Subject: A note about DNS Spoofing and the Java Plugin from Sun
From: Stanley Ho

Background:

	Back in 1996, a security bug was found in Netscape Navigator and
	Internet Explorer using DNS spoofing. To fix this security bug,
	more rigorous security check were introduced into the security
	manager. See http://java.sun.com/people/mrm/dns_spoofing.html
	for more details.


Problem:

	Because of the rigorous security check, any Java
	applets/applications will perform reverse DNS lookup for any
	network connection in order to obtain both the IP address and
	host name, to ensure that DNS spoofing does not take place. This
	causes problems with client-side applets/applications.  Problems
	occurr when the applet or application tries to connect to an
	external server through a proxy.

	Because the security check requires DNS lookup for the host
	(external server in this case), any applets/applications
	connecting to external hosts will try to resolve the external
	hostname through the internal DNS servers. In most cases, this
	will fail because most enterprise customers doesn't set up their
	internal DNS server to resolve external host name. As a result,
	this prevents any external (e.g. Internet) applets/applications
	to work within the internal (e.g. Intranet) environment.

	To workaround this issue, a Java property called "trustProxy"
	was introduced into Java 1.1.x to disable this security
	check. Therefore, customers enables this property will be able
	to run external Java applets/applications through their proxy
	server, but this will suffer from DNS spoofing.

	Since this security check has a huge impact on Internet
	customers, HotJava browser enables this "trustProxy" setting by
	default, so their customers will be able to run applets on the
	Internet.

	On the other hand, Java Plug-in doesn't enable this property by
	default, so customers had hard time running any external applets
	through Java Plug-in, and it actually reduces the presence of
	Java Plug-in on the Internet to near zero. As a result, almost
	all Java Plug-in customers are deploying applets internally, so
	they will not suffer from this DNS Spoofing security check.

How to work around the DNS spoofing problem:

Method 1, on WINNT:

  Add an entry to the  C:\WINNT\System32\drivers\etc\HOSTS file like this:

  209.24.185.109 www.prometheus-music.com

  # etc.

Method 2, cross platform:

  Add an entry to the $JDKHOME/lib/security/java.policy

  grant
  {
   permission java.security.AllPermission;
  }

 This method opens up a huge gaping security hole, however.