Last modified: Fri Mar 6 18:54:31 EST 1998
Is Java secure?
Nothing in life is completely secure; Java is no exception.
security problems have been discovered and fixed since Java was first
released. If you're using an up-to-date Web browser, you are usually safe
against the known attacks. However, nobody is safe against attacks that
haven't been discovered yet.
If somebody says Java is safe because ``hackers aren't smart enough to
exploit the problems,'' don't believe them. We're disappointed that some
people who should know better are still spouting this nonsense.
We've discovered several security
problems, and we're pretty sure we're not the smartest people in the world.
If one group of hackers creates a Java-based attack and shares it with their
friends, we're all in trouble.
ActiveX face the same sorts of problems as Java. ``Plug-in''
mechanisms provide no security protection. If you install a
plug-in, you're trusting that plug-in to be harmless.
What are the risks?
There are two classes of security problems: nuisances and security
breaches. A nuisance attack merely prevents you from getting your work
done - for example it may cause your computer to crash. Security
breaches are more serious: your files could be deleted, your private
data could be read, or a virus could infect your machine.
If you are the victim of a security breach, any data stored on your machine
may be read or corrupted by a bad guy. If you've got important company
secrets on your computer, maybe you should surf the net on another machine.
In the not-too-distant future, your computer may be able to digitally
sign documents that are legally binding, just like your paper signature.
Your computer may also be able to spend your money. In a world like that,
security becomes even more important than it is right now.
How common are security breaches?
So far, there have been no publicly reported, confirmed cases of security
breaches involving Java, though there have been some suspicious events
that might possibly have involved Java security problems. Of course,
the lack of reported cases is no guarantee that there haven't been
breaches that either weren't discovered or weren't reported. But it does
indicate that breaches are rare.
Who is at risk?
You're at risk if you're running a Java-enabled browser and you visit a Web
page written by a person you don't know or don't trust. Since the two most
common browsers, Netscape Navigator and Microsoft Internet Explorer, are
Java-enabled, most people surfing the Web are at risk.
How can I protect myself?
If you maintain sensitive data on your computer that you think an
as well as not installing plug-ins, except from well-known vendors.
site belonging to a person you don't know or don't trust. Of course, some
people will be perfectly happy just living with the risk.
You can reduce the damage caused by a potential security breach by taking
common-sense precautions like backing up your data frequently and keeping
sensitive data off your Web-surfing machine.
products that claim to detect malicious applets?
We are skeptical about these products. They probably can't hurt, but don't
let yourself get a false sense of security from using them.
products that claim to block Java applets at a firewall?
Recent research by
David Martin, S. Rajagopalan, and Avi Rubin suggests that it is extremely
difficult, if not impossible, to do this, so we suspect that these products
can be bypassed by sophisticated attackers.
If you want to block Java, the best way to do it is by setting your
browser preferences to disable Java.
How can I
restrict which sites my browser will accept applets from?
We are about to release a prototype tool
that lets you do this.
Won't digital signatures solve all of the problems?
No, they'll only help a little. Digital signatures let you know who wrote
an applet, but they don't help you decide whether you can trust the author.
Is this problem ever going to go away?
No. Security will always be an issue with any network software. As
long as vendors are racing their products out the door and adding new
functionality with each and every release, you can expect security
bugs will always exist. Writing crash-proof software is hard.
Writing secure software is even harder.
Which is more secure: Java or ActiveX?
This is a complicated question with no simple answer, so we wrote a
separate FAQ about it.
Which is more secure: Netscape Navigator or Microsoft Internet Explorer?
In our judgement, the latest versions of the two browsers offer roughly
comparable levels of security.
Which version of my browser should I use?
Generally, the latest version is the safest. Be sure
to regularly check your browser vendor's Web pages for announcements of new
versions. Look carefully - the announcements are not always prominent.
What about ``hostile applets?''
This is a general term for Java applets (programs) that exploit security
bugs. There are some pages on the Web that demonstrate, with appropriate
warning messages, some hostile applets. The applets we've seen are
attacks rather than damaging attacks.
I run a Web server. Am I at risk?
Not directly. But watch out for some newer servers that support "servlets".
Servlets are fine if they are all written by the people running the server
site; using servlets in this way is probably better than using CGI scripts.
Going beyond this to let clients upload Java servlets into your server is
Of course, you should be careful about which Java applets appear on your
server. Unless you wrote the applet yourself, you don't necessarily
know what it's doing. If you copy somebody else's applet,
it could possibly be a trojan horse - doing something useful
as well as being malicious.
Where can I find more information?
A book on this topic,
Java Security: Hostile Applets, Holes and Antidotes by
Gary McGraw and
is available in bookstores and
JavaSoft has their own
Frequently Asked Questions about Applet Security.
Mark LaDue, at Georgia Tech, has a page of
applets to demonstrate how serious the problem can be.
David Hopwood, at Oxford University, has also been active in
This information is our opinion only. It is not the opinion of Princeton
University or of our research sponsors. We do not and cannot
guarantee that you will be safe if you follow our advice.