Re: Basic question about nutual authentication invlving applet and server

Ted Byers wrote: 
Thaqnks speedo.

Question, you say I can hardcode my server's certificate in the applet. How exactly do I do that? Do I include the certificate in the jar file, and read it from there? Since this is the same certificate that is used to sign the jar file, can it be used to verify the applet has not been modified? If so, how? It doesn't seem very secure since presumably the embedded certificate could be used to sign a modified version of the applet. In other words, wouldn't a cracker be able to extract the certificate and use it for whatever evil purpose he wants?

The certificate per se includes a public key needed to verify a digital signature but not the corresponding private key needed to form a signature. Don't send the private key.

...

Is there a way to ensure that the jar file containing the applet is neither cached nor modified on the client machine? 

  You'd have to trust the client machine.

Question: Can an applet create a digest of the jar file in which it was sent to the client browser, and then send that digest to the server for comparison with the digest of the jar file as it exists on the server?

The server would have no way to verify that the alleged hash it receives was sent by the applet itself.

And can the browser be prohibited from caching the jar file containing the applet?

The server can suggest not caching, by sending a no-cache header or a web page with a <meta> tag for no-cache (The exact syntax eludes me.), but the server has no way to enforce it.

Would that enable the server to ensure that the applet had not been modified either on the client machine or between the client and server?

Nothing is going to ensure that the applet has not been modified on the client machine, if the client machine's user is sufficiently determined.


Is it not a significant hole in java security if I can not verify, from my server, that the applet or application trying to connect to my server is in fact the same code I signed? 

  Security for applets is designed to protect the client running them.

--Mike Amling
.

Relevant Pages

  • SSLSocket between application and signet applet dont work
    ... I want a web applet that begin an SSL connection with the server of his ... solution is tu put the certificate in jar file, ...
    (comp.lang.java.programmer)
  • Re: pls test my applet
    ... can't load it and I'm trying to find the reason as it works fine on my ... Have your server do the connect to outside servers. ... There's a lot of mischief you can do with an certificate, ... reasonably wonder why your applet has to contact another server. ...
    (comp.lang.java.programmer)
  • Re: Unsigned applet and SSL
    ... Pratul Chatterjee wrote: ... > signing the applet is not an immediate option. ... Switching on SSL on this server was straightforward. ... > 1) Save the server's certificate and add it to the Java certificate ...
    (comp.lang.java.programmer)
  • Re: Basic question about nutual authentication invlving applet and server
    ... you say I can hardcode my server's certificate in the applet. ... the server will request a client certificate. ...
    (comp.lang.java.security)
  • Re: Retreiving Server Time
    ... I will use a JSP servlet to retrieve the server time, ... time to the applet. ... > Windows XP synchronizes itself to nist, ... > But since you have no control over the client machine you have ...
    (comp.lang.java)