Like many common software systems, JavaScript has a history of security problems. Many of these problems could allow a person with malevolent intent to steal sensitive information from a visitor. The number and type of such holes in security vary among browsers and operating system versions. Most JavaScript security holes have been caught and fixed, but new ones are being discovered all the time. For a list of current security holes check out your browser's and operating system's Web pages. As a Web site author, it is your responsibility to keep up-to-date on the current status of known security holes in the applications you create.
In Chapter 11, I explained that JavaScript does not provide the ability to directly access files on the client computer. This can be a very large hurdle to overcome if you're trying to upload a file to a server from the client computer. Fortunately, file uploading is one of many functional enhancements that signed scripts provide. Signed scripts are specially packaged scripts that have been verified and signed to be correct and non-threatening. These scripts have additional rights on the client computer that allow a programmer to do many things that he wouldn't otherwise be able to.
With the introduction of Netscape 4.0, a new security model was put in place that would allow digitally signed scripts to bypass some of the restrictions that had previously been placed on them. A signed script can request expanded privileges from the visitor and, with the visitor's permission, gain access to restricted data. A signed script requests these additional permissions through LiveConnect, which allows your JavaScript code to communicate with the Java Capabilities API. The security model allows JavaScript to access certain classes in Java in order to extend its functionality while still maintaining tight security for the client.
A digital signature is a fingerprint of the original programmer, and it allows the security model of the browser to detect where (or from whom) it originated. A script signer can be a person or an organization. By signing a script, you acknowledge yourself as the author and accept responsibility for the program's actions. A signed script contains a cryptographic checksum, which is just a special value that ensures the signed script has not been changed. When a digital signature is detected, you are assured that the code has not been tampered with since the programmer signed it.
Once you finish writing a script, you can use the Netscape Signing Tool to digitally sign it. Signing a script does the following:
Unambiguously assigns ownership of the script to a person or organization.
Allows an HTML page to use multiple signed scripts.
Places the signed script into a Java Archive (JAR) file.
Places the source of the script in the JAR file.
Once a user confirms the origin of the script and is assured that it has not been tampered with since its signing, he or she can then decide whether to grant the privileges requested by the script based on the validated identity of the certificate owner and validated integrity of the script.
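The integrity check described above, modelled in Node.js as an added example (it is not code from this chapter or from the Netscape Signing Tool). The manifest layout, the SHA-256 digests and the Ed25519 key pair are assumptions that stand in for the real JAR format and the object-signing certificate.

```javascript
// Added example: a simplified model of a signed archive, not signtool's real JAR format.
const nodeCrypto = require("crypto");

// Constructed sample "script files" that would be placed in the archive.
const sampleFiles = {
  "upload.js": "function upload() { /* constructed sample */ }",
  "page.html": "<html><script src='upload.js'></script></html>",
};

const digest = (text) =>
  nodeCrypto.createHash("sha256").update(text, "utf8").digest("base64");

// Manifest: one name/digest entry per file, sorted so the text is reproducible.
function buildManifest(files) {
  return Object.keys(files).sort()
    .map((name) => `Name: ${name}\nSHA-256-Digest: ${digest(files[name])}\n`)
    .join("\n");
}

// The signer's private key signs the manifest, binding every digest to the signer.
function signArchive(files, privateKey) {
  const manifest = buildManifest(files);
  const signature = nodeCrypto.sign(null, Buffer.from(manifest), privateKey);
  return { files: { ...files }, manifest, signature };
}

// Verify the signature over the manifest first, then re-hash every file.
function verifyArchive(archive, publicKey) {
  const sigOk = nodeCrypto.verify(
    null, Buffer.from(archive.manifest), publicKey, archive.signature);
  if (!sigOk) return { ok: false, reason: "bad signature on manifest" };
  if (buildManifest(archive.files) !== archive.manifest) {
    return { ok: false, reason: "file contents do not match manifest" };
  }
  return { ok: true, reason: "signature and digests valid" };
}

// Assumption: an Ed25519 key pair stands in for the object-signing certificate.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
const signed = signArchive(sampleFiles, privateKey);

// Changing a script after signing breaks the digest check.
const tamperedFile = {
  ...signed, files: { ...signed.files, "upload.js": "alert('changed')" } };
// Rewriting the manifest to match the changed file breaks the signature instead.
const tamperedBoth = { ...tamperedFile, manifest: buildManifest(tamperedFile.files) };

for (const a of [signed, tamperedFile, tamperedBoth]) {
  console.log(verifyArchive(a, publicKey).reason);
}
```

Either change is caught because the signature covers the manifest and the manifest covers each file, so neither can be altered without the signer's private key.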
The latest version of the Netscape Signing Tool can be downloaded for free from http://developer.netscape.com/software/signedobj/jarpack.html. In order to use the signing tool, you first need to acquire an object-signing certificate. There are two ways to obtain this certificate: you can use the tool itself to create one for you, or you can purchase a certificate from a third-party company that specializes in object signing, such as VeriSign (http://www.verisign.com). A certificate created by using the tool itself is only to be used for testing purposes, according to the Netscape Web site. In order to use signed scripts in a production environment, you will need to get a certificate from either an independent certificate authority that can authenticate your identity (and will charge you a fee) or from certificate-authority server software running on your corporate intranet or extranet.
Once you've downloaded the Netscape Signing Tool, you'll be ready to create an object-signing certificate for testing purposes. In order to create a certificate, you will need to locate the files key3.db and cert7.db in your Netscape directory. Once you have found these two files, you'll need to back them up somewhere safe, in case you accidentally damage the databases.
To generate a certificate, use the Netscape Signing Tool command, which is as follows:
signtool -G <certificate name> -d <path to key3.db and cert7.db>
The -G option lets you specify the name of the certificate you are creating. The -d option must be used to specify the directory in which the key and certificate databases are located. If the databases are located in the same directory as the signing tool, you can use the option "-d." (including the period). An actual example of a command that would generate a certificate could be as follows:
signtool -G MyCert -d "C:\Program Files\NETSCAPE\USERS\jdow"
This command will create a certificate named MyCert in the certificate database of user jdow on a Windows NT machine. After running the command, the program will ask you for your identification data, which will then be digitally included in the signed scripts you create with the certificate.
Once you have acquired an object-signing certificate, either through a third party or by using the signing tool, you are ready to start signing files.
Follow these simple steps to create a signed script:
Create an empty directory and put some script files into it. Files can include JavaScript files or entire HTML files.
Specify the name of your object-signing certificate and sign the directory. Use the following command (as one line):
signtool -d <path to certificate database> -k <certificate name> -Z <jar file name> <directory with script files>
Type the password to your private-key database.
Test the archive you just created using the following command:
signtool -v <jar file name>
You can use the Netscape Signing Tool from within a Windows script file. Here is an example script file that is provided on the Netscape Web site:
REM Expand the jar file into a new directory
unzip -qq myjar.jar -d signjar
del myjar.jar
REM Sign everything in the new directory and recompress
signtool -k MySignCert -Z myjar.jar signjar
This script unpacks a JAR file containing script files, signs them, and then repacks them into the JAR file.
The aspects of the Netscape Signing Tool covered here are only a fraction of what the Signing Tool can do. I encourage you to visit Netscape's documentation of their Signing Tool at http://developer.netscape.com/docs/manuals/cms/41/adm_gide/app_sign.htm.