Right now I’m going to focus in making sure it is hard for an outsider to tamper with my Jar file on my server. Hopefully I won’t be buying any certificate or such things. I’m using apache by the way.
I figured out securing my server is better than buying certificates. sob,sob I’m crying tears of joy. :=) @gouessej
One question. What’s the stupid explanation for certificates? If a hacker has enough power to intercept a jar file then he/she has enough power to thwart the verification process for the user. Please someone tell me. I’m so mad at this money grubbing scheme… I can’t even… I can’t even talk. >:(
@Pixelapp said: One question. What's the stupid explanation for certificates? If a hacker has enough power to intercept a jar file then he/she has enough power to thwart the verification process for the user. Please someone tell me. I'm so mad at this money grubbing scheme... I can't even... I can't even talk. >:(
It’s easy to swap out a link for a different one… just hack the web page or impersonate it. It’s difficult to spoof a jar cert and it’s even harder to subvert the whole verification process.
For a web start app, the signed jars all get signed together by your certificate which proves you packaged the app… even if the jars are downloaded separately, etc… They all have to be signed together. Then there is a chain of trust.
So if someone hacks your site or just pretends to be your site by creating a similar one with a link to the jnlp of a malware version of your app, they’d have to have a valid cert and have re-signed the whole app.
@pspeed Yeah but the people who will verify the jars with the certificates are websites too so if my website can get hacked so can theirs, so, certificates are a moronic idea. Certificate people are morons >:(.
@EmpirePhoenix You don’t even need a self signed certificate. You just need to get a certificate wi the same name as mine or very very similar and there is no way of knowing what’s what. You can always fake the information you send to the certificate authority.
Certificates = stupid.
@Pixelapp said: @pspeed Yeah but the people who will verify the jars with the certificates are websites too so if my website can get hacked so can theirs, so, certificates are a moronic idea. Certificate people are morons >:(.
I think you misunderstand how all of this works and I don’t have the time to teach you. So, good luck with your game.
OK. OK. After some thought this is what I’m going to do. I’ll sign with a godaddy certificate everything I need to run my games (JInput, and any other .dll needed). I’ll post those on my site pixelapp.co so everyone can used them. Then I’ll put a donate button for developers that use it. Also, I’ll occasionally update the information below the button to inform how much of the total amount for the year we have funded.
I don’t guarantee any security other than the security the certificate offers. If you would like to know how secure the safe the files are I encourage you to decompile the files and look at them.
What are your thoughts guys/gals?
I’ll be buying the certificate anyways so I might as well do this.
I don’t see any real harm in doing that but it won’t help anyone … since they will have to add their own code to make their app and unless their code is signed everything counts as unsigned (effectively).
Also if someone should manage to contaminate one of those jars (for example you have an undetected virus on your computer when you build them) you could become liable.
<cite>@zarch said:</cite> I don't see any real harm in doing that but it won't help anyone ... since they will have to add their own code to make their app and unless their code is signed everything counts as unsigned (effectively).Also if someone should manage to contaminate one of those jars (for example you have an undetected virus on your computer when you build them) you could become liable.
It will help! As long as the programmer doesn’t request <all-permissions>, their app is treated as a signed jar by Java.
Also, that’s why I say you should decompile the file to ensure safety. Decompiling the file gives you a 100% guarantee they are ok.
You are confused. Try to solve actual problems you can see and provoke instead of ones you make up 
<cite>@normen said:</cite> You are confused. Try to solve actual problems you can see and provoke instead of ones you make up ;)
I don’t understand.
<cite>@normen said:</cite> Exactly.
Now I understand even less. 
Would you be kind enough to elaborate??
@Pixelapp said: Now I understand even less. :/Would you be kind enough to elaborate??
The problem is that you don’t understand how this works and yet try to do something. That will inevitably lead to problems. Just cut it out.
@normen Ok. Done. I won’t do it. I’ve “cut it out”.
Do you care to elaborate what problems this “inevitably leads” to? I would like to know for future reference, please.
Let’s have a conversation here.
@Pixelapp said: @normen Ok. Done. I won't do it. I've "cut it out".Do you care to elaborate what problems this “inevitably leads” to? I would like to know for future reference, please.
Let’s have a conversation here.
Yes, if somebody keeps asking “How can I use this spoon for sword fighting” then even if he asks “But if I wield it like so, then it should work, right?” He will still get the same “No” as an answer and he will still get beheaded by that guy with the hatchet or sword.
Unfortunately the world of computer security is an incredibly horrible can of worms, and to mix a metaphore you are dipping your toe in those waters and we are left watching and waiting for the inevitable shark attack that’s going to take off your leg.
A conversation is a nice idea but there is a lot of fundamental knowledge needed before that conversation can even happen and your best starting point for understanding what certificates are and how they work and why getting certificates from a non-standard authority is essentially useless is the wealth of material about such things available online.
For running anything downloaded from the internet modern computers will throw up warnings. If that thing is not signed then those warnings will become far more severe. It doesn’t matter what privs you request since the java security sandbox has unfortunately now been compromised to the point that no browsers fully trust it.
If you want to run it as a local exe it should be signed. If you want to run it as an applet it should be signed (but applets are dying nearly as fast as flash as most browsers are dropping them over security fears).
In the case of herodex I do not need to sign the individual jar files at all as I sign the installer. Once it is installed it is running from the local hard drive with user privs and no further signing is required.
1 Like
@PixelApp I hope it is ok now. You can prevent anybody from moving your signed JARs without obtaining additional scary warnings thanks to some new features in Java 1.7 update 25, look at the “Codebase” manifest attribute mentioned in the best practices.