
Still Using Applets? Sign Them, Or Else

Posted by cayhorstmann on January 16, 2014 at 10:10 AM PST

When Sun Microsystems introduced Java in 1995, applets were considered the killer feature for the business success of Java. Don’t believe it? Check out this article. Imagine a boring business program with buttons and text fields, the kind that in 1995 had a Visual Basic frontend that connected to the backend database. What a nightmare that was. Whenever the app changed, the clients had to be redeployed on thousands of machines. With Java, the equivalent program would be hosted on a server, the user would visit a web page, the applet would be downloaded, and it would then run securely in the sandbox.

Of course, for that to happen, the sandbox had to be really secure. And in 1995, it was. There was discomfort by academic researchers who felt that the security model was pretty complex. This is a typical paper from that era. But nobody paid much attention since exploits were rare and quickly patched.

Of course, applets never were as prominent as originally envisioned. There are many reasons: machinations by Microsoft, the ubiquity of Flash, the rise of JavaScript, and the increasing sophistication of hackers who did exploit the weaknesses that the academics had grumbled about 15 years earlier. But there are lots of applets out there. In my line of work, teaching computer science, I see them all the time. For example, Professor Amruth Kumar has a nice site with exercises for Computer Science 101 students.

In fact, yesterday I headed to that site, and was greeted with this scary message:

[Image: applet security error dialog]

So it has finally happened. I have a few blast-from-the-past applets on my home page, and the time has come to sign them. In case you are in the same boat, here is what you have to do.

  1. Get a certificate. A self-signed certificate won’t do. This is not so easy for an individual, and there is a fee that ranges from modest to astounding, depending on the provider. The least expensive route seems to be to use a Comodo reseller. I had good experience with K Software. Not only do they offer a decent discount, but they also yell at Comodo when they pigheadedly follow their outdated procedure and won’t authenticate you. In my case, I don’t have a land line (who does these days?), and my phone number isn’t in any online directory. This so baffled Comodo that they refused to issue the certificate, until the reseller intervened.
  2. Install the certificate into a JKS keystore. This is a somewhat byzantine process, and even more so on Linux.
  3. Put your classes in a JAR file. The old way of having the browser load the classes one at a time no longer works. And add a manifest to the JAR with the contents
    Manifest-Version: 1.0
    Permissions: sandbox
    Or, if your app actually requires all permissions, and you previously used a self-signed certificate, use Permissions: all-permissions instead. Save those lines in a text file (say manifest.txt); the m flag of the jar command takes that file as its first argument, so the command is something like
    jar cvfm MyApplet.jar manifest.txt mypackage/*.class
    In the applet tag of your HTML file, add an attribute archive="MyApplet.jar".
  4. Finally, sign your applet. You get a warning if you don’t timestamp it, so you should do that too. The -tsa option takes the URL of an RFC 3161 timestamp server as its argument; here is how to do that with the timestamp URL that Comodo provides.
    jarsigner -keystore path/to/keystore.jks -tsa <timestamp-URL> MyApplet.jar keyalias
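The four steps above, collected into one script as an added example (this is not code from the original post). It assumes the certificate was exported from the browser as cert.pfx, that the keystore is keystore.jks with key alias myalias, that the classes live under mypackage/, and that TSA_URL is replaced with the timestamp server URL your CA gives you; keytool and jarsigner prompt for the keystore passwords.

```shell
#!/bin/sh
# Added example, not from the original post: the signing procedure as one script.
# Assumed names (override via the environment): cert.pfx, keystore.jks, alias "myalias",
# MyApplet.jar, and TSA_URL, which is a placeholder for the RFC 3161 timestamp URL from your CA.
set -eu

PFX=${PFX:-cert.pfx}
KEYSTORE=${KEYSTORE:-keystore.jks}
ALIAS=${ALIAS:-myalias}
JAR=${JAR:-MyApplet.jar}
TSA_URL=${TSA_URL:-http://TSA_URL_FROM_YOUR_CA}   # placeholder: replace before use

# Step 2: move the exported PKCS#12 file into a JKS keystore (keytool prompts for both passwords).
import_pfx() {
  keytool -importkeystore -srckeystore "$PFX" -srcstoretype PKCS12 \
          -destkeystore "$KEYSTORE" -deststoretype JKS
}

# Step 3a: write the manifest. $1 = output path, $2 = "sandbox" or "all-permissions".
# Anything else is rejected so a typo cannot silently produce an unsigned-looking JAR.
write_manifest() {
  case "$2" in
    sandbox|all-permissions) ;;
    *) echo "write_manifest: permissions must be sandbox or all-permissions" >&2; return 1 ;;
  esac
  printf 'Manifest-Version: 1.0\nPermissions: %s\n' "$2" > "$1"
}

# Step 3b: package the classes with that manifest (the m flag takes the manifest file as its argument).
build_jar() {
  jar cvfm "$JAR" manifest.txt mypackage/*.class
}

# Step 4: sign with a trusted timestamp, then verify signature and chain before publishing.
sign_jar() {
  jarsigner -keystore "$KEYSTORE" -tsa "$TSA_URL" "$JAR" "$ALIAS"
  jarsigner -verify -verbose -certs "$JAR"
}

# Run the whole pipeline with:  sh sign-applet.sh run
if [ "${1:-}" = "run" ]; then
  import_pfx
  write_manifest manifest.txt sandbox
  build_jar
  sign_jar
fi
```

The final jarsigner -verify run is the check worth keeping: it is where a chain that was exported without its CA certificates shows up as a warning rather than as a surprise in the user's browser. Prefer Permissions: sandbox unless the applet genuinely needs to leave the sandbox; a JAR that asks for all-permissions is trusted with everything the user can do.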

So, I did all that and looked at my ancient applets with amazement. This traffic jam applet is as fascinating/depressing as ever. But the weather applet? Time has passed it by. Check out those pre-Swing list boxes!

[Image: Weather applet]

Then again, it is amazing that it is working at all. The Perl script from NOAA still produces a text report (now wrapped into some gratuitous HTML), and will hopefully continue to do so for all eternity, just like the transponder in 2001 that relayed the excavation of the lunar monolith, millions of years after it was put into place.

[Image: 2001 book cover]



It's now a year later, and I had to redo the process. This time, I ran into a nasty snag. I picked up the certificate with Firefox/Linux and exported it. But signing with the certificate did not work. jarsigner reported

Warning: The signer's certificate chain is not validated.

And the applet wouldn't load. The Java Plug-in said it was self-signed.

The reseller told me to import it into Internet Explorer and export it again. I was dubious, but it did work. Apparently, Firefox doesn't have the Comodo cert inside, but IE does, and then it adds it to your key.

If you run into such an issue, run

keytool -storetype pkcs12 -list -v -keystore yourcert.pfx

If the certificate chain has length 1 (as it did for me when exporting out of Firefox), then try the IE trick.
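The chain-length check described in the comment above, written out as an added example (not code from the post or its comments). It parses the "Certificate chain length:" line that keytool -list -v prints for a key entry and reports whether more than the leaf certificate is present; the two listings at the bottom are constructed samples with made-up names, used only to exercise the functions offline.

```shell
#!/bin/sh
# Added example, not from the original post: flag a key whose certificate chain
# contains only the leaf certificate (the export problem described above).
# Usage against a real file (assumed name):  sh check-chain.sh yourcert.pfx
set -eu

# Print the chain length keytool reports for the first key entry in the listing on stdin.
chain_length() {
  sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit status 0 if the chain carries the leaf plus at least one CA certificate, 1 otherwise.
chain_complete() {
  n=$(chain_length)
  [ -n "$n" ] && [ "$n" -ge 2 ]
}

# Constructed sample of a bad export: Firefox handed back the leaf certificate only.
BAD_LISTING='Alias name: myalias
Creation date: Jan 16, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Developer, O=Example Org, C=US
Issuer: CN=Example Code Signing CA, O=Example CA
'

# Constructed sample of a good export: leaf, intermediate and root are all present.
GOOD_LISTING='Alias name: myalias
Creation date: Jan 16, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Example Developer, O=Example Org, C=US
Issuer: CN=Example Code Signing CA, O=Example CA
'

if [ -n "${1:-}" ]; then
  if keytool -storetype pkcs12 -list -v -keystore "$1" | chain_complete; then
    echo "chain OK: more than the leaf certificate is present"
  else
    echo "chain has length 1: re-export with the intermediate and root certificates included"
  fi
fi
```

A length of 1 means jarsigner has nothing to validate the signer against, which is exactly the "certificate chain is not validated" warning and the plug-in's "self-signed" verdict; run the check before signing rather than after deploying.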


One feature of Amazon's EC2 Web Services is that you can download certificates in relation to your virtual server. Is it possible to use these certificates to sign Java applets with?

I have a fractal explorer applet at, and as of this latest Java update, my applets are not able to run without changing the security level slider in the Java Control Panel or adding my website to the exception list.

My website is basically built around this applet, and it is frustrating to think that I will have to buy a certificate just to keep my website "alive".


Unfortunately, you will have to get a certificate that is signed by one of the root certificates trusted by the Java runtime. You can find out which ones they are by running the Java Control Panel (jcontrol from the command line if you have the jre/bin directory on your PATH). Look at Security -> Manage certificates -> Secure Signer CA -> System.

Amazon is not listed there. Like I said, the least expensive route seems to be a Comodo reseller such as KSoftware or Tucows, which is close to $100 and a few fun hours of arguing with Comodo's outsourced staff on whether you are really yourself. If anyone has a cheaper/better way, I'd love to know.