If I create a signed Java applet, can I host it on any domain I want?

Or is the signed applet associated with and considered signed only when downloaded from a specific domain (i.e., the domain you used as part of your CA identity verification)?

My situation: I created an applet, which I offer for download as a tool, so that others can use it on their websites. People don't use the applet on my website, instead they download it as a zip and host it on their website. (Obviously, my app is aimed at developers and those otherwise HTML-savvy). Up to now the applet has been unsigned, however since Oracle has essentially killed unsigned applets with their last update, I am considering signing it. But I don't want to go through the trouble and expense of signing it only to find that the signing is only valid when the applet is used on my website and not others.

Edit for clarification: I am not intending to self-sign. I intend to use a CA.

asked Jan 22 '14 17:01 by martinez314


2 Answers

Yes. You may get a warning if it is self-signed, depending on your security level. No warning if it is signed by trusted authority.

answered Sep 19 '22 16:09 by crnlx


The answer is actually a qualified 'yes'.

"Missing Codebase manifest attribute for: xxx.jar" warns us that in recent security updates, a change was introduced to produce a warning if the Codebase attribute was missing from the manifest of the Jar.

JAR File Manifest Attributes for Security: Codebase Attribute goes into the details:

The Codebase attribute is used to restrict the code base of the JAR file to specific domains. Use this attribute to prevent someone from re-deploying your application on another website for malicious purposes.

Note: If the Codebase attribute does not specify a secure server, such as HTTPS, some risk exists that your code could be repurposed in Man-in-the-Middle (MITM) attack schemes.

Set this attribute to either the domain name or IP address where the JAR file for the application is located. A port number can also be included. For multiple locations, separate the values with a space. An asterisk (*) can be used as a wildcard only at the beginning of the domain name. The following table shows sample values and what they match.

From that I am guessing you could add the Codebase attribute to suppress the warning for your clients, but only if they deploy the applet at a specific location on their site.

I am unsure if it is possible for the client to simply 'hot-link' to the applet at your site. Given the fact that I am not a security expert, I almost expect there is some arcane way for that to be abused.


Given the recent tightening of security, it would not surprise me if Oracle decided to specify an HTTPS server before an app. will launch without lowering the security of the plug-in to dangerous levels, and that only extensions (not the main app./applet) can be used across sites.

answered Sep 22 '22 16:09 by Andrew Thompson
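To make the Codebase discussion in the answer above concrete, here is an added example (not code from the thread or from Oracle) that builds the manifest lines an applet author would ship and checks a deployment URL against the Codebase rules the quoted documentation states: domain name or IP address, optional port, several values separated by spaces, and `*` permitted only at the beginning of the domain name. Everything beyond those stated rules is an assumption of this script and is marked as such in the comments: that `*.example.com` covers subdomains but not `example.com` itself, that an entry without a scheme accepts both http and https, that an entry without a port accepts any port, and that values are ASCII. The hostnames, IP address and JAR names are made up for the example.

```python
"""Build and check a JAR manifest Codebase attribute (added example, not the
thread's own code). Matching rules that the quoted Oracle text does not spell
out are assumptions, marked below; verify them against the plug-in you target.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_codebase(value):
    """Split a Codebase value into (scheme, host, port) entries.

    Raises ValueError if '*' appears anywhere but at the start of the domain
    name, the only place the documentation allows it.
    """
    entries = []
    for token in value.split():
        scheme, rest = None, token
        if "://" in rest:
            scheme, rest = rest.split("://", 1)
            scheme = scheme.lower()
        rest = rest.rstrip("/")
        host, _, port = rest.partition(":")  # assumption: no IPv6 literals
        host = host.lower()
        if not host:
            raise ValueError("empty host in Codebase entry %r" % token)
        if "*" in host[1:] or (host.startswith("*") and host != "*"
                               and not host.startswith("*.")):
            raise ValueError("wildcard allowed only at the start: %r" % token)
        entries.append((scheme, host, int(port) if port else None))
    return entries


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # Assumption: '*.example.com' matches subdomains only, not example.com.
        return host.endswith(pattern[1:])
    return host == pattern


def codebase_allows(value, url):
    """True if the JAR's URL is covered by at least one Codebase entry."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    for e_scheme, e_host, e_port in parse_codebase(value):
        if e_scheme is not None and e_scheme != scheme:
            continue  # 'https://x' must not be satisfied by http://x
        if not _host_matches(e_host, host):
            continue
        if e_port is not None and e_port != port:
            continue  # assumption: an entry without a port accepts any port
        return True
    return False


def uses_only_https(value):
    """The MITM caveat from the docs: every entry should name an https host."""
    return all(scheme == "https" for scheme, _, _ in parse_codebase(value))


def _wrap72(line):
    """JAR spec: no manifest line may exceed 72 bytes; continuation lines
    start with a single space. Assumption: the value is ASCII, so bytes == chars."""
    out, first = [], True
    while line:
        width = 72 if first else 71
        out.append(("" if first else " ") + line[:width])
        line, first = line[width:], False
    return out


def manifest_text(codebase, app_name, permissions="sandbox"):
    """Manifest lines covering the Codebase attribute; signing comes afterwards,
    so changing Codebase later invalidates the signature."""
    attrs = [("Manifest-Version", "1.0"), ("Application-Name", app_name),
             ("Permissions", permissions), ("Codebase", codebase)]
    lines = []
    for key, val in attrs:
        lines.extend(_wrap72("%s: %s" % (key, val)))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    cb = "https://tools.example.com *.customer.example"  # constructed values
    print(manifest_text(cb, "MyApplet"))
    for u in ("https://tools.example.com/applet.jar",
              "http://tools.example.com/applet.jar",
              "https://www.customer.example/lib/applet.jar",
              "https://customer.example/applet.jar"):
        print(u, "->", codebase_allows(cb, u))
```

Write the returned text to a file and pass it to `jar cfm applet.jar MANIFEST.MF ...` before running `jarsigner`; the manifest is part of what the signature covers, so each client site that hosts its own copy either has to be listed in your Codebase value or has to re-sign the JAR with its own certificate.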