[icedtea-web] Idea - do not start ITW applets automatically

Adam Domurad adomurad at redhat.com
Fri Nov 16 08:50:59 PST 2012


On 11/16/2012 03:30 AM, helpcrypto helpcrypto wrote:
> [..snip..] So, any Java Applet execution could require an additional 
> "security control" before running, no matter signed or unsigned. 
> Again, IMHO, the real problem is that users are not "skilled enough", 
> and usually click without worrying, which makes the measure useless, 
> and makes the user tend to ignore more warnings. (eg: Remember the 
> annoying Vista User UAC?)

I don't think pop-up security controls are good here for exactly the 
reasons you mention.

The idea is more for users who want to use a handful of applets but are 
not interested in applets beyond that. I'm thinking there will be one 
setting that has them on the page with the usual applet area, and a 
'click to begin'. Another setting would disable non-opted-in applets 
completely. This would be fairly good against an applet hidden on some 
corner of a site trying to sneak in a sandbox breach - the user would 
probably not even realize it was there (with it not being able to run 
any code).

For signed applets I'm considering whether it'd be useful to have the 
user click to start the applet as well, as you say pop-up security 
controls tend to be auto-accepted.

> I think "trust for domain" is a good alternative, as it will only 
> appear "once" in the event the user allows it the first time. What about 
> subdomains? Another thought: although my applet can import certs into 
> the cacerts keystore (hence marking itself as trustworthy), IMHO it 
> shouldn't be possible to add a domain as "trusted-to-run-applets" from 
> an applet. 

Good point. Per-domain is probably better here (although do note you 
would get a mixed signed/unsigned code warning here).

Thanks for the continued interest in/discussion of ITW! It's really 
appreciated.

-Adam
