Browser security nags (or lack of them!)

Attempt to launch an exe -> browser nags you.
Launch a jnlp -> Java plugin nags you if necessary & you haven’t accepted the certificate.
unsigned Applet -> obviously sandboxed.
signed Applet -> Java nags you if you haven’t accepted the certificate.
signed Jar file -> Java nags you if you haven’t accepted the certificate.
unsigned Jar file -> no browser nag, no Java nag, not sandboxed?

Given that even moderately security-literate people won’t realize a .jar file is a security threat that should not be clicked on willy-nilly, this seems to me to be a little bit of a security hole? (obviously in the browser, not Java per se)
Or have I simply managed to turn off the nag message somehow?
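
A download-side check for the gap described in the post above, as an added example that is not part of the original thread: it flags archives that declare a `Main-Class` (so a desktop with Java installed can launch them) but carry no signature files. The function names and the in-memory sample JARs are constructed for illustration; the check looks only for the presence of signature files and does not validate them.

```python
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block files that accompany a .SF


def main_attrs(manifest_text):
    """Parse the manifest's main section; attribute names are case-insensitive."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line:  # a blank line ends the main section
            break
        if line.startswith(" ") and last:  # continuation of the previous value
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip().lower()
            attrs[last] = value.strip()
    return attrs


def classify_jar(data):
    """Report whether a download is a launchable JAR carrying no signature files."""
    result = {"archive": False, "main_class": None, "has_signature": False, "flag": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a ZIP container, so not a JAR
    with zf:
        result["archive"] = True
        names = zf.namelist()
        for name in names:
            if name.upper() == "META-INF/MANIFEST.MF":
                text = zf.read(name).decode("utf-8", "replace")
                result["main_class"] = main_attrs(text).get("main-class")
    meta = [n.upper() for n in names
            if n.upper().startswith("META-INF/") and n.count("/") == 1]
    # Presence only: this does not verify the signature or the certificate chain.
    result["has_signature"] = (any(n.endswith(".SF") for n in meta)
                               and any(n.endswith(SIG_BLOCK_EXTS) for n in meta))
    result["flag"] = result["main_class"] is not None and not result["has_signature"]
    return result


def build_jar(entries):
    """Build a constructed sample JAR in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()
```
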

Looks like a proper hole to me. Strange that no-one’s noticed it before.

Cas :slight_smile:

I had noticed this also a while back and was thinking the same thing. But I guess you rarely hear of any harmful jar files.

If that is indeed the case, it seems to beg the question as to what purpose the scary security warnings are serving in webstart =/ (except the obvious ill effect of scaring off some users)

To be honest they serve no useful purpose at all. Any dodgy crim can get their code signed anyway.

Cas :slight_smile:

Seems Chrome shows a message that jar files can be harmful.

In Firefox, the browser will ask if executing a jar. Maybe you have turned this on auto-accept at a previous time?