java has a big advantage ... it runs on the client side.
 SH> Thanks for explaining.  So the applet is just downloaded like
 SH> any other executable program and then Windows automatically runs
 SH> it in your own machine, right?
Not completely ...
your machine can't run Java Bytecode natively ...
So it starts the Java VM which is built into the browser and this executes
the Applet.
The Java VM has _extremely_ strict security measures.

E.g. the applet can by default only make a connection to the host from
which you have loaded it.
So if it wants to make a connection to another host, the browser's VM will
ask you if this is OK.

 SH> You don't have a chance to scan it for virii first.
Viruses are so common because of crappy system design from M$ in DOS and
Windows.
You are logged in always as root (because there is only the mighty root
user ... who can do everything)

I don't see a way a Java applet could transmit viruses.
It would have to ask if it wants to have a look at your filesystem.

 SH> Can a Java Applet have a virus, as well as other kinds of malicious
 SH> code?
IMHO nope ... no virus
but as explained it could do more than you think it does:
eg you load a ssh applet from host a to connect to host b.
Java asks you if the applet is allowed to make connections to hosts other than
that from which it loaded. You say yes, and are connected to host b,
naturally the applet could transmit everything to host c ...
just like arachne or IE could.

 SH> The problem with all things suspicious is that one does not know if
 SH> they are malicious.  Hence the intense psychological need for one to
 SH> cultivate and nurture his paranoid instincts.
But _ALL_ programs are suspicious if you don't have the source and look it
through carefully :)

The SSH applet I use does not have that problem, because it connects to my
host, and loads from my host.
So it does not have to ask me, because it transmits to the host it got
loaded from, and I would see if it wanted to transmit to another host.

 >> _BUT_ the biggest security risk is telnet itself.
 >> It transmits and receives in CLEAR !!! (ie not encrypted)
 >> So you don't need a malicious program to read the session !
 SH> Don't most POP3 email clients also transmit passwords in the clear
 SH> upon contacting the server?
This is why pop3s has been created (btw. also simap exists)

[ricsi@ricsi ricsi]$ cat /etc/services |grep pop3s
pop3s           995/tcp                         # POP-3 over SSL

 SH> Doesn't one have to be a highly advanced geek in order to sniff
 SH> passwords?
Not really ...
but you need access to a computer where the traffic gets routed through.

 SH> Who would be interested in getting into my email anyway?
Who knows :)

 SH> I am not a politician involved in an affair with an intern and I am
 SH> not involved in any illegal conspiracies and I don't use email to talk
 SH> with suspicious and corrupt and sinister people such as lawyers.
But who knows this _BEFORE_ reading your mail :)))

 >> Use SSH (secure shell) instead.
 >> It is a "encrypted telnet" which offers scp/sftp capabilities.
 >> scp is a secure version of rcp (remote copy)
 >> sftp -> secure ftp
 SH> I have heard about that but I don't know how to use it.
simply take telnet hostname
and instead replace telnet with ssh voila !!!
(first you have to download a ssh client naturally)

 SH> There is a nice Telnet program that comes with BasicLinux, an
 SH> operating system that I am using from time to time and slowly learning
 SH> more about.
I don't know any linux distribution which would leave out ssh.
simply try ssh hostname

(ps: the first time you will be asked if you accept the host's key ... and
yes ... you do :))

 SH> Do you know if I can do SSH with the Telnet program that
 SH> comes with BasicLinux?
you can't, but you can with the ssh client which comes with linux.
And if this special distribution does not have ssh -> take a look at
another one.

 >> if you don't trust those applets in the wild, download an applets
 >> from a secure source and install it into a free webspace provider.
 SH> This sounds like an excellent idea.  Can you recommend a trustworthy
 SH> applet?  When I perform some google searches to look for Telnet
 SH> applets I find that many of them have been GNU'd.  I don't know how
 SH> they have been altered.
I don't use telnet.
Actually the university has closed down ftp/telnet just in case somebody
would still want to use it. (but they have not closed pop3 :))) but pop3s
is operational as well)

I can send you the ssh applet I use via mail.

 >> Maybe you mixed it up with M$ active-x ??
 >> This has absolutely _NO_ security measures !!!
 SH> Yes, most people including myself think of M$ active-x as just being
 SH> just another term for Java.  Are we very badly mistaken?
EXTREMELY !!!

Java is platform independent.
ActiveX runs only on windows, and only in M$ IE.
Java has extremely strict security measures.
ActiveX has _NONE_ !!!

And sadly both are proprietary :((((

 SH> The reason why I don't know much about M$-Window$ topics is that I
 SH> always avoid using Window$ as much as I can.
Java is no windows topic.
This is one of the BIG advantages.
You write a JAVA applet/application and you can use it as is on many OSes
and computer architectures.
This is the opposite of windows.

 >> SH> Do we know what these Telnet Java Applets do?  Are they safe?
 >> It depends ... (usually yes but unless you have not read the source
 >> you can never know what it does) This is completely independent of
 >> the programming language.
 SH> Doesn't Java have its own programming language?
Java _IS_ a programming language.

I was referring to the fact that if you have an executable you can't know what it does,
unless you have compiled it yourself from source that you have inspected
first.
And that it makes no difference if the executable is a C program or java
bytecode.

 >> If you want I can send you the applet in private mail.
 SH> If you think I can figure out how to use this SSH thing without having
 SH> to climb a steep learning curve, please send it to me.
OK ... I'll send it ...

I have just tried it ... with this special applet, you can _ONLY_ connect
to the host from which you have loaded it.
But it can also do telnet.

So if you have webspace on a host that also offers you ssh/telnet access
then write me in private mail, or here :)
Otherwise the applet will not be any help, because it will throw a
java.security.exception when you try to connect to another computer.

 SH> Sam Heywood

CU, Ricsi

-- 
|~)o _ _o  Richard Menedetter <[EMAIL PROTECTED]> {ICQ: 7659421} (PGP)
|~\|(__\|  -=> Prime-time TV is the opiate of the masses <=-
