First questions

Disclaimer - this is my first response to an issue so I will likely mess it up...

>> image_applet.jar is 2.38 mb. Is this the actual applet which will be downloaded to the user's computer?
Yes. I will look into making it smaller, I think I can cut about 1/3 off of the image size now that I am looking at the jar contents. The rest is just the byte-compiled source code that I wrote, so probably there's no easy way to make it smaller.

I don't know about facebook etc. and how they do it. Honestly, I don't use Facebook, myspace etc I only read about them. I'm sure they use a similar technology but you'd assume they have full time staff so maybe they are better at it. Some AJAX magic could make the applet download a little more responsive, anyway. Once the applet is downloaded it can be cached and so it will be a one-time penalty per version of the applet.

>> · has anyone from drupal looked at the java code in this module yet?
Don't know. I have to submit the code to the admins to get a CVS account, whether they look at it or not, hard to say. There is no specific security issue that I"m aware of. I don't use Drupal's form-handling API for the actual download of the images, but I do put some effort into preventing a replay attack and SQL insertion attack. IMO PHP handling of images makes it very vulnerable to denial of service attacks but that is true of anything that uses PHP uploads.

>> is there any way to avoid the applet working quite so 'deceptively'?
Don't know what you mean about that. What is 'deceptive'?

>> · Is there anything we can do about the certificate warning (like buying a certificate)?
Yes. Verisign and Certificate Authority and other vendors will sign your certificate for a fee. What that will get you is you will not get the warning that the certificate is not trusted when you download the applet. I don't know what the rates are but I would imagine it's on the order of hundreds of (American) dollars per cert.

I guess I've answered the question so now this is fixed? sorry I'm new at this.

And thanks for using my module.

OK. Well then maybe I should choose my words more carefully.

By 'fake' certificate, I meant self-signed certificate. I don't think this is deceptive, since the browser will warn the user that the certificate is not real. You should read up on security certificates and what they mean if you are very security conscious.

Maybe faking is more applicable in the second context. The applet sends a form field as if it were a browser. Technically the trusted applet is like a plug-in, so it is part of the browser at that point. So it is no more deceptive than what Javascript does with Ajax etc. But I realize that this is not for everyone, like you point out not everyone trusts Javascript either.