I have a Java applet which doesn't need any special privileges to run (i.e., it runs fine in the sandbox), but which expects the user to enter some sensitive information. Therefore, I'd like the user to be able to verify the origin of the applet.

I then signed the applet, and everything appears to be working correctly. The browser apparently accepts the signature; for test purposes, I tried executing PrivilegedActions and everything worked. However, the browser doesn't inform the user that the browser is signed - from the user's perspective, both unsigned and signed versions of the applet appear exactly the same.

So my question is: is there a way to instruct the browser to present the signature authority to the user, or something similar?

+1  A: 

Firstly, this is not a valid usage for signing a jar.

Did you at some point ever forget to untick the always trust tickbox?

Back to the first point because it is quite important. By signing a jar you are putting the certificate's name to the claim that it is secure. Note that being secure is very much broader than being non-malicious. The security dialog which asks whether the user wants to give full local user access pops up if any code encountered anywhere is signed. It doesn't mean that some particular set of pixels is from a trusted source.

The correct approach is to use https.

Tom Hawtin - tackline
Doh! You're right, "always trust" is turned on by default and I forgot to untick it. The problem with using https is that I want to allow dissemination of the applet by 3rd parties, but don't necessarily trust them with the sensitive information entered into the applet. Any suggestion on how to achieve that (allow dissemination + prevent tampering)?
oggy
Signing the applet yourself is the only way to ensure that it's not malicious. One option could be to sign a JAR with your business logic classes and create an applet that will also be signed. Give the source code of the applet (or unsigned applet) to third parties, but have the JAR with your business logic signed by you. This way third parties won't change your code yet will be able to present their own signatures for the applet.
Eugene Mayevski 'EldoS Corp
@Eugene: but how does then the user verify that the JAR with the business logic is signed by me?
oggy
@oggy You are stuck there. More of a browser question. An iframe with https comes close, but browsers don't have a UI to show the origin of iframes. Verified by Visa seems to try to handle this by showing something only the user could know in the iframe, however the originating site could read that page instead.
Tom Hawtin - tackline
@oggy: signing of the JAR ensures that your code is not tampered with by third parties. The user will see only the third-party signature (if they sign their applet). If you sign your applet, they will see your signature. I was addressing only this part of the question. I don't think you will find a way to force a browser to show signature information of your applet. Maybe the applet could show its own signature info, but this can be bypassed, so it's weak security.
Eugene Mayevski 'EldoS Corp
I'm marking this as the accepted answer since no solution has been proposed.
oggy
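
Since the thread finds no browser UI for this, the check can be done outside the browser. The following is an added example, not code from any poster in this thread: it verifies that every entry of a downloaded JAR is signed by a certificate with an expected SHA-256 fingerprint. The class name `JarSignerCheck` and the idea that the publisher announces the fingerprint over a channel they control (for example their own HTTPS site) are assumptions.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {
    // Usage: java JarSignerCheck <file.jar> <expected SHA-256 of signer certificate, hex>
    public static void main(String[] args) throws Exception {
        String expected = args[1].replace(":", "").toLowerCase();
        try (JarFile jar = new JarFile(new File(args[0]), true)) { // true = verify signatures
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers are only populated once the entry has been read to the end;
                // an entry whose digest does not match throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
                if (!signedBy(e.getCodeSigners(), expected)) {
                    System.out.println("FAIL: " + e.getName() + " is not signed by the expected certificate");
                    System.exit(1);
                }
            }
        }
        System.out.println("OK: every entry is signed by the expected certificate");
    }

    // The manifest and signature files directly under META-INF/ are never signed themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.startsWith("META-INF/") && n.indexOf('/', 9) < 0 && (n.equals("META-INF/MANIFEST.MF")
                || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC"));
    }

    static boolean signedBy(CodeSigner[] signers, String expectedHex) throws Exception {
        if (signers == null) return false; // unsigned entry (e.g. a class added by a third party)
        for (CodeSigner s : signers) {
            byte[] der = s.getSignerCertPath().getCertificates().get(0).getEncoded(); // signer's own cert
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) hex.append(String.format("%02x", b));
            if (hex.toString().equals(expectedHex)) return true;
        }
        return false;
    }
}
```

`JarFile` verification only proves the entries match the signature; it does not validate the certificate chain or its validity period, so the pinned fingerprint is what ties the JAR to the publisher. This is an out-of-band check on the file and does not change what the browser shows when the applet loads.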