Java 7 Update 11 and unsigned applets
984653Jan 14 2013 — edited Jan 14 2013Hi there,
after reading
The default security level for Java applets and web start applications has been increased from "Medium" to "High". This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the "High" setting the user is always warned before any unsigned application is run to prevent silent exploitation."
http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
I'm asking me why an unsigned applet running in a security sandbox shows a user warning by default whereas a (according to http://mindprod.com/jgloss/signedapplets.html potentially dangerous) signed applet having full access to local discs does not??
Our company is developing unsigned applets running in a sandbox. Due to the change in 7u11, we are in the need to either recommend all customers to change their security level back to "Medium", or let them again and again click "ok" when the alert window appears. "Dont show this message again for this application" does NOT work, everytime I reload a webpage with the same applet, I get this warning. If the website contains multiple applets, I get a warning for each of them which is even worse!
My questions are:
1. What is the idea to show messages for unsigned applets running in a secure sandbox.. why when running in a sandbox, and why not also for potentially more dangerous signed applets?
2. Does a non-admin user have privileges to change the security level by default?
3. Is there any recommended strategy to sign an applet to work across browsers, platforms, JRE versions?
4. Are there negative side-effects to sign an applet?
Thanks, Peter