Java Security: Hostile Applets, Holes, and Antidotes

I'm writing this review in April, 2002 when IE 6.0 became a standard browser and Netscape is RIP.This book was written 6 years ago in the days of NN 2.0 and IE 3.0 .. Although it's more thenoutdated by now it clearly explains what security risks exist for Java-enabled browsersand answers my (and may be your) question "How the hell applets can break through Security Manager ?!"It's main idea is to explain readers what harm applets can do, why is it possible at alland what is done about the subject by the browser manufactures. Good work for 1996.Note that it's not "Java security book" in the terms you may think today - in 1996 Javawas only understood as a flashy applets popping-up in the Web.

If you use a web browser that is Java enabled (versions greater than Netscape Navigator 2.0 and Microsoft Internet Explorer 3.0) ,and are concerned about Java security, this book is required reading.At under 160 pages of text (not counting the appendices), Java Security provides a superb overview of security issues involved with using Java. The authors are security veterans. Felton heads up the Princeton University Safe Internet Programming Team and is famous for discovering quite a few holes in the Java security model. One might think that two security experts who know the depths and implications of Java security may come out with a reference with suggestions that are overly restrictive and perhaps paranoid. That is not the case here. The recommendations that the book suggests are rational and reasonable. Java Security provides commendable guidelines on how to use Java more safely and what the future holds for Java security features.The 6 chapters of the book provide an excellent and comprehensive analysis to all aspects of Java security. Chapter 2 provides a significant amount of detail about the Java Security Model, with in-depth coverage of the 3 prongs (as they call it) of the security model, namely: the Byte Code Verifier, the Applet Class Loader and the Security Manager.Chapter 3 follows with a discussion detailing serious holes in the security model. The authors consider a flaw to be serious when the breach has the potential to corrupt data, reveal private information, or infecting the workstation with a virus. They fittingly note that all of the flaws detailed in the chapter have been fixed by Netscape and Microsoft. The function of the chapter is to show what sort of things can go wrong. Chapter 3 concludes with a summary of 8 significant security problems that were discovered last year in implementations of Java. The book also goes into great detail on what developers and end-users can do to make Java much more secure. Their six guidelines for Safer Java use are:1. Know what web sites you are visiting 2. Know your Java environment 3. Use up-to-date browsers with the latest security updates 4. Keep a lookout for security alerts 5. Apply drastic measures if your information is truly critical 6. Access your risksFenton has his doctorate in computer science, nonetheless, the book is written in a very clear and coherent manner. Add this to your bookshelf.

This book is wonderfully written and full of good information. It would be useful for anyone from novice users to managers to Java Programmers who are concerned about security. In fact, I strongly recommend them buying a copy to read as this is one of the best technical books I've read in a long time. The only audience I wouldn't recommend it for are the people who are doing very advanced Java Security work such as writing their own Security Manager, but they may even learn something from it.

Heave an egg out of an open window almost anywhere in the world today, and the odds of striking a Netscape user are in your favor. The odds are even better that this person either knows nothing of Java or believes that it is safe. Pick up almost any book on Java programming, and you will see the same superficial and misleading treatment of security issues. This important book is the first one to address the myriad problems raised by Java. It clearly and concisely explains past problems, current issues, and future risks. McGraw and Felten grab the high and mighty Java industry by the ear, and they offer sane and sensible advice to every level of Java programmer and user. One can only wish that this book had appeared a year earlier and had been widely read by Java's cheerleaders and hucksters. Perhaps then more of the problems would have been solved by now, and fewer risks would remain.