P4
FULL PRODUCT VERSION :
java version "1.6.0-ea"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.6.0-ea-b37)
Java HotSpot(TM) Client VM (build 1.6.0-ea-b37, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Linux rock.home2.mark 2.6.10-1.770_FC3 #1 Thu Feb 24 18:09:38 EST 2005 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
JWS is doing unecessary in-addr.arpa lookups when making a socket connection.
If I open a Socket connection to www.java.net port 80 a dialog pops up and asks me if I want to grant access to connect to www.java.net. If I select 'Yes' another dialog pops up and asks me the question again (this time using the IP address 64.125.132.37).
This is a bug. I already granted access. If you `nslookup www.java.net` you get
64.125.132.37. The process of granting connect permission to www.java.net
should also grant the connect permission to all of www.java.net's IP
addresses.
I already trusted the DNS to resolve www.java.net. Why force folks to
decide if they trust the DNS again to resolve the IP address? HTTPS
doesn't do that, SSH doesn't do that, browser's don't even do that. It
does not enhance security to do a reverse/in-addr.arpa lookup enough to warrant confusing the user.
It's way too common for companies to not configure reverse/in-addr.arpa
lookups. Even java.net doesn't do it. Most times the user asks to connect somewhere they are going to see duplicate dialog boxes. It looks and feels broken to end users.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Socket s = new Socket("www.java.net", 80);
InputStream is = s.getInputStream();
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I expect the first dialog box to come up, but not the second.
ACTUAL -
described above.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Socket s = new Socket("www.java.net", 80);
InputStream is = s.getInputStream();
---------- END SOURCE ----------
###@###.### 2005-06-03 16:42:11 GMT
java version "1.6.0-ea"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.6.0-ea-b37)
Java HotSpot(TM) Client VM (build 1.6.0-ea-b37, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Linux rock.home2.mark 2.6.10-1.770_FC3 #1 Thu Feb 24 18:09:38 EST 2005 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
JWS is doing unecessary in-addr.arpa lookups when making a socket connection.
If I open a Socket connection to www.java.net port 80 a dialog pops up and asks me if I want to grant access to connect to www.java.net. If I select 'Yes' another dialog pops up and asks me the question again (this time using the IP address 64.125.132.37).
This is a bug. I already granted access. If you `nslookup www.java.net` you get
64.125.132.37. The process of granting connect permission to www.java.net
should also grant the connect permission to all of www.java.net's IP
addresses.
I already trusted the DNS to resolve www.java.net. Why force folks to
decide if they trust the DNS again to resolve the IP address? HTTPS
doesn't do that, SSH doesn't do that, browser's don't even do that. It
does not enhance security to do a reverse/in-addr.arpa lookup enough to warrant confusing the user.
It's way too common for companies to not configure reverse/in-addr.arpa
lookups. Even java.net doesn't do it. Most times the user asks to connect somewhere they are going to see duplicate dialog boxes. It looks and feels broken to end users.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Socket s = new Socket("www.java.net", 80);
InputStream is = s.getInputStream();
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
I expect the first dialog box to come up, but not the second.
ACTUAL -
described above.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Socket s = new Socket("www.java.net", 80);
InputStream is = s.getInputStream();
---------- END SOURCE ----------
###@###.### 2005-06-03 16:42:11 GMT