Isn't JavaSE 6 Java Web Start security dialog dangerous?
Posted by kohsuke on August 20, 2006 at 03:27 PM | Comments (9)
I'm not a security expert or anything, but I thought I knew enough about that stuff to get by. But when I looked at the new Java Web Start security dialogs in SE 6, I got nervous: AFAICT, this dialog is a bit dangerous. But if the security experts of Java SE think these are fine, then I must be missing something. So what am I missing?
The screen in question is below:
When I create my own certificate not signed by any CA, and use that to sign an application, this is the dialog that you'll see when you try to run it.
The problem, as I see it, is that since I can choose any name when I create my certificate, the publisher you are seeing on this dialog is not trustworthy information. That is, you have no way of knowing that this application is really published by the JDIC project as the dialog states, because I can just as easily create a certificate using "jdic" as the name. Also, technically, since this application is not sent via HTTPS, there's really no guarantee that the application came from http://javadesktop.org/ either. The bytes can be altered, DNS can be spoofed, proxies could be hacked. Finally, the name of the application could obviously be anything.
So what it boils down to is that, when you are presented this dialog, you really shouldn't be trusting any of the information that's displayed here. In particular, you shouldn't reason like "ah, I trust JDIC guys, so I'm fine with running this application with full access to the system", because you have no way of knowing that the application indeed came from JDIC.
But this dialog says "Only run if you trust the origin of the application", and I think normal users would then proceed to do just what I'm afraid of, despite the fact that there's no way to know the origin of the application. After all, that's really the core function of CAs, which is to make sure that a certificate that says "company X" is only made available to company X, not someone else. It's all about letting you know the origin of the application.
So, that's the point I'd like to make here. Putting up a dialog that says "Only run if you trust the origin of the application" when there's no way to know the origin of the application is stupid. When the same dialog also displays something that looks like the origin of the application is even dangerous, because that makes people think that it is the origin of the application.
Therein lies my confusion. These dialogs must have gone through some serious scrutiny. So if it is indeed dangerous, then it must have been spotted. Thus it follows that some of my reasoning above is wrong. This is where I need your help!
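As an added example (not code from the original post or from the JDIC project), here is the check a client could make instead of just printing the certificate's subject: read the signed JAR, pull the signer's certificate chain, and run PKIX path validation against the JRE's own cacerts trust store. The "Publisher" string comes straight out of the certificate's subject and is whatever the signer typed into keytool; only a chain that validates to a trusted CA ties that string to an actual identity. The class name SignerCheck, the assumption of a single signer, and the use of the default cacerts file under java.home are my choices, not anything the page describes; it needs Java 7 or later for try-with-resources.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: separates the self-asserted publisher name from CA-verified identity. */
public class SignerCheck {

    /**
     * Returns the signer's certificate chain for a signed JAR.
     * Every entry must be read to the end before JarEntry.getCertificates()
     * is populated; reading with verify=true also rejects tampered entries.
     * Assumption: a single signer (several signers would concatenate chains).
     */
    static X509Certificate[] signerChain(JarFile jar) throws IOException {
        byte[] buf = new byte[8192];
        X509Certificate[] chain = null;
        for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
            JarEntry entry = e.nextElement();
            if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                continue; // manifest and signature files carry no signer certs
            }
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* consume; SecurityException on bad digest */ }
            }
            Certificate[] certs = entry.getCertificates();
            if (certs == null) {
                throw new SecurityException("unsigned entry: " + entry.getName());
            }
            X509Certificate[] x = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
            if (chain == null) {
                chain = x;
            } else if (!Arrays.equals(chain, x)) {
                throw new SecurityException("entries signed by different signers");
            }
        }
        if (chain == null) {
            throw new SecurityException("JAR has no signed content entries");
        }
        return chain;
    }

    /**
     * PKIX path validation against the JRE's cacerts trust store. Returns true
     * only if the chain ends at a CA the platform trusts; a self-signed signer
     * certificate with any subject name (CN=jdic included) fails here.
     */
    static boolean chainsToTrustedCA(X509Certificate[] chain) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(cacerts)) {
            trust.load(in, null); // no password needed just to read trusted certs
        }
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        // jarsigner usually embeds the root as well; PKIX wants the path without
        // the trust anchor, so drop a trailing cert that is already in cacerts.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && trust.getCertificateAlias(last) != null) {
            path.remove(path.size() - 1);
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // offline demo; keep revocation on in production
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        try {
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            return true;
        } catch (CertPathValidatorException ex) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        try (JarFile jar = new JarFile(args[0], true)) { // verify=true
            X509Certificate[] chain = signerChain(jar);
            String asserted = chain[0].getSubjectX500Principal().getName();
            boolean verified = chainsToTrustedCA(chain);
            System.out.println("Publisher field in the signer cert: " + asserted);
            System.out.println("Chains to a CA in cacerts:          " + verified);
            if (!verified) {
                System.out.println("=> the name above is self-asserted; it says nothing about origin");
            }
        }
    }
}
```

To reproduce the situation in the post, mint a self-signed key whose subject claims to be JDIC and sign any JAR with it: keytool -genkeypair -alias test -dname "CN=jdic, O=JDIC" -keystore ks.jks, then jarsigner -keystore ks.jks app.jar test, then java SignerCheck app.jar. The first line of output will happily print CN=jdic; the second prints false, which is the one bit of information the dialog should be leading with.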
Comments
-
What's the difference between JWS's dialog and IE's or Firefox's dialogs? Why are they not so dangerous?
Posted by: ronaldtm on August 20, 2006 at 05:28 PM
-
All are dangerous. I remember I've filed a bug with Firefox asking them to change the wording to something like "the publisher claims to be ....".
Posted by: weijun on August 20, 2006 at 06:24 PM
-
Absolutely. But I guess this is just something Java follows Microsoft's lead on. There is not much point in Java applications being paranoid if Windows malware can get through without problem.
(I wouldn't trust the JDIC guys:)
Posted by: tackline on August 21, 2006 at 01:11 AM
-
Even if the app were sent over SSL, someone could have spoofed DNS. As for the "validity" of the certificate - even a cert signed by a "trusted" CA could be bogus. Most of SSL is just encryption for show anyway - the path validation algorithms are so broken (and poorly implemented) that you don't get much identity proofing for the other end of the connection.
Posted by: cajal on August 21, 2006 at 07:23 AM
-
tackline and ronaldtm, I guess I should check what IE would say on ActiveX controls that are signed by a non-verifiable certificate. I thought it did a better job, but if it's not, then perhaps that was the reason behind what JWS chose in Mustang.
Cajal, I don't follow what you are saying. Say, in HTTPS, if a certificate says "company X" and is signed by VeriSign, then you can really trust that the server you are talking to is company X. I don't see how DNS spoofing could attack this scheme. What am I missing?
Posted by: kohsuke on August 21, 2006 at 09:44 AM
-
The concept of signed applications is basically faulty anyway. It would be better if the app asked for all the resources it needed access to. How much checking does VeriSign do that you are who you claim to be?
Posted by: tobega on August 22, 2006 at 03:39 AM
-
(1) Yes, the dialog is nonsense. 99.44% of end users cannot make an informed decision one way or another. Judging from some of the other comments in this thread, the rate for developers isn't too good either. (2) The comparison with Microsoft is nonsense. A Windows executable has no controlled security. Java does. Don't throw away this important advantage.
If you write a demo, go through the extra effort and make it run in the sandbox. The JNLP sandbox is pretty good--you can even print and save and load files, but the user is notified and can stop your app.
Posted by: cayhorstmann on August 22, 2006 at 07:30 AM
-
cayhorstmann, I'd like to better understand why comparing it with the way Internet Explorer displays the dialog is "nonsense." JavaWS displays this dialog when I try to run an unverifiable application that's asking for full system access.
So I thought the risk of running this application is about as bad as running an unverifiable ActiveX control. Assuming the reasoning so far is correct, then I think it certainly follows that there's no need for two dialogs to give different scare level. Hence, wouldn't it make sense to make two dialogs similar in tone?
Posted by: kohsuke on August 22, 2006 at 09:32 AM
-
What I find odd is that JNLP forbids you to deploy an unsigned app in non-sandbox mode. You have to sign it. But you can make up a signature. So a nonverified signed app is functionally equivalent to a completely unsigned app (unless you have encountered this signature before and just want to check that the publisher is the same as before). Why won't the JNLP client let you run an unsigned app out of the sandbox with an appropriate warning? Creating a bogus signature just complicates development (and makes everything slower, since signing is rather slow and verifying a signature is a bit slow).
Posted by: jglick on August 28, 2006 at 06:19 PM