If you navigate to JavaFX.com on a Mac, you get this warning – at least, I do, and so does at least one other:
In case you can’t read it, it says:
This applet was signed by “JavaFX 1.0 Runtime,” but Java cannot verify the authenticity of the signature’s certificate. Do you trust this certificate? Click Trust to run this applet and allow it unrestricted access to your computer.
I trusted it anyway. Why? Mainly because it is on Sun’s site, and I doubt Sun was hacked. Second, because I clicked Show Certificate and it said everything was fine. Third, because on balance I think it is more likely that either Sun, Apple or a.n.other messed up either the cert or some other aspect of digital security programming, than that this particular bit of code belongs to a bad guy.
Nevertheless, I mention it because it illustrates the continuing hopeless state of Internet security. How on earth am I meant to know whether I should trust a certificate that “Java” has rejected? Who is this Java guy anyway? Why should I give any applet “unrestricted access” to my computer?
I see this all the time. We are confronted with impossible decisions, where one set of training tells us to click No – the certificate is out of date, the application is unsigned, the requested permissions are unwarranted – and another set of training tells us to click Yes – this is a reputable site, I need this installed to get on with my work, I’ve seen dialogs like this before and not come to any harm.
It might be better not to have the choice. In the scenario above, if the applet just refused to run, then there is a better chance that the problem would be treated as a bug and fixed. As it is, there is little chance that we will always guess right.
I total agree and the browser should never ask the above question. It is actually telling you that the certificate cannot be trusted although it is correctly formatted. It means that I could have created the certificate myself with Sun’s identity. Normally you can’t issue your own certificates, only a recognised entity like verisign has the right.
By answering yes to the above, you are rendering your security useless and only someone with detailed knowledge of SSL would know what it means anyway.
I blame Internet Explorer for starting this as it ask so many pointless questions, people invariable click ‘yes’ to everything. Firefox is not much better and safari only a little better than the others. Too much choice is as bad as too little.
John.
Like you mentioned, it has everything to do with who signed the certificate. For their samples, they include self-signing certs, which will encrypt like normal…just nobody to verify the “you are who you say you are” part. However, it also affects how the app will handle its cross-site scripting.
Either way, keep in mind that JavaFX apps aren’t meant to be simple and pretty flash animation replacements as much as they are meant to be used for RIA solutions. You typically only need to answer the security question once, and if you use the RIA for work or another regular, routine use, you will likely forget you ever had to take the extra second to click the button, since subsequent loads don’t require it. Moreover, a good production-level app ought to be signed properly anyway 🙂