Still Using Applets? Sign Them, Or Else
When Sun Microsystems introduced Java in 1995, applets were considered the killer feature for the business success of Java. Don’t believe it? Check out this article. Imagine a boring business program with buttons and text fields, the kind that in 1995 had a Visual Basic frontend that connected to the backend database. What a nightmare that was. Whenever the app changed, the clients had to be redeployed on thousands of machines. With Java, the equivalent program would be hosted on a server, the user would visit a web page, the applet would be downloaded, and it would then run securely in the sandbox.
Of course, for that to happen, the sandbox had to be really secure. And in 1995, it was. Academic researchers were uneasy, feeling that the security model was pretty complex. This is a typical paper from that era. But nobody paid much attention since exploits were rare and quickly patched.
In fact, yesterday I headed to that site, and was greeted with this scary message:
So it has finally happened. I have a few blast-from-the-past applets on my home page, and the time has come to sign them. In case you are in the same boat, here is what you have to do.
- Get a certificate. A self-signed certificate won’t do. This is not so easy for an individual, and there is a fee that ranges from modest to astounding, depending on the provider. The least expensive route seems to be to use a Comodo reseller. I had good experience with K Software. Not only do they offer a decent discount, but they also yell at Comodo when they pigheadedly follow their outdated procedure and won’t authenticate you. In my case, I don’t have a land line (who does these days?), and my phone number isn’t in any online directory. This so baffled Comodo that they refused to issue the certificate, until the reseller intervened.
- Install the certificate into a JKS keystore. This is a somewhat byzantine process, and even more so on Linux.
- Put your classes in a JAR file. The old way of having the browser load the classes one at a time no longer works. And add a manifest to the JAR with the contents
Or, if your app actually requires all permissions, and you previously used a self-signed certificate, use Permissions: all-permissions instead. The jar command is something like
jar cvfm MyApplet.jar manifest.mf mypackage/*.class
- In the applet tag of your HTML file, add an attribute
- Finally, sign your applet. You get a warning if you don’t timestamp it, so you should do that too. Here is how to do that with Comodo.
jarsigner -keystore path/to/keystore.jks -tsa http://timestamp.comodoca.com/rfc3161 MyApplet.jar keyalias
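A pre-deployment check for the steps above, as an added example that is not from the original post: it opens the JAR with Python's zipfile module, confirms the manifest's main section carries a Permissions attribute, and confirms the signature files that jarsigner writes are present. The sandbox value and the sample JAR contents are assumptions not shown on the page; the check covers presence only, so cryptographic verification is still a job for jarsigner -verify.

```python
import io
import re
import zipfile

SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)             # signed digests
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)  # signature + certs

def main_attributes(manifest_text):
    """Main-section attributes of a JAR manifest (ends at first blank line).
    A line starting with one space continues the previous value (72-byte limit)."""
    attrs, last = {}, None
    for line in manifest_text.replace("\r\n", "\n").split("\n"):
        if not line:
            break
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ": " in line:
            name, value = line.split(": ", 1)
            last = name.lower()  # attribute names are case-insensitive
            attrs[last] = value
    return attrs

def check_applet_jar(jar_bytes):
    """Return a list of problems; an empty list means none were found."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    problems = []
    perms = main_attributes(manifest).get("permissions")
    if perms is None:
        problems.append("manifest has no Permissions attribute")
    elif perms.strip() not in ("sandbox", "all-permissions"):
        problems.append("unexpected Permissions value: " + perms)
    if not any(SIG_FILE.match(n) for n in names):
        problems.append("no META-INF/*.SF signature file")
    if not any(SIG_BLOCK.match(n) for n in names):
        problems.append("no META-INF/*.RSA, .DSA or .EC signature block")
    return problems

def sample_jar(manifest, extra=()):
    """Constructed in-memory JAR for the demo: a manifest plus empty entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name in extra:
            jar.writestr(name, b"")
    return buf.getvalue()

if __name__ == "__main__":
    unsigned = sample_jar("Manifest-Version: 1.0\r\n\r\n", ["mypackage/A.class"])
    print(check_applet_jar(unsigned))  # three problems reported
```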
So, I did all that and looked at my ancient applets with amazement. This traffic jam applet is as fascinating/depressing as ever. But the weather applet? Time has passed it by. Check out those pre-Swing list boxes!
Then again, it is amazing that it is working at all. The Perl script from NOAA still produces a text report (now wrapped into some gratuitous HTML), and will hopefully continue to do so for all eternity, just like the transponder in 2001 that relayed the excavation of the lunar monolith, millions of years after it was put into place.