Java-Gaming.org    
Yay, Java Security Again!
Offline kappa
« Posted 2011-01-10 18:19:42 »

If last year's mass-publicised Java flaws weren't bad enough, Java's on the front pages of the tech sites again.

http://developers.slashdot.org/story/11/01/10/1520236/Browser-Exploit-Kits-Using-Built-In-Java-Feature

Shame really, since Java Applets are really starting to shape up pretty nicely these days and becoming pretty usable.
Offline hishadow
« Reply #1 - Posted 2011-01-10 18:57:45 »

Remember, it only takes Oracle one patch to remove those signed applets.
Offline JL235
« Reply #2 - Posted 2011-01-10 19:02:31 »

This, this (linked to from Slashdot) and learning that the JS-Java bridge is now permanently on have all really put me off applets. I get that a user has to click that they trust it to run, but the same is also true with accepting to install a dodgy app or running an ActiveX component. It points out to me that Java can really be in the same league as ActiveX. That's a pretty bad place to be!

> Remember, it only takes Oracle one patch to remove those signed applets.

Given the slow popularity of current versions of Java, if Oracle changed this tomorrow it would take several years before it spread to anywhere near 90% penetration (if ever). Flash and web browsers beat that hands down!

Offline DzzD
« Reply #3 - Posted 2011-01-10 19:46:13 »

Heu... I probably miss something again? The user is asked to accept a security popup? If they trust it / answer yes, the provider of the applet gets all rights on their computer?! Nothing new: signed applets get all rights and are dangerous from an unknown provider. Where is the security hole? Nothing different than a standard ActiveX/OCX, and what's the difference with a link to an executable file?

<a href="virus.exe">start game</a>

Offline DzzD
« Reply #4 - Posted 2011-01-10 19:49:53 »

There are hundreds of infected programs distributed by all those software download websites... Java at least shows a scary security popup...

Offline DzzD
« Reply #5 - Posted 2011-01-10 19:59:43 »

What is funny is that I detected this one a couple of weeks ago on my computer, probably from a signed applet/JWS here on JGO.

tam tam tam tam tamm (scared emoticon)

http://www.java-gaming.org/topics/troj-javadl-a/23187/view.html


Offline kappa
« Reply #6 - Posted 2011-01-10 20:25:13 »

> Heu... I probably miss something again? The user is asked to accept a security popup? If they trust it / answer yes, the provider of the applet gets all rights on their computer?! Nothing new: signed applets get all rights and are dangerous from an unknown provider. Where is the security hole? Nothing different than a standard ActiveX/OCX, and what's the difference with a link to an executable file?
>
> <a href="virus.exe">start game</a>


True, in this case the problem sits between the computer screen and the chair; not much can be done about that other than to restrict what's possible in the software. Unfortunately, since it's done through Java, Java gets the blame.

Banning self-signed certificates, or at least turning off their support by default (making users go to the control panel to enable them), might be the quick fix here, but again it would be a major annoyance for many Java programmers as there are not many (if any) free alternatives to obtain a proper certificate.
Offline DzzD
« Reply #7 - Posted 2011-01-10 20:31:19 »

My philosophical quote:

"In the long term I believe that the only solution is that people get more informed about the security risks to their personal data on a computer, as they already are for guns, cars, drugs, alcohol, etc..."

Offline gouessej
« Reply #8 - Posted 2011-01-10 23:58:46 »

> My philosophical quote:
>
> "In the long term I believe that the only solution is that people get more informed about the security risks to their personal data on a computer, as they already are for guns, cars, drugs, alcohol, etc..."

+ ", capitalism, Monsanto, Microsoft, Apple, Adobe, Veolia, genetically modified organisms, homophobia, sexism, racism, etc..."

Offline DzzD
« Reply #9 - Posted 2011-01-11 00:04:48 »

Hum... but apple pie is pretty good.

Offline gouessej
« Reply #10 - Posted 2011-01-11 15:38:14 »

> Hum... but apple pie is pretty good.

Lol, it tastes better than software patents.

Offline xinaesthetic
« Reply #11 - Posted 2011-01-11 15:49:00 »

> My philosophical quote:
>
> "In the long term I believe that the only solution is that people get more informed about the security risks to their personal data on a computer, as they already are for guns, cars, drugs, alcohol, etc..."

Well, with those things we have a mixture of information, legislation to 'protect people from themselves', etc... The Apple-style lockdown approach fits this well. As with drugs etc., it is deemed that people would rather not have the hassle of taking responsibility or having to think too much.

Of course I agree that the proper solution would be for people to be well informed. In practice people often can't be bothered learning all the subtle intricacies and can't always be trusted to make rational decisions.
Offline kappa
« Reply #12 - Posted 2011-02-17 22:58:07 »

Wow, the latest Java update fixes 21 security issues with Java!!!

http://www.theregister.co.uk/2011/02/17/java_security_threat/

Didn't think things had gotten so bad, but at least they're being patched quickly now.
Offline Riven
« Reply #13 - Posted 2011-02-17 23:11:24 »

And obviously 6u24 fails to install.

Offline Alan_W
« Reply #14 - Posted 2011-02-18 00:39:42 »

I read two articles about this and both recommended uninstalling Java. The problem isn't so much with bugs, but with people clicking through the warning. Possibly the answer is to only allow verifiably signed applets and to check these against an online blacklist of known rogue signatures. Malware writers would then have to obtain a verifiable code-signing certificate, which could then be invalidated when the malware surfaces.
Obviously self-signed certificates would no longer be any use, unless installed as a root certificate (which isn't difficult: just click on the certificate in your browser and it will happily install it, although there may be some dialogs regarding which certificate store to use, IIRC).

A more draconian solution would be not to allow signed applets. Signed extensions could still be used, but would have to be explicitly installed by the user (only once though), with a veritable plethora of interactive dialogs.

Time flies like a bird. Fruit flies like a banana.
Offline kappa
« Reply #15 - Posted 2011-02-18 00:45:24 »

Yeh, switching off self-signed certificates by default would pretty much fix everything; just leave them as an option which you would need to enable in the Java control panel to use.
Offline Alan_W
« Reply #16 - Posted 2011-02-18 01:05:46 »

> Yeh, switching off self-signed certificates by default would pretty much fix everything; just leave them as an option which you would need to enable in the Java control panel to use.

Now I come to look, there is an option for this. I unchecked it and, lo and behold, my self-signed applets get a warning dialog stating that they will be run in the sandbox. I think unchecked should be the default (even though it would inconvenience me: my Java4k entry Mage Wars still runs, but without multiplayer).

Offline hishadow
« Reply #17 - Posted 2011-02-18 01:41:37 »

I think a lot of these problems could be resolved with a better security dialog. Even I find it a little vague. An alternative could be a multi-page wizard dialog that tells the user what rights the applet is asking for and tells of their security implications, and where the user must manually enable each right. Self-signed applets should be restricted to the domain they're distributed from, and their certificate should convey this information.
Offline bobjob
« Reply #18 - Posted 2011-02-18 02:30:52 »

It really is an issue with the users; people don't want to read the possible issues they will face, just like they don't want to read license agreements.

The only "good" outcome is that all advanced content is managed in a standardised way via HTML5 and such. And when running an out-of-the-normal plugin you should consult a trusted site like Apple or Microsoft to see if it's trustworthy, because naturally a non-profit alternative wouldn't be trustworthy.
Right guys?? RIGHT??

Why do people have to use technology they know nothing about, and stop making it boring for the rest of us? It's as though PCs are slowly being taken away from geeks.

Offline Alan_W
« Reply #19 - Posted 2011-02-20 12:11:20 »

I've noticed a slight change in 6u24 with self signed certs.  They used to display '(Unverified)Publisher Name'.  Now they just display 'UNKNOWN'.  Probably this is to discourage malware authors self-signing as Sun or Oracle, and relying upon the user not understanding what Unverified means.

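A defender-side check of the kind Alan_W proposes in replies #14 and #16 (accept only signers whose chain ends in a trusted CA, refuse the self-signed ones that reply #19 says now show as publisher 'UNKNOWN'), as an added example that is not code from the thread or from Oracle's plugin. It assumes the JRE's own cacerts file as the set of trust anchors and a JAR path given on the command line; the class name SignerCheck and the Verdict values are this example's own.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

// Added example: classify a JAR's signer. Trust anchors are the JRE's cacerts store (an
// assumption; a deployment could use its own). Revocation is off so it runs offline.
public class SignerCheck {
    enum Verdict { UNSIGNED, SELF_SIGNED, UNTRUSTED_CHAIN, TRUSTED }

    public static Verdict classify(String jarPath) throws Exception {
        Set<CodeSigner> signers = new HashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known after the entry has been read and its digest verified.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { }
                }
                if (e.getCodeSigners() == null) return Verdict.UNSIGNED; // any unsigned entry: reject
                signers.addAll(Arrays.asList(e.getCodeSigners()));
            }
        }
        if (signers.isEmpty()) return Verdict.UNSIGNED;
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            cacerts.load(in, null); // null password: read the certificates without an integrity check
        }
        PKIXParameters params = new PKIXParameters(cacerts);
        params.setRevocationEnabled(false);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (CodeSigner s : signers) {
            List<? extends Certificate> chain = s.getSignerCertPath().getCertificates();
            X509Certificate leaf = (X509Certificate) chain.get(0);
            // A lone certificate that issued itself is what the plugin labels publisher 'UNKNOWN'.
            if (chain.size() == 1 && leaf.getIssuerX500Principal().equals(leaf.getSubjectX500Principal()))
                return Verdict.SELF_SIGNED;
            try {
                validator.validate(s.getSignerCertPath(), params);
            } catch (CertPathValidatorException ex) {
                return Verdict.UNTRUSTED_CHAIN; // signed, but the chain does not end in a trusted CA
            }
        }
        return Verdict.TRUSTED;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(args[0] + ": " + classify(args[0]));
    }
}
```

Run it as `java SignerCheck applet.jar`; a JAR signed with a keytool-generated self-signed key reports SELF_SIGNED, one signed by a public CA whose root is in cacerts reports TRUSTED.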