Cryptographic usage on Indian govt websites: why the java fetish?

I couldnt help but notice that the Indian Income Tax deptt’s website for e-filing tax, asks for installation of a Java plugin for a simple upload of a digital certificate file. It was puzzling for me, until I figured it out that they were using Java for decrypting the private key (using the user provided password).

They wanted to do this clientside, to avoid massive load on their servers. Fair enough, but why the java fetish.

This can just as easily be done using Javascript (no relation to Java), which is built in by default in every web browser. No need for heavy java plugins (Windows XP is notorious for locking up with java based plugins) and very fast and lightweight.

To make things much easier for people who want to do this - there are ready made libraries (like Clipperz and PIDCrypt). In fact PIDCrypt has a nice demo where it shows how fast it can decrypt RSA certificates.

Some people may argue that a java plugin is better, because you cant save the page and get access to the decryption code (which you can using javascript) and play havoc.

For these people, I suggest that they read up on the Man-in-the-Middle type of an attack, which can effectively negate all the apparent advantages of a Java plugin based approach. All it succeeds in doing is worsen the user experience (similar to the pain of signing up for a digital certificate)

Atleast they did not make the site Internet Explorer-only


Cryptographic usage on Indian govt websites: why the java fetish?


July 23, 2009

Find me on Twitter @sandeepssrin

Did i make any mistake? Please consider sending a pull request.