On 09/04/2017 23:15, Robert Muir wrote:
I dont agree with the use of the word ephemeral here, thats
misleading. Those permissions are *not* needed for outgoing connections.
The default security policy of java absolutely allows for backdoors in
server applications. It does not matter if port number is 80 or 8000
the effect is the same.
I think I said "bind" rather than "outgoing connection". If I'm granted
`SocketPermission "localhost:0", "listen"` then I would expect
`bind(null)` or `bind(new InetSocketAddress(0))` should succeed but I
wouldn't expect to be able to bind to a specific port.
In any case, the default permissions seem like a fine topic to bring to
security-dev. AFAIK the only change to the defaults for JDK 9 is that
`RuntimePermission "stopThread"` is dropped.
-Alan.
