Java is less secure than C++?

December 19, 2003
coldfusionjava

No it IS NOT! But that is what a hosting company is telling one of my clients.

A fairly well known ColdFusion hosting company (I'm not going to mention their name though I would like to;) refused to install one of our Java components on a server, and asked our customer if there was a dll instead of a jar file. I explained to our customer that "I find it quite odd that your host would rather install a dll than a jar since Java tends to be much safer than C++ applications with regard to memory allocation, and other things."

Their host responded: "Notice they only refer to java being better for resource usage. ... The issue we have with JAVA is the security. We have over 35,000 customers and we are a popular CF host and none of our customers use JAVA Tags."

I was even more surprised by their host's response. When I was talking about memory allocation, I was not talking about resource usage! I was talking about the programmer being able to manually create and free memory, and being forced to manage their own memory in a lot of cases. This is why many c/c++ programs have memory leaks! About the only way to create a memory leak in Java is to create new objects within an infinite loop, and retain their reference out side the loop.

Additionally they feel that Java is less secure than c/c++! As a hosting company they must have heard of buffer overflows! I would also expect many system admins to also understand what they are. Buffer overflows are not possible in java! How many security issues have you seen with Java? or applications written in Java? and how many buffer overflows, or memory leaks have you dealt with?

And to top it off this host does offer CFMX hosting, which is entirely written in... Java!

When it comes to C++ CFX tags in ColdFusion, VS Java CFX tags, I think you will find that Java CFX tags will perform better in general on CFMX. This is because there is no JNI layer required to invoke the procedures in the C++ DLL.


4 people found this page useful, what do you think?

Comments

I think you *should* name the hosting company. People deserve to know about this sort of technology ignorance...
I agree, name the company and shed the light..
Yeah, name and shame them.
Hi, I would like just to mention that we had a quite similar problem in one of our major customer that mention that CFMX 6 installed on a BEA weblogic required to open a JAVA security hole. During the installation of the CF server, Macromedia note that your should replace the default permission by "permission java.security.AllPermission;" (means "bypass all security"). I have already contact Macromedia regarding this issue without success...
Here's an update on this issue. I called the hosting company and their problem with Java CFX tag's VS C++ CFX tags is that the customer could replace the classes in the jar file with their own. This isn't really a problem because the customer doesn't need write permission to the jar file. They said the problem was: with a dll file they can get it from a vendor and know its authentic, but with a jar file its easy for customers to replace the contents of it (jar files are just zip files containing class files), so they have no way of knowing its authentic. I informed him that we were a software vendor, and can provide them with an authentic copy of the jar file. The person I was talking to (a manager) was left powerless at that point because he was still restricted by the company policy. But he said he would bring it up in the next managers meeting. So I'm going to call back next week, and see if they have updated their policy. In the mean time we will still probably have to give our customer a refund. And by the way, the hosting company is Crystaltech. If your a customer give them a ring.
I am the customer of Crystaltech that Pete is talking about, and on their behalf I have to say they are a good hosting company, but they are cautious about making changes to the servers. When I was looking for a host they were the only ones that allowed CFFILE, CFDIRECTORY, and other CF Tags, while also allowing the hosting of multiple domains, while still maintaining the price point we were looking for. With that said, they have very strict policies in place, including not creating DSNs to servers outside their SQL Server pool. I hope they will install the .JAR files for me because then I can get our email verifier and spell checker installed on their servers.
Do u think that this can be a security threat in java --- > that it is easy to decompile a jar and get back the high level java code while decompilation of DLL only gives assembly level code?

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?