Re: Applets and SSL

David Brownell - JavaSoft (db@doppio)
Fri, 13 Dec 1996 15:25:59 -0800

Date: Fri, 13 Dec 1996 15:25:59 -0800
From: db@doppio (David Brownell - JavaSoft)
Message-Id: <199612132325.PAA04450@argon.eng.sun.com>
To: cryptix-java@systemics.com, java-security@java, teg@one.net
Subject: Re: Applets and SSL

[ Sorry -- mailtool sent the previous note without my pressing
the "send" button, that never happened before! ]

> Date: Fri, 13 Dec 1996 17:55:43 -0500
> From: Jeff Nelson <teg@one.net>
>
> Has anyone done a thorough analysis of how browser and server-based
> SSL works with Java applets?

I don't think so, but here are a few of my thoughts on the areas
you asked about.

> I would like to know in particular whether applet bytecode is
> distributed securely when an SSL enabled web server talks to an SSL
> enabled web browser.

Depends what you mean by "distributed". If the bytecodes are actually
downloaded over an "https" (HTTP-over-SSL) URL, then they are surely
integrity protected, and the connection probably did not take place
without authenticating that server. That's a useful start.

However, just downloading over an SSL-protected channel doesn't
necessarily involve what folk mean by "secure distribution" unless
there are additional policies in place on that SSL-enabled server. For
example, maybe you know that the web server is administered so that no
Java applets are made available there ... without first having undergone
substantial assurance efforts which establish that it's reasonable
to grant them unrestricted network access.

Unlike classes sent over SSL channels, signed JAR files can be saved
for purposes of having a verifiable audit trail. Not so with data sent
through an SSL channel; SSL adds no persistent stamp of authenticity.

> Secondly, whether or not the data communicated during an applet
> initiated CGI requests made with the URLConnection object in the JDK
> is SSL authenticated and enciphered.

The JDK itself doesn't supply SSL (at least for now; there are export
control issues). However, some Java environments (including ones that
JavaSoft's planning to provide) support "https" URL connections.

As one example, Netscape Navigator supports "https" URLs.

- Dave
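The audit-trail point above (a signed JAR carries its own verifiable stamp of authenticity; bytes pulled through an SSL channel do not once the connection is gone) can be shown with a small verifier that re-checks a saved JAR offline. This is an added example, not code from the thread or from JavaSoft; it uses the later `java.util.jar` API (`JarFile` with `verify=true`, `JarEntry.getCodeSigners()`, JDK 5 and up), which postdates this 1996 discussion, and the path it reads is whatever the caller supplies.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Re-verify a signed JAR that was saved to disk earlier (e.g. for an audit trail).
 * Added example; assumes a JAR path on the command line, nothing else.
 */
public class JarAudit {

    /**
     * Returns true only if every non-metadata entry is intact and carries at
     * least one code signer. Returns false for unsigned entries, for a JAR whose
     * META-INF signature files were stripped, and for entries whose digest no
     * longer matches the signed manifest.
     */
    public static boolean allEntriesSigned(String path) throws IOException {
        // verify=true makes JarFile check signature files as entries are read.
        try (JarFile jar = new JarFile(path, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) {
                    continue; // directories and signature metadata are not signed content
                }
                // Digest verification happens while the entry stream is consumed;
                // getCodeSigners() only returns a value after the stream hits EOF.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) {
                        // drain the entry so the verifier can compare digests
                    }
                } catch (SecurityException se) {
                    // digest mismatch: the entry was modified after signing
                    return false;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned entry (or signature files removed)
                }
                for (CodeSigner s : signers) {
                    // first certificate in the path is the signer's own certificate
                    X509Certificate leaf =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    System.out.println(e.getName() + " signed by "
                        + leaf.getSubjectX500Principal().getName());
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarAudit <saved.jar>");
            System.exit(2);
        }
        boolean ok = allEntriesSigned(args[0]);
        System.out.println(ok ? "all entries signed and intact"
                               : "unsigned or tampered entry found");
        System.exit(ok ? 0 : 1);
    }
}
```

Two things this check does and does not establish: it proves the archive on disk still matches what some signer signed, which is exactly the persistent stamp the thread says an SSL download lacks (a class file saved from an https fetch would simply read as unsigned here). It does not by itself decide whether the signer's certificate chains to a root the site trusts; that policy decision is a separate step on top of this one.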