Re: Applets and SSL

David Brownell - JavaSoft (db@doppio)
Fri, 13 Dec 1996 15:10:27 -0800

Date: Fri, 13 Dec 1996 15:10:27 -0800
From: db@doppio (David Brownell - JavaSoft)
Message-Id: <199612132310.PAA04439@argon.eng.sun.com>
To: cryptix-java@systemics.com, java-security@java, teg@one.net
Subject: Re: Applets and SSL

> From teg@one.net Fri Dec 13 14:56:10 1996
> Date: Fri, 13 Dec 1996 17:55:43 -0500
> From: Jeff Nelson <teg@one.net>
> To: cryptix-java@systemics.com, java-security@java
> Subject: Applets and SSL
>
> Has anyone done a thorough analysis of how browser and server-based
> SSL works with Java applets?
>
> I would like to know in particular whether applet bytecode is
> distributed securely when an SSL enabled web server talks to an SSL
> enabled web browser.

Depends what you mean by "distributed". If the bytecodes are
actually downloaded over an "https" (HTTP-over-SSL) URL, then
they are surely integrity protected, and the connection probably
did not take place without authenticating that server.

However, just downloading over an SSL-protected channel doesn't
necessarily involve what folk mean by "secure distribution" unless
there are additional policies in place on that SSL-enabled server.

That's essentially the s

> Secondly, whether or not the data communicated during an applet
> initiated CGI requests made with the URLConnection object in the JDK
> is SSL authenticated and enciphered.
>
> It seems likely that both of these are true, but I would need to read
> the specs and experiment with a secure server to be sure.
>
> - Jeff
>