This discussion is archived
40 Replies. Latest reply: Feb 14, 2013 12:16 PM by 801338
  • 30. Re: can java app programmer make secure app?
    EJP Guru
    So in other words your recommendation isn't based on the limited information that had been provided by the OP, which is exactly what I said.

    This is all 100% off-topic.
  • 31. Re: can java app programmer make secure app?
    jschellSomeoneStoleMyAlias Expert
    RichF wrote:
    The [url http://r0k.us/graphics/SIHwheel.html]Interactive Color Wheel is a program; I do not think of it as an applet or plugin.
    So why don't you make it into a program?

    Users download it, then install it, then run it on their computer.

    No more applet. No more security warnings.
  • 32. Re: can java app programmer make secure app?
    801338 Newbie
    abillconsl wrote:
    ...
    Is there a way to get good credibility into search engines that will fend off people's fears about making that extra click to get the Applet going? I imagine there must be, but never having had to do such a thing I'm certainly not the one to provide the answer/s to my own question. Does certifying the Applet help if he loads via JNLP?
    Thanks for the reply. Before you posted, I had already done the footwork to achieve this: [url http://r0k.us/rock/junk/SIHgoogleWithFace.png]Google search result with my face. The first time I saw it in effect was just a few minutes ago, and it was time to respond. :)

    Whether or not it will help my credibility or not, I do not know. But something is better than nothing!

    I don't know how much JNLP certification would be; for an applet it would have been thousands of dollars, which is out of the question for a site that has no ads or means to fund itself.
    jschell wrote:
    RichF wrote:
    The [url http://r0k.us/graphics/SIHwheel.html]Interactive Color Wheel is a program; I do not think of it as an applet or plugin.
    So why don't you make it into a program?
    Users download it, then install it, then run it on their computer.
    No more applet. No more security warnings.
    Thank you also, jschell. I guess I could offer that as an option. But for the teachers who use it as part of their curriculum (either directly or as a resource), I doubt they'd want to require their students to install a program.

    -- Rich
  • 33. Re: can java app programmer make secure app?
    EJP Guru
    What JNLP certification? All you need to do is sign the applet, which needs a code-signing certificate, which costs a hundred bucks or two, not 'thousands'. Then adjust your HTML to use JNLP, write a JNLP file, and you're done.
  • 34. Re: can java app programmer make secure app?
    801338 Newbie
    EJP wrote:
    What JNLP certification? All you need to do is sign the applet, which needs a code-signing certificate, which costs a hundred bucks or two, not 'thousands'. Then adjust your HTML to use JNLP, write a JNLP file, and you're done.
    I do not know. I was replying to what abillconsl said.

    As far as cost goes, maybe I remember wrong. It's been 2 years since I last checked around, and I do remember over $1,000.

    Currently:

    * $549 / 2 years: http://www.thawte.com/code-signing/index.html
    * $873 / 2 years: http://www.symantec.com/popup.jsp?popupid=csc_java_buy&footer=0

    Maybe there are cheaper places, and ones that offer permanent signatures. Currently neither of the two I know of makes sense for a non-commercial site.

    As far as running the applet as a program, I simply added a link to the .jar file (bottom of [url http://r0k.us/graphics/SIHwheel.html#OS]Open Sources section). In Windows 7 that's all it takes. I don't know about other OSes, though. Is such a link considered bad practice, or unworkable for Mac and Linux users?

    Edited by: RichF on Feb 2, 2013 1:32 PM -- corrected typo
  • 35. Re: can java app programmer make secure app?
    EJP Guru
    Those prices are top dollar, you can do much better than that. We got ours from godaddy for around what I said above.

    I would have a good look at JNLP in your copious free time. It does a lot for you.
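    As an added example for the procedure EJP outlines in replies 33 and 35 (sign the jar, write a JNLP file, point the applet tag at it), this POSIX shell script is not code from the thread or from the Interactive Color Wheel site; the jar name, main class, keystore, alias, codebase and applet name are placeholders. The `<all-permissions/>` element is what lifts the sandbox (including the clipboard restriction) once the user accepts the signed publisher, so it is the line to think hardest about.

    ```shell
    #!/bin/sh
    # Added example, not the forum poster's or the project's own code.
    # Writes the JNLP descriptor and the applet tag for a signed applet, then
    # signs and verifies the jar with the JDK's jarsigner. Every file name,
    # class name, alias and URL below is a hypothetical placeholder.

    # make_jnlp JAR MAIN_CLASS WIDTH HEIGHT CODEBASE  -> prints the JNLP file
    make_jnlp() {
      jar=$1; main=$2; w=$3; h=$4; codebase=$5
      cat <<EOF
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+" codebase="$codebase" href="applet.jnlp">
      <information>
        <title>Interactive Color Wheel</title>
        <vendor>Example vendor (placeholder)</vendor>
      </information>
      <!-- all-permissions lifts the sandbox entirely (clipboard, files, network)
           once the user accepts the signer. Drop this element if the applet only
           needs what the sandbox already allows; a signed sandboxed applet still
           shows the publisher name in the plugin prompt. -->
      <security>
        <all-permissions/>
      </security>
      <resources>
        <j2se version="1.7+"/>
        <jar href="$jar" main="true"/>
      </resources>
      <applet-desc name="ColorWheel" main-class="$main" width="$w" height="$h"/>
    </jnlp>
    EOF
    }

    # make_html MAIN_CLASS WIDTH HEIGHT -> applet tag that hands off to the JNLP file
    make_html() {
      main=$1; w=$2; h=$3
      cat <<EOF
    <applet code="$main" width="$w" height="$h">
      <param name="jnlp_href" value="applet.jnlp"/>
    </applet>
    EOF
    }

    # sign_jar JAR ALIAS KEYSTORE -> signs in place, then prints the certificate
    # chain so you can confirm the jar carries the expected signer before publishing
    sign_jar() {
      jarsigner -keystore "$3" "$1" "$2" || return 1
      jarsigner -verify -verbose -certs "$1"
    }

    if [ "${1:-}" = "--run" ]; then
      make_jnlp ColorWheel.jar com.example.ColorWheel 800 600 https://example.invalid/ > applet.jnlp
      make_html com.example.ColorWheel 800 600 > applet.html
      sign_jar ColorWheel.jar mykey keystore.jks
    fi
    ```

    Run it with `--run` in the directory holding the jar and keystore; the generator functions can be called on their own to inspect the output first.
    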
  • 36. Re: can java app programmer make secure app?
    801338 Newbie
    Yesterday I was notified of a new version of the JRE (1.7.0_13-b20) and allowed it to install. The browsers no longer throw up a security block! :) However, the Java PlugIn itself now throws up a "do you want to run this thing" notice, and the applet won't actually run until the user approves. Fortunately, he can approve permanently for the applet in question, and no more notices for it. Here is what it looks like:

    * http://r0k.us/rock/junk/JavaWarning_1.7.0_13-b20.png

    I hope the folks at CERN and the US Department of Homeland Security quickly withdraw their advice to disable Java. Even if they do so, the press is unlikely to give anywhere near as much coverage that Java is safe as it did to how "dangerous" it was.

    - - - - - - - - - -
    Those prices are top dollar, you can do much better than that. We got ours from godaddy for around what I said above.

    I would have a good look at JNLP in your copious free time. It does a lot for you.
    GoDaddy is $200/year, $360 if you pay for two years at once. What my app would gain is that visitors could use copy & paste. Of course they can do that for free if they click my link to the .jar file.

    I did spend some of my "copious free time" looking at JNLP and I do not really see how it would help this particular applet. If my applet used a file requester (it does not), that would become available. It doesn't say anything about copy&paste, so that still might require $180/year for the signature. Even at that "bargain price", it is still out of line for a non-commercial product, considering what the user gains.

    - - - - - - - - - -
    BTW, why is copy&paste blocked by the sandbox, anyway? It is hard to imagine how it could be misused by a devious programmer. If sending a huge 1 gbyte string is a problem, the sandbox could block anything greater than 32k (or some such number). Is copying or pasting a 7-character hex color string going to make any computer unsafe??

    -- Rich
  • 37. Re: can java app programmer make secure app?
    abillconsl Explorer
    To my way of thinking, the bottom line is how much does this bother you?

    On the one hand, it's free, and you're not making any money on it, so why would you pay to make it more attractive to users? If it were me under these circumstances I do believe this would be the end of it.

    However, on the other hand, you're spending what sounds like quite a bit of time searching for the best fix, and it is bothering you as well. Isn't your time and anxiety worth something? If so, perhaps a certification is worth it?

    Have you thought about asking for nominal contributions via PayPal? Would it pay to do more investigation into how to get more attention (positive that is) from search engines? ... because this might be the thing that will get the end user over the hump of wondering if your app is safe or not. How about a hit count on the page? (sorry, I did not look at your page so I don't know if you have one - did you mention that?) How about taking in some adverts?

    Bottom line is ... how much do you care? And then, is it really worth caring about that much? (I mean no negative reflection on your work, but could you adjust your priorities?) If you feel it's worth it, then thinking of creative ways to address this problem might help.
  • 38. Re: can java app programmer make secure app?
    baftos Expert
    RichF wrote:
    BTW, why is copy&paste blocked by the sandbox, anyway?
    Maybe this is the reason: http://www.techopedia.com/definition/26419/clipboard-hijacking-attack. It does not mention Java, but it shows that messing with the clipboard may be a threat.
  • 39. Re: can java app programmer make secure app?
    801338 Newbie
    abillconsl wrote:
    To my way of thinking, the bottom line is how much does this bother you?

    On the one hand, it's free, and you're not making any money on it, so why would you pay to make it more attractive to users? If it were me under these circumstances I do believe this would be the end of it.
    My concern level is greatly reduced since the 7-13 patch. It turns out Oracle actually accelerated the security release; it had been scheduled for 19 February. And the matter is getting press attention:

    * [url https://blogs.oracle.com/security/entry/february_2013_critical_patch_update]Oracle Security Blog Post, 2013-02-01
    * [url https://www.google.com/search?hl=en&gl=us&tbm=nws&q=%22homeland+security%22+java&oq=%22homeland+security%22+java&gs_l=news-cc.3..43j0j43i400.3622.11446.0.11658.30.26.1.3.0.0.171.2470.20j6.26.0...0.0...1ac.1.qnInnhlbcis]word is getting out of security update
    However, on the other hand, you're spending what sounds like quite a bit of time searching for the best fix, and it is bothering you as well. Isn't your time and anxiety worth something? If so, perhaps a certification is worth it?

    Have you thought about asking for nominal contributions via PayPal? Would it pay to do more investigation into how to get more attention (positive that is) from search engines? ... because this might be the thing that will get the end user over the hump of wondering if your app is safe or not. How about a hit count on the page? (sorry, I did not look at your page so I don't know if you have one - did you mention that?) How about taking in some adverts?
    Having the app signed would do away with the requester, which is now a permanent feature for all unsigned applets (unless the user clicks the "I trust this applet always" box). It would also allow copy&paste. Is that worth 50¢/day to me? ... possibly. Although it would do nothing to help with the folks who uninstalled Java with no intention of re-installing.

    I have thought about contributions and even a small area for plain-text ads. When the page was getting over 300 hits/day, that may have actually brought in useful amounts of cash. Should I decide to get the applet signed, I might reconsider. Up to now my only cash outlay has been the domain hosting fee, and I did not need to earn money from the site.

    The page does have a hit counter, which is currently approaching 1.4 million hits. I'm not sure how much credibility that lends me, though. It (and presumably most types of hit counters) can be initialized to any value. The count is legit, but the number isn't so impressive considering it began counting in 1998. :)
    baftos wrote:
    RichF wrote:
    BTW, why is copy&paste blocked by the sandbox, anyway?
    Maybe this is the reason: ...
    I see how that could be nasty. There are actually two places where my users could use copy&paste in my applet. The first is in the aforementioned plain text field for color hex values. Applying the exploit to copies of that would be possible (although I would presume most users would be highly suspicious of a link accompanying a hex color value.) The second is to copy pre-displayed lines from the applet's color log window. There is no programmatic involvement in that; Java does all the work in allowing copies from lines in a table. I'm not sure the exploit would apply there.
  • 40. Re: can java app programmer make secure app?
    801338 Newbie
    from [url http://www.mercurynews.com/business/ci_22573646/oracles-java-software-still-major-worry-despite-recent]Oracle's Java Software Still Major Worry:
    Will Dormann, a Carnegie Mellon researcher who wrote the Java warning for the government, said the many flaws found in Java may partly stem from some security experts spending inordinate time scrutinizing it. He also noted that Java isn't the only software he's recommended disabling. He gave similar advice in December about Adobe's Macromedia Shockwave Player, which displays certain web content.

    Even with Oracle's latest patches, he said it was unlikely the government would tell people "to turn it back on."
    Sigh. Don't you have a responsibility, once you tell folks it's unsafe to drink the water, to tell them when they can drink again?? If some folks choose to continue drinking bottled water after that, they can. Others would be perfectly fine with the tap water.

    I understand them being cautious, but to say you won't ever withdraw the warning seems irresponsible to me. They don't have to tell people to "turn it back on", but they can announce they know of no security problems.

    -- Rich