- Bug
- Resolution: Fixed
- P2
- 1.2.2
- 1.2.2
- generic
- generic
- Not verified

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2027714 | 1.3.0 | Jan Luehe | P2 | Closed | Fixed | beta |
Name: sg39081 Date: 06/23/99
Create a self signed certificate with keytool
Create an applet with privileged code and sign it with the self signer id
Run the applet under Java Plugin 1.2.2 rc1
A dialog box pops up saying applet signed by xyz etc and user can press "grant always" so that the applet has total access to the user's system. The certificate is imported into the local database.
The only problem is that since this was a self signed certificate, any person can create a certificate in anybody's name and the certificate is imported without certificate chain verification (since there is no chain, the certificate was self-signed).
So I could create a self signed certificate that says "Sun Microsystems" and the user would accept my applet as if it came from Sun. Since I self-generated the keytool id and certificate and did not go through a CA to get my public-private keys, how did the Java Plugin manage to verify my identity (against what?).
(Review ID: 84381)
======================================================================
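The check the report says was missing, as an added example (not code from the bug report or from the JDK): a signer certificate is tested for being self-signed and then PKIX-validated against trust anchors, so a subject name that nobody vouches for is never shown as a verified identity. Assumptions: the class and method names are hypothetical, the sample certificate is constructed at run time with the JDK's own `keytool` under a made-up name, the anchors are the JRE's default CA set, revocation checking is off, and Java 9+ is used.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

public class SignerTrustCheck {
    // Self-signed: subject == issuer and the signature verifies under its own key.
    static boolean isSelfSigned(X509Certificate c) {
        if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) return false;
        try { c.verify(c.getPublicKey()); return true; }
        catch (GeneralSecurityException e) { return false; }
    }

    // PKIX path validation: the chain must lead to one of the given trust anchors.
    static boolean chainsToAnchor(List<X509Certificate> chain, Set<TrustAnchor> anchors) {
        if (anchors.isEmpty()) return false;
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // offline demo: no CRL/OCSP lookups
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway self-signed certificate made with keytool.
        Path ks = Files.createTempFile("demo", ".p12");
        Files.delete(ks); // keytool must create the keystore itself
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        new ProcessBuilder(keytool, "-genkeypair", "-alias", "demo", "-keyalg", "RSA",
                "-dname", "CN=Constructed Signer, O=Example", "-storetype", "PKCS12",
                "-keystore", ks.toString(), "-storepass", "changeit").inheritIO().start().waitFor();
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(ks)) { store.load(in, "changeit".toCharArray()); }
        X509Certificate cert = (X509Certificate) store.getCertificate("demo");
        // Trust anchors: the CA certificates shipped with this JRE.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(ca, null));
        System.out.println("subject=" + cert.getSubjectX500Principal()
                + " selfSigned=" + isSelfSigned(cert)
                + " anchored=" + chainsToAnchor(List.of(cert), anchors));
    }
}
```

A certificate that is self-signed and not anchored carries only a self-asserted name; a prompt built on this check would identify it by key fingerprint rather than by the subject string.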
- backported by
  - JDK-2027714 Self signed applets get full access
  - Closed