Java 7 update security changes

Laurent Bourgès bourges.laurent at gmail.com
Thu Jan 16 00:39:53 PST 2014


Hi again,

one short question to the IVOA / VO managers:

Is is possible that IVOA provides one single trusted certificate to VO
application deployers ?

Doing so, a single organisation (=IVOA) will pay the trusted
certificate (to global sign for example) ~ few hundred dollars (=563$
for 3 years) !

It will save money for all VO projects and help people facing this
issue... and the IVOA will be more visible to end-users.

Regards,
Laurent

2014/1/15, Laurent Bourgès <bourges.laurent at gmail.com>:
> Hi all,
>
> FYI java 1.7.0_51 release is available since last night (GMT) so
> please check your applications (applets / JNLP) using this JDK 7
> update.
>
> By default, the security level is now set to HIGH => self-signed
> applications are blocked.
>
> As a workaround (no trusted certificate available), you can tell your
> users to set the security level to MEDIUM which let your applications
> run once the user accepts the security warning dialogue !
>
>
>> As far as I can tell this means that WebStart/JNLP applications,
>> as well as applets, will stop working for users who have the latest
>> java installations, until/unless the relevant jar files:
>>
>>    a) have an appropriate "Permissions" attribute in the Manifest
>>    b) are signed by a trusted Certificate Authority
>>
>> This appears to be true even if the applications in question don't
>> need to do any of the things that normally require security permissions.
>>
>> For JNLP deployers, (a) is easy enough to fix.  (b) however may not be,
>> since in general it requires that the jar file is signed with a
>> certificate you have to pay for.  The documentation seems to indicate
>> that self-signed certificates no longer just give you a scarier
>> confirmation dialogue, they stop the thing running at all.
>> So if you can (i.e. if you have access to a trusted certificate),
>> you should make sure that steps (a) and (b) are satisfied in your
>> deployed WebStart applications.  I fixed the topcat webstart links
>> this morning, and JMMC have done theirs.
>
>
> Cheers,
> Laurent
> --
> Laurent Bourgès
> Software engineer
> (Fixed-term Contract)
> +33 4 76 63 55 19
> JMMC, IPAG - CNRS
> France
>


-- 
-- 
Laurent Bourgès
Software engineer
(Fixed-term Contract)
+33 4 76 63 55 19
JMMC, IPAG - CNRS
France


More information about the apps mailing list