Blog of the Bittorrent Applet

Sunday, September 2, 2007

The point about certificates and signing

If you have ever tried to use BitLet, you will have encountered a window telling you that the signature of the applet cannot be verified (see the screenshot below).




Since some users appear to be quite puzzled about the exact meaning of that message, we will try to shed some light on this issue.

Let's start from the beginning...
In order to protect users from malicious applets, the JVM (Java Virtual Machine) considers the code of applets that are embedded in web pages to be untrusted and executes it in a sort of sandbox, which prevents it from performing any action that could (possibly) harm the client system.

This means that, by default, common Java applets are not allowed to perform some tasks, including opening network connections to other servers or accessing the filesystem of the client machine on which they are running.

Obviously, any bittorrent client (including BitLet) needs to perform both those operations to be of some use, even without intending to do any harm.

In order to overcome this problem, the applet is digitally signed, i.e. it is signed using a digital certificate that ensures that the applet comes from the certificate holder.

This brings us back to the first line of this post. You are seeing that annoying message because the certificate used to sign BitLet is not issued by a trusted Certificate Authority. Actually, it was generated on a common development box. Why?

Because code signing certificates cost. And they cost a lot of money, too.

If you know of any CA that issues that kind of certificate without charging outrageously high prices, don't hesitate to let us know or drop us a line in the comments.
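To make the distinction behind that warning concrete, here is an added example (not BitLet's code and not part of the original post) that reads a signed JAR, lets the JVM verify the entry digests, and reports whether each signer's certificate chains to a root in the JVM's default trust store. The class name `SignerCheck` and the JAR path passed as `args[0]` are assumptions for illustration; revocation, timestamp and key-usage checks are left out.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

public class SignerCheck {
    public static void main(String[] args) throws Exception {
        Set<CertPath> chains = new LinkedHashSet<>();
        // args[0]: path to the JAR to inspect; 'true' makes JarFile verify signed entries.
        try (JarFile jar = new JarFile(args[0], true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip META-INF, where the manifest and signature files live.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are known only after a full read; a tampered entry throws SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + e.getName());
                for (CodeSigner s : signers) chains.add(s.getSignerCertPath());
            }
        }
        // Trust anchors: the root certificates in the JVM's default trust store.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(ca, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // no CRL/OCSP lookup, so the check runs offline
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (CertPath chain : chains) {
            X509Certificate signer = (X509Certificate) chain.getCertificates().get(0);
            // subject == issuer is what a certificate generated on a development box looks like
            boolean selfIssued = signer.getSubjectX500Principal().equals(signer.getIssuerX500Principal());
            String verdict;
            try {
                validator.validate(chain, params);
                verdict = "chains to a root trusted by this JVM";
            } catch (CertPathValidatorException ex) {
                verdict = "NOT trusted by this JVM (" + ex.getMessage() + ")";
            }
            System.out.println(signer.getSubjectX500Principal()
                    + (selfIssued ? " [self-issued]" : "") + ": " + verdict);
        }
    }
}
```

A JAR signed with a certificate generated locally, as described above, is reported as self-issued and not trusted, even though its signature verifies correctly.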

9 Comments:

Blogger xXx said...

WOW!! I like this Site :D

Is there any way I can save the files on my server? Like I will put the FTP URL/user name, password and it will start saving it in my FTP server?

thanx
Shuvo.

September 12, 2007 at 5:47 PM  
Blogger Daniele said...

Hello xxx, I think that what you're looking for is quite different from bitlet. Take a look here, it could be a more suitable option for your needs.

September 12, 2007 at 7:54 PM  
Blogger ICeman said...

Maybe CACert works. I was trying to find how to request a free certificate for software (I use it for e-mail); I remember that option was on the site. Anyway, CACert is not in the default trusted roots for the official Java Virtual Machine, so the untrusted source message will still appear.
Maybe by looking in the "Security" tab of the Java applet in the Windows control panel (or the binary ControlPanel in /usr/java/ on Linux) you can find a list of the default trusted roots for Signing Certificates. I hope one of them is free.

October 3, 2007 at 11:45 PM  
Anonymous Anonymous said...

I accidentally pressed No to accepting the certificate. How can I get the certificate now, as I can't seem to get the message anymore?

Please help.
Thanks

October 10, 2007 at 10:48 AM  
Blogger rhyd said...

thawte have certificates for applets which are free, and are widely used.

instructions here:

http://www.dallaway.com/acad/webstart/

(instructions are for webstart but a signed jar using the same procedure will work as a signed applet)

you should consider providing a webstart client as well - would be useful for longer lived torrents.

December 20, 2007 at 6:18 AM  
Blogger Daniele said...

Thank you very much rhyd for your advice.

As you can see, we updated the certificate and now we are using the thawte one.

The webstart client would be a great option.
We already considered that, and we hope we'll find time to develop it in the future.

Regards,

Daniele

January 2, 2008 at 9:10 PM  
Blogger norbertojr1 said...

It would also be very good if we could download torrents from torrent files, and not only through their respective URLs. It would be interesting.

February 14, 2008 at 8:50 PM  
Anonymous Erica said...

Hello, I just wanted to say that your blog has been really useful for me..
I need all the help I can get, lol.. Thnx

January 10, 2012 at 1:21 PM  
