Comment Re:Requires self-signed applet with full privilege (Score 1) 86
A security researcher asking people to blindly trust strangers...
IMO they really aren't. As it is uploaded unobfuscated and anyone can download it, it then takes 2 seconds to drop it into one of the many Java decompilers and you can read it yourself.
Who can blame them for not spending a couple of hundred dollars on a signing cert? I can't, for a proof of concept.
If end users are expected to decompile the code and inspect it every time it downloads (or updates), then this isn't a solution for the 99%+ of internet users who don't know Java. As for me, I'd rather spend the little extra time typing in a second password without this CAPTCHA scheme than decompiling & inspecting code.
My point is that this is a proof of concept. For some reason people are irrationally flipping out (IMO), when the fact is they could have distributed it in a desktop-launchable form (just the jar), requiring more user work (executing a command, or something more complicated... Java != your friend), and people would never see any code signing issue. The fact is that to make it easier you get a warning, since they don't want to shell out hundreds for a proof of concept. Can you blame them? My statement was more of a blanket one that they aren't trying to hide anything. Since they chose to deliver it in the fashion they did, everyone flipped out. As a Java dev I see where they are coming from and wanted to make the point that they aren't doing anything fishy and could easily be checked on. Just logical.