CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide

Communicator opens sandbox

Navigator users will have to learn to trust their browsers a bit more as Netscape adopts a new "flexible" security model for applets.

Beginning this week, Navigator users will have to learn to trust their browsers a bit more.

Netscape Communications (NSCP) today gave the public a peak at "preview release 3" of Communicator, the first version of its browser to use Java's new "flexible" security model.

Ironically, the new model is more like Microsoft's ActiveX than before, though there are still significant differences between the security employed by both technologies. Sun Microsystems, Netscape, and others have heavily criticized ActiveX for being insecure. Last week, in fact, Sun publicly demonstrated a malicious ActiveX control that snatched financial and tax information from a PC.

Preview release 3 of Communicator is available for downloading from Netscape's Web site. Netscape released a version for developers last week.

The new Java security model has been designed not to be more risky, of course, but to free Java programs from some of the constraints traditionally placed upon them. Sun has had to change the security model so that applets can perform new useful functions such as reading files stored on the hard disk or writing new files to the disk. But in the process, Sun is asking users to take some security risks that up until now have been associated with the ActiveX controls that can already perform these functions.

Sun and Netscape, the two prime movers behind the security changes, maintain that Java applets are still far more secure than ActiveX controls.

Microsoft, however, alleges that the changes demonstrate that Java has all along lacked certain important capabilities, such as the capacity to read and write files to a hard disk. By adding these capabilities now, Microsoft argues that Sun is remaking Java to imitate ActiveX.

Sun first introduced the new security features last month in its Java Development Kit 1.1. But Netscape's latest preview release of Communicator will be the company's first product to allow Java programs to step outside the "sandbox" that typically constrains applets.

While the Java sandbox prevents code from performing malicious behavior such as installing a virus, it also prevents programs from doing basic PC functions such as writing files to disk. Sun, Netscape, and Microsoft are now all trying to make Java programs more useful by allowing them to sidestep the sandbox.

Microsoft's Internet Explorer 3.0 has permitted Java applets to go outside the sandbox since last year. To try and make up for the security risk this poses, it created a feature called Authenticode to alert users whenever an uncertified applet or control is about to be downloaded. That way, the user knows precisely when a potentially dangerous piece of code is encountered.

As with ActiveX controls, users will have to trust developers not to mess with their computers. For their part, developers will be required to stamp their Java programs with digital signatures that make them easy to track down if their code does something malicious to a user's computer.

"It's typically hypocritical of Netscape to criticize Authenticode when they are building exactly the same mechanism into Communicator," said Cornelius Willis, director of platform marketing at Microsoft.

Netscape managers, however, say that there are still significant differences between the security of ActiveX and Java. According to David Andrews, a security product manager at Netscape, ActiveX employs a "binary trust model" in which a user can deny a program access to their computer or accept it, giving the ActiveX control free reign over their PC.

The "applet signing" feature of Java, on the other hand, gives programmers more granular access to individual PC capabilities rather than the all-or-nothing access of ActiveX. A signed Java program will also tell users exactly what it is going to do before it does it, Andrews said. Unlike Internet Explorer, Communicator will not allow a user to accept an unsigned Java program, even if a user wants to.

"Nothing is bulletproof," Andrews added. "We're always going for the Holy Grail of security. We've come up with a really strong model."

Security experts said that Java should still provide stronger security than ActiveX, but that it's difficult to tell how well the new system will work until it's widely used.

"There is a compromise involved here," said Edward Felten, an assistant professor of computer science at Princeton University. "But there is still a fundamental difference in that you have an all-or-nothing choice [with ActiveX]. Java lets you establish partial trust. Even when you do expand the sandbox, the applet has to go through certain choke points."

Last year, Felten discovered several security flaws in Java that were later fixed by Sun and Netscape.

"The difficult issue here is figuring out whether there is a level of trust for the applet to do its job, but not so much to do damage," Felten continued. "That's the open question. In order to know how this scheme works is to see it action."

ActiveX and Java are not the only two types of executable code that are sparking security debates. Plug-ins have the same potential to harm a user's computer as ActiveX controls do, though users typically do not download as many plug-ins when surfing the Net as they do ActiveX controls. Netscape's new version of Communicator also supports digital certificates for plug-ins.