Java Security


Domain-name-spoofing scenario

April 3, 1996


A security problem was reported to JavaSoft by a software engineer from Sprint. As in all such cases, we are carefully reviewing the material submitted to us. Our preliminary analysis of the bug has determined that:

For a specific firewall-protected network configuration, an applet downloaded to a client inside the firewall would be able to connect to a single specific host behind the firewall.

For the attack to succeed, the following requirement must hold:

The target network and the attacker's network must have an identical domain name, with the attacker's domain being the officially (InterNIC) registered one. In other words, the target network must use an internal domain name that has not been registered with InterNIC, and the attacker must control the InterNIC-registered name.

Though this particular network configuration is unusual, if your network fits this description you are vulnerable, and we encourage you to take appropriate measures. These measures include registering all internally used domain names (see http://www.internic.net/ for information on how to register your domain name) and avoiding browsing pages on Internet servers whose domain names are also used in your internal network.
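The scenario above hinges on how an applet's network access check decides which host it is being asked to connect to. The following added example (not JavaSoft's code, and not taken from any Java release) models the two ways such a check can be written: comparing the target's hostname with the origin's hostname, versus pinning the address the applet was actually loaded from and comparing resolved addresses. The resolver, hostnames and addresses are constructed placeholders; a scripted dictionary stands in for DNS so the code runs offline and can show what happens when the answers for one name differ between lookups.

```python
"""Model of an applet-origin connection check (constructed example).

The resolver answers, hostnames and addresses below are made up so the
code runs offline; a real check would consult DNS. Nothing here talks to
the network.
"""
from dataclasses import dataclass


class ScriptedResolver:
    """Returns scripted answers per name, consumed in order, repeating the
    last one once exhausted. This simulates name resolution whose answer
    for a name is not stable across lookups, which is the condition a
    hostname-only check cannot detect."""

    def __init__(self, answers):
        self._answers = {name: list(seq) for name, seq in answers.items()}

    def resolve(self, name):
        seq = self._answers[name]
        if len(seq) > 1:
            return seq.pop(0)
        return seq[0]


@dataclass
class AppletOrigin:
    """What the loader records about where an applet came from."""
    host: str
    address: str


def load_applet(origin_host, resolver):
    """Pin the address the applet was fetched from at load time."""
    return AppletOrigin(host=origin_host, address=resolver.resolve(origin_host))


def may_connect_by_name(origin, target_host):
    """Weak check: allow any target whose name equals the origin's name.
    Addresses are never compared, so whoever controls resolution of that
    name decides which machine the connection actually reaches."""
    return target_host.lower() == origin.host.lower()


def may_connect_by_address(origin, target_host, resolver):
    """Hardened check: resolve the target at connect time and allow the
    connection only if the address is the one pinned when the applet was
    loaded."""
    return resolver.resolve(target_host) == origin.address


def evaluate(answers_for_origin):
    """Load an applet from www.example.com (placeholder name) and run both
    checks for a connection back to the same name."""
    resolver = ScriptedResolver({"www.example.com": answers_for_origin})
    origin = load_applet("www.example.com", resolver)
    return {
        "pinned": origin.address,
        "by_name": may_connect_by_name(origin, "www.example.com"),
        "by_address": may_connect_by_address(origin, "www.example.com", resolver),
    }


def run_scenarios():
    # Stable answers: both checks agree and allow the connection.
    stable = evaluate(["203.0.113.10"])
    # Changing answers: the name is first answered with an external
    # address and then with an address in the internal range (constructed).
    # The name check still passes; the pinned-address check refuses.
    changing = evaluate(["203.0.113.10", "10.0.0.5"])
    return {"stable": stable, "changing": changing}


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(label, result)
```

The pinned-address form is the one a loader should prefer: it records where the applet really came from and does not re-derive that fact from a lookup the loader does not control at connect time.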

JavaSoft is working closely with Java licensees on a solution to address this problem. A fix will be made available as soon as possible.


Copyright © 1996 Sun Microsystems, Inc., 2550 Garcia Ave., Mtn. View, CA 94043-1100 USA. All rights reserved.

Contact the Java developer community via the newsgroup comp.lang.java
or JavaSoft technical support via email to java@java.sun.com.

Send questions or comments about this web site to
webmaster@java.sun.com.
