After the latest Java update (7u11), whenever my applet is loaded on a page in Firefox, you must allow the application to run with a big security warning, when in fact the applet has no access to personal information of any kind.

In IE, it still spams this warning once, but when you click "always allow", it doesn't do it anymore. In Firefox, even if you click "always allow", every time you leave and come back it will prompt again. I'm worried about scaring potential users away.

The applet creates a network connection to a daemon hosted on the same server/IP as the webserver (port 4444 for now). Before, this would not constitute a security violation, but now it does and must be approved.

The applet sends constantly changing information (prices, time, etc.) to the client, and the data must maintain a live connection with the server to be presented correctly. The client sends a limited amount of data (basically, a self-designed protocol for determining what information you want to view). The applet does not access personal files or other information on the system. This applet only accesses its own resources (things included in the .jar file) and no files on the user's hard drive.

On another note, after updating Java, when visiting my page with the applet, an error "you must install java" was displayed. You select download and install, and it says Java is already installed, do you want to reinstall? If you say no, the error is still displayed. If you say reinstall, the applet now loads, but with all the security stuff.

I know there has to be a work-around for this. Yahoo games and Pogo games use the Java environment with some client-server traffic, yet they do not show a bunch of security warnings. The only difference is that my applet is using JavaFX, where Yahoo and Pogo use Swing or AWT.

  • Please [take a screenshot](http://meta.stackexchange.com/questions/99734/how-do-i-create-a-screenshot-to-illustrate-a-post) of the security warning you receive and add it to the question. – jewelsea Jan 28 '13 at 05:25
  • Can you confirm it is the warnings as seen in?.. 1) [Disabled Java warning appearance & affect on Java Web Start apps](http://stackoverflow.com/q/14487698/418556) 2) [Appearance of Java Security dialog](http://stackoverflow.com/q/12986333/418556). -- the description you give, sounds like a combination of both! – Andrew Thompson Jan 28 '13 at 06:24

1 Answer

Starting with Java 7u11, the default security level for Java applets was changed from Medium to High. This may cause the new security warnings which you are seeing when your application is run against Java 7u11. From the Java 7u11 release notes:

Synopsis: Default Security Level Setting Changed to High

The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed, applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation.

IMO, this amounts to an admission by Oracle that the attack surface for Java is too large for them to adequately prevent drive-by download attacks, such as where a user just goes to a web page which runs Java and the web page exploits an unpatched vulnerability in Java to compromise the user's system. So, Oracle's response is to up the security level for Java applications in browsers so that they can never be run without the user first agreeing to proceed with execution. Many would say that this is a good thing for the internet in general, though it's undesirable if you were previously relying on an unsigned, non-malicious application being delivered to a user without a security warning popup.

With a Yahoo or Pogo game, presumably the game has been signed, in which case a warning message will be shown the first time a game from the publisher is run, but the user may elect to always trust the publisher, in which case the user will subsequently never be shown a warning when the user accesses an applet from the same publisher. You could do the same for your application if you wished.
You could also request the user to lower their security preferences from the default (e.g. from High to Medium), then, when your unsigned application is run, there will be no warning message - but that is inadvisable as Oracle changed the default security preferences from Medium to High for a good reason.
There should be no difference in the behaviour of warnings for JavaFX versus Swing or AWT applets - if there is one, that would be a critical bug to be reported to Oracle.
Independent of the Java security settings, individual browser vendors may choose to block Java or a Java version and display a warning to the user. Some images of what these block messages look like in various browsers are in Disabled Java warning appearance & affect on Java Web Start apps (the post name mentions Web Start apps, but the warning images in the post are relevant to applets - whether those applets are Swing or JavaFX based).
Here is a sample of the warning message which Java will generate for an unsigned application. The warning message was generated on Mac OS X 10.8 by clicking on the "Verify Java" button at Oracle's java.com site when running Java 7u11.

[image: Java security warning dialog for an unsigned application]
