Java and JavaScript


Java and JavaScript may contain several security holes. If you choose to enable Java or JavaScript on your web browser, the CLAS Linux Group is NOT responsible for any damage your account may incur. While we will try to help you recover from any problems you may encounter as a result of using Java or JavaScript, we cannot guarantee that all such damage can be reversed.

To learn more about potential security problems with Java and JavaScript, look at The WWW Security FAQ: Client Side Security.

Security Issues

When you use Java or JavaScript, you are trusting their security mechanisms to protect you from any bugs or maliciously written code in the applets you run from the web. Unfortunately, these security mechanisms have been found to have holes.

Past versions of some web browsers have had a serious hole in Java that could allow an applet to execute any machine code on your workstation. This is a huge hole that could allow a malicious applet to do just about anything. For example, your files could be deleted, your mail could be read, mail could be sent as you, or other holes in the system could be exploited to allow someone to gain unauthorized access. Java holes of this type threaten everyone who uses your workstation, not just you.

JavaScript has also had several holes. Using these holes, an applet could download files from your workstation, get directory listings from your workstation, or monitor all the pages you visit during your web session. Like the Java hole, the JavaScript holes threaten the security of all users, not just you.

Software vendors have been diligent in patching these holes as they are discovered. However, the fact that holes do keep cropping up indicates that Java and JavaScript may still be too immature and untested to be trusted. Furthermore, if you are not diligent in patching or upgrading your web software, or if the CLAS Linux Group staff has not been able to obtain the latest patches or upgrades and install them, you may be risking your data and the accounts of your fellow users by enabling Java or JavaScript.

If You Must Enable Java or JavaScript

If you still feel that you must enable Java or JavaScript, there is nothing that the CLAS Linux Group can do to stop you. Like the choice of a passphrase, the decision to use Java or JavaScript is an individual matter that we cannot control. Also like the choice of a passphrase, how you use Java and JavaScript affects the security of all the other users.

If you must use Java or JavaScript, enable it only when browsing pages at well-known sites, written by people you know of and trust. Disable it whenever you browse a new, unknown site. You most likely would not give your passphrase to a person picked at random from the street; don't let a random, unknown page have access to the security holes present in Java and JavaScript.

Enabling and Disabling JavaScript in Firefox

To enable JavaScript in Firefox, click on Tools > Options (on Linux choose Edit > Preferences). Click on the "Content" icon and check "Enable JavaScript".

To disable JavaScript, follow the same procedure, but uncheck the "Enable JavaScript" box.

Enabling and Disabling Java in Firefox

To enable Java in Firefox, click on Tools > Options (on Linux choose Edit > Preferences). Click on the "Content" icon and check "Enable Java".

To disable Java, follow the same procedure, but uncheck the "Enable Java" box.

Writing Java and JavaScript Applets

If you write Java or JavaScript applets, you are responsible for their behavior. Any attempt to exploit a security hole in Java or JavaScript will result in disciplinary action.