What should I do when I see a security prompt from Java?
This article applies to:
- Java version(s): 7.0, 8.0
Java 7 Update 21 introduced changes to the Java browser plug-in behavior that enable you to make more informed decisions before running the Java applet in the browser. A security prompt asks for confirmation before allowing Java content to run in the browser. For users, developers and system administrators who need more technical information refer to the links provided at the end of this article.
Risk Levels
The messages presented depends upon different risk factors, such as using old versions of Java or running applet code that is not signed from a trusted Certificate Authority.
Apps that present a lower risk display a simple informational message. This includes an option to prevent showing similar messages for apps from the same publisher in the future.
This page describes the prompts to help you understand the risks of running the Java applet.
| Java application prompts which include these images present a lower security risk. | ||
|---|---|---|
 |
The Java logo or publishers logo | Represents an application that is identified by a valid certificate from a trusted Certificate Authority (CA). See below for more information |
|
Blue information shield | Indicates that the application can be identified by a valid certificate and more information is available. |
| Java application prompts which include these images present a higher security risk and should not be run. | ||
|---|---|---|
|
Yellow warning triangle | Represents an application that cannot be identified because the certificate is untrusted or expired. See below for more information |
|
Yellow warning shield | Indicates that the application is unsigned and/or the certificate is not valid. Identification information provided by the certificate should not be trusted. |
» More information on the changes regarding signed code
Java application with a certificate from a trusted authority
Applications of this type are typically low risk This dialog represents the application with valid certificate from trusted authority.What to look for:
- Publisher name: Displayed
- Icons shown: Java or vendor logo and blue info shield
.jpg)
You may see variations of the dialog based on the way application is deployed.
» More information on other Trusted signed certificate dialogs
What to do:
- Verify Name, Publisher or Location information displayed on the dialog. We recommend you hit Cancel if any of this information does not match.
| The message presented in the dialog will differ depending on whether the application requests: | |
|---|---|
| Unrestricted access (Privileged) | This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the location and publisher. |
| Limited access (Sandbox) | This application will run with limited access that is intended to protect your computer and personal information. |
Java application with no certificate (Unsigned)
Starting with Java 7 Update 51, applications without a certificate (i.e. unsigned apps), or missing application Name and Publisher information are blocked by default. Running this kind of application is potentially unsafe and present higher level of risk.
What to look for:- Dialog title: Application Blocked or Java Application Blocked (Java 8)
- Publisher name: No publisher listed
- Message title: Application Blocked by Security Settings or Application Blocked by Java Security (Java 8)
- Message: Your security settings have blocked an untrusted application from running
For security, applications must now meet the requirements for the High or Very High security settings, or be part of the Exception Site List, to be allowed to run. (8u20 and above)
What to do:
It is highly recommended not to run this type of application. However if you understand the risk and still want to run the application, you can add the URL of this application to Exception Site List which is located under the Security tab of the Java Control Panel. Adding this application URL to this list will allow it to run after presenting some security warnings.
» How to manage and configure Exception Site List
Java application with an expired certificate from a trusted authority
Applications of this type present a moderate level of risk because the publisher has not renewed their certificate.
What to look for:
- Dialog title: Application Blocked or Java Application Blocked (Java 8)
- Message title: Application Blocked by Security Settings or Application Blocked by Java Security (Java 8)
- Warning: Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running
For security, applications must now meet the requirements for the High or Very High security settings, or be part of the Exception Site List, to be allowed to run. (8u20 and above)
.jpg)
You may see variations of the dialog when running an older Java version.
What to do:
It is highly recommended not to run this type of application. However if you understand the risk and still want to run the application, you can add the URL of this application to Exception Site List which is located under the Security tab of the Java Control Panel. Adding this application URL to this list will allow it to run after presenting some security warnings.
» How to manage and configure Exception Site List
| The message presented in the dialog will differ depending on whether the application requests: | |
|---|---|
| Unrestricted access (Privileged) | This application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source |
| Limited access (Sandbox) | This application will run with limited access that is intended to protect your computer and personal information. |
Java application with a certificate from an untrusted source
Starting with Java 7 Update 51, applications with self-signed certificates are blocked by default. Applications of this type present the highest level of risk because publisher is not identified and the application may be granted access to personal data on your computer.
What to look for:
- Dialog title: Application Blocked or Java Application Blocked (Java 8)
- Publisher name: No publisher listed
- Message title: Application Blocked by Security Settings or Application Blocked by Java Security (Java 8)
- Message displayed: Your security settings have blocked a self-signed application from running
For security, applications must now meet the requirements for the High or Very High security settings, or be part of the Exception Site List, to be allowed to run. (8u20 and above)
.jpg)
It is highly recommended not to run this type of application. However if you understand the risk and still want to run the application, you can add the URL of this application to Exception Site List which is located under the Security tab of the Java Control Panel. Adding this application URL to this list will allow it to run after presenting some security warnings.
» How to manage and configure Exception Site List
Revocation Checking for Java Applications
Starting with Java 7u25, before attempting to launch any Java application, the signing certificate will be validated against the issuing certificate authority, using Certificate Revocation Lists (CRL) and Online Certificate Status Protocol (OCSP) to check that the certificate used to sign the application has not been revoked by the issuing Certificate Authority.This feature will protect end user systems from malicious developers who in the past used stolen certificates, or illicitly purchased certificates to sign applications. Before running any web-deployed application with Java 7u25 (and later), there will be an attempt to contact the certificate authority to check revocation status to help guard against stolen or compromised certificates.
What to look for:
The revocation check can return different messages based on the check:
- Certificate is revoked
- Failed to validate certificate
- Unable to connect to Certificate Authority
Certificate is revoked. Application will not be executed.
This dialog displays when running an application with a certificate that has been revoked by the Certificate Authority (CA). This scenario presents the highest level of risk. The application will not be executed as it can be from a malicious source..jpg)
Failed to validate certificate. Application will not be executed.
This dialog displays when running an application with a certificate that cannot be validated by the Certificate Authority (CA). It appears if you have set the security level to Very High within the Java Control Panel, and the certificate cannot be validated..jpg)
Unable to connect to Certificate Authority
This dialog displays when there is a network failure and the Certificate Authority (CA) cannot be reached to validate the certificate. In this case, it is usually safe to run the application because their actions are limited, but may still present a moderate level of risk. We recommend you hit Cancel. if you are not familiar with the publisher of the site you are visiting.» More information on options to configure revocation settings from within the Java Control Panel.
MORE TECHNICAL INFORMATION
- More information on the security prompts can be found in the Code Signing FAQ.
- Developers and system administrators should look at the Java Applet and Web Start Code Signing article. (OTN)