World: r3wp

I know we talked about it a while ago, but those discussions are 
long gone from REBOL and from the web......I apologize, I should 
have archived them. Can you repost your thoughts on the default security 
model, in *concise* posts please? thank you!

I'm sorry, those discussions are long gone from AltME and the web 
archive, that's what I meant to say.

BTW, you talked about rebol as external process,sharing window. Its 
not plugin, but could that work between rebol-apps? view-desktop 
could profit a lot.

hmm. good thoughts. I don't think that will go into the next release 
of plugin, but you could suggest it in the general REBOL 3.0 area

Extra Security, some thoughts:
- 'secure for ips, eg: secure [net ask tcp://rebol.com allow]
- don't share sandbox-folders between hosts.
- if possible memory-restriction, hd, cpu?
- clipboard-restriction somehow?

- check for memory-access, specially disable struct! . IMO real hackers 
will figure out how to inject code by poke. 

- reblets can store executable code by naming the file *.exe. Does 
not run immediate, but script can open folder in explorer by browse, 
and one wrong click runs it. (or is windows smarter now? Maybe you 
could add an own extension always, and maybe store everything as 
64#{} ?

- Make sure untrusted reblets don't run invisible, can snoop clipboard, 
or at least users online-times. I guess creatives can find other 
uses.

- Maybe some kind of log about starts/stops, with urls? To have a 
little chance of tracking. Some kind of global console.
- Running out of thoughts for now.

- protect access to real file-pathes. kind of chroot. getting 'what-dir 
can be a good hint for attacks i guess. At least mozilla puts a random 
part in profile-folders.

A couple of quick thoughts:

[*] Don't allow reading/writing outside of a local sandbox......That 
includes not allowing access to URLs elsewhere on the web.  permitting 
wider local access and permitting wider web access should be separate 
security settings
[*] Disallow send by default

huh, are we talking rebol then?

disallowing send? why? can't you just send email by java script?

I would not limit rebol networking at all, I would add some security, 
yes, but not limitation ...

What Volker suggests might work, but then rebol's secure dialect 
should be extended ....

Yes of course with dialog. And some way to set prferences. I like 
how noscript does that.

disallowing send - how many spam can i send on your account while 
you run my reblet?

Maybe change it and open the users mail-client with the prepared 
email?

that is a very good idea volker!

this should actually be added as a standard REBOL feature IMHO!

Thinking about it, yes. Maybe the standard things native, browser, 
email, editor. With an option to use mail and editor inbuild. Maybe 
these could run by 'launch, so they are rebol, but reblets cant touch 
the real code.

BTW how about changing the exe to a thin wrapper around the dll? 
Would be a single download for both. (could be offered in both ways, 
completely one exe, or wrapper + plugin + dll).

Volker. Jaime.  Clipboard access should probably raise a security 
request, like it does in (secured) browsers.   Maybe it should also 
be part of 'secure  ...

woops, not Jaime ==> Josh

Yes. its tricky. restriction is very inconvenient, but snooping can 
be valuable. I sometimes even clip passwords..

Maybe a native 'field, which is not accessible from the script until 
"enter", and allowing pasting there? Rebol3, how much protection 
can modules give?

Yes. You should try disabling third party cookies in your browsers 
and see how much stuff is leaked to  through that., easy enough to 
steal from a form a user just filled out ;-)

Looks like Volker covered the security issues I'd note.  About Rebol 
as a COM server process--I would think that would be the way to go. 
 Pretty sure that is how Acrobat runs, too.  Basically, the first 
time you run into a PDF on the web Acrobat32 starts, and handles 
all instances.

To disallow send properly means a mini firewall.  If you disallow 
SEND, script implements its own function. If you remove smtp scheme, 
script implements its own smtp scheme. Therefore, you have to get 
it at the root, which is to block outgoing tcp on port 25.

hmm, blocking port 25? What if I am a hacker and I run smtp on purpose 
on different port? ;-)

let's hope hackers are very stupid then :-)

That mini-firewall is in my secure-proposal:  secure [net ask tcp://rebol.com 
allow].

Although securing ports would be nice too, secure [net ask tcp://rebol.com 
80 8080 - 9090 allow].

Be carefull with restricting Rebol. I like Rebol, because I can simply 
do things, which I cannot do in other apps. I cannot believe, that 
Maxim wants to remove send even from Rebol and replace it with some 
application. Why? Do I need xxMB large aplication just to send message? 
What will be better in Rebol than in Flash, if you remove the best 
parts of Rebol?

Because you run in the browser now and spy/adware/spammers will love 
rebol without such things.

Oldes, it should be a different word yes. every plugin does not send 
mail directly, they prepare the mail. it is what user expects.

With exe people run rebol intentionally (although /desktop goes in 
the other direction). With plugin user goes to a web-page and webdesigner 
turns that into a rebol-page without notice.

I agree, that some security is needed, but just want to say, not 
to give everything away just because there may be one bad guy

I ask once again - isn't it possible to send email using javascript 
and getting into browser settings?

we must not view rebol in the browser as a means to distribute any 
apps.   I also think the plugin should have a complete control panel 
which allows user to choose from "allways/ask/never" for every sensitive 
aspect.

If that is possible the browser is severely broken.

Rebol as a plugin is here more then 2 years. It was plenty of time 
to do evil things

It is *here*, but not *everywhere* as flash is.

First thing what should be done is better security request window

Security extension, yes, removal of something - hehe, how uneducated 
imo :-) Is smtp so difficult to build? Having tcp socket is dangerous 
already, as I can build my custom smtp in script, and have server 
at the other end of the country, which listens on 8080 and doing 
smtp ....

The current security window is almost useless as I never see the 
directory I'm dealing with

I agree oldes, and we cant "remember" specific directories!

Pekr, you can not build smtp if the sandbox does not let you connect 
to a mailserver.

Maxim - I do agree about unificed control panel icon options, as 
Java does - I would hate thousands of messy dialogs for xy features 
which pop-up-I-don't know-when :-)

or tcp ports, or URL roots...

And a good sandbox lets you connect only to your homeserver, where 
the reblet comes from.

Volker - Volker - how do you distinguish mailserver?

url.

And I'm sure, you will not be able send emails from my browser as 
I don't remember that I allowed to use such a port to any application

You can also run a mail-server on the machine where you host the 
reblet, then send works.