
Thread: OpenJDK Java 7 Runtime - safe for banking?

  1. #1
    Join Date
    Jul 2012
    Beans
    48

    Question OpenJDK Java 7 Runtime - safe for banking?

    Hey!

    I hope this is the correct forum - let me know if it isn't.


    I need java for my internet bank, so I just installed OpenJDK.

    In Windows, I've always used Sun, 'cause that's the easiest choice, I suppose. As I haven't been robbed yet, I'm presuming that Sun is a safe java-applet when using bank-services on the internet.

    Now I'm wondering - is OpenJDK as safe, or safer, to use with banking?
    I'm relatively new to Linux, so opensource is still a bit blurry to me; therefore I'm prone to thinking "opensource must mean that it's easier to extract bank-information, and I don't know if I can trust someone other than Sun"

    Now, I would appreciate if someone could prove me wrong=P

  2. #2
    Join Date
    Jan 2009
    Beans
    Hidden!

    Re: OpenJDK Java 7 Runtime - safe for banking?

    Well, I would rather see it so that the Java you have installed is something like another operating system. It is a kind of virtual machine. By itself it does not do anything but sit here and wait for some program written for this machine.

    So the work is done by the program written for the java virtual machine. This is then the applet which you will download from the bank website etc.

    How this applet is written and what quality we don't know, but I would assume that a bank did quite a degree of consulting on that subject before releasing an applet.
    Those applets often do all the cryptography jobs: they create the session keys, sign the messages with the private key, encrypt all to the bank key etc.

    As every system, the java virtual machine can be attacked too, but in this case the integrity of the applet supplied by the bank seems to me much more important.

  3. #3
    Join Date
    Mar 2011
    Beans
    665

    Re: OpenJDK Java 7 Runtime - safe for banking?

    I'm relatively new to Linux, so opensource is still a bit blurry to me; therefore I'm prone to thinking "opensource must mean that it's easier to extract bank-information, and I don't know if I can trust someone other than Sun"
    Well, first off, the JRE is no longer handled by Sun; it's handled by Oracle. You can't trust Oracle for **** because they're one of the worst tech companies that currently exists and I'll resist ranting about that.

    Open source vs closed source is a subject that gets repeated a lot. My stance is that open source is always potentially more secure than closed source. I won't elaborate, it'll end up devolving into an ironically really complicated discussion.

    I think that the current Oracle JRE is actually based on OpenJDK 7. So they're both pretty much as broken as the other most likely.

    If you're using Firefox there's an apparmor profile already built for the plugin. You can enable it with:

    sudo aa-enforce /etc/apparmor.d/**java**

    and if that doesn't work replace 'java' with 'jdk' or whatever it is.

    That should help keep you much safer. If you're using another browser you'll need to generate the profile yourself.

    Pretty sure Java 7 still doesn't support TLS 1.1+ either.

    Which bank is this out of curiosity?
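
Added example (not part of the original post or thread): after running `aa-enforce` as described in post #3, one way to confirm that a Java-related profile is really loaded in enforce mode is to read the kernel's list of loaded profiles. The function names, the match pattern and the sample profile names are assumptions made for illustration.

```shell
#!/bin/sh
# The kernel lists loaded AppArmor profiles as "name (mode)", one per line.
PROFILES_FILE=${PROFILES_FILE:-/sys/kernel/security/apparmor/profiles}

# check_java_profiles [FILE] [PATTERN]
# Prints "mode<TAB>profile" for every loaded profile whose name matches PATTERN.
# Returns 0 if every match is in enforce mode, 1 if any match is not,
# 2 if no profile matched, 3 if FILE cannot be read (usually needs root).
check_java_profiles() {
    file=${1:-$PROFILES_FILE}
    pattern=${2:-'java|jdk|icedtea'}   # assumption: adjust to your profile name
    [ -r "$file" ] || return 3
    awk -v pat="$pattern" '
        {
            mode = $NF                        # last field, e.g. "(enforce)"
            gsub(/[()]/, "", mode)
            name = $0
            sub(/ \([^()]*\)$/, "", name)     # strip the trailing " (mode)"
            if (tolower(name) ~ pat) {
                printf "%s\t%s\n", mode, name
                found = 1
                if (mode != "enforce") weak = 1
            }
        }
        END { if (!found) exit 2; if (weak) exit 1; exit 0 }
    ' "$file"
}

# Constructed sample in the kernel's format; the profile names are made up.
sample_profiles() {
    cat <<'EOF'
/usr/sbin/cupsd (enforce)
/usr/lib/jvm/java-7-openjdk/jre/bin/java (complain)
/usr/bin/firefox (enforce)
EOF
}

# Demo on the constructed sample. On a real host, run as root:
#   check_java_profiles
demo_file=$(mktemp)
sample_profiles > "$demo_file"
check_java_profiles "$demo_file" || echo "exit status: $?"
rm -f "$demo_file"
```

A status of 1 means a matching profile is loaded but only in complain mode, so violations are logged rather than blocked; a status of 2 means no matching profile is loaded at all.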

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenJDK Java 7 Runtime - safe for banking?

    Originally Posted by Hungry Man:
    Which bank is this out of curiosity?
    I am curious as well. None of the banks I have used have needed Java to access your account. Some have used flash for their homepage, but I don't think any of them have actually used Java.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #5
    Join Date
    Mar 2011
    Beans
    665

    Re: OpenJDK Java 7 Runtime - safe for banking?

    I've heard of it before. Honestly I'd just like to see it and then email them explaining why they need to not do that.

  6. #6
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: OpenJDK Java 7 Runtime - safe for banking?

    Yes, some banks do use the Java plugin.

    OpenJDK 7 is the open source reference implementation of Oracle Java 7. If one has security issues, the other is likely to as well. They both get updated at the same time as issues are discovered. In fact, yesterday I read about a cross-platform Social Engineering exploit that targets Java.

    Despite the fact that OpenJDK 7 is the reference implementation of Oracle Java 7, a good part of the world does not recognize it as "Java". If the bank's website developers do not understand the relationship and only look for the Oracle Java plugin, you'll find that the applets won't work.

    (If you install OpenJDK 7 and go to Oracle's site to check to see if you have Java, Oracle recognizes it, of course!)

    If OpenJDK 7's plugin, IcedTea, is not recognized by the bank's website, you will have to install Oracle Java 7 (see the wiki in my signature and look for "Using webupd8.org's strikingly simple method").

    Secure is only good until someone finds an exploit. It's the risk we take. But you should use the apparmor profile.
    Last edited by QIII; July 13th, 2012 at 09:21 PM.
    The Community Java Wiki * The Community ATI Driver Wiki * Find what you need in the Ubuntu Community wikis

    And seeing the terror on the faces of the people, QIII did speak to them, saying "Fear not the Terminal, for it is a road both swift and secure to the Great Mysteries of Linux without passing through the dangers of The Land of Ten Thousand Competing Desktop Environments."

  7. #7
    Join Date
    Jan 2009
    Beans
    Hidden!

    Re: OpenJDK Java 7 Runtime - safe for banking?

    come on, I use at least two banks who need it myself and I am not someone having 20 bank accounts (as I hardly can keep two above minus)

    There is a system of identification with simple 509 PKI, but the private key is on a chip card. The process of verification and access to the card is done by a Java applet, as well as the encryption process, generation of the session key etc.
    This is by the way the standard way of internet bank access in countries like Czech Republic.

    The other application is for swiss banking.

    There are apparently banks in Italy who use similar procedures as well.

    So there will be many around, as this is a way to maintain only one software for different operating systems.

    And yes, so far I did not manage to operate either of them under openJDK, so far only under sun/oracle java.

  8. #8
    Join Date
    Jan 2009
    Beans
    Hidden!

    Re: OpenJDK Java 7 Runtime - safe for banking?

    Originally Posted by Hungry Man:
    I've heard of it before. Honestly I'd just like to see it and then email them explaining why they need to not do that.
    Simple: it is all using an applet which is downloaded at the time of operation and thus a little bit more under control of the bank than if there is software installed on the client's PC.
    Software installed on the client's PC is considered the weakest point in the whole authentication and is therefore avoided.

    The java applet is just sent to client PC run inside the java VM and does all the job and is deleted after.

    It is also easy to maintain only one software for different OS.

    In some countries the procedure is standardized by the legal requirements for internet transactions.


    You can go and ask one of the cert authorities why they do it this way: http://www.ica.cz/English
    or one of their customers: http://www.csob.cz/en/Stranky/default.aspx
    Last edited by ottosykora; July 15th, 2012 at 06:17 PM.

  9. #9
    Join Date
    Mar 2011
    Beans
    665

    Re: OpenJDK Java 7 Runtime - safe for banking?

    There are plenty of benefits for programming in Java like cross-platform code. That doesn't really excuse it. Think of BEAST. Think of MD4 only just being deprecated.

  10. #10
    Join Date
    Jan 2009
    Beans
    Hidden!

    Re: OpenJDK Java 7 Runtime - safe for banking?

    Well yes, but what alternative has a bank?

    Write windows software which the user has to install on his computer? Probably not good idea.
    Use just identification with something like RSA timer? OK, but then for the communication just the standard encryption mechanism provided by the browser? Hmm, possible, but not legal in many countries.

    In a number of countries I know, the legal requirement is to use x.509 PKI. How to implement that so as to keep the secret key not on the PC and at the same time use it and carry out the encryption process without installing software on the client computer?
