Call me paranoid, but what exactly do 'Java applets' do when they download themselves from websites?
I seem to have no control over whether they do or not, some are presumably ok as they are on bank account sites, but others appear on sites I visit.
When they download, up pops the 'Java Consloe' in my System tray. What happens to the applets when I leave the relevant site? Can they be harmful?
20th Feb 2003, 23:50
Applets are Java programs that live in a web page and are therefore "runnable" in a browser (IE, Opera etc) when you navigate to the page.
As far as security is concerned applets can run in two ways. Firstly they can operate in what is known as a "sandboxed" environment where they have no access to any of the resources on your machine. This means they can't do things like read to and from your local directory structure. The second way they run is where they have access to your machine and it's resources. Effectively the second way means that the applet will have the same security priveledges as any Java application running locally on your machine.
The second way can be achieved by running an applet that has been published by a source that you trust. This trust is achieved by a process called "signing" where a cryptographic assurance is provided to the client by the provider to guarantee that the applet comes from a trusted party. The only places in which I have seen signed applets in action is in an intra/extranet environment.
Most of the applets you see on public sites are of type one and they can't tamper with your system. When you close your browser or navigate off the page the applet will cease to run.
Hope this helps.
??? - thanks for that - I had no idea about 'Type 2'! Is there any way of telling when these are around and can I set IE to run only 'signed' applets?
21st Feb 2003, 21:49
Remember that just because an applet is signed doesn't guarantee much. A bit like buying a used car: how much more useful is it to have a bit of paper from the used-car salesman, saying the car's in perfect nick, as opposed to just hearing him say it ? A signature is only useful if you trust the person or oganisation signing the certificate (and that includes checking for certificate revocation.) Signatures can be very useful, but only if they are used correctly -- blindly trusting a signed applet merely because it is signed will likely end in tears... :rolleyes:
22nd Feb 2003, 14:48
RTFM - This is true
BOAC - Ideally you want your applet to run in the sandbox so you don't want to place a restriction within IE that only allows potentially iffy signed applets to run.
??? - thank you for introducing a 'new' word to my life! (and for your help here).
For the rest of you who like me thought a 'sandbox' was just somewhere the grandchildren went to get dirty for your living-room carpet, try this link (http://www.securingjava.com/chapter-two/)
Going to have a 'study day' I think!
26th Feb 2003, 09:14
Glad to be of service BOAC.
Go easy on the study though, the ladies do no find IT geeks remotely attractive ;-)