Why signed applet trust is a stupid question (and why SnapABug is not to blame)
After having written about the inner workings of SnapABug, I have now looked a bit further into signed applets and their permission levels. And the conclusion is that the trust question is stupid.
SnapABug did the right thing, the only thing they could do. Untrusted (unsigned) code lives in a special sandbox and cannot use functions outside of it. The end user can change how much this sandbox has access to, but it is not trivial, and the normal user would never touch it with a pitchfork. Trusted code lives in another sandbox with almost unlimited possibilities. The end user can limit this sandbox too, but again almost no end user does.
The problem? How is code deemed to be trusted code? Code is trusted if the publisher is trusted, and the identity of the publisher is guaranteed by the digital signature. The signature is automatically verified by the Java client, and the end user is then asked to do the final step: the Java client asks the end user to trust the code:
We know this code has been written by this person (even though we don't know what the code does). We know this person/company is who (s)he says (s)he is. You can therefore safely trust the authenticity of this person. Do you trust that this person has written safe code?
First of all, this is a strange question to ask any end user. Secondly, if the actual question were written as above, it would be much better: it would assume that the person has written safe code, but would let the end user decide. Instead the question is written in a form that almost suggests that the applet is trying to gain illegal access to your computer, by asking:
An applet from “domain” is requesting unrestricted access to your computer

The SnapABug applet trust question
And below that, in smaller letters, it says that the digital signature has been verified (whatever that means to Average Joe). I am aware that this might be the specific wording used by my Java client/browser combination, as Sun seems to indicate that the dialog looks different on other systems.
In any case: that question is stupid. Would the normal end user install programs if the standard Windows installation flow included the question:
When installing this application, the application could potentially install spamware, adware, take over your computer or copy your banking information. Do you wish to proceed?
Let's just say that adoption of small programs from small developers would be a lot lower (which might be a good thing, as it would stop people installing spamware because they think they have a virus, or similar silliness, but in the long run it would probably be a bad thing). Asking such a question is stupid. The question really should be rephrased to clearly indicate that the user should assume this is a safe, trusted application, while still giving the user the opportunity to deny access anyway.
Secondly, (trusted) applications should have a way of asking for access to only what they need. The digital signature is simply verification of origin; the actual access level needed should be separate from that. As I asked in my previous post: why should the SnapABug applet have access to files on my computer? They don't need it; in fact I'm pretty sure that if they could avoid having that access, they would. But they can't.
Thus SnapABug is not to blame; if anyone is, Sun is.
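To make the gap concrete, here is an added example (my own illustration, not SnapABug's or TimZon's code) using the standard java.security permission classes. It spells out the small permission set a chat applet plausibly needs, one outbound socket to an assumed host name, and checks a few requests against it with implies(); the same requests checked against AllPermission, which is what a signed applet gets under the default policy, all come back allowed. The host name and the exact list of needed permissions are assumptions for the example.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

/**
 * Illustrates the difference between what a signed applet is granted
 * (everything) and what a chat applet actually needs (one socket).
 * The host and permission list are constructed for this example.
 */
public class LeastPrivilegeApplet {

    // Hypothetical server the chat applet talks to (placeholder name).
    static final String CHAT_HOST = "chat.example.com";

    /** What a chat applet plausibly needs: connect to its own server, read one property. */
    static Permissions neededPermissions() {
        Permissions p = new Permissions();
        p.add(new SocketPermission(CHAT_HOST + ":443", "connect,resolve"));
        p.add(new PropertyPermission("user.language", "read"));
        return p;
    }

    /** What the default policy grants to a signed applet the user has trusted. */
    static Permissions signedAppletPermissions() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    /** True when the granted set covers the requested permission. */
    static boolean grants(Permissions granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        Permission[] requests = {
            new SocketPermission(CHAT_HOST + ":443", "connect"),
            new SocketPermission("other.example.net:80", "connect"),
            new FilePermission(System.getProperty("user.home") + "/-", "read"),
        };

        Permissions needed = neededPermissions();
        Permissions signed = signedAppletPermissions();

        for (Permission r : requests) {
            System.out.printf("%-75s needed: %-7s signed: %s%n",
                    r,
                    grants(needed, r) ? "allowed" : "denied",
                    grants(signed, r) ? "allowed" : "denied");
        }
        // Only the first request is allowed under the "needed" set; all three
        // are allowed under AllPermission, including reading the home directory.
    }
}
```

On the end-user side, the same narrow grant can be written into the Java policy file keyed on the signer rather than handed out as AllPermission, for example grant signedBy "alias" { permission java.net.SocketPermission "chat.example.com:443", "connect"; };, which is the "limit this sandbox" option the post mentions and that almost nobody uses.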
Category: Java, Security, Trends

October 20th, 2009 at 00:32
Morten,
Thank you for spending the time researching Java signed applets and how we use this functionality.
We agree with you that this solution has limitations. If we had a way to ask users of our applet for access to only the resources we need, we would have done so. Increasing the trust that people have in our solution can only be beneficial and increase usage.
But even with this limitation in mind we are still grateful that Sun gave us Java and the functionality we needed to provide our service.
Thanks for a well written analysis.
The TimZon team.