How to use Java run time v1.7 (and newer) exception list for self-signed applets – Lars Werner
Jan 17 2014

Oracle have updated Java with a lot of annoying popups.

Oracle probably think that this increases the security of their “swiss cheese executable container” called Java.

Adito is no longer developed, and at the time it was, Java was “the way to do it”.

Adito from my site is an unsigned applet, and the default action is now to block it.

The best way to get rid of the problem is to decrease the security setting to “Medium”.

But you can instead add an exception for your own site and still keep “security” high.

This method is explained below.

Here is what happens when Adito is blocked from running:

[Screenshots: Java warning, Java block, Java failed]

To fix this, open the Control Panel and run the Java settings:

[Screenshot: Java control panel]

Go to the Security tab and push “Edit site list”:

[Screenshot: Java security tab]

Add your site to the exception site list; the entry is the same as what you see in your browser’s address field (scheme, host and port):

[Screenshots: adding a site to the exception list; adding localhost]

Now when you reload your Adito agent, you will be presented with this prompt:

[Screenshot: accepting the agent in the browser]

If you accept the risk, tick the checkbox and push Run.

(The Adito-agent is compiled by me, unchanged from source.)

The agent should be running like before.
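The Java Control Panel writes the entries from the steps above into a per-user plain-text file named `exception.sites`, one URL per line. The script below is an added example, not part of the original post or of Adito: it normalizes a browser address into the `scheme://host[:port]` form the list uses, audits an existing list for entries that widen the attack surface (a plain `http://` entry means the applet itself can be replaced in transit before the exception is ever applied), and appends a site without duplicating it. The default file locations and the sample list are assumptions for illustration; check the real path via the Control Panel on your system.

```python
"""Audit and extend the Java Deployment exception.sites list.

Added example, not from the original post. Assumptions: the file is plain
text with one URL per line, and DEFAULT_PATHS are the usual per-user
locations (verify against Java Control Panel > Security > Edit site list).
"""
import os
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Assumed per-user locations of exception.sites (hypothetical defaults).
DEFAULT_PATHS = {
    "win32": Path(os.environ.get("USERPROFILE", "~"))
    / "AppData/LocalLow/Sun/Java/Deployment/security/exception.sites",
    "linux": Path.home() / ".java/deployment/security/exception.sites",
    "darwin": Path.home()
    / "Library/Application Support/Oracle/Java/Deployment/security/exception.sites",
}

# Hosts where an http:// entry does not cross a network, so no in-transit risk.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def normalize_site(url: str) -> str:
    """Reduce a browser address to the scheme://host[:port] form of the list.

    Raises ValueError for anything that is not an http(s) URL with a host.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) site: {url!r}")
    host = parts.hostname.lower()
    port = parts.port  # raises ValueError if the port is not numeric
    return f"{parts.scheme}://{host}:{port}" if port else f"{parts.scheme}://{host}"


def audit_sites(lines):
    """Return (entry, warning) pairs for risky or malformed entries."""
    findings = []
    for raw in lines:
        entry = raw.strip()
        if not entry:
            continue
        try:
            site = normalize_site(entry)
        except ValueError:
            findings.append((entry, "unparseable entry; remove it"))
            continue
        host = urlsplit(site).hostname
        if site.startswith("http://") and host not in LOCAL_HOSTS:
            findings.append((entry, "plain http: applet can be replaced in transit"))
    return findings


def add_site(lines, url):
    """Return a new list of lines with `url` appended once, in normalized form."""
    site = normalize_site(url)
    existing = {line.strip() for line in lines}
    if site in existing:
        return list(lines)
    return list(lines) + [site]


def main(argv):
    """Usage: script.py [path] [url-to-add]  (defaults to the assumed path)."""
    path = Path(argv[1]) if len(argv) > 1 else DEFAULT_PATHS.get(sys.platform)
    lines = path.read_text().splitlines() if path and path.exists() else []
    for entry, warning in audit_sites(lines):
        print(f"WARNING {entry}: {warning}")
    if len(argv) > 2:
        new_lines = add_site(lines, argv[2])
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("\n".join(new_lines) + "\n")
        print(f"wrote {len(new_lines)} entries to {path}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to audit the list at the assumed location, or pass the file path and the address from your browser to add an entry; the normalization keeps the entry as narrow as the list allows (exact scheme, host and port), which is the point of the exception list over lowering the global setting to “Medium”.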

 Posted by at 22:44:17

  19 Responses to “How to use Java run time v1.7 (and newer) exception list for self-signed applets”

  1. Thank you for your reply. Good work BTW. It is a shame to see this project fall by the wayside.

  2. Hi Lars,

    Just wondering if I could have a copy of your article on how to sign a existing jar (adito agent) when you have it completed.
    Also, I was wondering if Adito will ever incorporate using TLS1.2 Protocol instead of only TLS1.0?
    My cert testing comes back as A- but when scanning my Adito site it comes back with some insecure SSL ciphers:
    TLS_DH_anon_WITH_AES_128_CBC_SHA [insecure]
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_DH_anon_WITH_3DES_EDE_CBC_SHA [insecure]
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

    Should I be concerned about this and if so is there a way I can better secure it?
    I am using your newest SVN release and it works great BTW but this is my only concern at this point.
    Thanks in advance

    -Ed

    • Hi Ed, article writing is kind of slow these days 🙂

      Adito will only support TLS 1.0 and development will probably never be updated again. (I just created the installer…)
      Adito is not for production, only to be used at home or similar. It is as good as it can get atm.

      In my setup I have access to RDP only to an “untrusted” source so it is constantly asked for pw for shared etc.

      So please keep that in mind if you think about future solutions. I also have an OpenVPN server that gives a “real” secure connection to my home. Adito is used as backup…

      -Lars
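Ed’s scan output above lists cipher suite names in the IANA `TLS_<key exchange>_WITH_<cipher>_<MAC>` form, and the two flagged `[insecure]` are the anonymous Diffie-Hellman suites: with `DH_anon` the server is never authenticated, so anyone on the path can sit in the middle of the connection regardless of how good the site’s certificate is. The script below is an added example, not from the post or from Adito; it parses names like those in the comment and rates each one, so a scan report can be triaged without memorizing the suite catalogue. The sample report lines are copied from the comment; the rating rules reflect current guidance (anonymous exchange and RC4/NULL/EXPORT are insecure, 3DES and static RSA key exchange are weak).

```python
"""Rate TLS cipher-suite names from a scan report.

Added example, not part of the page. Splits TLS_<kx>_WITH_<cipher>_<mac>
into its parts and explains why a suite is insecure, weak or acceptable.
"""
import re

SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<rest>.+)$")
SEVERITY = {"ok": 0, "weak": 1, "insecure": 2}

# Constructed sample input: the suite list from the comment above, with the
# scanner's trailing "[insecure]" tags as they appeared there.
SCAN_OUTPUT = """\
TLS_DH_anon_WITH_AES_128_CBC_SHA [insecure]
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA [insecure]
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
"""


def classify_suite(name):
    """Return (rating, reasons) for one suite name; rating is the worst finding."""
    m = SUITE_RE.match(name.strip())
    if not m:
        return ("unknown", ["not a TLS_<kx>_WITH_<cipher> name"])
    kx, rest = m.group("kx"), m.group("rest")
    rating, reasons = "ok", []

    def bump(level, why):
        nonlocal rating
        reasons.append(why)
        if SEVERITY[level] > SEVERITY[rating]:
            rating = level

    # Key exchange: who is authenticated, and is the session key forward secret?
    if "anon" in kx:
        bump("insecure", "anonymous key exchange: server not authenticated, interceptable")
    elif not kx.startswith(("DHE", "ECDHE")):
        bump("weak", "no forward secrecy: a leaked private key decrypts past sessions")

    # Symmetric cipher.
    if "NULL" in rest or "EXPORT" in kx or "EXPORT" in rest:
        bump("insecure", "no or export-grade encryption")
    if "RC4" in rest:
        bump("insecure", "RC4 stream cipher is broken")
    if "3DES" in rest or rest.startswith("DES_"):
        bump("weak", "64-bit block cipher: birthday attacks on long sessions")
    if "_CBC_" in rest or rest.endswith("_CBC"):
        reasons.append("CBC mode: relies on correct padding/MAC handling and TLS >= 1.1")
    return (rating, reasons)


def scan_report(text):
    """Map each suite name in a scanner listing to its rating, ignoring scanner tags."""
    report = {}
    for line in text.splitlines():
        name = line.split()[0] if line.strip() else None
        if name:
            report[name] = classify_suite(name)[0]
    return report


if __name__ == "__main__":
    for line in SCAN_OUTPUT.splitlines():
        name = line.split()[0]
        rating, reasons = classify_suite(name)
        print(f"{rating:9} {name}")
        for why in reasons:
            print(f"          - {why}")
```

The rating is deliberately the worst of the independent findings, so a suite with an authenticated `DHE_RSA` exchange still drops to “weak” when it carries 3DES; the per-suite reasons are what you would paste into a ticket asking for the server’s cipher list to be restricted.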

  3. Hi,

    I have a StartSSL certificate.

    It works with the OpenVPN page itself (I get the green bar) but it breaks the ability to run the Adito agent.

    Any hint?

    Thanks!!

    • Hi Filipe,

      Backup your installation path and run the setup again (through start menu). But my cert on the adito client is out of date. You might need to sign the client by itself.

      • Hi!

        I’m using Ubuntu Server 🙂

        I always get the same error when launching the java applet. If I use the “default” cert or create a new one on the installation process everything works fine.

  4. Thanks Lars,

    I agree completely with you on how Oracle has just been horrible with how they’ve handled the java security problems. Once they realize all they’ve done is train users to lower the security they’ll lock it down tighter and completely miss the point. I only see things getting worse. I see the only option right now to be to comply until enough people get angry and start producing viable alternatives.

    Anyway, ranting aside.. I didn’t know about certum.eu. What made me ask you was that I thought you might have done this before. I’ve been afraid to try this myself because I was afraid I’d screw it up or buy the wrong thing and lose my investment. If you’re not sure yourself then I wouldn’t want you to feel pressured or anything.

    Certum.eu looks great and now I need to find out if there is a catch like being the project owner or something. Now I’m thinking maybe an even better alternative would be a tutorial on compiling it ourselves using certum if they allow anybody to apply. I’m going to give it a shot and if I find anything myself, I’ll pass the info along.

    Thanks again for the info!

    -Ed

  5. If I sent a donation to cover the cost of a code signing cert and your time, could you release a signed version for all to benefit from? About how much of a donation would cover it?

    • Hi Ed,

      I’ve never signed an applet before in Java. But I will look into it and check.

      -Lars

    • Hi Ed,

      I’ve checked the cert needed for this operation, and it is not cheap.
      What is needed is a Code signing cert and there is a yearly fee to keep it alive.

      This is what I’ve done so far:
      1. Contacted https://www.certum.eu regarding an open source free license, asking if there are any hidden fees.
      2. Checked the cheapest cert sites; here are some results:
      a) $70 a year: https://author.tucows.com/index.php?action=auth&redirect=certs.php
      b) $85 a year: https://cheapsslsecurity.com/comodo/codesigningcertificate.html
      c) $90 a year: https://www.thesslstore.com/promoads/cheap-code-signing.aspx
      3. Read about alternatives like http://www.cacert.org/ or http://www.startssl.com, but these are not trusted CAs, meaning that the end user has to add a cert to their PC to make it work.

      Oracle are probably being paid by CAs for implementing this stupid upgrade.
      Signing an applet does not equal a secure applet, it only shows you the name of the author.
      Oracle should have used their time to fix the Java sandbox!

      I dunno if I will use my time to sign this, I’ll decide after Certum have replied.

      -Lars

      • Just a quick update. I reached out to certum.eu and like you, I haven’t gotten any response yet. I also did some reading and found that apps signed with a code signing cert remain valid even after the code signing cert expires as long as the signed app also includes a signed timestamp from some sort of accepted time authority. I think there are some exceptions to this process so I’m trying to wrap my head around them before moving forward. From the sound of it though, it looks like as long as the adito agent’s code doesn’t change, a 1 year cert from the right authority will be all that’s necessary to sign it forever.

        I also found that digicert has great articles on java signing even though their certificate prices are horrible:

        http://www.digicert.com/code-signing/java-code-signing-guide.htm

        • Hi Ed,

          I have got response from certum.eu and got positive response.
          My cert got thumbs up today and I’m working on getting the applet signed 🙂
          Hopefully a signed version is online soon. Next year I have to do the same procedure again…

          Stay tuned 😉

          -Lars

        • Hi Ed,

          I have just released a signed version of the SVN release. Check the installer page 🙂

          I started working on an article on how to sign an existing jar. That would probably help some developers later on.

          Cheers,
          Lars

        • Hi,
          I use startssl.com certificate for Adito. It costs 59$ for 2 years for a multidomain certificate.
          You’re not right, Startcom LTD is a trusted CA, you can see it in the firefox trusted CA list for example 😉

          Regards
