Java security

The 1.7.0_51 update of Java has introduced some changes that I thought would be worth addressing.

Recently, you may have heard about security concerns surrounding Java. Since BikeCAD is written in Java, I feel compelled to emphasize that these security concerns are limited to the Java plugin for browsers. Despite this concern, Java is still a thriving language: still ranked #2 in the January 2014 TIOBE Programming Community index which is an indicator of the popularity of programming languages world-wide.

While the Java language is thriving, the use of the Java plugin for web browsers is waning. BikeCAD Pro runs as a standalone Java application and is therefore free of any security concerns. The free version of BikeCAD has always been implemented as a Java applet. Because it used to be a given that everyone would have the Java plugin installed in their browser, deploying BikeCAD as an applet was a convenient way to let people try some of the features of BikeCAD Pro without any special downloads.

There are two main types of Java applets. Java applets can be signed or unsigned. Signed applets have the ability to read and write files both on the web server where they are stored, plus on the local computer on which they are being deployed. Years ago, the free version of BikeCAD was distributed as a signed applet so that users could save and open designs from their own machines. However, under these circumstances, users were confronted with a warning message alerting them to the fact that the applet had this ability to read and write files, and that if the user did not trust the originator of the applet, that they should not proceed.

Although I never had any malicious intent, I knew that not everyone could be expected to know that for sure. To solve this problem, I redesigned the BikeCAD applet to work within the restrictions of an unsigned applet. An unsigned applet has no ability to read or write files on the user's machine. An unsigned applet can only communicate back to the server on which it is stored. The redesigned version of BikeCAD would allow users to save and retrieve their designs but in order to do this, all files would be routed through the BikeCAD web server, and it was always the user controlling where these files were read from or written to on their own machine.

As an unsigned applet, BikeCAD operates within a very strict security sandbox and therefore poses no security risks to the user. Still, because of the possibility of malicious software being deployed through the Java browser plugin, this latest version of Java (1.7.0_51) has default settings that will block the deployment of the BikeCAD applet as well. There are two ways to correct this. Both approaches involve opening the Java control panel.

The first approach is to navigate to the security tab in the Java control panel and lower the security level to medium.

This step alone will allow you to run BikeCAD in your browser. However, if you would like to maintain the recommended higher level of security, you can alternatively leave the security set to High, but click the "Edit Site List..." button and add http://www.bikecad.ca to the list of exceptions. If you need to upload BCAD files from your local computer, you will also need to allow http://bikecad.ca. This is the same as the first URL, but without the www.

This is the dialog box you'll see when you click the "Edit Site List..." button.

Following these instructions should get you back working on BikeCAD again. If any of this makes you feel uneasy, remember that BikeCAD Pro has no security concerns. For a one time fee of $350 (Canadian) you can have all the added functionality available within BikeCAD Pro.