One of the bigger concerns in the software industry is how to ensure users can trust code that is published on the internet. Browsers typically display a warning message explaining the possible dangers of downloading data, but do nothing in terms of verifying that the code is what it claims to be.
To assist in the trust decision process, software publishers can digitally sign their code. Digital signatures answer the questions of authentication and integrity, that is:
- Who signed the code?
- Has the code been tampered with since it was signed?
- Can I trust the software publisher?
- Does the code contain malware?
Java has taken an active approach towards making the internet a reliable medium for distributing software.
A new requirement from Java 7u51 requires that all browser-based Java applications need to be signed. Rich Internet Applications (RIAs), as they are known, that do not conform to this new requirement will be blocked by the default security slider.
RIAs must now include two things, says the Java Platform Group: Code signatures from a trusted authority (in other words self-signed code will not be accepted), and the manifest attributes specified under the 7u51 release, which was published in January.
The short version, according to the Java Product Group, is as follows:
- You are required to sign all RIAs (Applets and Web Start applications).
- You are required to set the "Permissions" attribute within the Manifest.
- Your application will be affected if it uses Java started through a web browser. Your application will not be affected if it runs anywhere outside of a web browser.
- Applets must contain code signatures from a trusted authority
South African developers and organisations that have not updated their applications risk having them blocked. These updates are intended to provide users with the assurance that a Java web app or Web Start app doesn’t contain malicious code or malware, and, as such, non-compliant code will be considered a security threat.
Developers can sign your code using a self-signed certificate or using a certificate issued by a publicly trusted CA. For user trust and the longevity of your code, it is recommended that you use a certificate issued from a publicly trusted Certificate Authority. Self-signed code that uses self-signed certificates, in particular, is not verified - signatures will provide a trust warning indicating that there was an un-verified publisher and will display “Unknown Publisher” when downloading the code. This means they can be associated with fake identities and are vulnerable to Man-In-The-Middle attacks.
Because self-signed certificates look the same as the publicly trusted certificates issued by a Certificate Authority, it is difficult to know what to trust and these certificates will increasingly become unacceptable as security is tightened up in response to more sophisticated cyber-criminals and increased cyber-crime activity.
Megan Rehbock, LAWtrust, certificate service manager
LAWtrust is a specialist security solutions provider that builds trust in information systems through establishing authenticity, accountability and privacy in data messages. It focuses on applying digital signatures and positive identity to business processes, saving time, lowering costs and reducing risk for businesses. LAWtrust operates the only WebTrust certified trust centre in Africa, is included in both the Adobe and Microsoft Trust Lists as a Trusted Root Certificate Authority and was the first accredited authentication service provider under the ECT Act to provide advanced electronic signatures. LAWtrust is also an experienced security solution integrator playing a key role in many strategic projects in both the private and public sector, such as implementing, integrating and operating the PKI and Key Management System for South African National ID card operation. http://www.lawtrust.co.za