
Isn't JavaSE 6 Java Web Start security dialog dangerous?

Posted by kohsuke on August 20, 2006 at 3:27 PM PDT

I'm not a security expert or anything, but I thought I knew enough about this stuff to get by. But when I looked at the new Java Web Start security dialogs in SE 6, I got nervous — AFAICT, this dialog is a bit dangerous. But if the security experts of Java SE think these are fine, then I must be missing something. So what am I missing?

The screen in question is below:

When I create my own certificate not signed by any CA, and use that to sign an application, this is the dialog you'll see when you try to run it.

The problem, as I see it, is that since I can choose to use any name when I create my certificate, the publisher you are seeing on this dialog is not trustworthy information. That is, you have no way of knowing that this application is really published by the JDIC project as the dialog states, because I can just as easily create a certificate using "jdic" as the name. And also, technically, since this application is not sent via HTTPS, there's really no guarantee of where the application came from either. The bytes can be altered, DNS can be spoofed, proxies could be hacked. Finally, the name of the application could obviously be anything.

So what it boils down to is that, when you are presented with this dialog, you really shouldn't be trusting any of the information that's displayed here. In particular, you shouldn't reason like "ah, I trust the JDIC guys, so I'm fine with running this application with full access to the system", because you have no way of knowing that the application indeed came from JDIC.

But this dialog says "Only run if you trust the origin of the application", and I think normal users would then proceed to do just what I'm afraid of, despite the fact that there's no way to know the origin of the application. After all, that's really the core function of CAs, which is to make sure that a certificate that says "company X" is only made available to company X, not someone else. It's all about letting you know the origin of the application.

So, that's the point I'd like to make here. Putting up a dialog that says "Only run if you trust the origin of the application" when there's no way to know the origin of the application is stupid. When the same dialog also displays something that looks like the origin of the application, that is even more dangerous, because it makes people think that it is the origin of the application.
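One way to make the distinction the dialog blurs explicit, as an added example rather than anything from the post or from Java Web Start itself: this small Java program (names are mine; it assumes the JAR path as its only argument and the JRE's standard cacerts location) lists each signer of a JAR and reports whether the signer's chain actually validates to a trust anchor. A self-signed certificate with "jdic" as its subject lands in the second branch, so the name is printed as a claim, not as a verified publisher.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        PKIXParameters params = trustAnchorsFromCacerts();
        try (JarFile jar = new JarFile(args[0], true)) {          // true: verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                drain(jar.getInputStream(e));                      // signers are known only after a full read
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { System.out.println(e.getName() + ": UNSIGNED"); continue; }
                for (CodeSigner s : signers) report(e.getName(), s.getSignerCertPath(), params);
            }
        }
    }

    // Trust anchors from the JRE's own cacerts (standard location); a null password reads certs only.
    static PKIXParameters trustAnchorsFromCacerts() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            ks.load(in, null);
        }
        PKIXParameters params = new PKIXParameters(ks);
        params.setRevocationEnabled(false);                        // offline example; enable for real use
        return params;
    }

    static void report(String entry, CertPath path, PKIXParameters params) throws Exception {
        X509Certificate leaf = (X509Certificate) path.getCertificates().get(0);   // signer is first
        String subject = leaf.getSubjectX500Principal().getName();
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println(entry + ": signed by " + subject + " (chain validates to a trusted CA)");
        } catch (CertPathValidatorException ex) {
            // This subject is what the dialog shows as "Publisher"; with no validated chain it is only
            // a string the signer typed into keytool, so report it as unverified rather than as origin.
            System.out.println(entry + ": publisher claims '" + subject + "' but the chain does NOT validate ("
                + ex.getMessage() + "); the name is unverified");
        }
    }

    static void drain(InputStream in) throws java.io.IOException {
        try (InputStream s = in) { byte[] buf = new byte[8192]; while (s.read(buf) != -1) { } }
    }
}
```

Run as `java JarSignerCheck app.jar`; the same program prints "signed by ... validates" for a JAR signed with a CA-issued certificate and the "unverified" line for one signed with a self-made certificate, whatever name that certificate carries.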

Therein lies my confusion. These dialogs must have gone through some serious scrutiny. So if it is indeed dangerous, then it must have been spotted. Thus it follows that some of my above reasoning is wrong. This is where I need your help!
