I read on Whizlabs that if a firewall or server filters packets by IP address, it would be possible for a downloaded applet to be trusted automatically by the firewall/server.
Does this mean that if I download an applet from a particular site, e.g. http://mysite.com, it would be possible to set up rules on my firewall to ensure the applet is trusted automatically, i.e. the user is not prompted to trust the applet? If so, does it apply to all applets regardless of whether they are signed or not?
It's the browser, or more specifically the Java plug-in, which asks you whether you want to trust a signed applet the first time you download it. I don't believe there are any "security features" which allow the browser to delegate that decision to some other component.
As for what you read on Whizlabs, you didn't quote it so there's no possible way for me to say whether it means what you said or not.
Just wanted to provide some more information on this question, as my initial posting was not entirely accurate. On Whizlabs, giving the description to a particular applet question, they provided the following additional information relating to applet security:
"If a firewall or server filters packets by IP address, then it would be possible for a downloaded applet to be trusted automatically by the firewall/server (a downloaded applet sending requests from your machine would be sending them with your trusted IP address)."
Just wondering if the above makes sense to anyone? I am not sure if it means the applet would be somehow trusted whilst it is being downloaded, or if it means that if an untrusted applet attempts to make calls to what is not the host from where it was downloaded, it would somehow allow such requests.
That doesn't sound like it has anything to do with the normal meaning of trusted applets, i.e. the user telling the browser to trust the applet with respect to its actions on the client. It sounds more like the scenario of there being a server somewhere, and the applet is sending requests to it, and that server is hard-coded to accept requests only from a certain IP address, so the firewall could send those requests as if they came from that IP address.
But I don't know what that has to do with applets. The firewall could just as well do that with all requests going to that server, and I'm not persuaded that the firewall could even tell that such a request came from an applet. Or that it could be configured to make that distinction.
In other words I guess what I'm saying is that it sounds extremely implausible to me. But then I'm no expert on firewalls.
Thanks for the response, Paul.
Does not make a huge amount of sense to me either. I thought I'd ask as I have seen it across a number of the Whizlabs mock exams.