
Java Forum / General / October 2005


Why doesn't Sun Microsystems provide signatures of their main dev files?

onetitfemme - 17 Oct 2005 18:41 GMT
even though they use https as part of the download steps, they don't
if you download their main jsdk, jvm binaries

http://java.sun.com/j2se/1.5.0/download.jsp

or any other java libraries?

https://jaxb.dev.java.net/jaxb20-ea2/

a la, say, apache which does it for its main httpd server:

http://httpd.apache.org/download.cgi

and tomcat:

http://tomcat.apache.org/download-55.cgi

lbrtchx
Roedy Green - 17 Oct 2005 22:14 GMT
> even though they use https as part of the download steps, they don't
>if you download their main jsdk, jvm binaries
>
>http://java.sun.com/j2se/1.5.0/download.jsp

https is for something confidential. The contents of the downloads are
publicly known.
Signature

Canadian Mind Products, Roedy Green.
http://mindprod.com Again taking new Java programming contracts.

Chris Smith - 17 Oct 2005 23:18 GMT
> > even though they use https as part of the download steps, they don't
> >if you download their main jsdk, jvm binaries
[quoted text clipped - 3 lines]
> https is for something confidential. The contents of the downloads are
> publicly known.

HTTPS provides a number of security benefits.  These include at least
(a) encryption and (b) verification of authenticity.  The latter avoids
at least some of the need for checking MD5 checksums and the like; that
is, if someone were to hijack a router between Sun and you, you could
tell that it's not Sun that is serving the pages at the other end.  You
would see a security warning in your browser, because either the web
page you requested (java.sun.com) is not the name on the server
certificate, or else the certificate will not be signed by a trusted CA.

The encryption/decryption process would also ensure that data corruption
during transfer would probably result in a failure to decrypt content,
rather than a corrupted file on disk.  So you'd find out sooner if there
were a problem with the download, and the user agent would probably
attempt to re-request the content and clear things up.

Hope that clears things up.

Signature

www.designacourse.com
The Easiest Way To Train Anyone... Anywhere.

Chris Smith - Lead Software Developer/Technical Trainer
MindIQ Corporation

Roedy Green - 18 Oct 2005 01:52 GMT
>HTTPS provides a number of security benefits.  These include at least
>(a) encryption and (b) verification of authenticity.  The latter avoids
[quoted text clipped - 4 lines]
>page you requested (java.sun.com) is not the name on the server
>certificate, or else the certificate will not be signed by a trusted CA.

Has there ever been a case of a JDK download being so hijacked?  I
would imagine the checksums would appear shortly after the first
reported case.   They would still not have to use HTTPS which pays a
heavy penalty for encryption.

Signature

Canadian Mind Products, Roedy Green.
http://mindprod.com Again taking new Java programming contracts.

Roedy Green - 18 Oct 2005 01:12 GMT
The zip format itself has a crc-32 checksum on each member. Manifests
have MD5 and SHA-1 digests of each element.
Signature

Canadian Mind Products, Roedy Green.
http://mindprod.com Again taking new Java programming contracts.
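
Added example, not part of the thread: the zip CRC-32s and manifest digests mentioned in the last post travel inside the download itself, so this Python sketch checks what they catch (damage in transit) and what they cannot (an archive rebuilt with different content), next to a comparison against a separately published SHA-256. The manifest layout is simplified, and the file names, bytes and helper names are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def build_jar(members):
    """Build an in-memory zip with a simplified manifest: one SHA-1 digest per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in members.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED: member bytes are kept as-is
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def internal_checks_pass(blob):
    """Checks that rely only on the archive itself: member CRC-32s and manifest digests."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if zf.testzip() is not None:  # name of the first member with a bad CRC-32
            return False
        name = None
        for line in zf.read("META-INF/MANIFEST.MF").decode().splitlines():
            if line.startswith("Name: "):
                name = line[len("Name: "):]
            elif line.startswith("SHA1-Digest: "):
                expected = base64.b64decode(line[len("SHA1-Digest: "):])
                if hashlib.sha1(zf.read(name)).digest() != expected:
                    return False
    return True

def matches_published(blob, published_sha256):
    """Compare against a digest obtained separately from the download itself."""
    return hashlib.sha256(blob).hexdigest() == published_sha256

# Constructed sample data (not a real JDK artifact).
original = build_jar({"Hello.class": b"constructed original bytes"})
published = hashlib.sha256(original).hexdigest()

# Accidental damage in transit: one flipped bit inside the stored member.
damaged = bytearray(original)
damaged[original.index(b"constructed original bytes")] ^= 0x01
damaged = bytes(damaged)

# Different content repackaged the normal way: CRC-32s and digests are recomputed.
repackaged = build_jar({"Hello.class": b"constructed different bytes"})

if __name__ == "__main__":
    for label, blob in [("original", original), ("damaged", damaged), ("repackaged", repackaged)]:
        print(label, internal_checks_pass(blob), matches_published(blob, published))
```

The published digest only helps if it reaches you over a channel you already trust, such as a page whose HTTPS certificate you verified or a detached signature checked against a known key.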


