Why doesn't Sun Microsystems provide signatures of their main dev files?

Discussion in 'Java' started by onetitfemme, Oct 17, 2005.

  1. onetitfemme

    onetitfemme Guest

    onetitfemme, Oct 17, 2005
    #1

  2. onetitfemme

    Roedy Green Guest

    On 17 Oct 2005 10:41:52 -0700, "onetitfemme"
    <> wrote or quoted :

    > even though they use https as part of the download steps, they don't
    >if you download their main jsdk, jvm binaries
    >
    >http://java.sun.com/j2se/1.5.0/download.jsp


    https is for something confidential. The contents of the downloads are
    publicly known.
    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com Again taking new Java programming contracts.
    Roedy Green, Oct 17, 2005
    #2

  3. onetitfemme

    Chris Smith Guest

    Roedy Green <> wrote:
    > On 17 Oct 2005 10:41:52 -0700, "onetitfemme"
    > <> wrote or quoted :
    >
    > > even though they use https as part of the download steps, they don't
    > >if you download their main jsdk, jvm binaries
    > >
    > >http://java.sun.com/j2se/1.5.0/download.jsp

    >
    > https is for something confidential. The contents of the downloads are
    > publicly known.


    HTTPS provides a number of security benefits. These include at least
    (a) encryption and (b) verification of authenticity. The latter avoids
    at least some of the need for checking MD5 checksums and the like; that
    is, if someone were to hijack a router between Sun and you, you could
    tell that it's not Sun that is serving the pages at the other end. You
    would see a security warning in your browser, because either the web
    page you requested (java.sun.com) is not the name on the server
    certificate, or else the certificate will not be signed by a trusted CA.

    The encryption/decryption process would also ensure that data corruption
    during transfer would probably result in a failure to decrypt content,
    rather than a corrupted file on disk. So you'd find out sooner if there
    were a problem with the download, and the user agent would probably
    attempt to re-request the content and clear things up.

    Hope that clears things up.

    --
    www.designacourse.com
    The Easiest Way To Train Anyone... Anywhere.

    Chris Smith - Lead Software Developer/Technical Trainer
    MindIQ Corporation
    Chris Smith, Oct 17, 2005
    #3
  4. onetitfemme

    Roedy Green Guest

    The zip format itself has a crc-32 checksum on each member. Manifests
    have MD5 and SHA-1 digests of each element.
    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com Again taking new Java programming contracts.
    Roedy Green, Oct 18, 2005
    #4
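
An added illustration of the checks mentioned in posts #3 and #4 (not part of the thread, and not Sun's code): a constructed JAR-like archive is tested with its own CRC-32 values and manifest digests, then compared against a digest published out of band. The file names, contents, and the use of an unsigned manifest with `SHA-256-Digest` in place of the MD5/SHA-1 digests named in the post are assumptions.

```python
import base64, hashlib, io, zipfile

ATTR = "SHA-256-Digest"  # per-entry manifest attribute name used by current jarsigner

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_jar(files):
    """Constructed JAR-like zip: stored entries plus a manifest digest per entry."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\n{ATTR}: {b64_sha256(d)}\r\n\r\n" for n, d in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:  # ZIP_STORED by default
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for n, d in files.items():
            z.writestr(n, d)
    return buf.getvalue()

def self_check(blob):
    """Checks that rely only on data carried inside the archive itself."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        bad = z.testzip()  # re-reads every member and compares its CRC-32
        if bad is not None:
            return f"crc-32 mismatch: {bad}"
        text = z.read("META-INF/MANIFEST.MF").decode()
        for section in text.split("\r\n\r\n"):
            attrs = dict(l.split(": ", 1) for l in section.split("\r\n") if l)
            if "Name" in attrs and b64_sha256(z.read(attrs["Name"])) != attrs[ATTR]:
                return f"manifest digest mismatch: {attrs['Name']}"
    return "ok"

def matches_published(blob, published_hex):
    """Compare the whole download with a digest obtained from an authenticated source."""
    return hashlib.sha256(blob).hexdigest() == published_hex

ORIGINAL = b"constructed class bytes, release build"
genuine = build_jar({"app/Main.class": ORIGINAL})
published = hashlib.sha256(genuine).hexdigest()  # what the vendor would publish

# Case 1: one bit flipped in transit. The archive's own CRC-32 catches it.
i = genuine.index(ORIGINAL)
damaged = genuine[:i] + bytes([genuine[i] ^ 1]) + genuine[i + 1:]

# Case 2: a different archive whose CRCs and manifest agree with its own contents.
substituted = build_jar({"app/Main.class": b"constructed class bytes, other build"})

RESULTS = {name: (self_check(b), matches_published(b, published))
           for name, b in [("genuine", genuine), ("damaged", damaged),
                           ("substituted", substituted)]}
```

In `RESULTS`, the damaged copy fails the internal CRC-32 check, while the substituted archive passes both internal checks and is distinguished only by the comparison with the separately published digest.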
  5. onetitfemme

    Roedy Green Guest

    On Mon, 17 Oct 2005 16:18:25 -0600, Chris Smith <>
    wrote or quoted :

    >HTTPS provides a number of security benefits. These include at least
    >(a) encryption and (b) verification of authenticity. The latter avoids
    >at least some of the need for checking MD5 checksums and the like; that
    >is, if someone were to hijack a router between Sun and you, you could
    >tell that it's not Sun that is serving the pages at the other end. You
    >would see a security warning in your browser, because either the web
    >page you requested (java.sun.com) is not the name on the server
    >certificate, or else the certificate will not be signed by a trusted CA.


    Has there ever been a case of a JDK download being so hijacked? I
    would imagine the checksums would appear shortly after the first
    reported case. They would still not have to use HTTPS which pays a
    heavy penalty for encryption.

    --
    Canadian Mind Products, Roedy Green.
    http://mindprod.com Again taking new Java programming contracts.
    Roedy Green, Oct 18, 2005
    #5