The HotJava Browser's system properties file contains a property called
trustProxy, which is set to true by default. This means that the HotJava
Browser will trust your proxy server to contact a host outside the firewall on
its behalf, rather than insisting on resolving that host's name to an IP
address itself with a DNS (Domain Name Service) lookup. In certain
circumstances, you may want to set the trustProxy property to false for
security reasons, as described below.
If you are running the HotJava Browser in a corporate network behind a
firewall, and you therefore must use HTTP proxy servers to get access outside
of the firewall, you should:
- Keep trustProxy set to true if you want to ensure that applets
can be loaded from outside the firewall.
- Set trustProxy to false for the strictest checking of where an applet
may connect, but realize that the HotJava Browser then might not be able to
load applets from outside your firewall.
The trustProxy property is set to true by default. To set it to false,
add or modify the following line in your properties file:
trustProxy=False
For information on how to edit your properties file, see
Customizing the HotJava Browser.
Read on if you're interested in the technical details.
If you set the trustProxy property to false, the HotJava Browser
deals with applets as follows:
- When an applet is first fetched, HotJava looks up its originating host
once and caches its IP address.
- If this applet tries to open a network connection back to its originating
server (for example, to retrieve more class files, image files, or data files),
HotJava looks up the cached IP address and will only allow a connection to
that host.
The advantage of this is that it closes a small security hole where an
applet might, under rare circumstances, be able to connect to hosts other than
the one it originated from: an attacker who controls the DNS records for the
applet's host can make the same host name resolve to a different address by
the time the applet connects back. (This is the "DNS attack" problem from
Feb. 96, described in detail in the Applet Security FAQ.)
The problem with setting the trustProxy property to false occurs
when:
1. You run the HotJava Browser from within a network that is separated
from the main Internet by a firewall.
2. You therefore use a proxy server (or "gateway") to provide access outside
the firewall.
3. Your system has no ability to resolve host names outside the firewall to
IP addresses.
NOTE: Most networks behind firewalls let the HotJava Browser resolve a host
name to an IP address directly, without going through the firewall. At these
sites there is no drawback to setting trustProxy to false, and you will always
see full applet behavior regardless of the trustProxy setting. Talk to your
system administrator to find out whether you can resolve external host names,
and if not, whether this can be set up for your network.
If all three of the above items are true for your system, and trustProxy is
set to false, HotJava cannot resolve the host name to an IP address: the name
is resolved by the proxy server, which does not report the mapping between
host names and IP addresses back to the browser. Therefore, if you try to
access a Web page on a site outside of your firewall that has applets on it
(such as www.gamelan.com), you'll find that the applets won't load.
If you run the HotJava Browser in a networked environment behind a firewall,
there is a chance that you will not be able to run applets within
the HotJava Browser if you set the trustProxy property to false.
(See items 1 - 3 above to find out if this affects you.)
Therefore, the default setting for the trustProxy property is true.
This means that even if HotJava can't directly resolve the desired host by
its host name, it will trust the HTTP proxy server to contact the desired
external host, and applets will run as expected. The trade-off is that the
check on where an applet may connect is then made by host name rather than
by a cached IP address, so the protection against the DNS attack described
above is not in effect.
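The following is an added simulation of the two policies described above (the cached-IP check used when trustProxy is false, and the name-only trust used when it is true), written for this page and not taken from HotJava's own code. The resolver, the host name applets.example.com, and the addresses 203.0.113.10 and 10.0.0.5 are constructed stand-ins: the resolver answers with the attacker's address when the applet is fetched and with an internal address when the applet later connects back, which is the shape of the DNS attack mentioned above. The local_dns flag models the firewall case in items 1 - 3.

```python
"""Constructed simulation of HotJava's trustProxy policies (not HotJava code)."""

ATTACKER_IP = "203.0.113.10"   # constructed: where the applet is really served from
INTERNAL_IP = "10.0.0.5"       # constructed: a host behind the firewall


class RebindingResolver:
    """Stand-in for attacker-controlled DNS: for each name it returns the listed
    addresses in order, then keeps repeating the last one. So a name can point at
    ATTACKER_IP when the applet is fetched and at INTERNAL_IP at connect time."""

    def __init__(self, answers):
        self._answers = {name: list(ips) for name, ips in answers.items()}
        self._calls = {name: 0 for name in answers}

    def resolve(self, name):
        if name not in self._answers:
            raise LookupError(f"cannot resolve {name}")
        ips = self._answers[name]
        ip = ips[min(self._calls[name], len(ips) - 1)]
        self._calls[name] += 1
        return ip


class AppletSandbox:
    """Models only the 'connect back to the originating host' rule.

    resolver    -- DNS as the proxy (and, if local_dns, the browser) sees it
    trust_proxy -- value of the trustProxy property
    local_dns   -- whether the browser itself can resolve external names
    """

    def __init__(self, origin_host, resolver, trust_proxy, local_dns=True):
        self.origin_host = origin_host
        self.resolver = resolver
        self.trust_proxy = trust_proxy
        # Fetching the applet resolves its host name once, by the proxy or the browser.
        fetched_from = resolver.resolve(origin_host)
        if trust_proxy:
            self.pinned_ip = None          # trustProxy=true: no local pin, trust the proxy
        elif not local_dns:
            # trustProxy=false with no external DNS (items 1 - 3): cannot pin, so no applet
            raise LookupError(f"trustProxy=false: cannot resolve {origin_host} locally")
        else:
            self.pinned_ip = fetched_from  # trustProxy=false: look up once, cache the address

    def connect_back(self, target_host):
        """Return the address a connection to target_host would reach, or raise
        PermissionError if the sandbox refuses the connection."""
        if target_host != self.origin_host:
            raise PermissionError(f"{target_host} is not the originating host")
        if self.trust_proxy:
            # Name check only; the name is resolved afresh when the connection is made.
            return self.resolver.resolve(target_host)
        # Pinned policy: the name must still resolve to the cached address.
        now = self.resolver.resolve(target_host)
        if now != self.pinned_ip:
            raise PermissionError(
                f"{target_host} now resolves to {now}, not cached {self.pinned_ip}")
        return self.pinned_ip


def demo(trust_proxy, local_dns=True):
    """Run the rebinding scenario under one policy and report the outcome."""
    dns = RebindingResolver({"applets.example.com": [ATTACKER_IP, INTERNAL_IP]})
    try:
        box = AppletSandbox("applets.example.com", dns, trust_proxy, local_dns)
    except LookupError as e:
        return ("not loaded", str(e))
    try:
        return ("connected", box.connect_back("applets.example.com"))
    except PermissionError as e:
        return ("refused", str(e))


if __name__ == "__main__":
    for tp, ld in ((True, True), (False, True), (False, False)):
        print(f"trustProxy={str(tp).lower():5} localDNS={ld}: {demo(tp, ld)}")
```

With trustProxy true the connect-back is allowed by name and ends up at the internal address; with trustProxy false and working local DNS the rebinding is refused; with trustProxy false and no external DNS the applet never loads at all, which is exactly the trade-off the text describes.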