Ed Felten on Java Security

Rohit Khare (khare@www10.w3.org)
Thu, 23 Jan 1997 09:00:03 -0500



One to Whom Internet Security Is Academic By Jeremy Carl Edward Felten, an
assistant professor of computer science at Princeton University, has
established himself as one of the preeminent Internet security gurus in the
past year, as he and a team of graduate students have discovered several
security flaws in the Java programming language.

Felten also recently grabbed headlines by pointing out, in an article on
Web spoofing, perhaps the most dangerous Internet security flaws his team
has yet discovered. He is the head of Princeton's Safe Internet Programming
Team, which advises such industry heavyweights as Microsoft, Netscape, and
Sun on Internet security. This month he is releasing a book, co-authored
with computer security expert Gary McGraw, entitled "Java Security: Hostile
Applets, Holes, and Antidotes" (Wiley Computer Publishing). Web Week
recently talked with Felten about his work and the future of Web security.

Web Week: How did you involve yourself in the issues of Web security?

Felten: To be honest, it really sort of started by accident. Some graduate
students were wondering over coffee whether Java was really secure, and
they began looking into the issue and found out some interesting things. So
they came to me, and we started talking as a group and that was the genesis
of the whole effort.

WW: What is the current focus of your research?

Felten: We're looking at a wide variety of things now. We're examining
security issues involved with not only Java, but other executable content
systems on the Internet. We're not just looking for flaws in the existing
system, we're also doing some basic research, trying to make things better
by developing better security structures that eventually may make their way
to the broader marketplace.

WW: Can you give an example of this basic research?

Felten: One of the issues we're working on right now is code signing. We're
looking at new ways of doing digital signatures that are a bit more subtle
than the security model you might find in something like ActiveX. Currently
you can only basically say, 'Yes, this can access my system' or 'No, it
can't.' We want to make it so that your computer can tell an applet that
'You can access these files, but not those files,' so that people can
really have a lot of control about what an executable is doing on their
computer. At the same time, you need to make the process relatively simple
so that users don't get totally confused by the choices.

WW: Are you working with any industry partners on this effort?

Felten: On this particular effort, we are collaborating with Netscape, and
in the next version of Navigator you'll see some support for code signing
based on the early part of our work. Basically, Netscape is one of several
companies, including Sun and Microsoft, that are helping to fund our work.

WW: Why have so few other academic computer scientists focused on these
sorts of critical security issues? Or have they done so and we're just not
hearing about them?

Felten: We have gotten an unusual amount of attention from the press for
our work, but there are other academic researchers looking at these
questions. We work in an unusual way for academic researchers in that we
are focusing on products that are out there today, rather than looking at
the longer-term theoretical questions that many of our colleagues are

I think research in this area is going to grow dramatically in the future.
Research in computer security has become relevant in a visible way only
recently, and there's a period of adjustment in the research community to
take account of that and start to do work on different kinds of problems.

WW: In general, you've chosen to widely publicize the security flaws that
you've found. Are there any cases where you've chosen to keep silent?

Felten: There have been some issues where we decided it was better to work
behind the scenes to try to get things fixed. It's a difficult ethical
question-what to do when you find one of these problems. It depends on how
soon it can be fixed and how easy it is to exploit. Also, in announcing a
problem exists, do you need to tell how exploit it? In general, we have
publicized or intend to publicize any flaw that we find, but we may
sometimes wait until a time when it's appropriate to announce.

WW: You most recently caught headlines for publicizing the problem of Web
spoofing, for which you seemed to imply there were currently no adequate
solutions, given the nature of today's Internet. Is this problem ever going
to be solvable?

Felten: There are some elements of spoofing that are always going to be
there. But we want to make it equally difficult to impersonate someone, or
particularly some large organization, in the electronic world as it is in
the real world. There are other security reasons to be concerned about core
protocols, but things are being done to address these issues. This is part
of the Internet growing up.

WW: What about Java? Can it ever be secure?

Felten: I think of these things in terms of what I would and would not be
able to risk. If I were running a business, I would not feel comfortable
using Java in an environment where its breach could do very serious damage
to my business. For everyday activities, it might be secure enough. The
core part of the system is improving, but it has a ways to go before it is
secure enough to support mission-critical applications. And each new
feature they add to Java is an opportunity for new security problems to
crop up.

WW: What are going to be the big Internet security issues in the coming
months that aren't getting enough attention today?

Felten: The security ramifications of Web plug-ins are going to get more
attention. Another issue that should get more attention is the management
of encryption keys, where you keep these keys, and how you protect them. A
file on your PC is not good enough to keep those keys safe. Your security
is only as good as the security of your keys.

WW: Given the relevance of computer security work these days, do you think
the average business end-user of the Internet is too concerned about
security, not concerned enough, or concerned appropriately, given the

Felten: I think that the average users have a reasonable level of concern
about security, though I think many don't know what to think because
there's a lot of conflicting information out there. This is an area where a
little knowledge can be dangerous. Frankly, some of the people that have
more knowledge are the ones who are too complacent.

At a higher level, it's hard to figure out how worried to be.

It depends on what we think the future Internet should be. We are concerned
primarily because we expect a lot more commerce on the Net in the future,
and in many ways the Internet isn't quite ready for secure commerce.