I have a SSL applet I want to connect to a Cpp server. Do I need to self sign the JAR at all? Also do I absolutely need to set up a CA to do it?
I had some luck with trust stores in the past. Do I need a trust/key store to get it working? If so can you please link me a decent page on how to do it?
The difference between signed and unsigned applets is that unsigned applets runs in a security sandbox and is restricted in what they can do. The can make http connections to the server they was loaded from. The can not make http connections to other servers.
So it is not neccesary to sign the applet provided that you host the applet on the server you want to connect to.
Using SSL is a neccesary if you want the connection between the server and the applet to be secure.
Related
I'm hosting a web game on github pages. It's a react app that connects to a websocket server (via wss) running off of a linux box in my living room. I've generated a self-signed certificate for the server, and github-pages already has a Let's Encrypt certificate by default. Presumably because the cert is self signed, the client refuses to connect to the "insecure" server and I am not prompted to install the certificate or anything, because the client does have it's own separate certificate. Would just buying a real certificate solve all my problems? Should I just host the website from the same server and figure out all the stuff associated with that (I realize this is probably the best answer)? What's the public opinion on having separate ssl certificates for client and server?
you can add your self signed certificate to your local truststore, but it's a little work and everyone connecting to your site would have to do it.
buying a certificate would solve this problem, because it is then signed by a trusted certificate authority which allows everyone to verify your servers identity.
on the other hand, if you move your ui to the self signed server too, the web browser will prompt (respectively warn) the user about the untrusted certificate and the user is about to say wether he wants to advance to the site or not. this would "solve" the problem too.
last, but not least. it's quite common to have ui and backend separated and therefore having separated certificates too, but not in such little applications. in a big environment definitely worth it, because it's a separation of concerns.
I want to restrict the direct download of a file on my site (let's say www.me.com/asd.txt)
but permit to my java applet in www.me.com/javaapplet.jar to be able to download it.
Is there a simple way for this?
I'm not sure if it's relevant, but the server is running Apache 2.2.24
Anticipated thanks for your help,
sboda
A secure way to do this is to require client certificate authentication for applets that want to download your file. Here's an example that uses the Apache HTTP Client.
You'll also need to create a self-signed client certificate that you provide to "valid" users through some other channel (like a web page with a required login), and you'll need to tell your HTTP server about the self-signed certificate. Here's a way to set up a self-signed client certificate if you are using Tomcat: Tomcat Server/Client Self-Signed SSL Certificate. Of course, other HTTP servers will have different procedures.
There are some issues using the browser certificates with the java plugin that will require your users do to some work exporting the browser certificates for use with the Java plugin. See http://download.java.net/jdk7/archive/b126/docs/technotes/guides/deployment/deployment-guide/upgrade-guide/article-16.html
Use a private key. The file can only be downloaded if the private key is passed along with the request.
I have made an applet that creates an SSL socket connection with a Cpp server. I understand a truststore is needed to establish a SSL socket connection with a Java client and SSL server. What my question is about regards how to use Java API code to let the applet know the name and password of the truststore I want to use (say mytruststore). I had some old code that used to work but doesn't anymore due to a recent Java update (probably to patch a security concern)
I understand a truststore is needed to establish a SSL socket connection with a Java client and SSL server.
Only if the server uses a self-signed certificate. If it does, and if you can change that, get it changed, it is poor security practice and it is putting additional complexity and cost into your client. If the server uses a CA-signed certificate the default Java truststore will work.
What my question is about regards how to use Java API code to let the applet know the name and password of the truststore I want to use (say mytruststore).
You don't need the password for a truststore, only for a keystore (i.e. containing a private key). If you really have to include your own truststore, just hardcode its name.
I'm new to SSL connections so here goes my question.
I have a desktop Java program in a JAR file. This JAR sends sensitive information over the internet to a remote Tomcat server. Of course I need to encrypt the data.
If I purchase an SSL cerfiticate say from Verisign, will the data sent over SSL be automatically encrypted?
I mean in my JAR, will I still need to do extra work like use Java encryption extensions API to manually encrypt my data over the SSL connection?
Thank you.
I mean in my JAR, will I still need to do extra work like use Java encryption extensions API to manually encrypt my data over the SSL connection?
Encryption will be done for you (with the Java Secure Socket Extension). Just establish your connection using https://. Maybe have a look at HTTP Client for a higher level API.
By the way, the certificate goes on the server side (unless you want to do client-authentication too in which case, well, you'll need a client certificate too).
And yes, you could use a self-signed certificate but one of the benefits of using a certificate signed by a well known Certificate Authority (CA) like Verisign, Thawte, etc is that you won't have to add it to the trust store of the client VM (unless you disable the verification mechanism).
Follow the SSL Configuration HOW-TO on how to setup https.
If your goal is just to get the encryptian, you don't need to buy a certificate. You can make your own. Buying a certificate just creates the verification chain back to verisign (or whomever) to give users a warm fuzzy that you're really who you say you are.
SSLSocket should handle most of the work for you.
All data sent over SSL is by definition encrypted, you do not need to worry about encryption at all. Also, you do not need to by a certificate to achieve that: you can issue one on your own.
If you'll set up the SSL on Tomcat and send your data over HTTPS then the encryption will be done for you. But you don't actually need to purchase a certificate if you only need encryption for your data channel, you could generate a self-signed certificate. Have a look at this page http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html on how to configure SSL for Tomcat. But note that HTTPS can be configured not to use encryption at all (at least on Apache httpd).
To answer your question, SSL implementations automatically encrypt the data. You don't need to worry about using additional encryption routines.
It might be easiest to purchase an SSL certificate because SSL implementations provide easy certification authentication using common root certificates and provide a verification service. However, you could save some money by using a self-signed certificate.
Even with a self-signed certificate, it's important to validate the signature on the server certificate from the desktop application when you connect to the server. This will prevent man in the middle attacks.
You won't have to add your self signed certificate to the store because you should be able to disable the automatic verification mechanism and use your own.
I created a JApplet using Netbeans 6.5.1 that accesses a database. When the program is run by itself, it runs perfectly. The issue is when you try to put it online using a web application in Netbeans, it will not access the database. I was told by somebody that the problem is that Java security will not allow you to do this. Is this correct? How do I fix this problem? Thanks.
As already mentioned, an unsigned applet can only make network connection to the host from which the applet originated. However, if the database is hosted on a different server than the originating applet then you will have to make the applet signed. If the application is not for production use, you can self sign the applet (not suitable in production use where the signing has to be done by a trusted Certificate Authority. Certificate authorities typically charge a fee for the service of validating their clients' credentials.) However, for testing and demo purposes, you can create a self-signed certificate. With self-signed certificates, the browser displays a warning to the user mentioning that the information given in a self-signed certificate has not been validated by a trusted third party (Certificate Authority).
For self signing the applet take a look at the following links:
http://java.sun.com/developer/onlineTraining/Programming/JDCBook/signed.html
http://www-personal.umich.edu/~lsiden/tutorials/signed-applet/signed-applet.html
The other things to keep in mind are the JDBC driver types to use. Type-1 and Type-2 drivers are not suitable to be used within applet due their dependence on native binary code. Type-3 and Type-4 are ones you should be using to connect to database from within an applet.
The best solution is to NOT make database connection from an applet (if possible) but instead use a server side application to connect to the database on behalf of the applet.
as Clint pointed out, an applet is only allowed to connect to it's origin server.
to work around this, you can sign your applet with a certificate from a root authority, but certificates cost 200-400$/year.