I have a Java applet which doesn’t need any special privileges to run (i.e, it runs fine in the sandbox), but which expects the user to enter some sensitive information. Therefore, I’d like the user to be able to verify the origin of the applet.
I then signed the applet, and everything appears to be working correctly. The browser apparently accepts the signature; for test purposes, I tried executing PrivilegedActions and everything worked. However, the browser doesn’t inform the user that the browser is signed – from user’s perspective, both unsigned and signed versions of the applet appear exactly the same.
So my question is: is there a way to instruct the browser to present the signature authority to the user, or something similar?
Firstly, this is not a valid usage for signing a jar.
Did you at some point ever forget to untick the always trust tickbox?
Back to the first point because it is quite important. By signing a jar you are putting the certificates name to the claim that it is secure. Note that being secure is very much broader than being non-malicious. The security dialog which asks whether the user wants to give full local user access pops up if any code anywhere is encountered is signed. It doesn’t mean that some particular set of pixels are from a trsuted source.
The correct approach is to use https.