(If the JSecure applet doesn't appear above or fails to work, the Java plug-in may not be installed on your computer, or Java may be disabled in your web browser. Please check your security settings. However, most web browsers are Java-averse these days.)

How to Use JSecure

JSecure cannot harm your computer. It's designed to let you test the integrity of the security manager built into your web browser or Java applet viewer. JSecure faithfully reports the results of its tests and never returns any information to the web server. The safety and privacy of your system are assured. But you need to run JSecure because any other applet on the Internet can access the same information that JSecure does -- even without your knowledge!

JSecure never does anything without your command, and it always tells you what it's doing. To start the tests, you must click on the three buttons along the bottom of the applet panel.

[Show System Info] This button launches the most comprehensive series of tests. JSecure will try to access 15 pieces of information from your computer's operating system. It displays everything it finds in the text fields. If your web browser or applet viewer blocks any of JSecure's attempts, JSecure reports that, too. These tests happen almost instantly, and they will tell you what kind of information any Java applet can retrieve from your computer. Unlike JSecure, which always reports what it's doing, a sneaky applet could access the same information in a background thread without your knowledge.

[Try Disk Read] When you click this button, JSecure tries to read the contents of the current directory (folder) on your computer's hard disk. Java's security model strictly forbids untrusted applets from accessing any of your computer's local storage devices. But it's up to the web browser or applet viewer to enforce this security model. A flawed security manager might not block this kind of illegal access. If JSecure discovers a hole in the security manager, it displays some of the filenames it found.

[Try Disk Write] When you click this button, JSecure tries to create a file on your computer's hard disk. Java's security model strictly forbids untrusted applets from storing files (such as "cookies") on your computer's local storage devices. If your web browser or applet viewer does not block this attempt, it means a hostile Java applet could plant a harmful virus or a Trojan horse program on your system. For that reason, this is the most critical test of all. If JSecure finds a hole in the security manager, it creates a small, harmless text file called JSECURE.TXT in the current directory (folder) to prove the security breach. Otherwise, JSecure reports that the security manager successfully blocked the attempt.
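The three tests described above all follow one pattern: attempt the operation and treat a SecurityException as proof that the security manager blocked it. The sketch below is an added example, not JSecure's source code; it runs as a standalone program rather than an applet, and the class name SandboxProbe, the sample property keys and the marker filename SANDBOX_PROBE.TXT are assumptions chosen for illustration.

```java
import java.io.File;
import java.io.FileWriter;
import java.util.LinkedHashMap;
import java.util.Map;

/** Self-test probe: reports which sandbox-restricted operations the runtime allows. */
public class SandboxProbe {
    // Assumed sample of standard Java system property keys (not JSecure's list of 15).
    static final String[] KEYS = {
        "java.version", "os.name", "os.arch", "user.name", "user.home", "user.dir"
    };

    interface Check { String run() throws Exception; }

    // Runs one check; a SecurityException means the security manager blocked it.
    static String attempt(Check c) {
        try {
            return "ALLOWED: " + c.run();
        } catch (SecurityException e) {
            return "BLOCKED by security manager";
        } catch (Exception e) {
            return "FAILED (not a security decision): " + e;
        }
    }

    static Map<String, String> runAll() {
        Map<String, String> report = new LinkedHashMap<>();
        for (String key : KEYS) {
            report.put("property " + key, attempt(() -> System.getProperty(key)));
        }
        report.put("disk read", attempt(() -> {
            String[] names = new File(".").list();
            return (names == null ? 0 : names.length) + " entries visible";
        }));
        report.put("disk write", attempt(() -> {
            File marker = new File("SANDBOX_PROBE.TXT"); // hypothetical marker name
            try (FileWriter w = new FileWriter(marker)) {
                w.write("harmless marker written by sandbox self-test\n");
            }
            // Clean up so the self-test leaves nothing behind.
            return "created " + marker.getName() + ", deleted=" + marker.delete();
        }));
        return report;
    }

    public static void main(String[] args) {
        runAll().forEach((test, result) -> System.out.println(test + " -> " + result));
    }
}
```

When no security manager is installed, as in an ordinary command-line run, every check reports ALLOWED; the BLOCKED results appear only where a sandbox is enforcing the policy.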


About Java Security

JSecure is a simple applet — almost any Java programmer could use these techniques with little effort. Also, it would be easy to conceal these kinds of probes in a background thread while the applet appears to be doing something else on the screen. That's why it's important to find out how secure your web browser or applet viewer really is.

To my knowledge, no one has ever written a virus in Java that spreads through Java applets. Although they can do some annoying things, applets that inflict real damage on your system are almost unheard-of. When such applets do appear, it's because the security manager in a web browser or applet viewer is flawed — and it's the integrity of this security manager that JSecure reveals. Every time you install or update a web browser or Java applet viewer, you should run JSecure.

