Web Start of unsigned Java apps: .NET to the rescue

Have you already signed your Java applets with a trusted authority certificate? You know you will have to.

Why sign?

This is supposed to provide “numerous security benefits to users”, according to Oracle. Indeed, where someone used to just visit a “get-rich-quick” site and unknowingly start a hidden malicious Java applet, now they will have to confirm that they knowingly agree to start an applet provided by the officially registered “get-rich-quick Pty Limited”.

As for you and me, as publishers of Java applets, how will it protect our good names? Well, the bad guys will not be able to intercept our software and add their viruses to it, unless they want to use their own certificate to sign it with. This is the code repurposing which Oracle aims to prevent. One can argue that the same could be achieved by simply requiring the applets to be delivered only via a secure protocol. And it would be cheaper too, for us. Some people are even questioning whether all this exercise with certificates can achieve much at all…

Oracle used to tell us in its Secure Coding Guidelines that “For applets and JNLP applications the best approach is often to leave the jar files unsigned. The application then runs in a sandbox and will not be able to execute any potentially dangerous code”. Well, no more…

But for now, while you are busy collecting documents for the trusted authority to sell you the code signing certificate, why not have some fun and see if we can deploy a Java application without the help of Java Web Start?