About JSesh, Java and Security

Occasionally, people will express concerns about the use of Java in JSesh. I would like to dispel a few legitimate fears here.

At some point, the web was crawling with warnings about security concerns in Java. But why ?

Java is a programming language and environment. By itself, a Java software can do the same things as any other software on your computer. A Java software is not less secure than a C, C#, Python, etc. software (actually, it's a bit more secure than some of these).

On most computers, a software you run will have full access to your files - that's why you need to be careful you don't install stuff from doubtful sources (things are a bit more secure on mobile devices).

So, why do you occasionally find warnings about "java security" ? Well, for two reasons :

  • the foremost reason is that, in the past, when installing Java you also installed a web plugin that would allow you web browser to run Java softwares (a.k.a 'applets'). And that was risky. Basically, it meant that, by visiting a web page, you would run on your computer a software from an external source, sometimes even without a warning.

    In theory, this "java plugin" was secure. That is, it was supposed to only allow "safe" operations, and did not have access to your own files. The mechanism for this was called a 'sandbox' - an safe environment for the applet to run it. What happened, and what caused many warnings about Java security, was that the sandbox was not perfect. And bugs in the sandbox could allow malignant applications to act.

    Now, the current JSesh version has its own embedded Java runtime. It means it doesn't need the Java plugin to be installed - and it won't install it.

  • other warnings about Java might be about Java as a server platform. But it's a completely different story, and one of no concern for desktop users.

So, basically, JSesh being written in Java is not a security issue.

Serge Rosmorduc

Article précédent