WebSDR problem with the latest Java update

On January 14, 2014, Oracle released Java 7 update 51, and with that update using WebSDR receivers has become more difficult.

[Note: this text does not apply if you use the HTML5 audio feature supported by many WebSDR servers and many browsers. See below under "Long-term solution".]

Cause and background

The WebSDR project has, since its beginning, used Java applets to play sound and show the waterfall display. These are so-called "unsigned" applets, which run in a restricted environment (called "sandbox"), where they cannot do any harm to your computer and thus are totally safe, in principle.
Java and this sandbox are made by Oracle, and apparently Oracle has trouble making this sandbox totally safe. These bugs can be exploited by malicious applets to harm your computer. In the latest Java release, they apparently gave up the hope of fixing all sandbox bugs; instead, they now make it as difficult as possible to run unsigned applets at all, both the malicious and the good ones.

Short-term solution

Fortunately, it still is possible to run unsigned applets, but only if you explicitly tell your computer from which websites applets should be accepted. So in order to use a WebSDR, you first have to add its URL to a list of acceptable Java sites. (Applets from other sites, including malicious ones, will still be blocked.)

On Windows/Mac, you can find this list by going to the system control panel or System Preferences and choosing Java (you may want to use the control panel's search function); then choose the Security tab, and click on "Manage Site List". Then there's an "Add" button to add a URL to the list. Put the complete URL there, like http://websdr.ewi.utwente.nl:8901/ , so including the http part.

On Linux/Solaris, open a terminal and type jcontrol there; then choose the Security tab, and the rest of the instructions are as for Windows/Mac.

More detailed instructions can be found here: https://blogs.oracle.com/java-platform-group/entry/upcoming_exception_site_list_in.
And DK2RV wrote detailed instructions in German for Firefox here.

Alternatively, you can edit the file %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites by hand.

Longer-term solution

Of course, the above situation is pretty inconvenient. For the future, there are two options, assuming Oracle's policy does not change:

Signing the applets. Oracle now wants every applet to be "signed". This means that the applet gets a cryptographic "signature" by which it can be verified that the applet was written by a specific person (e.g., me), so if you trust that person, you can trust the applet. Unfortunately, this signature apparently would cost me several hundred dollars/euros per year...

Switching to HTML5 WebAudio. After extensive testing at my own WebSDR site at http://websdr.ewi.utwente.nl:8901, in July 2014 I distributed an update of the WebSDR software to all WebSDR operators which no longer needs Java, but uses recent HTML5 features instead.
However, this is not a total solution: it doesn't work on Internet Explorer, and generally not on older versions of browsers.

If you have more questions about this, e-mail me at pa3fwm@websdr.org.