Thanks for your input to this discussion!

But CA certificates are worthless protection: You buy em with a stolen or one time use credit card #, and access through a proxy.

The unsigned code prompt includes an “Always allow this app” optional checkbox (I think its that JAR + hash, but I don’t know for sure and haven’t verified semantics).

Signed code has always had an “always allow this publisher” (read, signing key) checkbox.

And since the prompting is very early in the code execution path, before any attacker Java starts running, its going to be far harder to find a vulnerability compared with the privilege escalation vulnerabilities in Java since the code paths are both much smaller and has far fewer attacker-sourced semantics[1].

Getting rid of Java is AMAZINGLY GOOD ADVICE, especially with the everpresent and unremovable architectural flaw that “Signed Code + User says Yes == full ownership” [2]. But the prompting for unsigned code is a huge change in how Java works and the exploitability of Java.

Attackers are economically rational: Far better now to try again for Flash, Shockwave, Silverlight, Acrobat, and individual browser exploits, since those are always-run-unprompted, with Java being targeted almost exclusively with old exploits and “Prompt to P0wn” which no Java patch can fix.

Thus although Java is still a FESTERING PIT OF AWFULNESS THAT MUST BE REMOVED UNLESS ABSOLUTELY NEEDED BECAUSE OF THE SEMANTICS OF SIGNED CODE’S “PROMPT TO P0WN” [3], this change is far more than a simple “Band-Aid”, but a fundamental shift in Java’s attractiveness as an exploit target.

[1] Java in its sandbox for unsigned code is basically like a Unix system with a ton of SUID programs lying around: any single one of these programs which has a flaw results in a privilege escalation attack which is why its a security nightmare. Thus the difficulty in securing the sandbox, there are thousands of code paths that involve Java’s support code having to run at higher privileges, any one of which may have exploits.

[2] This is an architectural flaw that they CAN NOT REMOVE, since this is why you get business critical sites written in Java, like, eg, GoToMeeting’s previous web-based system.

If Oracle made it so signed code ran in the sandbox, it would kill Java on the web completely, since it would both break a ton of existing code and Java would offer no benefit over the more ubiquitous Flash which has comparable semantics to ‘working-sandbox’ Java, and actually has a more-flexible same-origin policy.

[3] Yes, I say this as the developer of a widely used (~3/4 of a million executions), signed-Java network measurement application, which takes significant advantage that signed Java has full privilege. A complete eradication of Java would eradicate our current implementation of Netalyzr. It is a price I am WILLING TO PAY

I think the “always run” (aka tick-box for “do not show me this again”) is still available (at least for signed applets), is it not?

And perhaps the tick-box should only exist/be an option for signed applets as opposed to unsigned ones?

Brian is right, malware writers can just sign their code for new zero-day infestations, but at least that puts malware writers “on the grid” for tracing and legal prosecution.

First we have “the experts” telling us to disable Java.

Now we have push back from “the experts” claiming that the first “experts” are wrong because companies need to have Java (or whatever other technology, such as older IE) installed for corporate reasons and therefore telling people to “dump it” is bad advice. They claim that other “mitigation” measures are better.

The reality is that both sides are wrong. What needs to happen is for corporations to realize that every technology is insecure and to stop locking themselves into insecure technologies such that they CANNOT “dump” them when proven to be insecure.

This of course is a “Catch 22″ situation – because all technologies are insecure and yet corporations “have to” commit to writing apps or buying software from companies that lock them into a given technology.

What I question is the “have to” mentality that corporations seem to have.

So we’re back to my meme: “There is no security. Deal.”

What irritates me is this back and forth between “the experts” who appear to be using this issue as a means to differentiate themselves in the industry, not to actually help the end users.