|
 |
9beafa1 |
gcjwebplugin is a Firefox plugin for running Java applets. It is now
|
|
|
9beafa1 |
included in the libgcj sub-package, though it is not enabled by
|
|
|
9beafa1 |
default.
|
|
|
9beafa1 |
|
|
|
9beafa1 |
GNU Classpath and libgcj's security implementation is under active
|
|
|
9beafa1 |
development, but it is not ready to be declared secure. Specifically,
|
|
|
9beafa1 |
it cannot run untrusted applets safely.
|
|
|
9beafa1 |
|
|
|
9beafa1 |
When gcjwebplugin is enabled, it prompts you with a dialog before
|
|
|
9beafa1 |
loading an applet. The dialog tells you that a certain URL would like
|
|
|
9beafa1 |
to load an applet, and asks if you trust the applet. Be aware though
|
|
|
9beafa1 |
that this dialog is mostly informative and doesn't provide much
|
|
|
9beafa1 |
protection:
|
|
|
9beafa1 |
|
|
|
9beafa1 |
- http and DNS can be spoofed meaning that the URL named in the
|
|
|
9beafa1 |
warning dialog cannot be trusted
|
|
|
9beafa1 |
|
|
|
9beafa1 |
- someone could create a browser denial-of-service attack by creating a
|
|
|
9beafa1 |
page with hundreds of applet tags, causing gcjwebplugin to create
|
|
|
9beafa1 |
warning dialog after warning dialog. The browser would have to be
|
|
|
9beafa1 |
closed to eliminate the latest dialog
|
|
|
9beafa1 |
|
|
|
9beafa1 |
- the whitelist is provided as a convenience, but it is unsafe because a
|
|
|
9beafa1 |
domain may change hands from a trusted owner to an untrusted owner.
|
|
|
9beafa1 |
If that domain is in the whitelist then the warning dialog will not
|
|
|
9beafa1 |
appear when loading the new malicious applet.
|
|
|
9beafa1 |
|
|
|
9beafa1 |
CURRENTLY GCJWEBPLUGIN RUNS WITH NO SECURITY MANAGER. THIS MEANS THAT
|
|
|
9beafa1 |
APPLETS CAN DO ANYTHING A JAVA APPLICATION THAT YOU DOWNLOAD AND RUN
|
|
|
9beafa1 |
COULD DO. BE *VERY* CAREFUL WHICH APPLETS YOU RUN. DO NOT USE
|
|
|
9beafa1 |
GCJWEBPLUGIN ON YOUR SYSTEM IF YOUR SYSTEM STORES IMPORTANT DATA.
|
|
|
9beafa1 |
THIS DATA CAN BE DESTROYED OR STOLEN.
|
|
|
9beafa1 |
|
|
|
9beafa1 |
The same warning applies to gappletviewer, which also runs with no
|
|
|
9beafa1 |
security manager (in fact, gcjwebplugin spawns gappletviewer to do the
|
|
|
9beafa1 |
applet loading). When run on the command line, gappletviewer issues a
|
|
|
9beafa1 |
warning on startup and asks you if you want to continue.
|
|
|
9beafa1 |
|
|
|
9beafa1 |
Even considering the risks involved, you may still want to try
|
|
|
9beafa1 |
gcjwebplugin. GNU Classpath's AWT and Swing implementations are now
|
|
|
9beafa1 |
sufficiently mature that they're able to run many applets deployed on
|
|
|
9beafa1 |
the web. If you're interested in trying gcjwebplugin, you can do so
|
|
|
9beafa1 |
by creating a symbolic link in ~/.mozilla/plugins like so:
|
|
|
9beafa1 |
|
|
|
ed083d2 |
ln -s /usr/lib/gcj-@VERSION@/libgcjwebplugin.so ~/.mozilla/plugins/
|
|
|
9beafa1 |
|
|
|
9beafa1 |
Type about:plugins in Firefox's URL bar to confirm that the plugin has
|
|
|
9beafa1 |
been loaded. To see gcjwebplugin debugging output, run:
|
|
|
9beafa1 |
|
|
|
9beafa1 |
firefox -g
|
|
|
9beafa1 |
|
|
|
9beafa1 |
then at the GDB prompt, type
|
|
|
9beafa1 |
|
|
|
9beafa1 |
run
|
|
|
9beafa1 |
|
|
|
9beafa1 |
Please report bugs in Red Hat Bugzilla: http://bugzilla.redhat.com
|