A little bit more security for Java in the browser

Oracle just released Java 7 update 21, containing once more many security fixes (install it right away). And some changes for applet usage und handling. First of all, the preference dialog does not contain the low security setting any more. Which forces more user interaction when launching unsigned applets. Unsigned applets therefore require at least some interaction now; they are not launched automatically any more. A future Java update (probably the next update in July) will prevent you from running unsigned applets at all. And there will be a blacklist which will protect you from running applets signed with an invalid or revoked certificate.

For sure this will have a positive impact on Java browser security, but it’s not a big catch. This totally relies on certificate authorities and that they carefully check people buying certificates. And we all know how well that worked out in the past many, many times. It’s just too easy to get valid certificates. And there are no restrictions left when running signed applets.
Yeah, now we ‘know’ who bought the certificate and probably signed the malicious applet and can trace it back. Up to the point where we figure out a faked id was used to buy the certificate. This is not helpful at all. Oracle’s reaction to certificate fraud is to add such an invalid certificate to the frequently(?!) updated JRE certificate blacklist and prevent the JRE from further applet execution. This might work in 80% of the time. The other 20% will receive this update too late. In my eyes this is not a real solution, just another workaround to avoid killing the whole Java applet support at all.

Of course it is not Oracle’s fault that it is that easy to get a valid certificate with a fake id or no check at all. But fixing one broken system with another broken system is simply not going to work. And the loser is Java.