[icedtea-web] Idea - do not start ITW applets automatically

helpcrypto helpcrypto helpcrypto at gmail.com
Fri Nov 16 00:30:28 PST 2012


Sorry if I am not explaining myself properly; this is not my mother language ;)

On Thu, Nov 15, 2012 at 9:30 PM, Adam Domurad <adomurad at redhat.com> wrote:
> So in lieu of requests such as [1] and the potential for unsigned code
> escaping the sandbox (eg, the recent 0day) it could be worth looking into a
> feature that has applets not start automatically, but rather require a user
> confirmation (click?) to begin. Additionally a more strict setting could not
> allow This could be controlled via itweb-settings/environment and
> distributions might want it as the default.

I think we should go back to the basics:
 - Applets are Java applications intended to run on the web.
 - Due to privilege needs, only signed applets are able to do some
risky actions (e.g. read the hard drive)

If unsigned applets were safe for users, they wouldn't need any warning
(signed ones should), but history teaches us this is false.

So, any Java applet execution could require an additional "security
control" before running, whether signed or unsigned.
Again, IMHO, the real problem is that users are not "skilled enough",
and usually click without worrying, which makes the measure useless
and makes the user tend to ignore more warnings. (e.g. remember the
annoying Vista User UAC?)

> There should be some way to opt-in normal execution of signed applets based
> on certificate. When an applet's certificates are all opted in, it will
> start automatically. (Note that we do not need to handle mixed signed +
> unsigned code specially, it already requires a confirmation.) Unsigned
> applets, if we choose to allow them being opted in, can be opted in on a
> full domain name basis.

I think "trust for domain" is a good alternative, as it will only
appear "once" in the event the user allows it the first time.
What about subdomains?

Another thought: although my applet can import certs into the cacerts
keystore (hence marking itself as trustworthy), IMHO it shouldn't be
possible to add a domain as "trusted-to-run-applets" from an applet.

> The main motivation I have for proposing this feature is that many applet
> users only use a handful of applets, and having other applets automatically
> start is mostly an unnecessary attack surface. I have seen "Disable java in
> browser, and turn it on for any applets you need to use only" given as
> advice following the 0day, and this would be a superior option.

Again, enabling per-domain applet execution seems to be a good approach to me.

My two cents.
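
The start decision discussed in this thread (per-certificate opt-in for signed applets, per-host opt-in for unsigned ones, confirmation for mixed code), as an added example that is not part of the original message and not IcedTea-Web code. All class, method and field names are hypothetical, the sample fingerprints and hosts are constructed, and the `includeSubdomains` switch is an assumption, since the thread leaves the subdomain question open.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration; all names here are hypothetical, not IcedTea-Web code.
public class AppletStartPolicy {
    enum Decision { AUTO_START, ASK_USER }

    // Copied into immutable sets: nothing reachable from applet code can add entries.
    private final Set<String> trustedCertFingerprints; // opted-in signer certificates
    private final Set<String> trustedHosts;            // opted-in hosts for unsigned applets
    private final boolean includeSubdomains;           // assumption: left open in the thread

    AppletStartPolicy(Set<String> certs, Set<String> hosts, boolean includeSubdomains) {
        this.trustedCertFingerprints = Set.copyOf(certs);
        this.trustedHosts = Set.copyOf(hosts);
        this.includeSubdomains = includeSubdomains;
    }

    Decision decide(String host, List<String> signerFingerprints, boolean hasUnsignedCode) {
        boolean signed = !signerFingerprints.isEmpty();
        if (signed && hasUnsignedCode) return Decision.ASK_USER; // mixed code always confirms
        if (signed) {
            // Every signer must be opted in; one unknown certificate falls back to asking.
            return trustedCertFingerprints.containsAll(signerFingerprints)
                    ? Decision.AUTO_START : Decision.ASK_USER;
        }
        return hostTrusted(host) ? Decision.AUTO_START : Decision.ASK_USER;
    }

    private boolean hostTrusted(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        if (h.endsWith(".")) h = h.substring(0, h.length() - 1); // drop trailing root dot
        for (String t : trustedHosts) {
            if (h.equals(t)) return true;
            // Match on a label boundary so "evilexample.org" never matches "example.org".
            if (includeSubdomains && h.endsWith("." + t)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: two opted-in certificates, one opted-in host.
        AppletStartPolicy p = new AppletStartPolicy(Set.of("fp-A", "fp-B"), Set.of("example.org"), false);
        System.out.println(p.decide("example.org", List.of(), true));       // unsigned, opted-in host
        System.out.println(p.decide("apps.example.org", List.of(), true));  // unsigned, subdomain
        System.out.println(p.decide("evilexample.org", List.of(), true));   // unsigned, lookalike host
        System.out.println(p.decide("other.test", List.of("fp-A", "fp-X"), false)); // one unknown signer
    }
}
```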
