Re: possible firefix security problem??

On Sat, Jan 07, 2006 at 07:44:10PM -0500, hendrik@xxxxxxxxxxxxxx wrote:
> Running relatively up-to-date Debian sarge system.
>
> Followed a link to a rater nice site, www.irateradio.com
>
> It runs a Java applet that
> (1) downloads some random music files
> (2) plays them and allows you to rate them
> (3) compares your ratins with the ratings others provided in its
> database so as to download files you actually might like next time
>
> And, indeed, it does this quite nicely.
>
> Now I thought I might like to keep one of these tracks. After findiing
> no gadgets anywhere to ask it so store these things on my hard disk
> somewhere, I start doind ls *.mp3 in various directories, and discover
> that it has created a ~/irate/download/ directory and has stuffed its
> downloads there.
>
> The trouble is, I don't recall ever giving it permission to store
> anything on my hard disk (except cookies), nor telling it where to put
> them (which is what firefox usually asks me when it starts a download).
> And the java applet was, as far as I could see, started within the
> browser.
>
> Now I ask you. What security policy could Firefox be following that
> would allow this and prevent some wild application from putting junk all
> over my hard drive? Can I ever run Firefox again?
>
> -- hendrik
>

Well. I found out. It used a thing called Java Web Start, which puts up
a rewuest whether to honour a certificate from some certificate issuing
organisation, and, if you approve it, it proceeds to start the java
program as an application rather than as an applet.... Trouble is, the
user (in this case, me) has been conditioned to provisionally accept
certificates from all kinds of web sites -- Firefox itself does that
when deciding whether it should even bother to look at a web site, under
circumstances where the worst would be that thje web site would be in
the same sandbox as all the other web sites that don't bother with
security certificates -- essentially benign, but you are warned not
to reveal dire secrets. But I don't recall anything that told me that
accepting this certificate might be dangerous in a more direct way.
Maybe it was there, but I dodn't see it.

-- hendrik


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx

Relevant Pages

  • Re: "The Publisher could not be verified. etc."
    ... >> You can buy an authenticode digital signature and sign ... >> your downloads, like the spyware companies do. ... certain that a digital certificate is adequate to stop ...
    (microsoft.public.vb.general.discussion)
  • Re: "The Publisher could not be verified. etc."
    ... > potentially risky downloads being identifiable. ... > certain that a digital certificate is adequate to stop ... > wild about the default setting to check for updates.... ... > kind of permanent beta on a drip feed of updates.!) ...
    (microsoft.public.vb.general.discussion)
  • Re: source for downloadable music?
    ... but they ahve a decent selection. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ... certificate on the ASSIST site all I get is an invalid certificate ... Given the VERY low cost of their downloads and the fact that ...
    (Debian-User)
  • Security certificates
    ... >Recently at every secure site I deal with has called for ... >new security certificate. ... >the steps are performed and I'm told the certificate has ... After several downloads of the ...
    (microsoft.public.windowsxp.general)
  • Newbie question: Signing a Java applet
    ... I have a question regarding signing a Java applet. ... on what kind of certificate I need for that purpose. ... "RSA certificates may be purchased from a Certificate Authority ...
    (comp.lang.java.programmer)