Details
-
Enhancement
-
Resolution: Future Project
-
P5
-
6
-
x86
-
solaris_2.5.1
Description
FULL PRODUCT VERSION :
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
SunOS solaris-devx 5.11 snv_64a i86pc i386 i86pc
A DESCRIPTION OF THE PROBLEM :
When trying to run "the Java Web Start-enabled demonstration program, JavaFX Pad", I encountered a problem "The application's digital signature cannot be verified. Do you want to run the application?", with either Run or Cancel. Only after clicking "More information..." am I informed that "This application will be run without the security restrictions normally provided by Java.".
There are two problem aspects here (other than the fact that there is a digital signature problem):
1. It is not possible to run a signed program with security restrictions (and I guess this is not possible either if the digital signature is correct), only a go/no-go decision is possible, without any information of what the program will attempt to do. Instead, the user should be given a list of permissions requested by the program (or, if this is not possible, the phrase "unlimited permissions" or something equally informative), and the user should then be able to decide which permissions to grant before running the applications, and which ones as they are required (this last option is necessary to securely run applications that request unlimited permissions, perhaps out of laziness, or any permissions that will not necessarily be used in a particular session), with appropriate shortcuts like "Grant all permissions now" and "Ask each time when needed". For ease of use, such permissions should be remembered across sessions if the user so desires. (I should check the JNLP specification again to know whether it is possible to list the desired permissions, but it should be.)
2. The user is not made aware that there is a security problem. Java is supposedly a secure environment, but, even though this may not have a specification against which this behaviour is a bug, it is definitely a bug or a regression against the promise of security. There is no reason to expose the naive user to such risks, and supposedly making the dialog "friendlier" (as I think I've picked up somewhere as the reason for this change) is an especially bad reason, because it will teach the user community the hard way that Java does not take security seriously after all.
Note that the phrase "Only run if you trust the origin of the application." indicates a conceptual problem: I may trust the origin to some degree (maybe just to give me correct information, maybe also to act responsibly, maybe implicitly because it's a company program on a company computer), but I may still want to verify what the program is doing, and this is not possible now.
Note also that programmers are led to believe they have to sign their applications, even if this creates more (security) problems than it solves with the current behaviour: it is now much safer to launch unsigned programs than signed ones, but maybe most of them are signed. It seems Java Web Start is stuck somewhere in the past of Java's security development, before permissions were introduced, when only an all-or-nothing decision was possible.
As an aside, if you decide to throw away this comment as "not a bug" because you think you know better, at least make it possible for other users to still vote for it to show they disagree with that verdict.
REPRODUCIBILITY :
This bug can be reproduced always.
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
SunOS solaris-devx 5.11 snv_64a i86pc i386 i86pc
A DESCRIPTION OF THE PROBLEM :
When trying to run "the Java Web Start-enabled demonstration program, JavaFX Pad", I encountered a problem "The application's digital signature cannot be verified. Do you want to run the application?", with either Run or Cancel. Only after clicking "More information..." am I informed that "This application will be run without the security restrictions normally provided by Java.".
There are two problem aspects here (other than the fact that there is a digital signature problem):
1. It is not possible to run a signed program with security restrictions (and I guess this is not possible either if the digital signature is correct), only a go/no-go decision is possible, without any information of what the program will attempt to do. Instead, the user should be given a list of permissions requested by the program (or, if this is not possible, the phrase "unlimited permissions" or something equally informative), and the user should then be able to decide which permissions to grant before running the applications, and which ones as they are required (this last option is necessary to securely run applications that request unlimited permissions, perhaps out of laziness, or any permissions that will not necessarily be used in a particular session), with appropriate shortcuts like "Grant all permissions now" and "Ask each time when needed". For ease of use, such permissions should be remembered across sessions if the user so desires. (I should check the JNLP specification again to know whether it is possible to list the desired permissions, but it should be.)
2. The user is not made aware that there is a security problem. Java is supposedly a secure environment, but, even though this may not have a specification against which this behaviour is a bug, it is definitely a bug or a regression against the promise of security. There is no reason to expose the naive user to such risks, and supposedly making the dialog "friendlier" (as I think I've picked up somewhere as the reason for this change) is an especially bad reason, because it will teach the user community the hard way that Java does not take security seriously after all.
Note that the phrase "Only run if you trust the origin of the application." indicates a conceptual problem: I may trust the origin to some degree (maybe just to give me correct information, maybe also to act responsibly, maybe implicitly because it's a company program on a company computer), but I may still want to verify what the program is doing, and this is not possible now.
Note also that programmers are led to believe they have to sign their applications, even if this creates more (security) problems than it solves with the current behaviour: it is now much safer to launch unsigned programs than signed ones, but maybe most of them are signed. It seems Java Web Start is stuck somewhere in the past of Java's security development, before permissions were introduced, when only an all-or-nothing decision was possible.
As an aside, if you decide to throw away this comment as "not a bug" because you think you know better, at least make it possible for other users to still vote for it to show they disagree with that verdict.
REPRODUCIBILITY :
This bug can be reproduced always.