On Sat, Jan 07, 2006 at 07:44:10PM -0500, [EMAIL PROTECTED] wrote:
> Running relatively up-to-date Debian sarge system.
> 
> Followed a link to a rather nice site, www.irateradio.com
> 
> It runs a Java applet that
>   (1) downloads some random music files
>   (2) plays them and allows you to rate them
>   (3) compares your ratings with the ratings others provided in its 
> database so as to download files you actually might like next time
> 
> And, indeed, it does this quite nicely.
> 
> Now I thought I might like to keep one of these tracks.  After finding 
> no gadgets anywhere to ask it to store these things on my hard disk 
> somewhere, I start doing ls *.mp3 in various directories, and discover 
> that it has created a ~/irate/download/ directory and has stuffed its 
> downloads there.
> 
> The trouble is, I don't recall ever giving it permission to store 
> anything on my hard disk (except cookies), nor telling it where to put 
> them (which is what firefox usually asks me when it starts a download).
> And the java applet was, as far as I could see, started within the 
> browser.
> 
> Now I ask you.  What security policy could Firefox be following that 
> would allow this and prevent some wild application from putting junk all 
> over my hard drive?  Can I ever run Firefox again?
> 
> -- hendrik
> 

Well. I found out.  It used a thing called Java Web Start, which puts up 
a request whether to honour a certificate from some certificate issuing 
organisation, and, if you approve it, it proceeds to start the java 
program as an application rather than as an applet... Trouble is, the 
user (in this case, me) has been conditioned to provisionally accept 
certificates from all kinds of web sites -- Firefox itself does that 
when deciding whether it should even bother to look at a web site, under 
circumstances where the worst would be that the web site would be in 
the same sandbox as all the other web sites that don't bother with 
security certificates -- essentially benign, but you are warned not 
to reveal dire secrets.  But I don't recall anything that told me that 
accepting this certificate might be dangerous in a more direct way.
Maybe it was there, but I didn't see it.

-- hendrik
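The prompt hendrik describes is Java Web Start asking whether to trust the signer of the application's jars, and it appears because the site's launch descriptor (a JNLP file) asks for more than the applet sandbox: a descriptor containing `<security><all-permissions/></security>` can only launch from signed jars, and accepting the signer's certificate grants the program the same rights as any locally installed application, including writing under the home directory. The following checker is an added example, not code from the list post or from irateradio.com; the two JNLP descriptors, the codebase URL and the jar names in it are constructed for illustration.

```python
"""Summarise what a JNLP (Java Web Start) descriptor asks the user to grant.

Added example for the thread above; the descriptors below are constructed,
not taken from the site discussed in the post.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed descriptor that stays inside the applet-style sandbox:
# no <security> element, so unsigned jars are fine and the program
# cannot write to arbitrary files.
SANDBOXED_JNLP = """\
<jnlp spec="1.0+" codebase="https://example.invalid/app" href="player.jnlp">
  <information>
    <title>Example Player (constructed)</title>
    <vendor>Example Vendor (constructed)</vendor>
  </information>
  <resources>
    <j2se version="1.4+"/>
    <jar href="player.jar" main="true"/>
  </resources>
  <application-desc main-class="example.Player"/>
</jnlp>
"""

# Same constructed descriptor, but requesting full permissions. Java Web
# Start will only launch it from signed jars and shows the trust-this-
# certificate prompt; on approval the program runs unrestricted.
FULL_PERMISSION_JNLP = SANDBOXED_JNLP.replace(
    "  <resources>",
    "  <security>\n    <all-permissions/>\n  </security>\n  <resources>",
)


@dataclass
class JnlpSummary:
    codebase: str          # where the jars are fetched from
    jars: list             # jar hrefs named in <resources>
    permission_level: str  # "sandbox", "all-permissions" or
                           # "j2ee-application-client-permissions"
    runs_as_application: bool  # <application-desc> present


def summarize_jnlp(text: str) -> JnlpSummary:
    """Parse a JNLP descriptor and report the permissions it requests."""
    root = ET.fromstring(text)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP descriptor (root element is %r)" % root.tag)

    codebase = root.get("codebase", "")
    jars = [jar.get("href", "") for jar in root.iter("jar")]

    # Permission level is decided by the children of <security>; absence
    # of the element means the sandbox.
    level = "sandbox"
    security = root.find("security")
    if security is not None:
        if security.find("all-permissions") is not None:
            level = "all-permissions"
        elif security.find("j2ee-application-client-permissions") is not None:
            level = "j2ee-application-client-permissions"

    runs_as_app = root.find("application-desc") is not None
    return JnlpSummary(codebase, jars, level, runs_as_app)


def needs_trust_prompt(text: str) -> bool:
    """True when launching this descriptor requires the user to trust a
    code-signing certificate, i.e. when it leaves the sandbox."""
    return summarize_jnlp(text).permission_level != "sandbox"


def describe(text: str) -> str:
    """One-line, human-readable verdict for a descriptor."""
    s = summarize_jnlp(text)
    what = "application" if s.runs_as_application else "applet-style component"
    if s.permission_level == "sandbox":
        return f"{what} from {s.codebase}: sandboxed, jars {s.jars}"
    return (f"{what} from {s.codebase}: requests {s.permission_level}; "
            f"accepting the signer's certificate grants full local access")


if __name__ == "__main__":
    for name, jnlp in (("sandboxed", SANDBOXED_JNLP),
                       ("full-permission", FULL_PERMISSION_JNLP)):
        print(name, "->", describe(jnlp))
```

The practical point for a reader in hendrik's position is that the decision to accept a certificate here is not the same as the TLS prompt Firefox shows for a site: it is the only gate between the sandbox and an unrestricted process, so a descriptor that requests all-permissions deserves the scrutiny of installing software.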

