Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Java Oracle

Oracle to Block JAR Files Signed with MD5 Starting In April (bleepingcomputer.com) 55

An anonymous reader quotes BleepingComputer: Oracle says that starting with April 18, 2017, Java (JRE) will treat all JAR files signed with the MD5 algorithm as unsigned, meaning they'll be considered insecure and blocked from running. Oracle originally planned MD5's deprecation for the current Critical Patch Update, released this week, which included a whopping 270 security fixes, one of the biggest security updates to date. The company decided to give developers and companies more time to prepare and delayed MD5's deprecation for the release of Oracle Java SE 8u131 and the next Java CPU, scheduled for release in April...

Oracle removed MD5 as a default code signing option from Java SE 6, released in 2006. Despite this, there will be thousands of Java apps that will never be resigned. For this, Oracle will allow system administrators to set up custom deployment rule sets and exception site lists to allow Java applets and Java Web Start applications signed with MD5 to run. Sometimes in the second half of 2017, Oracle also plans to change the minimum key length for Diffie-Hellman algorithms to 1024 bits. These updates are part of Oracle's long-standing plan for changes to the security algorithms in the Oracle Java Runtime Environment and Java SE Development Kit.

This discussion has been archived. No new comments can be posted.

Oracle to Block JAR Files Signed with MD5 Starting In April

Comments Filter:
  • The article suggests only 1.8, but will this also be pushed to 1.6 and 1.7 too?
    • Holy shit, MD5 and 512-bit keys, Oracle are literally twenty years behind the times in crypto. It's no wonder that a company that cares this little about security is having to push out patches that fix 270 vulnerabilities at once.
  • ...write a code-signing infrastructure instead.

  • Presumably they mean that they wont accept RSA signatures over MD5 hashes.
    • Technically you could use several asymmetrical algorithms over MD5. (Not saying it's a good idea, but neither is using MD5.)
      Thus saying MD5 covers everything.

    • Part of the RSA signature algorithm is signing a hash of the content you want to sign. They are changing that hashing algorithm.

      The funny thing is sha-1 is nolonger fit for this purpose and so Mozilla is requiring sha-2 in all HTTPS certificates from next week (after a major push by all the browser creators for CAs to use sha-256 for the last couple of years), so yeah, Oracle and Java is way behind the times and that is before we get to those that won't update.

  • Seems to me (Score:3, Interesting)

    by buss_error ( 142273 ) on Saturday January 21, 2017 @04:40PM (#53712397) Homepage Journal

    It seems to me that the stewardship of Java in the past few years, particularly it's security aspects, have rendered it useless and undesirable.

    I must use java in my employment with well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.

    The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.

    Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.

    I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.

    Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.

    • by Hylandr ( 813770 )

      I really think oracle is actively trying to kill Java, with this MD5 signing thing blocking thousands of apps that will never be re-signed and then aggressively pursuing java licensing fees, this would be the icing on the cake.

      In case you missed it previously:
      https://developers.slashdot.or... [slashdot.org]

    • It seems to me that the stewardship of Java in the past few years, particularly it's security aspects, have rendered it useless and undesirable.

      I must use java in my employment with well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.

      The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.

      Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.

      I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.

      Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.

      In other words it is more modern version of COBOL the other language that refuses to die that employers scream they can't find qualified applicants. Just a 1990s version with objects and some media support.

      Go for smaller or startup companies. Java is here not for new things but for legacy stuff when Java was cool circa 1997 - 2008 timeframe. These systems are so big now and integrated into the business process chain that they can't be removed as jobs were eliminated due Java automation. Sigh

      • You insult COBOL, if written to be portable COBOL apps can run everywhere and for decades, unlike Java which breaks its API with minor point releases Signed, Fed up J2ee server admin
  • Ever since Dobbertin found a hash collision in 1996 RSA labs themselves were already recommending alternatives such as SHA-1. This was just around the time Java 1.0 was released.

  • These security changes make just make it tougher and tougher to support "legacy" Java applets that are unsigned. Forget Java 8... even the newer versions of Java 7 can't run them anymore.

    I guess that it's good that they fix these issues, but they need to offer workarounds or I'm going to have to keep installing Java 6 on some customer machines to keep their legacy crap running.

  • "the current Critical Patch Update, released this week, which included a whopping 270 security fixes,"

    Remember when Java was touted as the super-secure language that was supposed to be nearly impossible to exploit? I do.

    It was gonna be the "write-once, compile anywhere" language that was going to make all other languages obsolete. It was basically going to take over the world and *everything* was going to be written in Java, "Everything, you'll see!" they said.It was going to be the Uber Language for all t

    • It was secure .... then Sun put in RMI which unsandboxed code at admin level could leave the sandbox and full access to the filesystem/environment FACEPALM.

      Java is fairly secure at the sever level. It was browser applets that freaking deserve to die using RMI or remote method Interface at local admin to put in God knows what just from visiting a website that created this disaster.

      FYI I want java to die now so I am not a fanboy. Php was bad too and still is. Most geeks have moved on from these 2 for these an

    • You missed "it's faster than C!! Well, it will be faster than C in the future! Well, it will be faster than C once we have JIT. Well, it will be faster than C once JIT actually optimizes things as promised... Any day now..."

      "The year is 2017, and Oracle launches the last of America's deep database probes. After his systems are unexpectedly frozen by garbage collection, Solaris 12 and its pilot Captain Larry 'Buck' Ellison are blown out of their trajectory into an orbit which freezes his life support systems

    • by antdude ( 79039 )

      This is why I trust no one like The X-Files say.

  • Well one could always hope

  • I know it's fashionable to dump on the Java ecosystem around here. However, given the tools and libraries that are available, I find it incredibly easy to write apps quickly and efficiently. Personally, I've started to use Kotlin and it rocks. Between it and Groovy and the massive wealth of libraries in the Java ecosystem, I haven't found anything else that lets me be as productive.

    That said, some of the frameworks out there just plain suck. My employer is building a Spring/Hibernate Servlet system, and whi

  • It is a joy for IT to keep around a bunch of old java client environments to access old printers, NAS, switches, kvm switches, motherboard controllers (iLO etc), blade server management all "conveniently" accessed through a web browser (and requiring an old obsolete java and old insecure java features).

Keep up the good work! But please don't ask me to help.

Working...