Java Security

[ecross]

I've read a weekly news article at spywareinfo.com about Phone dialer programs installing itself with lowered ActiveX browsers which can disconnect a victim from their ISP, and dial an expensive long distance call number.

This would be a good idea to turn off ActiveX and assign which sites you trusted in the trusted zone from Internet Explorer. Just curious, what are things to look for something what I already described for Java and taking extra steps to secure a PC on the Internet.

I know some people turn off Java from their web browsers but why would this be? I'm curious to what users can do about Java and what things we need to look for.

Anybody?

[Goodz13]

What you've described is called a parasite. Java has a lot more security that ActiveX. In order for a Java Applet to access anything on your computer, it must be signed. Having said that, there are some ActiveX parasites that have MS digital signatures and ask you if you want to install them. But with Active X, once you trust the control, it may not ask you if you want to install it again. Where as a Signed Jar, each time you use it, it will ask you if you want to trust it.

If anything asks me to trust or install anything, I opt not to trust/install anything unless I trust the site.

Here's a good parasite info page. It even has script to test to see if there are any installed on your browser.

[ecross]

Goodz13,

Thanks for the link. I may find that useful. Can you explain what you mean by "it must be signed" in a little more detail? I don't understand what you mean that it must be signed. Since Java has a lot more security than ActiveX, do we even need to worry about security issues with Java applets?

I hear that some people disable Java. Any reasons why this might be and if it's a security issue? Any known security issues with Java applets?

I do know that applets can read system properties. Can this be a bad thing when it comes to security?

[Goodz13]

When you sign an applet, you are actually signing a JAR file. Steps can be found here.

All applets get downloaded to your local computer when they run on the internet. Much like image files. But the default policy has high security on applets. Applets can only connect back to the computer in which they came from and cannot access anything on your computer. When a signed JAR is downloaded (run) from a website, a dialog comes up with the digital signature asking you (the user) if you wish to trust the applet. If you trust it, then the applet can access local files.

Personally I don't worry about the security with applets unless the dialog comes up asking me to trust it. Then I start thinking... "Humm why does the applet want to access stuff on my computer?"

I hear that some people disable Java. Any reasons why this might be and if it's a security issue? Any known security issues with Java applets?

I don't know of any security issues. I'm more worried about ActiveX than a Java Applet.