Hacking midlet signing
in [Java Help]
|
From: Lew on 29 Mar 2010 15:01 bashizip wrote: > But my problem stays unsolved: I'm looking for a free way,no-payment > way. > I made a celf-signed root certifate , installed it to the phone, > signed my Midlet with my public key, > and installed the midlet into the midlet manager.But always the same > result : the midlet's not trusted,need to confirm any network and file > system access !!! > Doesn't this beg the trust question that certificates are designed to resolve? "Trust me! I am telling you that I am trustworthy!" Trust has to begin somewhere trusted. Your certificate trust store must have a way to add root certificates, otherwise Thawte and Verisign could never have gotten in there in the first place. > Is there any way to hack the virtual machine ? > Whaaaa? That's not a very good approach, even if it were feasible. Which it isn't. I suppose you could rebuild the VM from source and hack away all the things that make it useful. I would wager that that will not work, will cost you far more time and energy than a root certificate is worth, and will only cause trouble. -- Lew
From: Roedy Green on 29 Mar 2010 15:46 On Mon, 29 Mar 2010 11:30:36 -0700 (PDT), bashizip <bashizip(a)gmail.com> wrote, quoted or indirectly quoted someone who said : >I made a celf-signed root certifate , installed it to the phone, >signed my Midlet with my public key, >and installed the midlet into the midlet manager.But always the same >result : the midlet's not trusted,need to confirm any network and file >system access !!! >Is there any way to hack the virtual machine ? There is probably a way to fiddle the policy file to treat your cert or your domain as trusted. This fixes the problem for YOU, but not for your clients, unless they will let you adjust their policy files too. What is the equivalent of the policy file for Midlets? Is there something both on the upload site and the phone itself? Is there a way to upload root trusted certs into your phone? If so an approach may be to create the equivalent of the root cert for your phony cert and upload it as if you were a tiny ca. see http://mindprod.com/jgloss/policyfile.html -- Roedy Green Canadian Mind Products http://mindprod.com If you tell a computer the same fact in more than one place, unless you have an automated mechanism to ensure they stay in sync, the versions of the fact will eventually get out of sync.
From: Roedy Green on 29 Mar 2010 15:52 On Mon, 29 Mar 2010 12:01:27 -0700 (PDT), Lew <lew(a)lewscanon.com> wrote, quoted or indirectly quoted someone who said : >Your certificate trust store must have a way to add root certificates, >otherwise Thawte and Verisign could never have gotten in there in the >first place. Not necessarily. I notice at various browser sites that there is a procedure for a ca to get his root certs built-in to the browser. It would be sensible for there also to be a mechanism to add other root certs, but not strictly necessary. Phones are consumer items, and providers do all sorts of dodgy things to limit the phone's abilities. I would not assume that all phones necessarily have a way to add additional root certs. It is just one more way for the provider to control what apps can run on the phone. This would apply even more so to Apple, Blackberry and the less generic phone makers. I am not saying don't look, just don't count on it being there unless you verify it is. -- Roedy Green Canadian Mind Products http://mindprod.com If you tell a computer the same fact in more than one place, unless you have an automated mechanism to ensure they stay in sync, the versions of the fact will eventually get out of sync.
From: Lew on 29 Mar 2010 16:41 Lew wrote, quoted or indirectly quoted someone who said : >> Your certificate trust store must have a way to add root certificates, >> otherwise Thawte and Verisign could never have gotten in there in the >> first place. > Roedy Green wrote: > Not necessarily. > Yes, necessarily. > I notice at various browser sites that there is a > procedure for a ca to get his root certs built-in to the browser. It > would be sensible for there also to be a mechanism to add other root > certs, but not strictly necessary. > > Phones are consumer items, and providers do all sorts of dodgy things > to limit the phone's abilities. I would not assume that all phones > necessarily have a way to add additional root certs. It is just one > more way for the provider to control what apps can run on the phone. > This would apply even more so to Apple, Blackberry and the less > generic phone makers. > > I am not saying don't look, just don't count on it being there unless > you verify it is. > There must be a way to add root certificates, otherwise Thawte and Verisign could never have gotten in there in the first place. That is ineluctable. From what you're saying, that way might involve striking a business deal with the cell-phone manufacturer or provider. So be it. There's still a way. When you see a ship in a bottle, it is silly to assert that there's no way to get a ship into a bottle. You see in front of you the hard evidence that there is. The question for the OP is whether that way is easier or cheaper than the alternative, like, oh, I don't know, going ahead and buying a real certificate? -- Lew
From: Roedy Green on 3 Apr 2010 17:15 On Mon, 29 Mar 2010 13:41:05 -0700 (PDT), Lew <lew(a)lewscanon.com> wrote, quoted or indirectly quoted someone who said : >There must be a way to add root certificates, otherwise Thawte and >Verisign could never have gotten in there in the first place. That is >ineluctable. Browsers and Java and Windows come with root certs pre-installed. It certainly would be sensible for there to be a mechanism to add more, but not logically necessary. This applies even more so for cell phones where lockin-mechanisms are more tolerated. -- Roedy Green Canadian Mind Products http://mindprod.com By 2009, computers will disappear. Displays will be written directly onto our retinas by devices in our eyeglasses and contact lenses. ~ Ray Kurzweil (born: 1948-02-12 age: 62)
First
|
Prev
|
Next
|
Last
Pages: 1 2 3 Prev: Buffered RandomAccessFile Next: RFC perfectjpattern new release 1.0.3 |