Why aren't application downloads routinely done over HTTPS?


This is a question about general security from a noob. I couldn't find anything relevant about this topic via my Google searches. Google prefers to display actual application problems with Java & SSL/HTTPS/downloads.

Why does Oracle still offer its official JDK (Java Development Kit) archives via plaintext HTTP?

I'm genuinely curious, because IT tech (Twitter, Google, Facebook, GitHub, ..., cool stuff) seems to be advancing towards HTTPS end-to-end encryption, so that if we trust in CAs (see below), we should have a good guarantee that the software (or code) downloaded from these sites is original. Java and other communities around the JVM seem active, and yet the company paying for the development of the official JVM cannot afford to upgrade its download website to SSL/TLS.

I'm very curious about this in general, because people on the Internet seem to write a lot about bugs in crypto software (like Heartbleed and others which I forgot) and yet many people and companies not actually engaged in software engineering download and run code that can very easily be infected by a malicious MITM (and we now almost certainly know that certain powerful entities actually do this).

How much can we rely on Certificate Authorities? AFAIK, some of them are in countries where a single entity (the government) can covertly do whatever it wants on their machines.

sqxmn
  • 13
  • 3

2 Answers

1

AFAIK, some of them are in countries where a single entity (the government) can covertly do whatever it wants on their machines.

Yes, pretty many countries are like that today.

Sadly, concerning governments, the CA system is not (and never was) secure.

CAs are still good for preventing some people and organisations from attacking, just not all.

deviantfan
  • 3,854
  • 21
  • 22
1

The JDK is offered over HTTP because they also offer a hash for you to confirm over secure channels. Since the hash is over a secure channel, if that hash can't be confirmed you shouldn't use the download. The fact that the part that is the source of truth (the hash you check against) is delivered securely means they can offer it over HTTP, because you will be able to securely check whether the download was modified in transit.

CA authorities weren't really meant to be trusted. They were meant to be a place for people to check if a certificate was issued by them. That's all they confirm, is that the certificate came from them. Does this mean you should be skeptical? Probably not.

Browser/computer trust stores are what you're really relying on here to keep you safe. That's because confirming an SSL cert is a multi-part process of trust between you, your computer, your browser, the DNS server, and the CA server. If all five parts don't agree, you don't trust it, and you don't go to it. Often CAs have their server address(es) stored in those trust stores, and if recognized as one of the many large CAs, the browser will trust them and confirm the cert (because they were reviewed in advance and found trustworthy by someone). If the CA is not on the list, you'll probably get a warning that the cert could not be trusted (because the CA isn't trusted yet by one of the steps in the trust chain you're using). Often this gets you a "Would you REALLY like to proceed" warning that you can say "I really do" to and still connect. However, if you're going to a site and they aren't using a CA in the trusted store... why are you going to that site unless you REALLY do trust it?

Of course that warning can come up if they use their own in-house CA as well, but usually at that point you've probably installed the cert into your browser/computer store, and that warning shouldn't pop up because you've told your system to trust them. In that case the chain of trust is between you and the server. Everything on your system is along for the ride.

TL;DR

You should be fine unless they aren't already in your trusted list. In that case you'll get a warning. Then it's up to you to trust them or not.

Really, you are the one who decides what certificates get trusted. Browsers and computers offer some by default, and most users accept that and eventually add to the list. Some don't and build their own list of CAs. Both are fine options as long as you yourself are following safe practices.

Robert Mennell
  • 6,968
  • 1
  • 13
  • 38
  • Where can I get this hash please? – sqxmn Jul 23 '16 at 01:12
  • It's right there on the page for the jdk right above the download links next to the license agreement – Robert Mennell Jul 23 '16 at 01:14
  • You're right. I didn't notice these before. Thank you. (https://www.oracle.com/webfolder/s/digest/8u102checksum.html) – sqxmn Jul 23 '16 at 01:24
  • They didn't offer checksums for all JDK downloads. For example, the demos and samples on the JDK page contain compiled classes, and I wonder if there is a person on Earth who dares to run them. – wolfrevokcats Feb 23 '18 at 13:36
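The check the second answer and its comments describe (archive fetched over plain HTTP, digest fetched over HTTPS, refuse the archive if they disagree) as an added, runnable example; this is illustration code written for this page, not Oracle's tooling or anything posted by the answerer. It assumes the published digests are in the two-column `sha256sum` style (`<hex>  <filename>`); Oracle's actual checksum page is HTML, so the parser would need adapting to it. The archive bytes, file name and checksum listing below are constructed inline so the example runs offline; the `fetch_https` helper is the only part that touches the network and is not called in the demo.

```python
"""Verify an archive downloaded over plain HTTP against a digest published over HTTPS.

Added example for this Q&A page; not Oracle's code. The checksum listing format
(sha256sum style) and the file name used below are assumptions for illustration.
"""
import hashlib
import hmac
import ssl
import urllib.request


def fetch_https(url, timeout=30):
    """Fetch a URL over HTTPS with certificate verification enabled.

    The default SSL context verifies the server certificate against the
    system trust store and checks the hostname; a plain http:// URL is
    rejected because the whole point is that the digest arrives over TLS.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("digest must be fetched over HTTPS, got: %r" % url)
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def parse_checksum_listing(text):
    """Parse 'hexdigest  filename' lines into {filename: hexdigest}.

    Blank lines and '#' comments are skipped; a leading '*' on the file name
    (sha256sum's binary-mode marker) is stripped. Malformed lines raise rather
    than being silently ignored, so a mangled listing cannot pass as valid.
    """
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed checksum line %d: %r" % (lineno, raw))
        digest, name = parts
        table[name.lstrip("*")] = digest.lower()
    return table


def digest_matches(data, expected_hex, algo="sha256"):
    """Hash the downloaded bytes and compare against the published digest.

    hmac.compare_digest avoids leaking where the comparison diverges; it is a
    cheap habit even though nothing secret is being compared here.
    """
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def verify_download(data, filename, listing, algo="sha256"):
    """Return True only if the listing has an entry for filename and it matches.

    A missing entry is treated as a failure: an attacker who can alter the
    HTTP download could just as easily hope you skip the check when there is
    nothing to compare against.
    """
    if filename not in listing:
        raise ValueError("no published checksum for %r; refusing to use it" % filename)
    if not digest_matches(data, listing[filename], algo):
        raise ValueError("checksum mismatch for %r; download was modified in transit "
                         "or the listing is wrong" % filename)
    return True


# Constructed sample inputs (not real JDK bytes or a real Oracle listing).
SAMPLE_NAME = "jdk-example-linux-x64.tar.gz"          # assumed file name
SAMPLE_ARCHIVE = b"PK\x03\x04constructed-archive-bytes-for-illustration"
SAMPLE_LISTING_TEXT = (
    "# constructed listing, as if fetched over HTTPS\n"
    "%s  *%s\n" % (hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(), SAMPLE_NAME)
)
SAMPLE_LISTING = parse_checksum_listing(SAMPLE_LISTING_TEXT)


def demo():
    """Run the happy path and a simulated in-transit modification."""
    ok = verify_download(SAMPLE_ARCHIVE, SAMPLE_NAME, SAMPLE_LISTING)
    tampered = SAMPLE_ARCHIVE[:-1] + b"!"   # one byte changed by a MITM
    try:
        verify_download(tampered, SAMPLE_NAME, SAMPLE_LISTING)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return ok, tampered_rejected


if __name__ == "__main__":
    print(demo())   # (True, True)
```

Two caveats a practitioner should keep in mind: the check only detects modification between the server and you, so a digest page and an archive that were both altered at the origin (or a digest page served over plain HTTP) give no protection; and if the only digest offered is MD5, the protection against a prepared substitute archive is weaker than with SHA-256. A detached signature over the archive, verified against a key you obtained independently, is the stronger form of the same idea.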