Java.com

Download Help

Printable Version

What should I do when I see a security prompt from Java?


This article applies to:
  • Java version(s): 7.0

Java 7 Update 21 introduced changes to the Java browser plug-in behavior that enable you to make more informed decisions before running the Java applet in the browser. A security prompt asks for confirmation before allowing Java content to run in the browser. For users, developers and system administrators who need more technical information refer to the links provided at the end of this article.

Risk Levels
The messages presented depends upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority. Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future.

This page describes the prompts to help you understand the risks of running the Java applet.

Java application prompts which include these images present a lower security risk.
Java logo The Java logo or publishers logo Represents an application that is identified by a valid certificate from a trusted Certificate Authority (CA). See below for more information
Blue information shield icon Blue information shield Indicates that the application can be identified by a valid certificate and more information is available.

Java application prompts which include these images present a higher security risk and should not be run.
Yellow warning triangle icon Yellow warning triangle Represents an application that cannot be identified because the certificate is untrusted or expired. See below for more information
Yellow warning shield icon Yellow warning shield Indicates that the application is unsigned and/or the certificate is not valid. Identification information provided by the certificate should not be trusted.

» More information on the changes regarding signed code


Java application with a certificate from a trusted authority

Applications of this type are typically low risk, This dialog represents the application with valid certificate from trusted authority.

What to look for:
  • Publisher name: Displayed
  • Icons shown: Java or vendor logo and blue info shield
Trusted application with valid certificate
You may see variations of the dialog based on the way application is deployed.
» More information on other Trusted signed certificate dialogs

What to do:
  • Verify Name, Publisher or Location information displayed on the dialog. We recommend you hit Cancel if any of this information does not match.
The message presented in the dialog will differ depending on whether the application requests:
Unrestricted access (Privileged) This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the location and publisher.
Limited access (Sandbox) This application will run with limited access that is intended to protect your computer and personal information.


Java application with no certificate (Unsigned)

Starting with Java 7 Update 51, applications without a certificate (i.e. unsigned apps), or missing application Name and Publisher information are blocked by default. Running this kind of application is potentially unsafe and present higher level of risk.

What to look for:
  • Dialog title: Application Blocked
  • Publisher name: No publisher listed
  • Message:Your security settings have blocked an untrusted application from running.
Unsigned applet - An unsigned application from the location below is requesting permission to run. Running this application may be a security risk

What to do:
  • It is highly recommended to not run this type of application. However if you understand the risk and still want to run the application, you can add the URL of this application to Exception Site List, which is located under the Security tab of the Java Control Panel.
    How to manage and configure Exception Site List?
    On successfully adding this application URL to this list will allow it to run after presenting some security warnings.

Java application with an expired certificate from a trusted authority

Applications of this type present a moderate level of risk because the publisher has not renewed their certificate.

What to look for:
  • Publisher name: Displayed
  • Icons shown: Yellow warning triangle and yellow security shield
  • Dialog title: Security Warning
  • Warning: Running this application may be a security risk
    The certificate used to identify this application has expired or The digital signature for the application has expired
Trusted signed applet with expired certificate

You may see variations of the dialog based on the way application is deployed.
» More information on other expired certificate dialogs

What to do:
  • Verify Name, Publisher or Location information displayed on the dialog. We recommend you hit Cancel if any of this information does not match.
The message presented in the dialog will differ depending on whether the application requests:
Unrestricted access (Privileged) This application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source
Limited access (Sandbox) This application will run with limited access that is intended to protect your computer and personal information.


Java application with a certificate from an untrusted source

Starting with Java 7 Update 51, applications with self-signed certificates are blocked by default. Applications of this type present the highest level of risk because publisher is not identified and the application may be granted access to personal data on your computer.

What to look for:
  • Dialog title: Application Blocked
  • Publisher name: No publisher listed
  • Message displayed: Your security settings have blocked a self-signed sandbox application from running.
Self Signed applet

What to do:
  • It is highly recommended to not run this type of application. However if you understand the risk and still want to run the application, you can add the URL of this application to Exception Site List, which is located under the Security tab of the Java Control Panel.
    How to manage and configure Exception Site List?
    On successfully adding this application URL to this list will allow it to run after presenting some security warnings.

Revocation Checking for Java Applications

Starting with Java 7u25, before attempting to launch any Java application, the signing certificate will be validated against the issuing certificate authority, using Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) to check that the certificate used to sign the application has not been revoked by the issuing Certificate Authority.

This feature will protect end user systems from malicious developers who in the past used stolen certificates, or illicitly purchased certificates to sign applications. Before running any web-deployed application with Java 7u25 (and later), there will be an attempt to contact the certificate authority to check revocation status to help guard against stolen or compromised certificates.

What to look for:
The revocation check can return different messages based on the check:
  • Certificate is revoked
  • Failed to validate certificate
  • Unable to connect to Certificate Authority

Certificate is revoked. Application will not be executed.

This dialog displays when running an application with a certificate that has been revoked by the Certificate Authority (CA). This scenario presents the highest level of risk. The application will not be executed as it can be from a malicious source.

Certificate revoked - The certificate of an application from the listed location is revoked. This application will not be executed

Failed to validate certificate. Application will not be executed.

This dialog displays when running an application with a certificate that cannot be validated by the Certificate Authority (CA). It appears if you have set the security level to Very High within the Java Control Panel, and the certificate cannot be validated.

Certificate validation failed - The certificate for the application from the listed location cannot be validated. This application will not be executed.

Unable to connect to Certificate Authority

This dialog displays when there is a network failure and the Certificate Authority (CA) cannot be reached to validate the certificate. In this case, it is usually safe to run the application because their actions are limited, but may still present a moderate level of risk. We recommend you hit Cancel. if you are not familiar with the publisher of the site you are visiting.

» More information on options to configure revocation settings from within the Java Control Panel.


MORE TECHNICAL INFORMATION



Find expert help on Java installation and setup

Select Language | About Java | Support | Developers
Privacy | Terms of Use | Trademarks | Disclaimer

Oracle