Date: Fri, 13 Dec 1996 19:20:42 -0500
Message-Id: <199612140020.TAA24113@shell.one.net>
From: Jeff Nelson <teg@one.net>
To: david.brownell@Eng
Subject: Re: Applets and SSL
David Brownell wrote:
>Depends what you mean by "distributed". If the bytecodes are actually
>downloaded over an "https" (HTTP-over-SSL) URL, then they are surely
>integrity protected, and the connection probably did not take place
>without authenticating that server. That's a useful start.
Ok, so let's say a user connects with Netscape to a page containing

    <APPLET [...] ARCHIVE=https://www.secure-business.com/classes.zip>

The bytecode will be communicated through SSL. That's a great start!

BTW, I really appreciate the almost instantaneous reply to my
questions!
>However, just downloading over an SSL-protected channel doesn't
>necessarily involve what folk mean by "secure distribution" unless
>there are additional policies in place on that SSL-enabled server. For
>example, maybe you know that the web server is administered so that no
>Java applets are made available there ... without first having undergone
>substantial assurance efforts which establish that it's reasonable
>to grant them unrestricted network access.
I can see your point; we will probably make use of signed Jar files as
well, but my main concern is achieving secure communication between
applet and web server in whatever way possible.
>The JDK itself doesn't supply SSL (at least for now; there are export
>control issues). However, some Java environments (including ones that
>JavaSoft's planning to provide) support "https" URL connections.
>As one example, Netscape Navigator supports "https" URLs.
I'm not quite clear on what you mean above. Would the JDK built into
Navigator take advantage of Navigator's SSL support? Specifically,
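would the following code snippet initiate an SSL secured CGI
transaction?

    import java.io.*;
    import java.net.*;
    // URLConnection is abstract; obtain it from URL.openConnection().
    URLConnection serverConnection =
        new URL("https://www.secure-business.com/order.cgi").openConnection();
    serverConnection.setDoOutput(true); // needed before getOutputStream()
    OutputStream secureOut = serverConnection.getOutputStream();
    InputStream secureIn = serverConnection.getInputStream();
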
- Jeff
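
An added example, not part of the original message: one way for client code to confirm that the order really travels over SSL/TLS, and to see which server certificate and cipher suite were negotiated, before any form data is written. It uses javax.net.ssl.HttpsURLConnection from later Java releases rather than the JDK discussed above; the class SecureOrderCheck, its method names and the item=1 form body are hypothetical.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

public class SecureOrderCheck {
    // Refuse anything that is not HTTP-over-SSL/TLS; no network traffic happens here.
    static HttpsURLConnection openHttpsOnly(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing non-https URL: " + url);
        }
        URLConnection c = url.openConnection();
        if (!(c instanceof HttpsURLConnection)) {
            throw new IOException("runtime has no https handler for " + url);
        }
        HttpsURLConnection https = (HttpsURLConnection) c;
        https.setInstanceFollowRedirects(false); // the order must not be redirected elsewhere
        https.setDoOutput(true);                 // the CGI request carries a body
        return https;
    }

    // Complete the handshake, record what was negotiated, and only then send the form.
    static String postAndDescribe(HttpsURLConnection https, String form) throws IOException {
        https.connect(); // handshake and default certificate/hostname checks run here
        Certificate leaf = https.getServerCertificates()[0];
        String subject = (leaf instanceof X509Certificate)
            ? ((X509Certificate) leaf).getSubjectX500Principal().getName() : "unknown";
        String channel = https.getCipherSuite() + ", server cert: " + subject;
        try (OutputStream out = https.getOutputStream()) {
            out.write(form.getBytes(StandardCharsets.UTF_8));
        }
        return https.getResponseCode() + " over " + channel;
    }

    public static void main(String[] args) throws IOException {
        try { // constructed input: a plain-http URL is rejected without connecting
            openHttpsOnly(new URL("http://www.secure-business.com/order.cgi"));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        if (args.length == 1) { // optional: an https URL of your own to exercise the handshake
            System.out.println(postAndDescribe(openHttpsOnly(new URL(args[0])), "item=1"));
        }
    }
}
```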