Questions tagged [java]

Security aspects specific to the Java programming language, libraries, and virtual machine.

700 questions
143 votes, 5 answers

How can I export my private key from a Java Keytool keystore?

I would like to export my private key from a Java Keytool keystore, so I can use it with openssl. How can I do that?
Jonas
109 votes, 8 answers

Why do I hear about so many Java insecurities? Are other languages more secure?

I really like the Java programming language, but I continuously hear about how insecure it is. Googling 'java insecure' or 'java vulnerabilities' brings up multiple articles talking about why you should uninstall or disable Java to protect your…
gsgx
68 votes, 21 answers

Lessons learned and misconceptions regarding encryption and cryptology

Cryptology is such a broad subject that even experienced coders will almost always make mistakes the first few times around. However, encryption is such an important topic that often we can't afford to have these mistakes. The intent of this question…
makerofthings7
39 votes, 2 answers

How should an application store its credentials

Context: When developing desktop applications, you will occasionally have to store credentials somewhere to be able to authenticate your application. An example of this is a Facebook app ID + secret, another one is MySQL credentials. Storing these…
Zar
38 votes, 8 answers

Client side password hashing

Edit: Updated to put more emphasis on the goal - peace of mind for the user, and not beefing up the security. After reading through a few discussions here about client side hashing of passwords, I'm still wondering whether it might be OK to use it…
Foy Stip
36 votes, 8 answers

Should I worry about remote timing attacks on string comparison?

Say we have a Java web application which uses a shared secret to verify the identity of the client. The secret is stored on the server, and the client transmits the secret over SSL where it is checked: String SECRET_ON_SERVER =…
George Powell
35 votes, 3 answers

Am I protected from Log4j vulnerability if I run Java 8u121 or newer?

According to the notes for CVE-2021-44228 at mitre.org: Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase"…
Appleoddity
34 votes, 4 answers

Deleting a Java Object securely

I know that in order to delete a Java object securely I should use a character array instead of a String, since I can safely erase (rewrite the character array with other data) its content. This seems not to be feasible for String objects. Now on BlackBerry…
smiley
29 votes, 7 answers

How to keep an eye on upgrades, patches and security issues for used open-source libraries?

For a project with many open-source libraries as a part of it, I began to search for information sources concerning all upgrades and security issues. The kinds of sources I gathered are either announcement lists or issue/bug trackers in the form of RSS…
29 votes, 6 answers

Poor error handling source code review

I received a report from the security team today. The report contains the below-mentioned vulnerabilities and descriptions: 1) Poor Error Handling: Overly Broad Throws. The methods in program1.java throw a generic exception, making it harder for…
useradmin1234
27 votes, 3 answers

Why did Java (JRE) vulnerabilities peak in 2012-2013?

I've taken a graph of the number of CVE reports concerning the JRE per year. Now as you can see this spiked in 2012-2013, which could have been guessed easily if you look at the number of news items concerning Java in the past years. However, I'm…
Glenn Vandamme
27 votes, 4 answers

What is the purpose/role of the "alias" attribute in Java keystore files?

I've heard conflicting information about the purpose of the alias attribute in Java keystore files. Can someone please clarify what exactly this attribute is, and what it should be set to when creating a new Java keystore for leaf and…
Mike B
24 votes, 5 answers

Java SecureRandom doesn't block? How?

I know from experience that reading from /dev/random blocks when the Linux kernel entropy pool runs out of entropy. Also, I've seen many articles and blog entries stating that when running on Linux, java.security.SecureRandom uses /dev/random as…
user1483512
24 votes, 3 answers

Should I be disabling Java?

First it was Apple, now it's the US government... "U.S. urges users to disable Java; Apple disables some remotely", "New malware exploiting Java 7 in Windows and Unix systems". How serious is this "unspecified vulnerability"? Should all users be…
Django Reinhardt
24 votes, 3 answers

Java SE 8, Update 51 Added "Native Sandbox" Protection for Windows PCs. Wait, what?

So I was doing a little research about the differences (if any) between the sandboxing models for Windows 8/8.1 applications and Windows 10 applications when I stumbled across something rather interesting: when Oracle shipped Java package 8 update 51 a…
mostlyinformed