What's up with the Java Security Warning?


BACKGROUND

The ISS Transit Prediction program creates files on your hard drive (specifically within the 'User Prediction Directory'; see the details page). This requires the program to run without the security restrictions normally provided by Java. Java applications which need additional security permissions require a digital signature.

Java provides a mechanism for authors to digitally sign their software. This allows the users of the software to know that the software has the author's approval.  The process of digitally signing software typically includes paying a fee (up to $499/year! ouch) to a "certificate authority" (such as VeriSign or Thawte). Certification authorities are entities (typically firms specializing in digital security) that are trusted throughout the industry to sign and issue certificates.

Thawte provides the Personal E-mail Certificate free of charge for the Web of Trust (WOT) community, of which I am a member.  This certificate can also be used to digitally sign software.  Annually I would obtain a new certificate, and sign the program with it.  When running the program, the following warning would pop up, stating that the signature has been validated by a trusted source.



PROBLEM

As of November 16, 2009, Thawte is no longer continuing the free Personal E-mail Certificate service, which leaves me four options:  1) Pay an annual fee to obtain a certificate from a certificate authority, 2) Ask the users to provide a donation to help with the cost, 3) Self-Sign the prediction program, or 4) Continue using the expired Thawte certificate.

SOLUTION

I have decided to continue to use the Thawte certificate, which has now expired.

What does this mean to the user of the prediction program?  Java will display the following warning message whenever the program is run.




If the user wishes, they can click the box which says "Always trust content from this publisher.", and the warning message will not be shown again.


With Java Version 6 Update 19, the following warning message may pop up when running the program.



This warning is displayed since Java treats expired and self-signed certificates as essentially "unsigned".  The user must click "No" to allow the unsigned components to run.  Java provides ways for users to disable this warning message.  Details here.
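To see what Java sees in a signed JAR, the following added example (not part of the prediction program and not written by its author) uses the standard java.util.jar API to check that each entry's signature is intact and to print the signing certificate's validity period. The class name JarSignerCheck and the JAR path argument are assumptions for illustration.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

// Added example: reports who signed a JAR and whether the signing certificate has expired.
public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck <path-to-jar>");
            System.exit(2);
        }
        Map<X509Certificate, Boolean> leafCerts = new LinkedHashMap<>(); // cert -> timestamped?
        int unsignedEntries = 0;
        byte[] buf = new byte[8192];
        // verify=true: each entry's digest is checked against the signature files.
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip META-INF, where the signature files themselves live.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known after the entry is read to the end;
                // a modified entry raises SecurityException at this point.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { unsignedEntries++; continue; }
                for (CodeSigner s : signers) {
                    X509Certificate leaf = (X509Certificate)
                            s.getSignerCertPath().getCertificates().get(0);
                    leafCerts.merge(leaf, s.getTimestamp() != null, Boolean::logicalOr);
                }
            }
        }
        Date now = new Date();
        System.out.println("Entries without a signature: " + unsignedEntries);
        for (Map.Entry<X509Certificate, Boolean> c : leafCerts.entrySet()) {
            X509Certificate cert = c.getKey();
            String status = now.after(cert.getNotAfter()) ? "EXPIRED"
                          : now.before(cert.getNotBefore()) ? "NOT YET VALID" : "valid";
            System.out.println("Signer:  " + cert.getSubjectX500Principal().getName());
            System.out.println("Issuer:  " + cert.getIssuerX500Principal().getName());
            System.out.println("Valid:   " + cert.getNotBefore() + " to " + cert.getNotAfter()
                    + " (" + status + ")");
            System.out.println("Timestamped signature: " + c.getValue());
        }
    }
}
```

An expired certificate does not change the file digests, so a JAR can pass the integrity check here and still be reported as EXPIRED.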




