Browser security nags (or lack of them!)

[Abuse]

Attempt to launch an exe -> browser nags you.
Launch a jnlp -> Java plugin nags you if necessary & you havn't accepted the certificate.
unsigned Applet -> obviously sandboxed.
signed Applet -> Java nags you if you havn't accepted the certificate.
signed Jar file -> Java nags you if you havn't accepted the certificate.
unsigned Jar file -> no browser nag, no Java nag, not sandboxed?

Given that even moderately security literate people won't realize a .jar file is a security threat that should not be clicked on willy-nilly, this seems to me to be a little bit of a security hole? (obviously in the browser, not Java per-se)
Or have I simply managed to turn off the nag message somehow?

[princec]

Looks like a proper hole to me. Strange that no-one's noticed it before,.

Cas

[zammbi]

I had notice this also a while back and thinking the same thing. But I guess you rarely hear of any harmful jar files.

Games published by our own members! Check 'em out!

[Abuse]

I had notice this also a while back and thinking the same thing. But I guess you rarely hear of any harmful jar files.

If that is indeed the case, it seems to beg the question as to what purpose the scary security warnings are serving in webstart =/ (except the obvious ill effect of scaring off some users)

[princec]

To be honest they serve no useful purpose at all. Any dodgy crim can get their code signed anyway.

Cas

[zammbi]

Seems chrome shows a message that that jar files can be harmful.

[hishadow]

In Firefox, the browser will ask if executing a jar. Maybe you have turned this on auto-accept at a previous time?