On Mon, Nov 24, 2008 at 5:26 PM, Aryeh Gregor Simetrical+wikilist@gmail.com wrote:
On Mon, Nov 24, 2008 at 2:31 PM, Brion Vibber brion@wikimedia.org wrote:
Aryeh Gregor wrote:
They wouldn't have to click through if it was signed, would they?
Yes they would.
If that wasn't the case, then any web site you visited could read all your files without notifying you simply by signing their malware applet.
I don't know anything about Java signing; I was relying on (my possibly incorrect reading of) what Greg Maxwell has said in this thread. I was assuming there was some kind of PKI being used here, as with HTTPS, so that "trusted" applets would silently run with more permissions. If not, then never mind what I said above.
You get no warning *at all* on non-origin network access for applets signed by an approved key. For example: http://www.jcraft.com/jorbis/player/JOrbisPlayer.php?play=http%3A%2F%2Fuploa...
I don't have direct knowledge for file access. I had assumed that it was the same, but I'm guessing there.
For Java Web Start and complete system access I just get a fairly friendly "This was published by Foo Corp. Do you wish to run it. [ ] Always trust content from Foo Corp."