Scripting *signed* Java applets

Michel Gallant

2004-06-30, 9:01 pm

Has anyone succeeded in scripting an RSA signed privileged Java applet
for JavaPlugin 1.4.2+ ? Say with Netscape 7 or IE 6 browsers using Sun JVM.

- Mitch


Roedy Green

2004-06-30, 9:01 pm

On Wed, 30 Jun 2004 17:27:53 -0400, "Michel Gallant"
<neutron@NOSPAMistar.ca> wrote or quoted :

>Has anyone succeeded in scripting an RSA signed privileged Java applet
>for JavaPlugin 1.4.2+ ? Say with Netscape 7 or IE 6 browsers using Sun JVM.


If you did, we would have to put it into the Bug Parade as a security
hole. By that do you mean having JavaScript ok the cert?

You can of course dynamically generate the applet tags to fire up a
signed applet.

I do that at http://mindprod.com/urlcheck.html



--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.

Michel Gallant

2004-06-30, 9:01 pm

This functionality was available in Netscape 4.x and Netscape JVM, but
one needed to digitally sign the script, and the user was prompted with
the usual security dialog .. same as for regular signed applet ... no difference.

Same with MS JVM so there is not really a security issue if the scripting
access is done properly.
- Mitch

"Roedy Green" <look-on@mindprod.com.invalid> wrote in message news:jjf6e09km1f2pn733nvhs8ejrpkn6crn9h@4ax.com...
> On Wed, 30 Jun 2004 17:27:53 -0400, "Michel Gallant"
> <neutron@NOSPAMistar.ca> wrote or quoted :
>
>
> If you did, we would have to put it into the Bug Parade as a security
> hole. By that do you mean having JavaScript ok the cert?
>
> You can of course dynamically generate the applet tags to fire up a
> signed applet.
>
> I do that at http://mindprod.com/urlcheck.html
>
>
>
> --
> Canadian Mind Products, Roedy Green.
> Coaching, problem solving, economical contract programming.
> See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.



Roedy Green

2004-06-30, 9:01 pm

On Wed, 30 Jun 2004 19:08:27 -0400, "Michel Gallant"
<neutron@NOSPAMistar.ca> wrote or quoted :

>This functionality was available in Netscape 4.x and Netscape JVM, but
>one needed to digitally sign the script, and the user was prompted with
>the usual security dialog .. same as for regular signed applet ... no difference.


What is this script going to do once it gets going?

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.

Michel Gallant

2004-07-01, 3:58 am


"Roedy Green" <look-on@mindprod.com.invalid> wrote in message news:1ui6e095gdopbpgnas6183fmjc4ln7fbt2@4ax.com...
> On Wed, 30 Jun 2004 19:08:27 -0400, "Michel Gallant"
> <neutron@NOSPAMistar.ca> wrote or quoted :
>
>
> What is this script going to do once it gets going?
>

Fire methods on a signed Java applet. Obviously, the privileged Java applet public
methods need to be designed so that malicious script calls will not damage a client's
system. That is why Microsoft JVM has the "assert" clause in applet methods, to
help the developer vouch that calls from untrusted hosts (like JavaScript-induced calls)
will not harm a client's systems.
Netscape's answer to that was having to sign the script itself, which essentially is a way
of saying that the script/page author assumes responsibility for any scripted calls into
privileged Java applets.
Sun scripted signed applets have similar discussion somewhere, but the functionality does
not appear to work at all!

- Mitch
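
The design rule in the post above (public methods of a privileged applet must stay harmless when page script calls them with hostile arguments), as an added Java example that is not part of the original thread. The class name `NoteSaver`, the method `saveNote` and the base directory are hypothetical; in an applet, `saveNote` would be a public method of the `Applet` subclass, and the generics syntax assumes Java 5 or later.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.regex.Pattern;

// Added example; all names here are hypothetical, not from the thread.
public class NoteSaver {
    // Plain file names only: no path separators, no "..", bounded length.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,32}\\.txt");
    private static final int MAX_CHARS = 4096;
    private final File baseDir;

    public NoteSaver(File baseDir) { this.baseDir = baseDir; }

    // Public, so both arguments are treated as untrusted page-script input.
    public boolean saveNote(final String name, final String text) {
        if (name == null || text == null) return false;
        if (!SAFE_NAME.matcher(name).matches()) return false;
        if (text.length() > MAX_CHARS) return false;
        try {
            // Only the file-system work is privileged; argument checks stay outside.
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException {
                    File target = new File(baseDir, name).getCanonicalFile();
                    // Reject anything that resolves outside the fixed directory (e.g. via a link).
                    if (!baseDir.getCanonicalFile().equals(target.getParentFile())) {
                        throw new IOException("outside base directory");
                    }
                    FileWriter out = new FileWriter(target);
                    try { out.write(text); } finally { out.close(); }
                    return null;
                }
            });
            return true;
        } catch (PrivilegedActionException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        File dir = new File(System.getProperty("java.io.tmpdir"), "notes-demo");
        dir.mkdirs();
        NoteSaver saver = new NoteSaver(dir);
        // Constructed sample calls: one well-formed name, two that must be refused.
        System.out.println(saver.saveNote("hello.txt", "ok"));
        System.out.println(saver.saveNote("../../autoexec.bat", "x"));
        System.out.println(saver.saveNote("a/b.txt", "x"));
    }
}
```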


Roedy Green

2004-07-01, 3:58 am

On Wed, 30 Jun 2004 20:54:17 -0400, "Michel Gallant"
<neutron@NOSPAMistar.ca> wrote or quoted :

>Fire methods on a signed Java applet. Obviously, the privileged Java applet public
>methods need to be designed so that malicious script calls will not damage a client's
>system. That is why Microsoft JVM has the "assert" clause in applet methods, to
>help the developer vouch that calls from untrusted hosts (like JavaScript-induced calls)
>will not harm a client's systems.
>Netscape's answer to that was having to sign the script itself, which essentially is a way
>of saying that the script/page author assumes responsibility for any scripted calls into
>privileged Java applets.
>Sun scripted signed applets have similar discussion somewhere, but the functionality does
>not appear to work at all!


Sorry I have not done this. You are the expert. Ghastly feeling isn't
it.

--
Canadian Mind Products, Roedy Green.
Coaching, problem solving, economical contract programming.
See http://mindprod.com/jgloss/jgloss.html for The Java Glossary.