article on Security Warning enhancements in 6u10-12

Some ideas:

Instead of the panicky “Security Warning”, it would be much better if it read something like “Your approval is needed”. My virus checker/firewall is giving me “Security Warning”-s; the last thing I want is some applet showing me a window with text similar to what a virus checker is showing. The message should be positive.

There is a slight difference between the browser reporting that it needs to download and install a plugin to run the web page, and the page trying to install something “by itself” and showing some scary “security warning”. Maybe tighter integration of the applet/webstart system with the browser would help this issue. The browser could manage the installed libs and cached applets/webstart apps. So Java would not show the security dialog, but the browser would. It’s a matter of making an API and writing browser-specific plugins.

[quote=“VeaR,post:21,topic:33154”]
+1
Better still a solid codebase (like flash, shockwave &c) which you download from a trusted source (sun.com) & which has all the bits needed for games. Sun has focussed (understandably I suppose) on their core J2EE market and didn’t see how J2SE could have pissed all over flash if they’d wanted it to…

another late reply. i’m the frankenstein of reviving threads :)

well, i care about the basic security, of course. i don’t want any applet to have full access to my files, e.g.
but: i don’t like the warnings for simple things like web access and hardware graphics.

the problem is: i don’t trust anyone. signed or not. if the origin is known, that’s nice, but i don’t see any really trustworthy sources around here! i mean: it’s not like WWF, BP, Siemens or some other big organisations are offering applets. instead, the one-man-show applets you see around are not becoming more trustworthy just because someone says “yep, that’s them”. i don’t really know who that is.
and the big players don’t use applets anyways, cause there have to be warnings for nothing.

i would propose an options panel for applets to allow certain things and disallow others. like javascript for firefox. anything that i didn’t allow is either turned off, or raises a warning. the default setting should be comparable to flash and it should be clear, that an applet never allows file or registry access or anything like that. anything else is not the concern of sun, i would say.

otherwise i think all web-based java is going down the drains.

i even dislike jnlp now, cause you get the app installed and must be a java geek to find and uninstall it. that’s not professional, i think. and that system is slow once more. but that’s another topic.

So would you download an .exe installer then and run that instead?

Cas :)

That’s what ticks me off…people constantly download and run installers for applications, but the minute they see that Java warning it sets off sirens in their heads that keep them from accepting. It’s a double-standard, and it’s one that Sun created by the “different” way they alert users of the security risk…people get used to the “You’re opening a file you downloaded off the internet, it probably has a virus and you’ll all die” and then clicking, “Sounds like fun”, but when they get a similar but different prompt from Java they think, “Haxors are attacking my compy!” and they unplug the cord and hide under their bed…okay, so maybe that’s just my brother that does that, but still, I think the point is valid…unfortunately I don’t know a good solution apart from making all the browsers alert the same way they do for installers and other arbitrary EXEs.

ok, that is a point, but i’ll grant this only for jnlp.

in case of applets especially, the .exe i installed is the java runtime! after that, it should work seamless! see points above.
the jnlp is sort of .exe downloading and installing. a warning or notice is fine then.

Update: As per the desire some gentlemen expressed in this thread, the article has been updated to use Applet instead of webstart app for a demo:
http://java.sun.com/developer/technicalArticles/GUI/SecurityWarning/AppletWarning.html

All good intentions aside, I don’t see how letting the programmer specify the icon position makes things better.

You can just shift the icon into your own GUI, and put it in front of a Label which has some fake ‘alert message’, like:

[ALERT] Be sure to get our latest update!

Nobody would hover over that icon anymore. It wouldn’t stick out.
Indeed it is less intrusive, but this undermines the security warning/notification.

Suspect I could easily DoS a machine too.


for (;;) {
    JFrame frame = new JFrame("Haha");
    frame.setBounds(0, 0, width, height);
    frame.setVisible(true);
}

Blam! Could even pop in a few tweaks in there too like preventing OOMEs to make it even more cunning. I think windows should simply be banned from unsigned applets. That’d force people to think more Flash-like.

Cas :)

FYI, you could do this even w/o windows, by just creating tons of threads. So, should we ban threads from applets? What if you run just a few threads, but with busy spinning loops (take all your cpus to 100%)? It’s nearly impossible to prevent DoS types of attacks, but they aren’t considered that dangerous, your information isn’t getting stolen.

True - though I did wonder that perhaps unsigned applets should have a limit on the number of system resources they can create.

BTW - someone I know finally spotted what was wrong with the security dialog. Or rather pointed it out. The contents of the dialog itself are now entirely adequate and perfectly informational. But look at the title. Warning: Security. FAIL!

If you could just change the title of the dialog instead to, say, the title of the HTML page, or just to “Java”, that’d be great. I think that’d solve mostly all our problems.

Cas :)

agreed, I was looking at that too and thinking the same thing.
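
The per-applet resource limit suggested earlier in the thread could take the shape of a host-side quota like the one below. This is an added example, not code from the thread or from the Java Plug-in; `AppletQuota`, its methods and the limits are hypothetical. It caps how many windows and threads untrusted code may hold at once, so a loop like the one posted above stops at the limit, and it does not address busy-spinning threads.

```java
import java.util.EnumMap;
import java.util.Map;
import java.util.concurrent.Semaphore;

/** Hypothetical per-applet resource quota; not part of the Java Plug-in API. */
public class AppletQuota {
    public enum Kind { WINDOW, THREAD }

    private final Map<Kind, Semaphore> permits = new EnumMap<>(Kind.class);

    public AppletQuota(int maxWindows, int maxThreads) {
        permits.put(Kind.WINDOW, new Semaphore(maxWindows));
        permits.put(Kind.THREAD, new Semaphore(maxThreads));
    }

    /** Called by the host before it creates a resource on the applet's behalf. */
    public void acquire(Kind kind) {
        if (!permits.get(kind).tryAcquire()) {
            throw new SecurityException("quota exceeded for " + kind);
        }
    }

    /** Called by the host when the resource is disposed, so the slot can be reused. */
    public void release(Kind kind) {
        permits.get(kind).release();
    }

    /** Starts a thread only if the quota allows; the slot is returned when it ends. */
    public Thread startThread(Runnable body) {
        acquire(Kind.THREAD);
        Thread t = new Thread(() -> {
            try { body.run(); } finally { release(Kind.THREAD); }
        });
        t.setDaemon(true);
        t.start();
        return t;
    }

    public static void main(String[] args) {
        AppletQuota quota = new AppletQuota(3, 8);   // constructed limits
        int opened = 0;
        try {
            for (;;) {                      // same shape as the loop in the thread
                quota.acquire(Kind.WINDOW); // host check before new JFrame(...)
                opened++;
            }
        } catch (SecurityException e) {
            System.out.println(opened + " windows allowed, then: " + e.getMessage());
        }
    }
}
```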