It's Time to Abandon Insecure Languages

John Brothers johnbr at undefined.com
Sat Jul 20 06:26:52 EDT 2002


I disagree in one area.  I have found that Java is sufficiently
flexible to handle 99 - 100% of the server code for a data
processing server.  As long as it's not doing kernel/OS level functionality,
it works great, it has fewer bugs, and, for the most part, is competently
powerful in performance.

Examining my init directory - sendmail, smtp, sshd (maybe), Apache,
squid, etc, all could have been written in Java w/out pain.  Streaming
media servers, Web services engines, etc are all candidates for Java -
unless they have to do heavy manipulation of devices, proc tables, etc.

Obviously, that isn't everything.  And I cringe in horror at the idea of
having to rewrite (for example) iptables or autofs or postgresql or even
X in Java.

But that isn't where the problems were found.  They were found in more or
less generalized data processors - httpd and sshd.

---

Obvious note - you were talking more about client-side stuff.  I can't stand
using Java for client-side work.  But I don't think that is where the
vulnerabilities are found and exploited.

----- Original Message -----
From: "James A. Donald" <jamesd at echeque.com>
To: <cryptography at wasabisystems.com>
Sent: Friday, July 19, 2002 8:12 PM
Subject: It's Time to Abandon Insecure Languages


I do not wish to start a language holy war, but I have full life
cycle experience in various projects in various languages, and my
experience was that if you use any language other than C/C++
ninety percent of the project goes much faster, and has far fewer
bugs than C++, and the remaining ten percent, which you have to
deliver in order to ship, involves a large number of horrible
hacks which effectively negate all the safety features of the
language and environment, take a very long time, and lead to all
sorts of problems.




---------------------------------------------------------------------
The Cryptography Mailing List