OpenWebStart, Java Web Start (JWS): Modern Browser Interactions and “Compatibility” Challenges

OpenWebStart (OWS) is an open-source implementation of Java Web Start (JWS), a technology that allowed launching Java applications directly from a web browser. While OWS aims to provide a modern and maintained solution for JWS applications, it faces several security considerations, particularly in the context of modern browser security models.

Here's a breakdown of security issues with OpenWebStart and modern browsers:

1. The Fundamental Shift in Browser Security:

Modern web browsers have fundamentally shifted away from technologies like Java applets and JWS due to inherent security risks. Browsers are designed to be "sandboxed," meaning they isolate web content from the user's local system. JWS, by its nature, allows applications to run outside this strict browser sandbox, directly on the client's Java Virtual Machine (JVM). This capability, while convenient for deploying rich client applications, creates a broader attack surface.

2. Deprecation and Lack of Native Browser Support:

• Java Web Start (JWS) is deprecated: Oracle officially deprecated JWS in Java 9 and removed it from JDK distributions starting with Java 11. This means there's no longer official support or security updates for native JWS functionality in modern Java versions.

• Browser plug-in model is dead: Modern browsers no longer support NPAPI plugins, which were historically used to integrate technologies like Java Applets and JWS directly into the browser. This means you can't simply click a JNLP link in your browser and expect it to run directly within the browser window. Instead, browsers will download the JNLP file, and then you need a separate application (like OpenWebStart) to launch it.

3. OpenWebStart's Approach and Its Implications:

OpenWebStart bridges this gap by providing an external launcher for JNLP files. This means:

• Reliance on an external application: Instead of running within the browser, OpenWebStart acts as a separate application that the browser hands the JNLP file to. This bypasses the browser's sandbox for the Java application itself.

• Trust model: When you launch a JNLP application via OpenWebStart, you are essentially trusting that application to run on your system with the permissions it requests. This is where security concerns arise.

4. Specific Security Concerns with OpenWebStart:

• Digital Signatures and Trust:

  • JWS and OWS applications rely heavily on digital signatures to verify the origin and integrity of the application. If an application is not properly signed, or if the certificate is revoked or untrusted, OWS will (or should) present security warnings.
  • Users might be conditioned to click "OK" on security pop-ups, potentially running malicious unsigned or improperly signed applications.
  • Managing trusted certificates and ensuring their validity is crucial for secure deployment.

• Permissions and Sandbox Escapes:

  • While Java applications can run in a "sandbox" with limited permissions, a signed application can request broader permissions (e.g., access to the file system, network access). If a malicious application is signed by a trusted (or compromised) certificate, it could potentially exploit vulnerabilities to escape the sandbox and perform malicious actions on the user's system.
  • The deployment.policy file and other configuration settings in OpenWebStart determine the security policies applied to launched applications. Incorrect or overly permissive configurations can weaken security.

• JVM Vulnerabilities:

  • OpenWebStart manages JVMs, including downloading them. If there are vulnerabilities in the specific JVM version used by an application, and OWS is not configured to update or select secure JVMs, it could expose the system to exploits.
  • OWS allows whitelisting of JVM arguments and JVM download servers, which are critical security features to prevent unauthorized code execution or downloads.

• Outdated Libraries:

  • Like any software, the Java applications launched via OWS can rely on various libraries. If these libraries are outdated and contain known vulnerabilities, the application becomes susceptible to attacks. This is not unique to OWS but a general software security best practice.

• Configuration Complexity:

  • OpenWebStart offers various configuration options (e.g., deployment.properties, server whitelists, JVM argument whitelists) that directly impact security. Misconfigurations can easily introduce vulnerabilities. For example, allowing JVM server download from JNLP files without a strict whitelist could be risky.

• Screen Recording Prompts (MacOS specific issue observed):

  • Some users have reported OpenWebStart (or the applications launched through it) sometimes triggering macOS system prompts for screen recording. While OWS developers state they don't implement this feature, it highlights how OS-level security features can interact with OWS and raise user concerns, even if the underlying cause is benign or related to the launched application.

5. Modern Browser Interactions and "Compatibility" Challenges:

• Downloaded JNLP files: Modern browsers will download JNLP files to the user's "Downloads" folder. The user then needs to explicitly open this file with OpenWebStart. This "extra step" acts as a minor security gate, requiring user intent.

• Gatekeeper/SmartScreen warnings: Operating systems like macOS (Gatekeeper) and Windows (SmartScreen) might flag downloaded JNLP files or the OpenWebStart application itself as potentially untrusted, requiring the user to manually approve their execution. This is a security measure to prevent accidental execution of unknown software.

• Caching issues: While OWS aims to manage cached applications, issues can arise where different versions of an application with the same JNLP name but different codebases might interfere with each other if caching isn't handled precisely, potentially leading to the wrong application version being launched.

In summary:

OpenWebStart provides a valuable solution for organizations with legacy Java Web Start applications. However, its security model is fundamentally different from modern web applications. The primary security considerations revolve around:

• Trusting the JNLP application's origin and signature.

• Properly configuring OpenWebStart's security settings (whitelists, policies).

• Ensuring the JVM and application libraries are up-to-date and free of known vulnerabilities.

• Educating users about security prompts and the implications of running JNLP applications.

While OpenWebStart aims to provide a secure environment, the shift in web technology and browser security practices means that applications delivered via OWS require a different and often more stringent security posture compared to purely web-based solutions.