"Sun Endorsed" extensions

[princec]

That's exactly the problem. Train users to press OK every time a security dialog pops up and the next thing you know, they click OK on everything.

The funny thing about signing, too, is that it only proves a bit of code hasn't been tampered with by anyone else. There is nothing at all to prevent a fraudster obtaining a certificate and signing phishing code. Nothing. Signed code is not safe. It's just provably untampered with.

So it's really all rather pointless as far as the human element of security goes.

Cas

[erikd]

That's exactly the problem. Train users to press OK every time a security dialog pops up and the next thing you know, they click OK on everything.

The funny thing about signing, too, is that it only proves a bit of code hasn't been tampered with by anyone else. There is nothing at all to prevent a fraudster obtaining a certificate and signing phishing code. Nothing. Signed code is not safe. It's just provably untampered with.

So it's really all rather pointless as far as the human element of security goes.

Cas

Of course signed code is not necessarily safe code, but the resulting security dialog is good feedback that this program will run outside of the security sandbox.

Many users might choose to ignore it because they click OK on everything, but imho that doesn't mean it's pointless for everyone. That's not the problem of security dialogs but the problem of the users that ignore them (and of their friends and relatives that have to reinstall their PC for the umpteenth time again  ).
I for one like to know if running some java applet or webstart app requires some additional trust from my side so that I have a choice to run the program or not.

But not considering exceptions at all is a big problem, too, because it means that things that should be considered sandbox safe now need to be out of the sandbox, which is a security flaw - people should never need to grant permission to their entire system just to allow something to use their graphics card, but under the current model they do.

Oh I absolutely agree that the current security model is too coarse, but that's a bit of a different discussion isn't it? (I mean, endorsed libraries won't fix that)

For the record, I do agree with Cas' proposition. Not so much because security dialogs are pointless, but as a way to make the scope of the security sandbox a bit more flexible, yet still controlled.
But one thing I'm not really confident about is the following scenario:
What if endorsed libraries start showing up, and one version of a library turns out to have a serious security flaw? What would stop dubious parties to keep using this particular version of this library? An expired certificate?

[princec]

Same way as any other security flaw - JRE gets patched, certificate revoked in the patch.

Cas

Games published by our own members! Check 'em out!

[erikd]

Same way as any other security flaw - JRE gets patched, certificate revoked in the patch.

Cas

Hm yes, as long as 'revoked' doesn't mean breaking all software using it in the process, but instead having the good-ole security dialog pop-up again...

[Mr. Gol]

The solution here is to do exactly what Flash does - show an overlay that says "Press ESC to exit full screen mode" and then hard code the escape key to do so, without the programmer having any choice in the matter.  Also, IIRC the fullscreen mode can only be entered as a result of a user interface action, not a pure programmatic one.  These are technical issues, not fundamental security ones.

There are some problems with this though, the message "press escape to ..." is localized in the language of Flash Player, which might be a different language from the actual SWF (obviously, but it can look weird to viewers if the whole thing is in Dutch and then this one message is in English).

One thing that you didn't mention is that the owner of the website needs to add a "allowFullscreen=true" parameter to the embed code. This means that both the owner of the website and the owner of the SWF need to allow fullscreen mode, and only then this becomes possible.