Oracle to Block JAR Files Signed with MD5 Starting In April (bleepingcomputer.com), 2017-01-21
An anonymous reader quotes BleepingComputer: Oracle says that starting with April 18, 2017, Java (JRE) will treat all JAR files signed with the MD5 algorithm as unsigned, meaning they'll be considered insecure and blocked from running. Oracle originally planned MD5's deprecation for the current Critical Patch Update, released this week, which included a whopping 270 security fixes, one of the biggest security updates to date. The company decided to give developers and companies more time to prepare and delayed MD5's deprecation for the release of Oracle Java SE 8u131 and the next Java CPU, scheduled for release in April...
Oracle removed MD5 as a default code signing option from Java SE 6, released in 2006. Despite this, there will be thousands of Java apps that will never be resigned. For this, Oracle will allow system administrators to set up custom deployment rule sets and exception site lists to allow Java applets and Java Web Start applications signed with MD5 to run. Sometime in the second half of 2017, Oracle also plans to change the minimum key length for Diffie-Hellman algorithms to 1024 bits. These updates are part of Oracle's long-standing plan for changes to the security algorithms in the Oracle Java Runtime Environment and Java SE Development Kit.
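One way to inventory JARs for the MD5 digests that this change will start rejecting, as an added example that is not part of the article or of Oracle's tooling: it parses the text parts of a JAR signature (META-INF/MANIFEST.MF and META-INF/*.SF) and reports every section whose digest attribute is MD5. It does not read the PKCS#7 block (META-INF/*.RSA), so a JAR whose digests are SHA-256 but whose signature algorithm is MD5withRSA is not flagged here; `jarsigner -verify -verbose` covers that case. The file names and placeholder digest values in `constructed_jar` are constructed sample data.

```python
import io
import re
import zipfile

def _sections(text):
    """Parse JAR manifest format into a list of {key: value} sections (blank-line
    separated; a line starting with a space continues the previous line)."""
    text = re.sub(r"\r?\n ", "", text)  # join 72-byte line continuations
    sections = []
    for block in re.split(r"(?:\r?\n){2,}", text):
        sec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                sec[key.strip()] = value.strip()
        if sec:
            sections.append(sec)
    return sections

def md5_digest_uses(jar_bytes):
    """Map each META-INF/MANIFEST.MF or META-INF/*.SF file in the JAR to the
    sections in it whose digest attribute is MD5 (MD5-Digest, MD5-Digest-Manifest).
    Sections are labelled by their 'Name:' value, '<main>' for the main section.
    An empty dict means no MD5 digests, so the JAR is not affected by the change."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not (upper == "META-INF/MANIFEST.MF"
                    or upper.startswith("META-INF/") and upper.endswith(".SF")):
                continue
            for sec in _sections(zf.read(name).decode("utf-8", errors="replace")):
                if any(k.upper().startswith("MD5-DIGEST") for k in sec):
                    hits.setdefault(name, []).append(sec.get("Name", "<main>"))
    return hits

def constructed_jar(digest_alg):
    """Constructed sample: an in-memory JAR with a manifest and a .SF file that use
    the given digest name. Digest values are placeholders, and the PKCS#7 block
    (META-INF/*.RSA) is omitted because this check never reads it."""
    entry = "Name: com/example/App.class\r\n%s-Digest: AAAA\r\n\r\n" % digest_alg
    manifest = "Manifest-Version: 1.0\r\n\r\n" + entry
    sf = "Signature-Version: 1.0\r\n%s-Digest-Manifest: BBBB\r\n\r\n" % digest_alg + entry
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/VENDOR.SF", sf)
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run `md5_digest_uses(open(path, "rb").read())` over a directory of JARs to list the ones that need re-signing before April.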
Re: (Score:2)
BUT WHAT ABOUT SOLARIS
It was dead the moment Oracle ate Sun -- it wasn't even their primary target, merely collateral damage in their plan to kill MySQL.
Unrelated: you really should check your keyboard, either your Caps Lock or Shift is stuck. If you can't fix that immediately, try stty iuclc although this helps on terminals only (although elinks is an option). If you did that intentionally, please at least use small caps: apt install tran; echo "But what about Solaris?"|tran smallcaps; that's way less rude. As the Great Rune [catb.org]
The article suggests only 1.8 (Score:2)
Those who can't write a secure virtual machine... (Score:1)
...write a code-signing infrastructure instead.
You cannot sign with MD5, you hash with MD5. (Score:1)
Seems to me (Score:3)
It seems to me that the stewardship of Java in the past few years, particularly its security aspects, has rendered it useless and undesirable.
I must use Java in my employment with well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.
The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.
Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.
I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.
Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.
Can't believe Java ever allowed MD5 to begin with (Score:2)
Ever since Dobbertin found a hash collision in 1996, RSA Labs themselves were already recommending alternatives such as SHA-1. This was just around the time Java 1.0 was released.