Trusted certificates

Aye, stop being mean! Obviously security is not at all obvious. It’s got entire companies of professionals dedicated to it.

Cas :slight_smile:

thank you :slight_smile:

Have you guys read this?

[quote]New JNLP Extension Security Dialog
A new security dialog has been introduced in 6u18 for installing signed Java extensions on a user’s system. Java extensions are components described in JNLP files that are typically intended to be used by a large number of applications and applets.

The new security dialog is triggered by an application that references the Java extension in its JNLP file (by including it in the resources element). The security dialog will ask the user if they would like to install the extension. Once the extension is installed, it can be referenced by other applications without the need for asking the user’s permission again (as long as it is the same extension from the same codebase).

The JNLP file of the Java extension must adhere to the following requirements:
The JNLP file MUST contain a component-desc element that describes the Java extension.
The JAR files that are specified in the resources element MUST be signed with the same certificate.
The signer’s certificate MUST contain an Authority Information Access or CRL Distribution Points extension so that the revocation status can be checked (via OCSP or CRLs).
[/quote]
(Source: http://java.sun.com/javase/6/webnotes/6u18.html)
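The two certificate requirements in the quoted 6u18 note can be checked before deployment. This is an added example, not code from Sun's release notes or from any poster in this thread. The class name `ExtensionJarCheck` is hypothetical, Java 7 or later is assumed, and skipping every `META-INF/` entry is a simplification.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added example (hypothetical class): checks the certificate rules quoted above.
public class ExtensionJarCheck {
    static final String AIA_OID = "1.3.6.1.5.5.7.1.1";  // Authority Information Access
    static final String CRLDP_OID = "2.5.29.31";         // CRL Distribution Points
    // Returns the signer certificate shared by every non-META-INF entry of the JAR.
    static X509Certificate signerOf(String path) throws Exception {
        X509Certificate signer = null;
        try (JarFile jar = new JarFile(path, true)) {     // true = verify signatures
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Certificates are only available once the entry has been read to the end;
                // a tampered entry raises SecurityException during this read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }
                }
                Certificate[] chain = entry.getCertificates();
                if (chain == null || chain.length == 0)
                    throw new SecurityException(path + ": unsigned entry " + entry.getName());
                X509Certificate leaf = (X509Certificate) chain[0];
                if (signer == null) signer = leaf;
                else if (!signer.equals(leaf))
                    throw new SecurityException(path + ": entries signed by different certificates");
            }
        }
        if (signer == null) throw new SecurityException(path + ": no signed entries");
        return signer;
    }
    public static void main(String[] args) throws Exception {
        X509Certificate first = null;
        for (String path : args) {                        // every JAR listed in <resources>
            X509Certificate c = signerOf(path);
            if (first == null) first = c;
            else if (!first.equals(c))
                throw new SecurityException(path + " is signed with a different certificate");
        }
        if (first == null) throw new IllegalArgumentException("usage: ExtensionJarCheck a.jar ...");
        boolean revocable = first.getExtensionValue(AIA_OID) != null
                         || first.getExtensionValue(CRLDP_OID) != null;
        System.out.println(first.getSubjectX500Principal() + (revocable
            ? ": AIA or CRLDP present" : ": no AIA or CRLDP, revocation cannot be checked"));
    }
}
```

Pass it every JAR named in the extension's `resources` element; a self-signed certificate made with `keytool -genkey` will normally report no AIA or CRLDP extension.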

oh wow, that could be awesome for lwjgl applets.

That’s wonderful, especially if the security dialog says “extension” rather than “potential atomic bomb/ebola virus.” I always ended up just signing the LWJGL jars myself, but I guess I’ll have to look into using theirs now.

Still, hardly anybody will have the LWJGL extension the first time they load your webstart/applet app. So when you sign your own jars, most users will still see two security dialogs.

It’s better, but not yet done. Why can’t the messages in the multiple security dialogs be merged into 1 dialog? Surely there must be a way to keep it clear, informative, and not annoying.

That’s a really good point. I don’t see the necessity of:

“This may break your computer. Cool with it? Yes/no”
“Okay, well, this might break your computer too. What do you think? Yes/no”
“Just in case you didn’t know, this could even break it a third time. Yes/no”

Seriously if you put in enough extensions you’ll see a stupid number of dialogs. I’ve seen 3 before. Why not just:

“This app could break your computer. It’s signed by these people: xxxx, xxxx, xxxx Yes/no”

There’s a tricky issue here with making sure that the user realises that the different people signed different parts. Otherwise they’ll think “Oh, if I can trust one of John Smith, Kev Glass, or Sun Microsystems then it’s ok. Well, I trust Kev”.

true but you’ll only need one super successful lwjgl applet game and tons of ppl will get it installed. Think it was just announced a day or two ago that minecraft has over 100,000 registered users now.

second why do you need to sign your own jars? unless you really need some vital system access like writing to disk. unsigned LWJGL applet games should be able to function perfectly fine without requiring further permissions. Agreed though multiple certificate dialogs are annoying.

The problem is that the current warning message is about the “digital signature”, which I’m quite sure means nothing to 99% of readers. So, they will either get scared and claim the application or game “doesn’t work”, or completely ignore the message and just click OK.

I attached two versions of the Webstart security dialog. In my opinion the second one is more user friendly, and it makes the risks more clear.

I’m not at all bothered about what the “unverified cert” dialog looks like. What I care about is what the dialog looks like after I’ve paid $400 for a Thawte code signing certificate. The unverified one can show a picture of Russian crackers buggering your granny for all I care. I want the one that I’ve paid for to look like a pleasant request.

Cas :slight_smile:

Good point. In your case the dialog says “Shaven Puppy Ltd” instead of “cannot be verified”, but otherwise the dialog is exactly the same. So to think about the wording in these dialogs for longer than 2 minutes would still be a good idea.

Offtopic:
I never really understood why I should trust somebody with $400 to spare and avoid people that don’t.

It’s not so much about the money I have to spare as the effort the CA puts into an audit trail.

Cas :slight_smile:

With Thawte’s free email certificate now gone and no help from Sun, there doesn’t seem to be any good way to go about getting a decent java code signing certificate for cheap.

That should hopefully ensure that people avoid Java Apps written by broke programmers.

Thanks Sun.

If you’re serious about it - you can get certs for Not Much Money At All.

If you’re just doing it for fun - who cares. I know who you are.

Cas :slight_smile:

That check is a complete joke. They are only there to take your money and delay the ‘your cert is ready’-email for two days, to make it look like they actually did something.

I believe Thawte and VeriSign actually do make proper checks on the authenticity of the documentation provided. And so they should, because if it were found out that they didn’t, then they’d completely lose all credibility with consumers. I have no idea about other providers. Comodo are another one that I’ve used in the past; I think they’re in the root CAs in the JDK now too.

Cas :slight_smile:

90 day free ‘full featured’ SSL certificate.
http://www.comodo.com/business-security/digital-certificates/free-ssl.php

Ninety days are more than enough to do some serious damage.

That’s only an SSL cert. Besides… what do you have to give to Comodo in order to get a cert? I had to provide actual proof of my company details and ownership to Thawte, countersigned by a solicitor.

Cas :slight_smile: