Hello Richard:

On Mon, 15 Apr 2002 10:31:38 +0200 (CEST), [EMAIL PROTECTED] (Richard Menedetter)
wrote:

> Hi Samuel!

> 14 Apr 2002, "Samuel W. Heywood" <[EMAIL PROTECTED]> wrote:

>>> SH> I am aware of some web sites that have online Java Applets being
>>> SH> Telnet clients which are purportedly very useful for connecting
>>> SH> to Telnet services.  I hesitate to use any one of those Java
>>> SH> Applet Telnet programs because of security concerns.
>>> Java has a big advantage ... it runs on the client side.
> SH> Thanks for explaining.  So the applet is just downloaded like
> SH> any other executable program and then Windows automatically runs
> SH> it in your own machine, right?
> Not completely ...
> your machine can't run Java Bytecode natively ...
> So it starts the Java VM which is built into the browser and this executes
> the Applet.
> The Java VM has _extremely_ strict security measures.

> E.g. the applet can by default only make a connection to the host from
> which you have loaded it.
> So if it wants to make a connection to another host, the browser's VM will
> ask you if this is OK.

> SH> You don't have a chance to scan it for viruses first.
> Viruses are so common because of crappy system design from M$ in DOS and
> Windows.
> You are logged in always as root (because there is only the mighty root
> user ... who can do everything)

> I don't see a way how a java applet could transmit viruses.
> It would have to ask if it wants to have a look at your filesystem.

> SH> Can a Java Applet have a virus, as well as other kinds of malicious
> SH> code?
> IMHO nope ... no virus
> but as explained it could do more than you think it does:
> eg you load a ssh applet from host a to connect to host b.
> Java asks you if the applet is allowed to make connections to hosts other than
> that from which it loaded. You say yes, and are connected to host b,
> naturally the applet could transmit everything to host c ...
> just like arachne or IE could.

> SH> The problem with all things suspicious is that one does not know if
> SH> they are malicious.  Hence the intense psychological need for one to
> SH> cultivate and nurture his paranoid instincts.
> But _ALL_ programs are suspicious if you don't have the source and look it
> through carefully :)

> The SSH applet I use does not have that problem, because it connects to my
> host, and loads from my host.
> So it does not have to ask me, because it transmits to the host it got
> loaded from, and I would see if it wanted to transmit to another host.

It would seem to me to be a very complicated and involved process.
First you have to upload the applet to your host and then you have
to connect with your host to run the applet that you are going to
use for connecting to another host.  It would be a lot simpler just
to run a Telnet client or an SSH client that is installed on your
own machine or run it from a floppy drive on your machine.

>>> _BUT_ the biggest security risk is telnet itself.
>>> It transmits and receives in CLEAR !!! (ie not encrypted)
>>> So you don't need a malicious program to read the session !
> SH> Don't most POP3 email clients also transmit passwords in the clear
> SH> upon contacting the server?
> This is why pop3s has been created (btw. also simap exists)

> [ricsi@ricsi ricsi]$ cat /etc/services |grep pop3s
> pop3s           995/tcp                         # POP-3 over SSL

I don't know what simap is and I don't understand the command
syntax example above.  I am just a newbie to Linux and Unix.

> SH> Doesn't one have to be a highly advanced geek in order to sniff
> SH> passwords?
> Not really ...
> but you need access to a computer where the traffic gets routed through.

> SH> Who would be interested in getting into my email anyway?
> Who knows :)

> SH> I am not a politician involved in an affair with an intern and I am
> SH> not involved in any illegal conspiracies and I don't use email to talk
> SH> with suspicious and corrupt and sinister people such as lawyers.
> But who knows this _BEFORE_ reading your mail :)))

Nobody knows for sure, but I am sure that I know how to pretend to be
innocent enough so that my name would not get written into the lists
of people who need to be watched.

>>> Use SSH (secure shell) instead.
>>> It is an "encrypted telnet" which offers scp/sftp capabilities.
>>> scp is a secure version of rcp (remote copy)
>>> sftp -> secure ftp
> SH> I have heard about that but I don't know how to use it.
> simply take telnet hostname
> and instead replace telnet with ssh voila !!!
> (first you have to download a ssh client naturally)

> SH> There is a nice Telnet program that comes with BasicLinux, an
> SH> operating system that I am using from time to time and slowly learning
> SH> more about.
> I don't know any linux distribution which would leave out ssh.
> simply try ssh hostname

BasicLinux is a mini-distribution designed to be run in a 4MB RAM
drive.  It can be installed on a hard drive, but the RAM drive
version of BasicLinux is too small to include SSH.  This is what
the distribution's developer, Steven Darnold says.

> (ps: the first time you will be asked if you accept the hosts key ... and
> yes ... you do :))

The DOS version doesn't ask me if I accept the host's key.  This might
indicate that the DOS version is deficient in security.

> SH> Do you know if I can do SSH with the Telnet program that
> SH> comes with BasicLinux?

> you can't, but you can with the ssh client which comes with linux.
> And if this special distribution does not have ssh -> take a look at
> another one.

At the time I had asked the above question about SSH I was under
the misunderstanding that SSH was some kind of plugin or helper
program for Telnet.  A lot of people have the same misunderstanding.
Now I know that SSH is a *replacement* for Telnet to use for
connecting to remote sites that have SSH protocol running.  For
connecting to sites which do not have SSH protocol installed, one
still has to use ordinary Telnet.

>>> if you don't trust those applets in the wild, download an applets
>>> from a secure source and install it into a free webspace provider.
> SH> This sounds like an excellent idea.  Can you recommend a trustworthy
> SH> applet?  When I perform some google searches to look for Telnet
> SH> applets I find that many of them have been GNU'd.  I don't know how
> SH> they have been altered.
> I don't use telnet.
> Actually the university has closed down ftp/telnet just in case somebody
> would still want to use it. (but they have not closed pop3 :))) but pop3s
> is operational as well)

> I can send you the ssh applet I use via mail.

Thanks for the offer, but I have decided that I would rather run an
SSH client from a floppy disk instead of running an applet from a
remote host, even if I have complete control over the remote host.

>>> Maybe you mixed it up with M$ active-x ??
>>> This has absolutely _NO_ security measures !!!
> SH> Yes, most people including myself think of M$ active-x as just being
> SH> just another term for Java.  Are we very badly mistaken?
> EXTREMELY !!!

> Java is platform independent.
> ActiveX runs only on windows, and only in M$ IE.
> Java has extremely strict security measures.
> ActiveX has _NONE_ !!!

> And sadly both are proprietary :((((

> SH> The reason why I don't know much about M$-Window$ topics is that I
> SH> always avoid using Window$ as much as I can.
> Java is no windows topic.
> This is one of the BIG advantages.
> You write a JAVA applet/application and you can use it as is on many OSes
> and computer architectures.
> This is the opposite of windows.

I have never heard of Java applications or applets running in DOS.
If this were possible I would suppose many of us would have heard
of such things and we would be using them.

>>> SH> Do we know what these Telnet Java Applets do?  Are they safe?
>>> It depends ... (usually yes but unless you have not read the source
>>> you can never know what it does) This is completely independent of
>>> the programming language.
> SH> Doesn't Java have its own programming language?
> Java _IS_ a programming language.

That is what I had implied in my question.

> I was referring that if you have an executable you can't know what it does,
> unless you have compiled it yourself from source that you have inspected
> first.
> And that it makes no difference if the executable is a C program or java
> bytecode.

OK, that makes perfect sense to me.

>>> If you want I can send you the applet in private mail.
> SH> If you think I can figure out how to use this SSH thing without having
> SH> to climb a steep learning curve, please send it to me.
> OK ... I'll send it ...

> I have just tried it ... with this special applet, you can _ONLY_ connect
> to the host from which you have loaded it.
> But it can also do telnet.

> So if you have webspace on a host that also offers you ssh/telnet access
> then write me in private mail, or here :)
> Otherwise the applet will not be any help, because it will throw a
> java.security.exception when you try to connect to another computer.

I wouldn't want to even think about trying such a thing on any host
that isn't 100% under my control.  I have access to web space, but the
machines providing the web space belong to somebody else who for a
very nominal fee just lets me use part of his space.  If I can't run a
Telnet or SSH applet in my own machine or on a floppy on my own machine
I would be mighty afraid of it.  Thanks for the offer anyway.

Regards,

Sam Heywood
-- This mail was written by user of The Arachne Browser - http://arachne.cz/
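
Added example, not part of the original messages: the thread mentions that an SSH client asks on first contact whether to accept the host's key, and that a client which never asks may be deficient. The sketch below shows the check behind that prompt (trust on first use). The host names, key blobs and the simplified known_hosts parsing are constructed assumptions, not taken from any client named in the thread.

```python
import base64
import hashlib

# Constructed sample data: these blobs are placeholders, not real host keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SAMPLE_KNOWN_HOSTS = f"""# constructed known_hosts content
shell.example.org,192.0.2.10 ssh-ed25519 {KEY_A}
"""

def fingerprint(key_b64):
    """SHA256 fingerprint in the form OpenSSH prints: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Return {(host, keytype): key_blob} for plain 'hosts keytype key' lines.
    Hashed host names and @marker lines are skipped (simplification)."""
    known = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#|@":
            continue
        for host in fields[0].split(","):
            known[(host, fields[1])] = fields[2]
    return known

def check_host_key(known, host, keytype, offered):
    """Classify the key a server offers against what was stored earlier."""
    stored = known.get((host, keytype))
    if stored is None:
        return "UNKNOWN"    # first contact: show the fingerprint, ask the user
    return "MATCH" if stored == offered else "MISMATCH"

def connect(known, host, keytype, offered, user_accepts=False):
    """Return True if the session may proceed; remember a key the user accepted."""
    verdict = check_host_key(known, host, keytype, offered)
    if verdict == "UNKNOWN" and user_accepts:
        known[(host, keytype)] = offered
        return True
    return verdict == "MATCH"   # a changed key is never accepted silently

if __name__ == "__main__":
    known = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(fingerprint(KEY_A))
    print(check_host_key(known, "shell.example.org", "ssh-ed25519", KEY_B))
```

A client that skips the UNKNOWN prompt and never stores the key has nothing to compare against later, so it cannot tell when a different machine answers under the same name.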