The Full Monty

[Image: The Full Monty (Film)]

I love this film. Six unemployed steelworkers from Sheffield decide to make a few bob by performing a strip show, doing the “Full Monty” (strip all the way).

My personal message from this film is: if you do something, do it right, from beginning to end, regardless of how cumbersome, difficult or (in the guys’ case) embarrassing it is – do it properly or leave it. It pays off (sometimes literally): you are proud of the achievement and you might even get some credit.

“The Full Monty” is what came to mind when I read Eric Romang’s blog about a problem he discovered recently with signed Java apps.

His findings in a nutshell: Java JARs can be digitally signed in order to allow them to operate outside their sandbox, effectively allowing them to download and install additional software on the target computer. The digital signature is a token of trust, created by a (legitimate) company using its own digital certificate. In other words, signed apps are deemed to be secure and trustworthy.

[Image: Java control panel]

That’s the fundamental concept of trust in PKIs.

However, one of the problems Eric Romang discovered was that the Java runtime environment verifies the signature of a JAR file but, by default, does not check the signer’s certificate for revocation. This option needs to be enabled manually (see the Java control panel image).

This is a major faux pas in the Java environment and resulted in a situation where a “trusted” but malicious app (signed with a revoked certificate) installed an exploit kit on host computers.

Here in OSNA we are working on PKI solutions for M2M communication in isolated networks, basically configurations where OCSP (Online Certificate Status Protocol) is not available and the management and distribution of CRLs (Certificate Revocation Lists) is tricky.

However, despite these constraints we are working on the Full Monty, as a PKI without revocation is useless and gives users a false sense of security.
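To make the gap concrete, here is an added example (not code from this post, from Eric Romang’s blog or from OSNA) that verifies a signed JAR and then validates each signer chain with revocation checking switched on, using only a locally stored CRL file as an isolated network without OCSP would. The class name and the file arguments are hypothetical.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

// Added example. Usage (paths are placeholders):
//   java JarRevocationCheck app.jar truststore.p12 <password> issuers.crl
public class JarRevocationCheck {
    public static void main(String[] a) throws Exception {
        KeyStore trust = KeyStore.getInstance(new File(a[1]), a[2].toCharArray());
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(a[3])) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        // Fail closed: without OCSP the local CRL is the only revocation source,
        // so a missing or expired CRL must block the JAR rather than be ignored.
        if (crls.isEmpty()) throw new CRLException("no CRL supplied");
        Date now = new Date();
        for (CRL c : crls) {
            Date next = ((X509CRL) c).getNextUpdate();
            if (next == null || next.before(now)) throw new CRLException("stale CRL");
        }
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true); // the check the post describes as off by default
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));

        Set<CertPath> signerPaths = new HashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(new File(a[0]), true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // Signature metadata (manifest, .SF, signature blocks) is not itself signed.
                if (e.isDirectory() || e.getName().matches(
                        "(?i)META-INF/(MANIFEST\\.MF|SIG-[^/]*|[^/]+\\.(SF|RSA|DSA|EC))")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { } // reading to EOF verifies the entry digest
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned: " + e.getName());
                for (CodeSigner s : signers) signerPaths.add(s.getSignerCertPath());
            }
        }
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (CertPath p : signerPaths) validator.validate(p, params); // throws if revoked or unknown
        System.out.println("signature valid, signer certificates not revoked");
    }
}
```

The CRL file has to hold a current CRL from every CA in the signer chain; otherwise validation stops with an undetermined revocation status, which is the intended outcome when the status cannot be proven.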

In the above film, Horse, one of the main characters, gasped “Nobody said anything to me about the Full Monty!” when the group’s intentions were made public. Well, we in OSNA have been told.

