
Thread: OpenJDK Java 7 Runtime - safe for banking?

  1. #11
    Join Date
    Mar 2011
    Beans
    665

    Re: OpenJDK Java 7 Runtime - safe for banking?

    I don't see why anything needs to be installed at all. What exactly are they doing on this site other than banking? Simply allow an HTTPS connection and that's it - the browser handles all of this. As for PKI that's really up to the bank in terms of getting their private key certification for the public key to meet those standards.

  2. #12
    Join Date
    Jan 2009
    Beans
    Hidden!

    Re: OpenJDK Java 7 Runtime - safe for banking?

    This is the problem. One can rely on SSL, but this will not solve the problem of X.509 PKI handling. And in many countries I know of, the authentication and encryption has to be done with a full X.509 implementation due to legal directives.
    Yes, an operating system like Windows or another will handle that, but this is not wanted, as this is a bigger risk.
    You have to provide software which can make use of a key pair on external media not readable otherwise than by software run at the time of the access.

    This is a rather standard procedure; a number of specialized companies produce software for such smart card access and operations using the keys stored on a not accessible partition on the smart card.

    So it is not about the bank getting a cert on their key, but about each client having a key pair on non-accessible media, and this media has to be given a crypto task and perform that task and then communicate with the outside world.
    This is the only legal way in a number of countries, as they will not accept any sort of 'browser will do' SSL as a security feature for bank transactions.
    This is mainly because the browser is installed as a whole on the client's PC and this is basically considered as unusable.

    In fact, the initial communication uses SSL, but then the Java applet is downloaded via this SSL, it does some basic integrity check of the Java VM, and the software to talk to the smart card is then executed and will do the rest of the communication and crypto tasks.

    The Java applet is deleted at the end of the session.

    There are also highly protected secure storage servers, in a number of countries, which use Java applets for the whole cryptography process, as this is in the end much more secure than any sort of SSL transmission. Here, however, the point is more that the data must not be decrypted at the other end of the line, which is not the case in bank traffic.

    In fact I do not know of any bank around which will rely on transactions over SSL as a browser function.

    Some banks do use SSL for the traffic, but will use some second path for authentication a number of times during the session. They will definitely not rely on an authentication message created by the operating system crypto functions.

  3. #13
    Join Date
    Mar 2011
    Beans
    665

    Re: OpenJDK Java 7 Runtime - safe for banking?

    I've never had City bank try to use Java for any transaction.

  4. #14
    Join Date
    Jan 2009
    Beans
    Hidden!

    Re: OpenJDK Java 7 Runtime - safe for banking?

    Quote Originally Posted by Hungry Man:
    I've never had City bank try to use Java for any transaction.
    Yes, but then you have a second communication path, independent of the browser, the computer and your current internet connection, for initial authentication and exchange of basic session key parameters.
    Often an application via certain cooperating mobile phone providers is used; an RSA timer or similar non-internet-browser-based communication needs to be established.

    Any procedure using just the browser would be highly risky and simply not allowed by the authorities in many countries. Simple browser-based authentication was dropped sometime in the '90s.

    I have one way of using such basic communication for transactions with a bank, but it will allow me only transactions of a maximum of $100, and $500 per month at most.
    The smart card Java based system will allow me transactions of $100,000 each, up to the full banking limit per month.
    From that you can see how the security is probably estimated by the bank and the software companies behind the system.

  5. #15
    Join Date
    Jun 2007
    Beans
    2

    Re: OpenJDK Java 7 Runtime - safe for banking?

    Ok, so you are a Java hater, I get it. But at least have the correct information if you are going to go off about it.

    Quote Originally Posted by Hungry Man:
    Open source vs closed source is a subject that gets repeated a lot. My stance is that open source is always potentially more secure than closed source. I won't elaborate, it'll end up devolving into an ironically really complicated discussion.
    That could be true if Ubuntu actually kept up to date. Except that OpenJDK 7 on Ubuntu is currently at Update 3, while Oracle's is at Update 5, released 2 months ago, with 14 security fixes in it. (of course Ubuntu/Debian has taken to making a bunch of software dependent on OpenJDK rather than make it a recommend, thus forcing users to "roll their own" for these packages, or run a less secure version of Java)



    Quote Originally Posted by Hungry Man:
    Pretty sure Java 7 still doesn't support TLS 1.1+ either.
    That is ENTIRELY incorrect. Java 7 currently supports both TLS 1.1 and 1.2, neither of which are supported by Firefox yet despite ancient bugs for them.

  6. #16
    Join Date
    Mar 2011
    Beans
    665

    Re: OpenJDK Java 7 Runtime - safe for banking?

    I'm not a 'Java' hater. I like the language, I like that it's portable, and I like OOP. In general I dislike the implementation and I think most users shouldn't have it installed as it's one of the most commonly exploited pieces of software.

    That could be true if Ubuntu actually kept up to date. Except that OpenJDK 7 on Ubuntu is currently at Update 3, while Oracle's is at Update 5, released 2 months ago, with 14 security fixes in it. (of course Ubuntu/Debian has taken to making a bunch of software dependent on OpenJDK rather than make it a recommend, thus forcing users to "roll their own" for these packages, or run a less secure version of Java)
    Not really what I was talking about but yes, it is behind. This is unfortunately the case with quite a few programs in the software center.

    That is ENTIRELY incorrect. Java 7 currently supports both TLS 1.1 and 1.2, neither of which are supported by Firefox yet despite ancient bugs for them.
    Good to know. At least they've done something. I know 7 also deprecated some weaker hash functions as well.

  7. #17
    Join Date
    Jul 2012
    Beans
    48

    Re: OpenJDK Java 7 Runtime - safe for banking?

    OP here, again! (still using Lubuntu)

    Thanks for all the answers. As far as I can read out of it all, OpenJDK seems like a safe enough way to go.

    Now for another question; how to verify that I have the latest version, and how do I, if necessary, update it?

    When I finally managed to install OpenJDK, I wasn't skilled in Linux at all - at least now, I've learned a _little_ more. Therefore, I'm not really sure what I did back then. It seems like I have both the version 6 and 7 installed. If someone could explain possible reasons why this is, I'd be glad=P

    Now, for the pressing issue. I remember a while back, my bank encouraged all their users to update their Java, as there were some new security threats around. As I can't remember how I installed Java, I'm not sure if it ever updates automatically through "sudo apt-get update". At least, when I do a "sudo apt-get install openjdk-7-jre" from OpenJDK's pages, my terminal outputs that I already have the newest version.

    Do I?

    Should I switch to Oracle instead?=P

    Best regards

    Ole-Jørgen

  8. #18
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: OpenJDK Java 7 Runtime - safe for banking?

    As long as you are doing regular updates, you should have the latest version of OpenJDK.

  9. #19
    Join Date
    Jan 2013
    Beans
    48

    Re: OpenJDK Java 7 Runtime - safe for banking?

    Quote Originally Posted by QIII:
    Yes, some banks do use the Java plugin.

    OpenJDK 7 is the open source reference implementation of Oracle Java 7. If one has security issues, the other is likely to as well. They both get updated at the same time as issues are discovered. In fact, yesterday I read about a cross-platform Social Engineering exploit that targets Java.

    Despite the fact that OpenJDK 7 is the reference implementation of Oracle Java 7, a good part of the world does not recognize it as "Java". If the bank's website developers do not understand the relationship and only look for the Oracle Java plugin, you'll find that the applets won't work.

    (If you install OpenJDK 7 and go to Oracle's site to check to see if you have Java, Oracle recognizes it, of course!)

    If OpenJDK 7's plugin, IcedTea, is not recognized by the bank's website, you will have to install Oracle Java 7 (see the wiki in my signature and look for "Using webupd8.org's strikingly simple method").

    Secure is only good until someone finds an exploit. It's the risk we take. But you should use the apparmor profile.

    I tried what humgerman said for this since I use Firefox; it just isn't working.

    Where can I find info on how to use this?

    ty

    Actually, never mind, I'll try to find another solution.
    Last edited by MontrealCorp; February 13th, 2013 at 04:53 PM.

  10. #20
    Join Date
    Sep 2011
    Beans
    1,531

    Re: OpenJDK Java 7 Runtime - safe for banking?

    This thread is only six months old but A LOT has changed since then. If you have the java plugin in your browsers, keep them disabled until you need to do banking. Then disable them as soon as you're done.

    If you have both versions, remove 6. I'm on Windows right now so I can't test it, but I believe the code is
    Code:
    # quote the patterns: apt-get reads them as regexes, and an unquoted
    # openjdk-6* ("openjdk-" followed by zero or more 6s) would also match openjdk-7
    sudo apt-get remove --purge 'openjdk-6-*' 'icedtea-6-*'
    Then you can make sure you have openjdk 7 by typing
    Code:
    dpkg -l | grep openjdk
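Post #17 asks how to confirm that the installed OpenJDK really is the newest one, and post #20 above gives the dpkg/apt-get commands. The script below is an added example written for this page, not code from any poster or from the OpenJDK project. It reads the Installed and Candidate lines that `apt-cache policy` prints and reports whether a newer build is waiting in the archive, which is the thing "already the newest version" does not tell you when the package index is stale. The package names are the real Ubuntu ones; the version strings in the embedded sample blocks are constructed for the example, and those samples are only used as a fallback when the machine has no apt-cache, so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread: answer "do I actually have the newest
# OpenJDK?" by comparing the Installed and Candidate lines that
# "apt-cache policy" prints, instead of trusting "already the newest version".
# Package names are real Ubuntu package names; the version strings in the
# constructed samples below are made up for the example.

# policy_state: reads one package's "apt-cache policy" block on stdin and
# prints exactly one line:
#   not-installed                (Installed: (none), or package unknown)
#   up-to-date VERSION
#   outdated INSTALLED CANDIDATE
policy_state() {
    awk '
        $1 == "Installed:" { inst = $2 }
        $1 == "Candidate:" { cand = $2 }
        END {
            if (inst == "" || inst == "(none)") { print "not-installed"; exit }
            if (inst == cand) { print "up-to-date " inst; exit }
            print "outdated " inst " " cand
        }'
}

# needs_update: reads the same block on stdin; "yes" when an installed
# package has a newer candidate, "no" otherwise (nothing to update if absent).
needs_update() {
    case "$(policy_state)" in
        outdated*) echo yes ;;
        *)         echo no  ;;
    esac
}

# check_pkg PKG: query the live apt cache when this machine has one;
# otherwise fall back to the constructed sample so the script still runs offline.
check_pkg() {
    if command -v apt-cache >/dev/null 2>&1; then
        apt-cache policy "$1" | policy_state
    else
        printf '%s\n' "$SAMPLE_OUTDATED" | policy_state
    fi
}

# Constructed sample blocks (layout follows what apt-cache policy prints;
# versions and mirror line are made up).
SAMPLE_OUTDATED='openjdk-7-jre:
  Installed: 7u3-2.1.1-3
  Candidate: 7u25-2.3.10-1
  Version table:
     7u25-2.3.10-1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
 *** 7u3-2.1.1-3 0
        100 /var/lib/dpkg/status'

SAMPLE_CURRENT='openjdk-7-jre:
  Installed: 7u25-2.3.10-1
  Candidate: 7u25-2.3.10-1'

SAMPLE_ABSENT='openjdk-6-jre:
  Installed: (none)
  Candidate: 6b27-1.12.6-1'

# Report the packages this thread cares about: the old 6 runtime (should be
# not-installed after the purge above), the 7 runtime, and the browser plugin.
for pkg in openjdk-6-jre openjdk-7-jre icedtea-7-plugin; do
    printf '%-20s %s\n' "$pkg" "$(check_pkg "$pkg")"
done
```

Run it after `sudo apt-get update`, because the Candidate line only reflects the last index refresh; an "outdated" result means `sudo apt-get install openjdk-7-jre` (or a full `sudo apt-get upgrade`) will actually change something, and "up-to-date" means the "already the newest version" message from post #17 is telling the truth for the current index.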
