[icedtea-web] Idea - do not start ITW applets automatically
Adam Domurad
adomurad at redhat.com
Wed Jan 16 10:59:07 PST 2013
On 11/15/2012 03:30 PM, Adam Domurad wrote:
> So in lieu of requests such as [1] and the potential for unsigned code
> escaping the sandbox (eg, the recent 0day) it could be worth looking
> into a feature that has applets not start automatically, but rather
> require a user confirmation (click?) to begin. Additionally a more
> strict setting could not allow This could be controlled via
> itweb-settings/environment and distributions might want it as the
> default.
>
> There should be some way to opt-in normal execution of signed applets
> based on certificate. When an applet's certificates are all opted in,
> it will start automatically. (Note that we do not need to handle mixed
> signed + unsigned code specially, it already requires a confirmation.)
> Unsigned applets, if we choose to allow them being opted in, can be
> opted in on a full domain name basis.
>
> The main motivation I have for proposing this feature is that many
> applet users only use a handful of applets, and having other applets
> automatically start is mostly an unnecessary attack surface. I have
> seen "Disable java in browser, and turn it on for any applets you need
> to use only" given as advice following the 0day, and this would be a
> superior option.
>
> [1] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1211
>
> Thoughts?
> -Adam
So hey, yet another 0day since this, good times.
So something like this now has become default in Oracle's plugin.
Starting with the most recent Oracle Java release (the recent 0day fix)
applets in the browser run in 'high security' setting by default. This
setting requires explicitly allowing unsigned content to run.
Oracle implements this via a pop-up window: A 'Do not show this again
for this app' checkbox allows the option of running/not running to be
remembered.
Example of the new default behaviour for unsigned applets:
http://i.imgur.com/RZWIG.png
The pressure is on us to do the same for icedtea-web for applets (JNLP
launched programs will not be affected).
Jiri mentioned the implementation should probably be done in at least
two parts; here is how it could be done:
1.) In icedtea-web settings panel, have a High/Medium switch for
security, defaulted to High. Require user confirmation for all unsigned
applets on Medium.
[The name Medium here corresponds to the related Oracle security level.
We do not really need to implement Very High (no unsigned applets
running) nor Low (all applets run automatically).]
2.) Implement whitelist/blacklist similar to how Oracle does this -- ie,
always/never option while confirming unsigned applet running, and a way
to manage this in icedtea-web.
Open questions:
- Click-to-play, vs pop-up ? (Funny result of click to play is, when
used with browser click to play, unsigned applets need double-click. Not
worse than click+pop-up, though)
- How to implement always/never options?
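As an added illustration of the policy sketched in this thread (this is not icedtea-web code and not the author's implementation), the following Python models the decision an applet launcher would make: signed applets start automatically only when every signer certificate has been opted in, unsigned applets are confirmed on a per-domain basis, and "always"/"never" answers from the confirmation dialog are remembered. The class and level names are my own; the reading that High also asks for signed applets whose certificates are not opted in while Medium asks only for unsigned ones is my assumption, since the message leaves that split open. Very High and Low are left out, as the message suggests. The certificates in the demo are constructed byte strings, not real DER.

```python
# Added example (not icedtea-web code): a model of the click-to-run policy
# discussed in this thread. The High/Medium semantics and all names below
# are assumptions chosen to match the proposal.
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    HIGH = "high"      # proposed default
    MEDIUM = "medium"  # Very High and Low are deliberately not modelled


class Decision(Enum):
    RUN = "run"        # start without asking
    PROMPT = "prompt"  # click-to-play or confirmation dialog
    BLOCK = "block"    # user previously answered "never"


@dataclass(frozen=True)
class Applet:
    codebase_host: str          # host the applet is loaded from
    signer_certs: tuple = ()    # DER signer certificates; empty means unsigned
    mixed_code: bool = False    # signed and unsigned jars together


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, used as the opt-in identity."""
    return hashlib.sha256(der).hexdigest()


@dataclass
class StartPolicy:
    level: Level = Level.HIGH
    trusted_signers: set = field(default_factory=set)  # opted-in cert fingerprints
    remembered: dict = field(default_factory=dict)     # always/never answers by key

    @staticmethod
    def key_for(applet: Applet) -> str:
        # Signed applets are identified by their complete signer set,
        # unsigned ones by domain name only, as the proposal suggests.
        if applet.signer_certs:
            fps = sorted(fingerprint(c) for c in applet.signer_certs)
            return "cert:" + ",".join(fps)
        return "host:" + applet.codebase_host.lower()

    def opt_in_signer(self, der: bytes) -> None:
        """Opt in a signer certificate so applets it signs may auto-start."""
        self.trusted_signers.add(fingerprint(der))

    def remember(self, applet: Applet, allow: bool) -> None:
        """Record a 'do not show this again' answer: True=always, False=never."""
        self.remembered[self.key_for(applet)] = allow

    def decide(self, applet: Applet) -> Decision:
        if applet.mixed_code:
            # Mixed code already prompts today; this feature leaves that alone.
            return Decision.PROMPT
        key = self.key_for(applet)
        if key in self.remembered:
            return Decision.RUN if self.remembered[key] else Decision.BLOCK
        if applet.signer_certs:
            all_trusted = all(fingerprint(c) in self.trusted_signers
                              for c in applet.signer_certs)
            if all_trusted or self.level is Level.MEDIUM:
                return Decision.RUN
            return Decision.PROMPT   # High: signed but not opted in, so ask
        return Decision.PROMPT       # unsigned: ask on both levels


if __name__ == "__main__":
    # Constructed sample data; "cert-A" stands in for a real DER certificate.
    cert_a = b"constructed-cert-A"
    policy = StartPolicy()
    unsigned = Applet("applets.example.org")
    signed = Applet("applets.example.org", (cert_a,))
    print("unsigned, High:", policy.decide(unsigned).value)     # prompt
    print("signed, not opted in:", policy.decide(signed).value)  # prompt
    policy.opt_in_signer(cert_a)
    print("signed, opted in:", policy.decide(signed).value)      # run
    policy.remember(unsigned, False)
    print("unsigned after 'never':", policy.decide(unsigned).value)  # block
```

The remembered-answer table is keyed on the same identity used for opt-in (certificate set or lower-cased domain), so a "never" for an unsigned applet applies to every unsigned applet from that host, which is the behaviour the per-domain opt-in implies; a per-URL key would be the alternative if that is too coarse.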