Web Applet Certificate
Barkster 2006-09-11, 7:02 pm
I have a web applet that I signed myself but I'm having issues with
some people not being able to figure out how to accept it correctly; they
select cancel and remember setting, which then makes the applet inoperable. I
have a digital certificate for my website that I purchased from xramp.
How do I get this thing signed so it doesn't prompt? When I first
created it I looked into signing it and thought it was about 1k to have it
signed?? Ouch. Are there any affordable options?? Thanks

Andrew Thompson 2006-09-11, 7:02 pm
Barkster wrote:
> I have a web applet that I signed myself but I'm having issues with
> some people not being able to figure out how to accept it correctly; they
> select cancel and remember setting, which then makes the applet inoperable. I
> have a digital certificate for my website that I purchased from xramp.
> How do I get this thing signed so it doesn't prompt?
No such thing is possible. If an all-permissions Web-Started
application or applet could get on-screen without any warnings
to, or questioning of, the client - that would be a security hole.
'sandboxed' JWS apps. are a different matter.
>..When I first
> created I looked into signing it and thought it was about 1k to have it
> signed??
Your applet is already 'signed' if you signed it properly
with a self-signed certificate, it is just that your
certificate cannot be verified, whereas the sort of
'1k' certificates you are thinking of, can be (verified
back to the issuing authority).
>..Ouch. Are there any affordable options??
The good news is, there are a number of sources of
free certificates that *are* verified. The Thawte 'freemail'
certificate is one such beasty. They generally have
a more generic name than the 'expensive' ones.
Ultimately though, the end-user will still be asked
if they wish to 'accept the code signed by..'
HTH
Andrew T.
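An added example, not part of the original thread, to make Andrew's distinction concrete. It uses openssl (assumed present on PATH, version 1.1.1 or newer because of -addext) rather than keytool/jarsigner, since the rule is the same for any X.509 certificate: a toy CA issues one certificate to the applet author, a second certificate with the same subject is self-signed, and only the CA-issued one can be verified back to an issuing authority. The CA name and host name are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes openssl 1.1.1+
# on PATH. Names (Example Toy Root CA, barkster.example) are made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Toy root CA: the "issuing authority" a verifier chooses to trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Toy Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Leaf certificate issued by the CA for the applet author, marked for
# code signing. Its issuer is the CA, so a chain exists to follow.
make_ca_issued_leaf() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=barkster.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=codeSigning\n' >"$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Self-signed leaf with the same subject: signed by its own key, so its
# issuer is itself and there is no authority for a verifier to chase.
# (keytool -genkeypair produces exactly this kind of certificate.)
make_self_signed_leaf() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=barkster.example" \
    -addext "extendedKeyUsage=codeSigning" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
}

# Print the issuer DN of a certificate file.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Print "verified" if a chain from $1 ends at the CA in our trust store,
# "unverified" otherwise. Trusting only ca.crt mirrors a client that
# trusts a fixed set of CAs and nothing else.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo verified
  else
    echo unverified
  fi
}

make_ca
make_ca_issued_leaf
make_self_signed_leaf

echo "CA-issued leaf:   issuer=$(issuer_of "$WORK/leaf.crt")  -> $(verify_against_ca "$WORK/leaf.crt")"
echo "Self-signed leaf: issuer=$(issuer_of "$WORK/self.crt")  -> $(verify_against_ca "$WORK/self.crt")"
```

Run it with sh. The CA-issued certificate verifies; the self-signed one fails with openssl's "self-signed certificate" error because nothing in the trust store vouches for it. That is the same situation a Java client is in when it cannot trace the signer to a CA it trusts: the signature on the jar is still valid, but the identity behind it is unverified, and the user is asked whether to accept it.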

Barkster 2006-09-11, 7:02 pm
Ok, you're right. I talked with thawte and they say the same thing. Is
there any advantage to getting it signed through thawte or something?
I have some users that select cancel instead of run and check remember
and then get all pissed because it isn't working and I haven't found an
easy way to fix this other than having them go to control panel and
removing the certificate in the Java control panel.
Thanks
Andrew Thompson wrote:
> Barkster wrote:
>
> No such thing is possible. If an all-permissions Web-Started
> application or applet could get on-screen without any warnings
> to, or questioning of, the client - that would be a security hole.
>
> 'sandboxed' JWS apps. are a different matter.
>
>
> Your applet is already 'signed' if you signed it properly
> with a self-signed certificate, it is just that your
> certificate cannot be verified, whereas the sort of
> '1k' certificates you are thinking of, can be (verified
> back to the issuing authority).
>
>
> The good news is, there are a number of sources of
> free certificates that *are* verified. The Thawte 'freemail'
> certificate is one such beasty. They generally have
> a more generic name than the 'expensive' ones.
>
> Ultimately though, the end-user will still be asked
> if they wish to 'accept the code signed by..'
>
> HTH
>
> Andrew T.

Barkster 2006-09-11, 7:02 pm
How do you use that freemail certificate to sign a java app??
Thanks
Barkster wrote:
> Ok, you're right. I talked with thawte and they say the same thing. Is
> there any advantage to getting it signed through thawte or something?
> I have some users that select cancel instead of run and check remember
> and then get all pissed because it isn't working and I haven't found an
> easy way to fix this other than having them go to control panel and
> removing the certificate in the Java control panel.
>
> Thanks
>
> Andrew Thompson wrote:

Andrew Thompson 2006-09-11, 7:02 pm
Barkster wrote:
> Ok, your right.
Who's right about what?
( This translates to - please refrain from top-posting )
>...I talked with thawte and they say the same thing. Is
> there any advantage to getting it signed through thawte or something?
The certificate can be verified - the warning presented
to the user is less onerous.
For further info., see this Blog article..
<http://weblogs.java.net/blog/stanle...ent_good_1.html>
> I have some users that select cancel instead of run and check remember
> and then get all pissed cause it isn't working and I haven't found an
> easy way to fix this other than having them go to control panel and
> removing certifciate in java control panel.
Same deal with the verified certificate, the only
difference being that your end user is slightly less
likely to 'permanently refuse' a verifiable certificate.
And in reply to the question on your next post..
Approximately "how to use freemail certificate?"
I don't know - I've only ever used a self-signed certificate.
Andrew T.

Barkster 2006-09-11, 7:02 pm
Sounds like I ought to look into options other than self signed.
Thanks for clearing that up.
Andrew Thompson wrote:
> Barkster wrote:
>
> Who's right about what?
> ( This translates to - please refrain from top-posting )
>
>
> The certificate can be verified - the warning presented
> to the user is less onerous.
>
> For further info., see this Blog article..
> <http://weblogs.java.net/blog/stanle...ent_good_1.html>
>
>
> Same deal with the verified certificate, the only
> difference being that your end user is slightly less
> likely to 'permanently refuse' a verifiable certificate.
>
> And in reply to the question on your next post..
> Approximately "how to use freemail certificate?"
>
> I don't know - I've only ever used a self-signed certificate.
>
> Andrew T.

Thomas Hawtin 2006-09-11, 7:02 pm
Andrew Thompson wrote:
>
> The good news is, there are a number of sources of
> free certificates that *are* verified. The Thawte 'freemail'
> certificate is one such beasty. They generally have
> a more generic name than the 'expensive' ones.
Fortunately that security flaw is fixed in later versions of Java (not
exactly sure from which version). So you now have to pay for certificate
vendors' detailed verification of your company name (such as Click here
or Microsoft Corporation).
Recently unsigned WebStart apps have ceased to be able to request an
older version of Java. Presumably the current version checks the
certificates, so you can't get around it anyway.
In any case, I would strongly advise anyone to avoid trusting code that
happens to be signed.
Tom Hawtin
--
Unemployed English Java programmer
http://jroller.com/page/tackline/