
Re: How secure is jigsaw ?

From: Yves Lafon <ylafon@w3.org>
Date: Wed, 16 Jun 1999 16:11:43 +0200 (MET DST)
To: Roland Mainz <Roland.Mainz@informatik.med.uni-giessen.de>
cc: W3 Jigsaw Mailinglist <www-jigsaw@w3.org>
Message-ID: <Pine.GSO.4.10.9906161553380.18569-100000@tarantula.inria.fr>
On Mon, 14 Jun 1999, Roland Mainz wrote:

> 
> Hi !
> 
> ----
> 
> Some security related questions on jigsaw:
> 
> - How secure is jigsaw under Unix and under WinNT ?
> - Any known successful/failed break-in attempts ?
> - Any "common problems" in jigsaw security ?
> - How to detect break-in attempts ?
> 
> ----

Of course no exhaustive checks have been done, but the main causes of
attacks are buffer overflows, or trying to access forbidden files.
Inside Jigsaw, there is no possibility to generate such an overflow because
of Java.
No break-in attempts known yet (I checked all my logs to see strange
things).
Of course you have the problem of a malicious servlet or cgi, but that's
the webmaster's responsibility.
When a connection starts, the server wants to parse the first line, and if
it is not a valid HTTP header, it will throw an exception and log a bad
request (see log) with the bogus URI.
Also, it is always safer to run a server as nobody (or another dummy user)
in a chrooted environment.
But I never heard of any security problem.

      /\          - Yves Lafon - World Wide Web Consortium - 
  /\ /  \        Architecture Domain - Jigsaw Activity Leader
 /  \    \/\    
/    \   /  \   http://www.w3.org/People/Lafon - ylafon@w3.org    
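As an added illustration for the two points above (the server rejecting and logging a bad first line, and checking the log for "strange things"), here is a small Python model of that behaviour. It is not Jigsaw's code and not part of this thread: the request-line grammar follows RFC 2616, the 8192-byte length cap, the `BADREQ` log format, the client addresses and the request lines are all constructed for this example, and HTTP/0.9 simple requests (no version field) are treated as invalid here by assumption.

```python
"""Added example (not Jigsaw code): validate the first line of a connection
as an HTTP request line, log anything that is not one together with the
bogus data, then count bad-request entries per client.  The log format,
client addresses and request lines below are constructed for illustration."""
import re
from collections import Counter

# RFC 2616 request line: Method SP Request-URI SP HTTP-Version.
# The method class is the RFC 2616 "token" (no CTLs or separators); the URI
# may be anything printable without spaces or control characters.
_REQUEST_LINE = re.compile(
    r"^(?P<method>[!#$%&'*+\-.^_`|~0-9A-Za-z]+) "
    r"(?P<uri>[^ \x00-\x1f\x7f]+) "
    r"HTTP/(?P<major>\d+)\.(?P<minor>\d+)$"
)

_MAX_LINE = 8192  # assumed cap; applied before any parsing work


class BadRequest(Exception):
    """Raised when the first line of a connection is not a valid request line."""


def parse_request_line(line: str) -> tuple:
    """Return (method, uri, (major, minor)) or raise BadRequest.

    Binary junk, overlong lines, missing version strings and HTTP/0.9-style
    'GET /path' lines all land in BadRequest, so the caller never guesses."""
    line = line.rstrip("\r\n")
    if len(line) > _MAX_LINE:
        raise BadRequest("request line too long")
    m = _REQUEST_LINE.match(line)
    if m is None:
        raise BadRequest(line)
    return m.group("method"), m.group("uri"), (int(m.group("major")), int(m.group("minor")))


def handle_first_line(client: str, line: str, log: list) -> bool:
    """On an invalid first line, append a bad-request entry carrying the client
    address and the bogus data to `log` and return False; return True otherwise."""
    try:
        parse_request_line(line)
        return True
    except BadRequest as exc:
        # Escape control characters so an attacker's bytes cannot forge or
        # split log entries (a log-injection precaution).
        safe = str(exc).encode("unicode_escape").decode("ascii")
        log.append(f"BADREQ client={client} line={safe}")
        return False


def bad_request_counts(log_lines) -> Counter:
    """Count BADREQ entries per client: repeated hits from one address are the
    'strange things' worth a closer look when reading the log."""
    counts = Counter()
    for entry in log_lines:
        m = re.match(r"BADREQ client=(\S+) line=", entry)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed sample connections (TEST-NET addresses, not real hosts).
SAMPLE_CONNECTIONS = [
    ("192.0.2.10", "GET /index.html HTTP/1.0\r\n"),      # valid
    ("192.0.2.99", "\x16\x03\x01 garbage\r\n"),          # binary junk on the HTTP port
    ("192.0.2.99", "GET /nonexistent\r\n"),              # no HTTP version field
    ("192.0.2.99", "HELP\r\n"),                          # not a request line at all
    ("192.0.2.10", "HEAD /robots.txt HTTP/1.1\r\n"),     # valid
]


def run_sample() -> tuple:
    """Feed the sample connections through the handler; return
    (number accepted, per-client bad-request counts, the log)."""
    log = []
    accepted = sum(handle_first_line(c, l, log) for c, l in SAMPLE_CONNECTIONS)
    return accepted, bad_request_counts(log), log


if __name__ == "__main__":
    accepted, counts, log = run_sample()
    print(f"accepted={accepted}")
    for entry in log:
        print(entry)
    print(dict(counts))
```

Note that this layer only judges syntax: a well-formed request line naming a forbidden file passes `parse_request_line` and has to be refused by the resource-access checks further on, which is the other attack class the reply mentions.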
Received on Wednesday, 16 June 1999 10:11:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 9 April 2012 12:13:29 GMT