Java's encrypted communications no panacea for security problems

Transport Layer Security mitigates but doesn't resolve Java's security vulnerabilities

The next version of standard Java, due in mid-March, will have Transport Layer Security (TLS) 1.2 enabled by default, thus providing encrypted Internet communications. But the move is not a solution for Java's ongoing security woes.

TLS 1.2 will be enabled in Java Development Kit (JDK) 8, set to ship March 18. Version 1.2 strengthens the protection of Internet communications against eavesdropping and is backward-compatible with versions 1.1 and 1.0, the Java Platform Group said in a blog post this week. "TLS is designed to encrypt conversations between two parties and ensure that others can neither read nor modify the conversation. When combined with certificate authorities, a proper level of trust is established: we know who is on the other end of the conversation and that conversation is protected from eavesdropping/modification."

Client-side Java has been beset with security problems in recent years, particularly within the browser. The TLS plan, however, would not solve those problems, analysts said.

"Turning on TLS by default is like installing steel pipes between communication points instead of using a tube of chain-link fencing. It helps battle exposure of data to third parties, ensures the recipient doesn't get a substituted malware-ridden message and can in some cases enable the parties to confirm that they're talking to the right partner," said Eve Maler, security analyst at Forrester Research.

"But the main problems with Java have to do with the ubiquity of old versions of the Java platform; they keep a number of vulnerabilities alive," she added.

Oracle has emphasized a need for users to upgrade to the latest version of Java, but applications may be tied to older versions, thus making it difficult for some users to upgrade.

"Upgrading to a new version may disrupt how programs work and it's a bit of a hassle to do the upgrade, but this kind of 'security hygiene' would change things more dramatically," Maler said.

TLS is the successor to Secure Sockets Layer. While TLS 1.2 support appeared in JDK 7 in 2011, it was disabled by default on client sockets and enabled by default only on server sockets.
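The client/server asymmetry described above can be checked, and overridden, from application code: the defaults an `SSLContext` hands to a client socket are visible through `getDefaultSSLParameters()`, and a client socket can be pinned to TLS 1.2 regardless of what the JDK enables by default. The following Java program is an added example for this article, not code from the Java Platform Group or from the JDK; it uses only standard `javax.net.ssl` APIs that exist in JDK 7, and the class and method names (`TlsClientDefaults`, `defaultClientProtocols`, `hardenClientSocket`) are assumptions chosen here. It creates an unconnected socket, so it runs without network access.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

public class TlsClientDefaults {

    // Protocols a client socket built from this context would offer by default.
    // Per the article, on JDK 7 a client's list lacks TLSv1.2; on JDK 8 it is present.
    static String[] defaultClientProtocols(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Restrict a (not yet connected) client socket to TLSv1.2 only and switch on
    // HTTPS-style endpoint identification, so the server certificate is also checked
    // against the host name being contacted rather than only against the trust store.
    static SSLSocket hardenClientSocket(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(new String[] { "TLSv1.2" });
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args)
            throws NoSuchAlgorithmException, KeyManagementException, IOException {
        // Generic "TLS" context: whatever the JDK enables for clients by default.
        SSLContext generic = SSLContext.getInstance("TLS");
        generic.init(null, null, null); // default key managers, default trust store, default RNG
        System.out.println("\"TLS\" context, client defaults:     "
                + Arrays.toString(defaultClientProtocols(generic)));

        // Explicitly requesting TLSv1.2 makes it available on clients even on JDK 7.
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null);
        System.out.println("\"TLSv1.2\" context, client defaults: "
                + Arrays.toString(defaultClientProtocols(tls12)));

        // Unconnected socket, hardened before any connect(...) call would be made.
        SSLSocket socket = (SSLSocket) tls12.getSocketFactory().createSocket();
        hardenClientSocket(socket);
        System.out.println("Enabled after hardening:          "
                + Arrays.toString(socket.getEnabledProtocols()));
        socket.close();
    }
}
```

Run it on JDK 7 and on JDK 8 to see the difference the article describes in the first line of output; the hardened socket reports `[TLSv1.2]` on both, which is the point of setting the protocol list explicitly in applications that cannot assume a current JDK.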

Copyright © 2014 IDG Communications, Inc.