The point about certificates and signing
If you have ever tried to use BitLet, you will have encountered a window telling you that the signature of the applet cannot be verified (see the screenshot below).

Since some users appear to be quite puzzled about the exact meaning of that message, we will try to shed some light on this issue.
Let's start from the beginning...
To protect users from malicious applets, the JVM (Java Virtual Machine) treats the code of applets embedded in web pages as untrusted and executes it in a sort of sandbox, which prevents it from performing any action that could (possibly) harm the client system.
This means that, by default, common Java applets are not allowed to perform some tasks, including opening network connections to other servers or accessing the filesystem of the client machine on which they are running.
Obviously, any BitTorrent client (including BitLet) needs to perform both of those operations to be of any use, even without intending to do any harm.
To overcome this problem, the applet is digitally signed, i.e. it is signed using a digital certificate that ensures that the applet comes from the certificate holder, so that a user who accepts the signature can let it run outside the sandbox.
This brings us back to the first line of this post. You are seeing that annoying message because the certificate used to sign BitLet is not issued by a trusted Certificate Authority. Actually, it was generated on a common development box. Why?
Because code signing certificates cost. And they cost a lot of money, too.
If you know of any CA that issues that kind of certificate without charging outrageously high prices, don't hesitate to let us know or drop us a line in the comments.
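
What the warning window reports can be reproduced outside the browser. The Java program below is an added example, not BitLet's code: it verifies a JAR's signature and then checks whether the signer chains to a root in the JVM's default trust store. Assumptions: the class name JarSignerTrustCheck, the JAR path given as the first argument, the default trust store (cacerts) standing in for the plug-in's list of trusted roots, and revocation checking switched off so it runs offline.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

// Added example: does a signed JAR's signer chain to a root in the JVM default trust store?
public class JarSignerTrustCheck {
    public static void main(String[] args) throws Exception { // args[0]: path to a signed JAR
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store (cacerts)
        Set<X509Certificate> roots = new HashSet<>();
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate r : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    roots.add(r);
                    anchors.add(new TrustAnchor(r, null));
                }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check: no CRL/OCSP lookups

        Set<CodeSigner> signers = new HashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify entry digests
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { } // a tampered entry throws SecurityException
                }
                if (e.getCodeSigners() != null) signers.addAll(Arrays.asList(e.getCodeSigners()));
            }
        }
        if (signers.isEmpty()) System.out.println("unsigned: stays in the sandbox");
        for (CodeSigner s : signers) {
            List<Certificate> chain = new ArrayList<>(s.getSignerCertPath().getCertificates());
            Certificate leaf = chain.get(0); // the signer's own certificate comes first
            chain.removeAll(roots); // drop a bundled root: PKIX paths exclude the anchor itself
            String who = ((X509Certificate) leaf).getSubjectX500Principal().getName();
            try {
                if (!chain.isEmpty()) CertPathValidator.getInstance("PKIX").validate(
                        CertificateFactory.getInstance("X.509").generateCertPath(chain), params);
                System.out.println("signer trusted: " + who);
            } catch (CertPathValidatorException ex) { // e.g. self-signed development certificate
                System.out.println("signature intact but signer NOT trusted: " + who);
            }
        }
    }
}
```

Run against a JAR signed with a self-generated certificate, it reports an intact signature from an untrusted signer, which is the situation the warning window describes.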

8 Comments:
WOW!! I like this Site :D
Is there any way I can save the files in my server? Like I will put the ftp url/user name, password and it will start saving it in my ftp server?
thanx
Shuvo.
Hello xxx, I think that what you're looking for is quite different from bitlet. Take a look here, it could be a more suitable option for your needs.
Maybe CACert works. I was trying to find how to request a free certificate for software (I use it for e-mail); I remember that option was on the site. Anyway, CACert is not in the default trusted roots for the official Java Virtual Machine, so the message of untrusted source will still appear.
Maybe looking in the "Security" tab of the Java applet in the Windows control panel (or the binary ControlPanel on /usr/java/ in Linux) there's a list of the default trusted roots for Signing Certificates. I hope one of them has to be free.
I accidentally pressed No to accepting the certificate. How can I get the certificate now, as I can't seem to get the message anymore?
Please help.
Thanks
thawte have certificates for applets which are free, and are widely used.
instructions here:
http://www.dallaway.com/acad/webstart/
(instructions are for webstart but a signed jar using the same procedure will work as a signed applet)
you should consider providing a webstart client as well - would be useful for longer lived torrents.
Thank you very much rhyd for your advice.
As you can see, we updated the certificate and now we are using the thawte one.
The webstart client would be a great option.
We already considered that, and we hope we'll find time to develop it in the future.
Regards,
Daniele
It would also be very good if we could download torrents through torrent files, and not only through their respective URLs. That would be interesting.
Hello, I just wanted to say that your blog has been really useful for me..
I need all the help I can get, lol.. Thnx