Signing an applet


A

Arne Vajhøj

In order to cater for the inadequacies and introduced vulnerabilities of
WebStart and JNLP

I was not aware that the vulnerabilities were not in traditional
applet tags.

Are you sure about this?

Oracle have knee-jerked their way into destroying the
sandboxed paradigm and made Applets almost impossible to activate
without reciting some incantation while waving a dead chicken over your
head :-(

For example: -
https://blogs.oracle.com/java-platform-group/entry/liveconnect_changes_in_7u45

They tightened security. I think that is fine. I think it is very bad that
they change the rules for every other release - they should define the
rules they want and stick to them, so people have a chance of complying.

Arne
 
Ad

Advertisements

Ad

Advertisements

R

Richard Maher

I was not aware that the vulnerabilities were not in traditional
applet tags.

Are you sure about this?
Just one recent example: -
https://addons.mozilla.org/en-US/firefox/blocked/p428

But the underlying architectural problem with WebStart and JNLP is that
the elevated privileges needed to work their bastardry means all THEIR
applets need to be signed. So why not just make everyone do it? hese
people refuse to believe that anyone would not want to use their
WebStart crap :-(
They tightened security. I think that is fine. I think it is very bad that
they change the rules for every other release - they should define the
rules they want and stick to them, so people have a chance of complying.

As I questioned in the referenced blog, I am not sure this change is
about tightening security: -

Deanna: It's not a matter of [Allowing the caller to say "yes, I really
am allowed to call this, honest guv'"] it's allowing the authour of the
document base to say "Hey, I'm including a whole lot of script files
from other domains and I don't want them to be able to script this
Applet". [would defeat the point of it] I'm not sure Oracle have
articulated what "the point of it" is. Is it CopyRight Protection or
marketing mechanism or is it a security mechanism? [It's an option for
the publisher of the applet to specify who can call it.] You mean like
they've always been able to do by interogating the results of
Applet.getDocumentBase()?

The whole idea of having to ship/package/manufacture a separate Applet
for each customer is ludicrous!

costlow: [because it guards against repurposing] Fine. *IF* the check
scrutinized the domain of individual.JS files then I could see the sense
in it, but my quick testing says it ONLY checks the Document Base.
Please communicate exactly what you were trying to accomplish.

On the subject of communication please feel free to assume a fair
portion of responsibility for user-base feelings like this: -
https://bugzilla.mozilla.org/show_bug.cgi?id=914690

Cheers Richard Maher

PS. Why don't I get any pop-up when I dynamically include an unsigned
Applet at run-time with innerHTML="<OBJECT. . .".
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top