Web Applet Certificate

Discussion in 'Java' started by Barkster, Sep 11, 2006.

  1. Barkster

    Barkster Guest

    I have a web applet that I signed myself, but I'm having issues with
    some people not being able to figure out how to accept it correctly; they
    select cancel and remember setting, which then makes the applet inoperable. I
    have a digital certificate for my website that I purchased from xramp.
    How do I get this thing signed so it doesn't prompt? When I first
    created it I looked into signing it and thought it was about 1k to have it
    signed?? Ouch. Are there any affordable options?? Thanks
    Barkster, Sep 11, 2006
    #1

  2. Barkster wrote:
    > I have a web applet that I signed myself, but I'm having issues with
    > some people not being able to figure out how to accept it correctly; they
    > select cancel and remember setting, which then makes the applet inoperable. I
    > have a digital certificate for my website that I purchased from xramp.
    > How do I get this thing signed so it doesn't prompt?


    No such thing is possible. If an all-permissions Web-Started
    application or applet could get on-screen without any warnings
    to, or questioning of, the client - that would be a security hole.

    'sandboxed' JWS apps. are a different matter.

    >..When I first
    > created I looked into signing it and thought it was about 1k to have it
    > signed??


    Your applet is already 'signed' if you signed it properly
    with a self-signed certificate; it is just that your
    certificate cannot be verified, whereas the sort of
    '1k' certificates you are thinking of can be (verified
    back to the issuing authority).

    >..Ouch. Are there any affordable options??


    The good news is, there are a number of sources of
    free certificates that *are* verified. The Thawte 'freemail'
    certificate is one such beasty. They generally have
    a more generic name than the 'expensive' ones.

    Ultimately though, the end-user will still be asked
    if they wish to 'accept the code signed by..'

    HTH

    Andrew T.
    Andrew Thompson, Sep 11, 2006
    #2
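
Added example (not code from the thread or from any poster): a small Java program that reports, for a signed JAR, whether each signer's certificate is self-signed or was issued by another authority, the distinction drawn in the reply above. The class name `JarSignerReport` is an assumption, and the program only reads the certificates embedded in the JAR; it does not validate the issuer against a trust store.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical class name; usage: java JarSignerReport applet.jar
public class JarSignerReport {
    // True when the certificate names itself as issuer and its signature
    // verifies under its own public key, so no outside authority vouches for it.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; }
        catch (Exception ex) { return false; }
    }

    public static void main(String[] args) throws Exception {
        Set<String> signers = new TreeSet<>();
        List<String> unsigned = new ArrayList<>();
        byte[] buf = new byte[8192];
        // verify=true: a tampered entry raises SecurityException while it is read
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip META-INF, where the signature files live
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only populated once the entry has been read to the end
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) { unsigned.add(e.getName()); continue; }
                for (CodeSigner s : cs) {
                    List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    signers.add(leaf.getSubjectX500Principal().getName()
                        + (isSelfSigned(leaf)
                            ? " [self-signed: identity cannot be verified]"
                            : " [issued by " + leaf.getIssuerX500Principal().getName()
                              + ", chain length " + chain.size() + "]"));
                }
            }
        }
        signers.forEach(s -> System.out.println("signer: " + s));
        unsigned.forEach(n -> System.out.println("UNSIGNED entry: " + n));
        if (signers.isEmpty()) System.out.println("no signatures found");
    }
}
```

A JAR that mixes signed and unsigned entries shows up here as `UNSIGNED entry` lines alongside the signer list.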

  3. Barkster

    Barkster Guest

    Ok, you're right. I talked with Thawte and they say the same thing. Is
    there any advantage to getting it signed through Thawte or something?
    I have some users that select cancel instead of run and check remember
    and then get all pissed 'cause it isn't working, and I haven't found an
    easy way to fix this other than having them go to control panel and
    removing the certificate in the Java control panel.

    Thanks

    Barkster, Sep 11, 2006
    #3
  4. Barkster

    Barkster Guest

    How do you use that freemail certificate to sign a java app??

    Thanks

    Barkster, Sep 11, 2006
    #4
  5. Barkster wrote:
    > Ok, you're right.


    Who's right about what?
    ( This translates to - please refrain from top-posting )

    >...I talked with thawte and they say the same thing. Is
    > there any advantage to getting it signed through thawte or something?


    The certificate can be verified - the warning presented
    to the user is less odorous.

    For further info., see this Blog article..
    <http://weblogs.java.net/blog/stanleyh/archive/2005/04/deployment_good_1.html>

    > I have some users that select cancel instead of run and check remember
    > and then get all pissed cause it isn't working and I haven't found an
    > easy way to fix this other than having them go to control panel and
    > removing certificate in java control panel.


    Same deal with the verified certificate, the only
    difference being that your end user is slightly less
    likely to 'permanently refuse' a verifiable certificate.

    And in reply to the question on your next post..
    Approximately "how to use freemail certificate?"

    I don't know - I've only ever used a self-signed certificate.

    Andrew T.
    Andrew Thompson, Sep 11, 2006
    #5
  6. Barkster

    Barkster Guest

    Sounds like I ought to look into options other than self signed.
    Thanks for clearing that up.

    Barkster, Sep 11, 2006
    #6
  7. Andrew Thompson wrote:
    >
    > The good news is, there are a number of sources of
    > free certificates that *are* verified. The Thawte 'freemail'
    > certificate is one such beasty. They generally have
    > a more generic name than the 'expensive' ones.


    Fortunately that security flaw is fixed in a later version of Java (not
    exactly sure from which version). So you now have to pay for certificate
    vendors' detailed verification of your company name (such as Click here
    or Microsoft Corporation).

    Recently unsigned WebStart apps have ceased to be able to request an
    older version of Java. Presumably the current version checks the
    certificates, so you can't get around it anyway.

    In any case, I would strongly advise anyone to avoid trusting code that
    happens to be signed.

    Tom Hawtin
    --
    Unemployed English Java programmer
    http://jroller.com/page/tackline/
    Thomas Hawtin, Sep 11, 2006
    #7