If I create a signed Java applet, can I host it on any domain I want?
Or is the signed applet associated with and considered signed only when downloaded from a specific domain (i.e., the domain you used as part of your CA identity verification)?

My situation: I created an applet, which I offer for download as a tool, so that others can use it on their websites. People don't use the applet on my website, instead they download it as a zip and host it on their website. (Obviously, my app is aimed at developers and those otherwise HTML-savvy). Up to now the applet has been unsigned, however since Oracle has essentially killed unsigned applets with their last update, I am considering signing it. But I don't want to go through the trouble and expense of signing it only to find that the signing is only valid when the applet is used on my website and not others.

Edit for clarification: I am not intending to self-sign. I intend to use a CA.

Outthink answered 22/1, 2014 at 17:17 Comment(0)

Yes. You may get a warning if it is self-signed, depending on your security level. No warning if it is signed by a trusted authority.

Malchy answered 22/1, 2014 at 17:21 Comment(4)
The second sentence is incorrect. At default security levels in recent JREs, self-signed apps. are entirely blocked. – Anchor
@AndrewThompson Thanks, clarified that point. +1. Edit: Added link to security levels. – Malchy
Great link! I had not seen that flow-chart before. With that, I can happily +1 the answer. :) – Anchor
I also had problems using a self-signed cert when clients upgraded to Java 7 update 51 or above. Applets with a self-signed cert are blocked. But you can add your URL to the exception list in the Java console and get the applet running again. – Evolutionist

The answer is actually a qualified 'yes'.

Missing Codebase manifest attribute for:xxx.jar warns us that in recent security updates, a change was introduced to produce a warning if the Codebase attribute was missing from the manifest of the Jar.

JAR File Manifest Attributes for Security: Codebase Attribute goes into the details:

The Codebase attribute is used to restrict the code base of the JAR file to specific domains. Use this attribute to prevent someone from re-deploying your application on another website for malicious purposes.

Note: If the Codebase attribute does not specify a secure server, such as HTTPS, some risk exists that your code could be repurposed in Man-in-the-Middle (MITM) attack schemes.

Set this attribute to either the domain name or IP address where the JAR file for the application is located. A port number can also be included. For multiple locations, separate the values with a space. An asterisk (*) can be used as a wildcard only at the beginning of the domain name. The following table shows sample values and what they match.

From that I am guessing you could add the Codebase attribute to suppress the warning for your clients, but only if they deploy the applet at a specific location on their site.

I am unsure if it is possible for the client to simply 'hot-link' to the applet at your site. Given the fact that I am not a security expert, I almost expect there is some arcane way for that to be abused.

Given the recent tightening of security, it would not surprise me if Oracle decided to specify an HTTPS server before an app. will launch without lowering the security of the plug-in to dangerous levels, and that only extensions (not the main app./applet) can be used across sites.

Anchor answered 22/1, 2014 at 19:48 Comment(0)
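An added example (not code from the question, the answers, or Oracle's plug-in) that implements the Codebase matching rules as the quoted Oracle text states them: space-separated entries, each a domain or IP with an optional scheme prefix and optional port, and a `*` wildcard permitted only at the beginning of the host. Assumptions are marked in the code: a leading wildcard is treated as a plain suffix match, and IPv6 literals are not handled.

```python
from urllib.parse import urlsplit


def parse_codebase(attr):
    """Split a Codebase manifest value into (scheme, host_pattern, port) tuples.

    Entries are space-separated; each is a domain or IP, optionally prefixed
    with a scheme (https://) and suffixed with :port. A '*' wildcard is only
    allowed at the very start of the host, as the quoted Oracle text states."""
    entries = []
    for token in attr.split():
        scheme, rest = None, token
        if "://" in token:
            scheme, rest = token.split("://", 1)
            scheme = scheme.lower()
        host, _, port = rest.partition(":")   # assumption: no IPv6 literals
        if host.count("*") > 1 or ("*" in host and not host.startswith("*")):
            raise ValueError("wildcard allowed only at the beginning: " + token)
        entries.append((scheme, host.lower(), int(port) if port else None))
    return entries


def host_matches(pattern, host):
    # Assumption: a leading '*' matches any host ending with the remainder,
    # so '*.example.com' covers 'cdn.example.com' but not 'example.com'.
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return pattern == host


def codebase_allows(attr, jar_url):
    """True if the JAR's download URL satisfies at least one Codebase entry."""
    url = urlsplit(jar_url)
    host = (url.hostname or "").lower()
    for scheme, pattern, port in parse_codebase(attr):
        if scheme and scheme != url.scheme.lower():
            continue                      # entry pinned a scheme; URL differs
        if not host_matches(pattern, host):
            continue
        if port is not None and port != url.port:
            continue                      # entry pinned a port; URL differs
        return True
    return False


def insecure_entries(attr):
    """Entries that do not pin https://, the MITM exposure the quoted note warns of."""
    return [t for t in attr.split() if not t.lower().startswith("https://")]


if __name__ == "__main__":
    cb = "https://www.example.com *.example.com"      # constructed sample value
    print(codebase_allows(cb, "https://cdn.example.com/tool.jar"))   # True
    print(codebase_allows(cb, "https://evil.example/tool.jar"))      # False
    print(insecure_entries(cb))                                      # ['*.example.com']
```

For the situation in the question, each client would need its own Codebase entry (or its own signed build) for the warning to be suppressed at their deployment location.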
