The trustProxy Property

One of the properties you may want to set in the admin properties file is trustProxy, which is set to true by default. This means that HotJava™ Browser will trust your proxy server to safely contact a host outside the firewall using a DNS (Domain Name Service) lookup. In certain circumstances, you may want to set the trustProxy property to false for security reasons, as described below.

This document describes the following:

  trustProxy Basics
  Security Details
  Does this affect me?

trustProxy Basics

If you are running HotJava Browser in a corporate network behind a firewall and you therefore must use HTTP proxy servers to get access outside the firewall, you should:

The trustProxy property is set to true by default. To set it to false, add or modify the following line in your admin properties file:

   trustProxy=false

For information on how to edit your admin properties file, see HotJava Browser Property Files.

Read on if you're interested in the technical details.

Security Details

If you set the trustProxy property to false, the browser deals with applets as follows:
  1. When an applet is first fetched, HotJava Browser looks up its originating host once and caches its IP address.

  2. If this applet tries to open a network connection back to its originating server (for example, to retrieve more class files, image files, or data files), HotJava Browser looks up the cached IP address and will only allow a connection to that host.

This circumvents a small security risk where an applet might, under rare circumstances, be able to connect to hosts other than the one from which it originated. (This is the "DNS attack" problem from Feb. 96, described in the chronology section of the Applet Security FAQ.)

The problem with setting the trustProxy property to false occurs when:

  1. You run HotJava Browser from within a network that is separated from the main Internet by a firewall.

  2. You therefore use a proxy server (or "gateway") to provide access outside the firewall.

  3. Your system has no ability to resolve host names outside the firewall to IP addresses.

    Note: Most networks behind firewalls let the browser find the IP address from a host name directly, without going through the firewall. For these sites, there is no security risk, and you will always see full applet behavior, regardless of the trustProxy setting. Talk to your system administrator to find out if you can find IP addresses for external host names, and if not, to find out if this feature can be implemented for your network.

If the above three items are true for your system, and trustProxy is set to false, HotJava Browser cannot resolve the host name to an IP address because proxy servers do not cache the mapping between host names and IP addresses for future reference. Therefore, if you try to access a Web page on a site outside your firewall that has applets on it, you'll find that the applets won't load.
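As an added illustration (not HotJava code), here is a small Python model of the two behaviours described in the Security Details and in the three-item failure case above: with trustProxy=false the browser pins the origin's address at first fetch, connects back only to that cached address, and refuses to load the applet when the name cannot be resolved; with trustProxy=true it falls back to the HTTP proxy. The host names, addresses and DNS table are constructed, and the assumption that a trustProxy=true connect-back simply resolves the name again or hands it to the proxy is mine, not something the page states.

```python
from typing import Dict

class AppletLoadError(Exception):
    """The applet cannot be loaded under the current policy ("the applets won't load")."""

class AppletConnectionPolicy:
    """Where an applet's fetch and connect-back go under a given trustProxy setting."""

    def __init__(self, trust_proxy: bool, dns: Dict[str, str]) -> None:
        self.trust_proxy = trust_proxy
        self.dns = dns  # constructed stand-in for the browser's own name lookups
        self.pinned: Dict[str, str] = {}  # origin host -> IP cached at first fetch

    def fetch_applet(self, origin: str) -> str:
        """Step 1: look the origin up once and cache its address; returns the fetch target."""
        ip = self.dns.get(origin)
        if ip is not None:
            self.pinned[origin] = ip
            return ip
        if self.trust_proxy:
            return "proxy"  # unresolvable locally (item 3): trust the HTTP proxy to reach it
        raise AppletLoadError(f"{origin}: cannot resolve host and trustProxy=false")

    def connect_back(self, origin: str) -> str:
        """Step 2: the applet opens a connection back to its originating server."""
        if not self.trust_proxy:
            # Only the cached address is allowed; a later, different DNS answer is ignored.
            return self.pinned[origin]
        return self.dns.get(origin, "proxy")  # assumed: trustProxy=true resolves again or uses the proxy

def demo() -> Dict[str, str]:
    """Run both settings against a constructed DNS view and collect the outcomes."""
    dns = {"applets.example.com": "203.0.113.10"}  # constructed mapping
    strict = AppletConnectionPolicy(trust_proxy=False, dns=dns)
    trusting = AppletConnectionPolicy(trust_proxy=True, dns=dns)
    strict.fetch_applet("applets.example.com")
    trusting.fetch_applet("applets.example.com")
    dns["applets.example.com"] = "10.0.0.5"  # the name later resolves to a different address
    out = {
        "strict_connect": strict.connect_back("applets.example.com"),
        "trusting_connect": trusting.connect_back("applets.example.com"),
        "trusting_unresolvable": trusting.fetch_applet("outside.example.net"),
    }
    try:
        strict.fetch_applet("outside.example.net")
        out["strict_unresolvable"] = "loaded"
    except AppletLoadError:
        out["strict_unresolvable"] = "applet won't load"
    return out
```

The pinned policy keeps talking to 203.0.113.10 after the DNS answer changes, while the trusting policy follows the new answer; for a host the network cannot resolve, only the trusting policy gets the applet loaded (via the proxy).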

Does this affect me?

If you run the browser in a networked environment behind a firewall, there is a chance that you will not be able to run applets within the browser if you set the trustProxy property to false. (See items 1 - 3 above to find out if this affects you.) Therefore, the default setting for the trustProxy property is true. This means that even if HotJava Browser can't directly contact the desired host by its host name, it will trust the HTTP proxy server to be able to safely contact the desired external host, and applets will run as expected.

Copyright © Sun Microsystems, Inc.