Oracle to Block JAR Files Signed with MD5 Starting In April (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer:
Oracle says that starting with April 18, 2017, Java (JRE) will treat all JAR files signed with the MD5 algorithm as unsigned, meaning they'll be considered insecure and blocked from running. Oracle originally planned MD5's deprecation for the current Critical Patch Update, released this week, which included a whopping 270 security fixes, one of the biggest security updates to date. The company decided to give developers and companies more time to prepare and delayed MD5's deprecation for the release of Oracle Java SE 8u131 and the next Java CPU, scheduled for release in April...
Oracle removed MD5 as a default code signing option from Java SE 6, released in 2006. Despite this, there will be thousands of Java apps that will never be resigned. For this, Oracle will allow system administrators to set up custom deployment rule sets and exception site lists to allow Java applets and Java Web Start applications signed with MD5 to run. Sometime in the second half of 2017, Oracle also plans to change the minimum key length for Diffie-Hellman algorithms to 1024 bits. These updates are part of Oracle's long-standing plan for changes to the security algorithms in the Oracle Java Runtime Environment and Java SE Development Kit.
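Before the April update lands, an administrator needs to know which archives in the estate still carry MD5 and will therefore be treated as unsigned. The following is an added example, not code from the article or from Oracle: it opens a JAR, looks for MD5-Digest attributes in META-INF/MANIFEST.MF and the *.SF signature files, and looks for the DER-encoded MD5 OID inside the PKCS#7 signature block (*.RSA, *.DSA, *.EC). The sample JAR it builds is constructed inline and carries no real signature; only the structural markers that a scan would key on are present.

```python
import io
import re
import zipfile

# DER encodings of the digest-algorithm OIDs as they appear inside a PKCS#7
# signature block: MD5 is 1.2.840.113549.2.5, SHA-256 is 2.16.840.1.101.3.4.2.1.
MD5_OID_DER = bytes.fromhex("06082a864886f70d0205")
SHA256_OID_DER = bytes.fromhex("0609608648016503040201")

# Attribute names a jarsigner-produced manifest or .SF file uses for MD5:
# "MD5-Digest", "MD5-Digest-Manifest", "MD5-Digest-Manifest-Main-Attributes".
MD5_ATTR = re.compile(rb"^MD5-Digest(?:-Manifest(?:-Main-Attributes)?)?\s*:", re.M | re.I)


def md5_findings(jar_bytes):
    """Return (member, reason) pairs for every sign of MD5 in the JAR's META-INF."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            data = zf.read(name)
            if upper.endswith((".MF", ".SF")) and MD5_ATTR.search(data):
                findings.append((name, "MD5-Digest attribute"))
            elif upper.endswith((".RSA", ".DSA", ".EC")) and MD5_OID_DER in data:
                findings.append((name, "MD5 OID in PKCS#7 signature block"))
    return findings


def build_sample_jar(digest_alg):
    """Constructed sample JAR (hypothetical): one class plus hand-written
    META-INF files; the .RSA member is a placeholder containing only the OID."""
    buf = io.BytesIO()
    oid = MD5_OID_DER if digest_alg == "MD5" else SHA256_OID_DER
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\n\r\nName: Hello.class\r\n{digest_alg}-Digest: AAAA\r\n\r\n")
        zf.writestr("META-INF/SIGNER.SF",
                    f"Signature-Version: 1.0\r\n{digest_alg}-Digest-Manifest: AAAA\r\n\r\n"
                    f"Name: Hello.class\r\n{digest_alg}-Digest: AAAA\r\n\r\n")
        zf.writestr("META-INF/SIGNER.RSA", oid + b"\x00placeholder-not-a-real-signature")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("MD5", "SHA-256"):
        print(alg, md5_findings(build_sample_jar(alg)))
```

Run over a real inventory, any JAR that returns a non-empty list is one that either needs re-signing or an explicit deployment rule set entry before April.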
Re:that's great and all... (Score:4, Insightful)
BUT WHAT ABOUT SOLARIS
It was dead the moment Oracle ate Sun -- it wasn't even their primary target, merely collateral damage in their plan to kill MySQL.
Unrelated: you really should check your keyboard, either your Caps Lock or Shift is stuck. If you can't fix that immediately, try stty iuclc, although this helps on terminals only (although elinks is an option). If you did that intentionally, please at least use small caps: apt install tran; echo "But what about Solaris?"|tran smallcaps; that's way less rude. As the Great Runes [catb.org] have been dead in England since the 11th century, and on computer terminals since the late 1970s, there's no reason to use them.
Re: (Score:2)
... their plan to kill MySQL.
Did you remember to tell Oracle about this plan? Because I don't think they know anything about it.
Re: (Score:3)
They didn't expect a group of most competent devs jumping ship and making MariaDB. It's nearly impossible for a fork of something as complex to succeed, thus it was a near-sure bet that control of MySQL would let them slowly extinguish their biggest competitor. Well, proper use cases for Oracle-the-DB and MySQL differ but most people who decide don't know the difference: if that wasn't the case, MySQL wouldn't have the massive usage share it enjoys, as if you need real SQL then Postgres is much better, an
The article suggests only 1.8 (Score:2)
Re: (Score:2)
Re: (Score:2)
dude whoever updates Java?
Seriously, the joke is it is so incompatible ... with itself. Too many programs use security exploits to function. I have seen poorly written Java software from major US banks that uses Java 1.4.2 (yes, it forces this on companies with accountants) and uses COM+ objects for Excel to function. Or they use RMI to go to c:\program files\jre\bin to check the version number (face palm).
So no 64 bit computing for YOU! That moves java to program files(x86) which the java applets will error saying
Re: (Score:2)
This. For a "write once, run anywhere" language, Java is horribly dependent on VM version and host OS. I've honestly written more portable code in Perl than in Java.
Re: (Score:2)
Java is write once ... with the same version of Java. The problem is the security fixes break the functionality of the platform. RMI or remote method invocation for calling win32 objects as a local admin with no sandbox defeats the purpose of the VM.
Get rid of this and Java is actually secure. This angers me because Java was awesome and it rotted and went to shit due to bad management. Java still has a rich 100,000 methods and objects to call from and could have been still popular today if management let it
Re: The article suggests only 1.8 (Score:2)
Including a whole bunch of stuff with Sun and Oracle badges on the front........
Re: (Score:2)
I hope not or we will have a lot of enterprise equipment (printers, copiers, projectors, etc) that will become unmanaged.
Oh don't worry I'm sure the vendors will all provide updates!
Re: (Score:2)
Those who can't write a secure virtual machine... (Score:1)
...write a code-signing infrastructure instead.
You cannot sign with MD5, you hash with MD5. (Score:1)
Re: (Score:2)
Technically you could use several asymmetrical algorithms over MD5. (Not saying it's a good idea, but neither is using MD5.)
Thus saying MD5 covers everything.
Re: You cannot sign with MD5, you hash with MD5. (Score:2)
Part of the RSA signature algorithm is signing a hash of the content you want to sign. They are changing that hashing algorithm.
The funny thing is SHA-1 is no longer fit for this purpose, and so Mozilla is requiring SHA-2 in all HTTPS certificates from next week (after a major push by all the browser creators for CAs to use SHA-256 for the last couple of years), so yeah, Oracle and Java are way behind the times, and that is before we get to those that won't update.
Seems to me (Score:3, Interesting)
It seems to me that the stewardship of Java in the past few years, particularly its security aspects, has rendered it useless and undesirable.
I must use Java in my employment with, well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.
The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.
Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.
I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.
Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.
Re: (Score:2)
There're plenty of well paid IT jobs without Java. Fully agree with your recommendation of keeping up to date on new languages though.
Re: (Score:2)
Thank you.
Pro-tip: learn at least one new language each year
Why would I do that? I have problems to solve, I can't learn a new language every year and be more than a tyro at it. There are those that love the new thing, however, when there are $tens-of-thousands of servers involved, running $i-don't-know-how-many virtual guests, well, proven and solid are more highly valued than simple "new" without any sort of benefit to be had going into it.
Re: (Score:2)
I really think oracle is actively trying to kill Java, with this MD5 signing thing blocking thousands of apps that will never be re-signed and then aggressively pursuing java licensing fees, this would be the icing on the cake.
In case you missed it previously:
https://developers.slashdot.or... [slashdot.org]
Re: (Score:2)
It seems to me that the stewardship of Java in the past few years, particularly its security aspects, has rendered it useless and undesirable.
I must use Java in my employment with, well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.
The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.
Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.
I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.
Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.
In other words it is a more modern version of COBOL, the other language that refuses to die and for which employers scream they can't find qualified applicants. Just a 1990s version with objects and some media support.
Go for smaller or startup companies. Java is here not for new things but for legacy stuff from when Java was cool, circa the 1997 - 2008 timeframe. These systems are so big now and integrated into the business process chain that they can't be removed, as jobs were eliminated due to Java automation. Sigh
Re: Seems to me (Score:2)
Can't believe Java ever allowed MD5 to begin with (Score:2)
Ever since Dobbertin found a hash collision in 1996, RSA Labs themselves were already recommending alternatives such as SHA-1. This was just around the time Java 1.0 was released.
Re: (Score:2)
Re: (Score:2)
Not if Java refuses to load those functions and requires their 'more secure' proprietary functions instead.
This feels like the computer industry trying to lock out the free like in the days of big iron.
Re: (Score:2)
Unsigned Java Applets (Score:2)
These security changes just make it tougher and tougher to support "legacy" Java applets that are unsigned. Forget Java 8... even the newer versions of Java 7 can't run them anymore.
I guess that it's good that they fix these issues, but they need to offer workarounds or I'm going to have to keep installing Java 6 on some customer machines to keep their legacy crap running.
Remember when (Score:2)
"the current Critical Patch Update, released this week, which included a whopping 270 security fixes,"
Remember when Java was touted as the super-secure language that was supposed to be nearly impossible to exploit? I do.
It was gonna be the "write-once, compile anywhere" language that was going to make all other languages obsolete. It was basically going to take over the world and *everything* was going to be written in Java, "Everything, you'll see!" they said. It was going to be the Uber Language for all t
Re: (Score:2)
It was secure .... then Sun put in RMI, through which unsandboxed code at admin level could leave the sandbox and get full access to the filesystem/environment. FACEPALM.
Java is fairly secure at the server level. It was browser applets that freaking deserve to die, using RMI or remote method interface at local admin to put in God knows what just from visiting a website, that created this disaster.
FYI I want java to die now so I am not a fanboy. Php was bad too and still is. Most geeks have moved on from these 2 for these an
Re: (Score:2)
You missed "it's faster than C!! Well, it will be faster than C in the future! Well, it will be faster than C once we have JIT. Well, it will be faster than C once JIT actually optimizes things as promised... Any day now..."
"The year is 2017, and Oracle launches the last of America's deep database probes. After his systems are unexpectedly frozen by garbage collection, Solaris 12 and its pilot Captain Larry 'Buck' Ellison are blown out of their trajectory into an orbit which freezes his life support systems
Re: (Score:2)
This is why I trust no one like The X-Files say.
Thought it said to block Java (Score:2)
Well one could always hope
Ummm, good? (Score:2)
I know it's fashionable to dump on the Java ecosystem around here. However, given the tools and libraries that are available, I find it incredibly easy to write apps quickly and efficiently. Personally, I've started to use Kotlin and it rocks. Between it and Groovy and the massive wealth of libraries in the Java ecosystem, I haven't found anything else that lets me be as productive.
That said, some of the frameworks out there just plain suck. My employer is building a Spring/Hibernate Servlet system, and whi
Yay for legacy appliances (Score:2)