More Security for Unsigned Applets

I don't like signed applets.

Thus I'm thinking about adding a new clause into the java.policy file, something like this:

grant codebase "http://a.org/b.jar" md5sum 1234... {
    permission ...
}

If I know the developer of the applet quite well, or I've asked some experts to study the applet carefully, I may grant more permissions to the applet (Remember? I always believe that even an unsigned applet can be written to access "sensitive" resources, since the user can always allow it). However, I cannot guarantee that an applet will not be upgraded, or that a bad guy will not hijack my DNS server and put his own applet there with the same URL. A checksum should be quite useful here.
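A sketch of the check such a clause implies, added here as an illustration and not taken from the JDK or from the original post: the extra permissions apply only when the bytes actually fetched hash to the pinned value. `PinnedGrant` and its methods are hypothetical names, the jar contents and file path are constructed samples, and SHA-256 stands in for the `md5sum` of the sketch because MD5 collisions are practical.

```java
import java.io.FilePermission;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.PermissionCollection;
import java.security.Permissions;

// Hypothetical helper: models one digest-pinned grant entry. Not a JDK API.
public class PinnedGrant {
    private final String codebase;            // exact jar URL from the grant clause
    private final byte[] pinnedDigest;        // SHA-256 of the jar that was reviewed
    private final PermissionCollection granted;

    PinnedGrant(String codebase, byte[] pinnedDigest, PermissionCollection granted) {
        this.codebase = codebase;
        this.pinnedDigest = pinnedDigest.clone();
        this.granted = granted;
    }

    static byte[] sha256(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Extra permissions apply only if the URL and the fetched bytes both match the pin.
    PermissionCollection permissionsFor(URL origin, byte[] jarBytes) throws Exception {
        boolean sameUrl = codebase.equals(origin.toExternalForm());
        boolean sameBytes = MessageDigest.isEqual(pinnedDigest, sha256(jarBytes));
        return (sameUrl && sameBytes) ? granted : new Permissions(); // empty: sandbox defaults
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data standing in for real jar contents.
        byte[] reviewed = "reviewed applet bytes".getBytes(StandardCharsets.UTF_8);
        byte[] swapped = "upgraded or hijacked bytes".getBytes(StandardCharsets.UTF_8);

        Permissions extra = new Permissions();
        extra.add(new FilePermission("/home/me/notes.txt", "read")); // constructed path
        PinnedGrant grant = new PinnedGrant("http://a.org/b.jar", sha256(reviewed), extra);

        URL url = new URL("http://a.org/b.jar");
        System.out.println("reviewed jar gets extra permissions: "
                + grant.permissionsFor(url, reviewed).elements().hasMoreElements());
        System.out.println("swapped jar gets extra permissions: "
                + grant.permissionsFor(url, swapped).elements().hasMoreElements());
    }
}
```

The digest has to be computed over the same bytes that are then loaded; hashing one download and loading another reopens the gap the pin is meant to close.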

Some problems: Even an unmodified jar, if hijacked, can also bring security problems. For example, an applet can always send info back to its origin, so this hijacked applet will send the precious info I innocently allowed it to read on my hard disk back to the bad guy.

But currently even a signed applet can be hijacked this way too. If someone hijacks the Google website (very common in China these days), I will get an "HTTPS hostname not matched" warning when I browse to GMail. However, if Google releases its mail client as a signed Java applet but the page it resides on is hijacked by someone, will I be able to detect it? The verification of the code happens only on the client side, and the private key (the only thing not hijacked) is not involved. Of course, the applet will still use HTTPS to connect to the server, so there is still a chance. But before the connection, are there any bad things it can do?

Seems not, if the applet is written in a nice style, if it does not connect back to its origin in a plain socket...

OK, I'll think more on this.
