Why doesn't Sun Microsystems provide signatures of their main dev files?

Chris Smith

Roedy Green said:
https is for something confidential. The contents of the downloads are
publicly known.

HTTPS provides a number of security benefits. These include at least
(a) encryption and (b) verification of authenticity. The latter avoids
at least some of the need for checking MD5 checksums and the like; that
is, if someone were to hijack a router between Sun and you, you could
tell that it's not Sun that is serving the pages at the other end. You
would see a security warning in your browser, because either the web
page you requested (java.sun.com) is not the name on the server
certificate, or else the certificate will not be signed by a trusted CA.

The encryption/decryption process would also ensure that data corruption
during transfer would probably result in a failure to decrypt content,
rather than a corrupted file on disk. So you'd find out sooner if there
were a problem with the download, and the user agent would probably
attempt to re-request the content and clear things up.

Hope that clears things up.

--
www.designacourse.com
The Easiest Way To Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation

Roedy Green

The zip format itself has a crc-32 checksum on each member. Manifests
have MD5 and SHA-1 digests of each element.
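Roedy's point above concerns two integrity mechanisms that live inside the archive itself: the per-member CRC-32 of the zip format and the per-entry digests in a JAR manifest. The following is an added example, not code from this thread or from Sun. It constructs a small two-member archive in memory, verifies each member's stored CRC-32, and renders JAR-manifest-style MD5-Digest/SHA1-Digest entries; it then patches a stored member's bytes to show the CRC check catching corruption, and rebuilds the archive with the modified content to show that anyone who can alter the file can also make those in-file checks pass again, which is why they detect transfer corruption but not tampering by whoever served the file. Member names and contents are constructed samples.

```python
"""Added example (not from the thread): per-member CRC-32 checks and
JAR-manifest style MD5/SHA-1 digests over a constructed in-memory archive."""
import base64
import hashlib
import io
import zipfile
import zlib

# Constructed sample content (not a real JDK file): a two-member archive that
# stands in for a jar. ZIP_STORED keeps member bytes verbatim so the tampering
# step below can patch them in place without touching the zip headers.
MAIN_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 28
README = b"sample jar contents\n"
README_TAMPERED = b"SAMPLE jar contents\n"   # same length, different bytes


def build_sample_archive(readme: bytes = README) -> bytes:
    """Build the sample archive; the caller can substitute README contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("com/example/Main.class", MAIN_CLASS)
        zf.writestr("README.txt", readme)
    return buf.getvalue()


def tamper_in_place(archive: bytes) -> bytes:
    """Overwrite the bytes of a stored member while leaving its local header
    and central-directory entry alone, so the recorded CRC-32 no longer
    matches the data. This is what transfer corruption looks like."""
    assert archive.count(README) == 1
    return archive.replace(README, README_TAMPERED)


def check_member_crcs(archive: bytes) -> dict:
    """Map each member name to True if its recorded CRC-32 matches a CRC-32
    recomputed over the extracted bytes, else False."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                data = zf.read(info)   # zipfile raises BadZipFile on CRC mismatch
                results[info.filename] = zlib.crc32(data) == info.CRC
            except zipfile.BadZipFile:
                results[info.filename] = False
    return results


def manifest_digests(archive: bytes) -> dict:
    """Per-member digests in the form a JAR manifest records them: base64 of
    the raw digest under the 'MD5-Digest' and 'SHA1-Digest' attributes."""
    sections = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            sections[info.filename] = {
                "MD5-Digest": base64.b64encode(hashlib.md5(data).digest()).decode(),
                "SHA1-Digest": base64.b64encode(hashlib.sha1(data).digest()).decode(),
            }
    return sections


def render_manifest(sections: dict) -> str:
    """Lay the per-entry sections out the way MANIFEST.MF does."""
    out = ["Manifest-Version: 1.0", ""]
    for name, digests in sections.items():
        out.append(f"Name: {name}")
        out.extend(f"{attr}: {value}" for attr, value in digests.items())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    original = build_sample_archive()
    tampered = tamper_in_place(original)
    # An attacker who controls the download does not corrupt bytes in place;
    # they rebuild the archive, so every CRC and digest is consistent again.
    repacked = build_sample_archive(README_TAMPERED)
    print("original CRCs:", check_member_crcs(original))
    print("corrupted CRCs:", check_member_crcs(tampered))
    print("repacked CRCs:", check_member_crcs(repacked))
    print(render_manifest(manifest_digests(original)))
```

Running it shows README.txt failing the CRC check only in the corrupted copy; the repacked copy passes every check, and its manifest digests simply describe the modified content. A digest only ties you to a known-good value if you obtained that value from somewhere the attacker could not also rewrite.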

Roedy Green

Chris Smith said:
HTTPS provides a number of security benefits. These include at least
(a) encryption and (b) verification of authenticity. The latter avoids
at least some of the need for checking MD5 checksums and the like; that
is, if someone were to hijack a router between Sun and you, you could
tell that it's not Sun that is serving the pages at the other end. You
would see a security warning in your browser, because either the web
page you requested (java.sun.com) is not the name on the server
certificate, or else the certificate will not be signed by a trusted CA.

Has there ever been a case of a JDK download being so hijacked? I
would imagine the checksums would appear shortly after the first
reported case. They would still not have to use HTTPS, which pays a
heavy penalty for encryption.