
JAVA USERS/DEVELOPERS: Important security information.


Brad BARCLAY

Jan 8, 2004, 4:27:37 PM
Hey Everyone:

I'm glad I happened upon this today before I pack up the computers
tomorrow morning...

As you may or may not be aware, Java uses public key cryptography for
some functions, such as for signing JAR files and for SSL connections
(with the right libraries installed).

Unfortunately, recently the Verisign Root Certificate expired, which
can cause problems with signed Java applications that use Verisign-based
certificates (presumably Mozilla is also affected by this -- I haven't
checked yet, however).

This _could_ affect you, if you're a developer who wants to sign their
JARs using a Verisign-based certificate, or if you're a user and you try
to run such a Java application. You might get an error from the Java
Runtime preventing you from running some applications.

The good news is that this _is_ fixable, for all of IBM Java 1.3.1,
Innotek Java 1.4.2, and GoldenCode Java 1.4.1. See the following Sun
website for details on how to download the new certificate, and how to
update your Java certificate authority file:

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436

Brad BARCLAY

--
=-=-=-=-=-=-=-=-=
From the OS/2 WARP v4.5 Desktop of Brad BARCLAY.
The jSyncManager Project: http://www.jsyncmanager.org
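
Added example (not part of the original post, and not taken from the Sun alert): a small Java program that lists trusted certificates in a Java certificate authority file that have expired or will expire soon, which is the condition described above. It assumes a current JDK, the stock `lib/security/cacerts` location under `java.home`, and the stock `changeit` password; the class name and the 90-day window are illustrative choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

public class TrustStoreExpiryCheck {
    public static void main(String[] args) throws Exception {
        // Assumptions: the trust store is at the stock JRE location and still
        // uses the stock password; pass a path and password to override.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        Date now = new Date();
        // Also flag roots that lapse within the next 90 days (arbitrary window).
        Date soon = new Date(now.getTime() + 90L * 24 * 60 * 60 * 1000);
        int expired = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // skip non-X.509 entries
            }
            X509Certificate x509 = (X509Certificate) cert;
            Date notAfter = x509.getNotAfter();
            String status;
            if (notAfter.before(now)) {
                status = "EXPIRED ";
                expired++;
            } else if (notAfter.before(soon)) {
                status = "EXPIRING";
            } else {
                continue; // still valid well past the window
            }
            System.out.println(status + "  " + alias + "  notAfter=" + notAfter
                    + "  subject=" + x509.getSubjectX500Principal().getName());
        }
        // Non-zero exit lets a scheduled job alert on expired roots.
        System.exit(expired > 0 ? 1 : 0);
    }
}
```

On JDK 11 or later this runs directly with `java TrustStoreExpiryCheck.java`, optionally followed by a trust store path and password.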

William L. Hartzell

Jan 8, 2004, 10:27:12 PM
Sir:

Brad BARCLAY wrote:
> Hey Everyone:
>
> I'm glad I happened upon this today before I pack up the computers
> tomorrow morning...
>
> As you may or may not be aware, Java uses public key cryptography
> for some functions, such as for signing JAR files and for SSL
> connections (with the right libraries installed).
>
> Unfortunately, recently the Verisign Root Certificate expired, which
> can cause problems with signed Java applications that use Verisign-based
> certificates (presumably Mozilla is also affected by this -- I haven't
> checked yet, however).
>
> This _could_ affect you, if you're a developer who wants to sign
> their JARs using a Verisign-based certificate, or if you're a user and
> you try to run such a Java application. You might get an error from the
> Java Runtime preventing you from running some applications.
>
> The good news is that this _is_ fixable, for all of IBM Java 1.3.1,
> Innotek Java 1.4.2, and GoldenCode Java 1.4.1. See the following Sun
> website for details on how to download the new certificate, and how to
> update your Java certificate authority file:
>
> http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436
>

Thanks for the heads up. I hit such a site yesterday.
--
Bill
Thanks a Million!
