XWT needs to run as a trusted Applet/ActiveX control — how do I know that it's safe and secure?
Well, for one, you can read the source code! Additionally, 99% of XWT is written in Java, which is not vulnerable to buffer overflows (the source of the vast majority of security breaches), even when compiled into native code using GCJ. The remaining 1% is very carefully audited before signing. Also, since XWT never writes files to your hard drive (except a logfile on Win32, which is opened before any source files are loaded), “escape attacks” (utilizing “..” to walk up a directory tree) are unlikely. All .xwt source files are run in an extremely restrictive sandbox; they cannot access your hard drive, and cannot circumvent your firewall since the only network operations they can perform are XML-RPC and SOAP calls to non-firewalled addresses (i.e. addresses outside of 10.x.x.x and 192.168.x.x). Any windows created by XWT files are scarred; see the corresponding FAQ entry. Finally, the binaries distributed on this site are digitally signed by Adam Megacz, using his Thawte-issued code signin
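
The address restriction described above (calls only to addresses outside 10.x.x.x and 192.168.x.x) can be sketched as a destination check. This is an added example, not XWT's own code: the function names, the host names and the sample DNS answers are constructed, and the `strict` mode goes beyond the two ranges the FAQ names by also refusing other non-public ranges.

```python
import ipaddress
import socket

# Ranges the FAQ names explicitly.
FAQ_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumption of this example: other non-public ranges a strict check also refuses.
EXTRA_RANGES = [ipaddress.ip_network(n) for n in (
    "172.16.0.0/12", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked(addr, strict=True):
    """True if addr falls in a range that calls must not reach."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it is judged as 10.0.0.1.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    ranges = FAQ_RANGES + (EXTRA_RANGES if strict else [])
    return any(ip in net for net in ranges)

def resolve(host):
    """Default resolver: every address the name currently maps to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def allowed_addresses(host, resolver=resolve, strict=True):
    """Return the resolved addresses, or raise if any of them is blocked.

    Connect to a returned address rather than resolving the name again, so a
    later DNS answer cannot substitute an internal address.
    """
    addrs = resolver(host)
    blocked = [a for a in addrs if is_blocked(a, strict)]
    if blocked or not addrs:
        raise PermissionError(f"{host}: refused, resolves to {blocked or 'nothing'}")
    return addrs

# Constructed DNS answers for an offline run (hypothetical names, test addresses).
CONSTRUCTED_DNS = {
    "rpc.example.org": ["203.0.113.10"],
    "mixed.example.org": ["203.0.113.10", "10.0.0.5"],
    "mapped.example.org": ["::ffff:192.168.1.1"],
}

def constructed_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])
```

The check is applied to the resolved address rather than the host name, since a public-looking name can resolve to an internal address.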