Has an Ubuntu Drip
I don't see why anything needs to be installed at all. What exactly are they doing on this site other than banking? Simply allow an HTTPS connection and that's it - the browser handles all of this. As for PKI that's really up to the bank in terms of getting their private key certification for the public key to meet those standards.
sig
Dark Roasted Ubuntu
this is the problem. One can relay on the ssl, but this will not solve the problem of 509 PKI handling. And in many countries I know, the authentication and encryption has be done with full 509 implementation doe to legal directives.
Yes, the operating system like windows or other will handle that, but this is not wanted, as this is bigger risk.
You have to provide software, which can make use of key pair on external media not readable otherwise then by software run at the time of the access.
This is rather standard procedure, number of specialized companies produce software for such smart card access and operations using the keys stored on not accessible partition on the smart card.
So it is not about the bank getting cert on their key, but it is about each client has a key pair on non accessible media, and this media has to be given a crypto task and perform that task and commuicate then with the outside world.
This is the only legal way in number of countries as they will not accept any sort of 'browser will do' ssl as security feature for bank transactions.
This is mainly because the browser is installed as whole on the clients PC and this is basically considered as unusable.
In fact, the initial communication uses ssl, but then the java applet is downlaoded via this ssl, it does some basic intergity check of the java VM and the software to talk to the smart card is then executed and will do the rest of the communication and crypto tasks.
The java applet is deleted at the and of the session.
There also highly protected secure storage servers, in number of countries which use java applets for the whole cryptography process as this is at the end much more secure then any sort of ssl transmission. Here is however more the point, that the data must not be decrypted at the other and of the line which is not the case in a bank traffic.
In fact I do not know any bank around which will relay transactions on ssl as browser function.
Some banks do use the ssl for the traffic, but will use some second path for authetication number of times during the session. They will definitely not relay on authetication message created by the operating system crypto functions.
Has an Ubuntu Drip
I've never had City bank try to use Java for any transaction.
sig
Dark Roasted Ubuntu
yes, but then you have second communication path, independent on browser, computer and your current internet connection for initial authetication and exchange of basic session key parameters.Originally Posted by Hungry Man
Often application via certain cooperating mobile phone providers is used, RSA timer or similar not internet browser based communication needs to be established.
Any procedure using just browser would be highly risky and simply not allowed by the authorities in many countries. Simple browser based authentication was dropped sometimes in the 90ties.
I have one way of using such basic communication for transactions with a bank, but it will allow me only transactions of maximum 100$ and 500$ per month maximal.
The smart card java based system will allow me transactions of 100000$ each up to the full banking limit per month.
From that you can see how the security is probably estimated by the bank and software companies behind the system.
First Cup of Ubuntu
Ok, so you are a Java hater, I get it. But at least have the correct information if you are going to go off about it.
That could be true if Ubuntu actually kept up to date. Except that OpenJDK 7 on Ubuntu is currently at Update 3, while Oracle's is at Update 5, released 2 months ago, with 14 security fixes in it. (of course Ubuntu/Debian has taken to making a bunch of software dependent on OpenJDK rather than make it a recommend, thus forcing users to "roll their own" for these packages, or run a less secure version of Java)
That is ENTIRELY incorrect. Java 7 currently supports both TLS 1.1 and 1.2, neither of which are supported by Firefox yet despite ancient bugs for them.
Has an Ubuntu Drip
I'm not a 'Java' hater. I like the language, I like that it's portable, and I like OOP. In general I dislike the implementation and I think most users shouldn't have it installed as it's one of the most commonly exploited pieces of software.
Not really what I was talking about but yes, it is behind. This is unfortunately the case with quite a few programs in the software center.That could be true if Ubuntu actually kept up to date. Except that OpenJDK 7 on Ubuntu is currently at Update 3, while Oracle's is at Update 5, released 2 months ago, with 14 security fixes in it. (of course Ubuntu/Debian has taken to making a bunch of software dependent on OpenJDK rather than make it a recommend, thus forcing users to "roll their own" for these packages, or run a less secure version of Java)
Good to know. At least they've done something. I know 7 also depreciated some weaker hash functions as well.That is ENTIRELY incorrect. Java 7 currently supports both TLS 1.1 and 1.2, neither of which are supported by Firefox yet despite ancient bugs for them.
sig
Just Give Me the Beans!
OP here, again! (still using Lubuntu)
Thanks for all the answers. As far as I can read out of it all, OpenJDK seems like a safe enough way to go.
Now for another question; how to verify that I have the latest version, and how do I, if necessary, update it?
When I finally managed to install OpenJDK, I wasn't skilled in Linux at all - at least now, I've learned a _little_ more. Therefore, I'm not really sure what I did back then. It seems like I have both the version 6 and 7 installed. If someone could explain possible reasons why this is, I'd be glad=P
Now, for the pressing issue. I remember a while back, my bank encouraged all their users to update their java, as there were some new security threats around. As I can't remember how I installed java, I'm not sure if it ever updates automatically through "sudo apt-get update". At least, when I do a "sudo apt-get install openjdk-7-jre" from OpenJDK's pages, my terminal outputs that I already have the newest version.
Do I?
Should I switch to Oracle instead?=P
Best regards
Ole-Jørgen
What are you planning?
As long as are you are doing regular updates, you should have the latest version of OpenJDK.
Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide
Tomorrow's an illusion and yesterday's a dream, today is a solution...
Just Give Me the Beans!
i try what humgerman said for this since i use firefox , just isnt working
where can i find info on how to use this ?
ty
actually nevermind, ill try find other solution
Last edited by MontrealCorp; February 13th, 2013 at 04:53 PM.
Ubuntu Member
This thread is only six months old but A LOT has changed since then. If you have the java plugin in your browsers, keep them disabled until you need to do banking. Then disable them as soon as you're done.
If you have both versions, remove 6. I'm on Windows right now so I can't test it, but I believe the code is
Then you can make sure you have openjdk 7 by typingCode:sudo apt-get remove --purge openjdk-6* && sudo apt-get remove --purge icedtea-6*
Code:dpkg -l | grep openjdk*
Adv Reply
Bookmarks