|
lol JRE 8 blindly accepts whatever root CA you dump in the jar metadata
|
#
?
Apr 8, 2016 14:36
|
|
|
|
| # ? Apr 27, 2024 00:03 |
|
|
brands are very magnanimous
|
|
#
?
Apr 8, 2016 14:56
|
|
|
Cocoa Crispies posted:jordan "psifertex" wiens had to pay taxes on that million miles too lol that is hosed up, Obama.
|
|
#
?
Apr 8, 2016 14:56
|
|
|
~Coxy posted:lol if your bank doesn't show you the original amount and conversion factor on your statement They do but this was a hold rather than a charge so I had to ask over the phone and they only told me the converted amount
|
|
#
?
Apr 8, 2016 14:58
|
|
|
Shaggar posted:brands are very magnanimous Shaggar you should be a brand.
|
|
#
?
Apr 8, 2016 14:58
|
|
|
Id be really good at branding (the act of being a brand)
|
|
#
?
Apr 8, 2016 15:00
|
|
|
BangersInMyKnickers posted:lol JRE 8 blindly accepts whatever root CA you dump in the jar metadata if this is for signing a jar it makes sense to provide the chain for convenience. The client would still have to have to trust the root, it just wouldn't have to download intermediate certs if they're provided.
|
|
#
?
Apr 8, 2016 15:03
|
|
|
or is it just for like, SSL connections for that specific application? because that seems fine too, if you want to include your own cert that only applies to your application's HTTPS connections (and your jar is signed by something else that is valid)
|
|
#
?
Apr 8, 2016 15:11
|
|
|
also yesterday the gf was asked by the head of the security response team at her company if a word doc from a non-resolving domain that was sent to everyone in the company in an email about IMPORTANT TAX ISSUE that tries to run a macro immediately on launch was legit  she's not even on the security team, though he's going to request to get her transferred now because she is clearly better at security than he is.
|
|
#
?
Apr 8, 2016 15:13
|
|
|
generally if you want to include your own root certs you would include them as separate files in the jar or in a keystore and then sign the jar to prevent tampering w/ the trusted certs.
|
|
#
?
Apr 8, 2016 15:16
|
|
|
or maybe just pin the certs cause lol @ trusting a system keystore especially on a android.
|
|
#
?
Apr 8, 2016 15:18
|
|
|
Shaggar posted:generally if you want to include your own root certs you would include them as separate files in the jar or in a keystore and then sign the jar to prevent tampering w/ the trusted certs. that's what i interpreted "whatever root CA you dump in the jar metadata" as meaning, since "the jar metadata" is generally just whatever junk you throw in the META-INF
|
|
#
?
Apr 8, 2016 15:40
|
|
|
I think certs in meta-inf would be more for signing validation of the jar by clients vs certs somewhere in the jar "proper". I guess you could store certs used by the code in the lib in meta-inf, but I wouldn't rely on it.
|
|
#
?
Apr 8, 2016 15:41
|
|
|
spankmeister posted:Shaggar you should be a brand. 
|
|
#
?
Apr 8, 2016 15:44
|
|
|
gross. please keep your fetishes out of this thread.
|
|
#
?
Apr 8, 2016 15:46
|
|
|
|
|
#
?
Apr 8, 2016 15:47
|
|
|
|
|
#
?
Apr 8, 2016 15:57
|
|
|
Shaggar posted:or maybe just pin the certs cause lol @ trusting a system keystore especially on a android. Including your own CA set is a less brittle version of pinning, and the Android CA store is actually fine tho. Java keystores are dumb as gently caress and slow to load. Just include the files.
|
|
#
?
Apr 8, 2016 16:18
|
|
|
|
|
#
?
Apr 8, 2016 16:18
|
|
|
Messages on Mac uses an embedded Webkit view to display messages complete with clickable links, so guess what http://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/
|
|
#
?
Apr 8, 2016 16:40
|
|
|
Shaggar posted:if this is for signing a jar it makes sense to provide the chain for convenience. The client would still have to have to trust the root, it just wouldn't have to download intermediate certs if they're provided. the client doesn't trust the root and it isn't going out remotely to verify it. just drop the root CA cert in there and it goes OK! SOUNDS GREAT! If you remove the root ca from the jar then the trust chain breaks. and this is with AdTrust so its not like its some obscure one, not that it should really matter in this situation.
|
|
#
?
Apr 8, 2016 16:43
|
|
|
jre is such poo poo
|
|
#
?
Apr 8, 2016 16:43
|
|
|
jre security: make up your own root ca and dump it in your jar and now you can run outside the sandbox no problem yolo
|
|
#
?
Apr 8, 2016 16:45
|
|
|
BangersInMyKnickers posted:the client doesn't trust the root and it isn't going out remotely to verify it. just drop the root CA cert in there and it goes OK! SOUNDS GREAT! If you remove the root ca from the jar then the trust chain breaks. and this is with AdTrust so its not like its some obscure one, not that it should really matter in this situation. that doesn't sound right because then everyone would just throw out self signed applets and take over everything. are you sure the client doesn't already trust the root?
|
|
#
?
Apr 8, 2016 16:48
|
|
|
Shaggar posted:that doesn't sound right because then everyone would just throw out self signed applets and take over everything. are you sure the client doesn't already trust the root? there might be more nuance to the issue, but we're definitely seeing the trust chain break when went you pull it out of the meta-inf and that makes zero drat sense unless your PKI implementation is horseshit. either you have the root ca or you don't, and you don't trust what some arbitrary 3rd party sends you
|
|
#
?
Apr 8, 2016 16:53
|
|
|
my guess is it sticks the entire chain in there because in the event that the root of the chain is not trusted AND you aren't connected to the internet, it can display the full chain to the user and if they wanted they could install that chain into their keystore without going to the internet. so its probably looking for the full chain in the metadata before it even begins the trust check against its local trust store.
|
|
#
?
Apr 8, 2016 16:59
|
|
|
poo poo, think I figured it out. the previous trust chain started with AddTrust but at some point down the line UserTrust also became a root CA. so then you had one root CA chaining to another and that isn't necessary so the new signing ends wit UserTrust as the root ca. jre should be honoring the OS's truststore because MS actually maintains theirs properly and knows UserTrust is a CA but its not even though the feature is enabled so its just making GBS threads all over itself. Oracle.
|
|
#
?
Apr 8, 2016 17:08
|
|
|
Shaggar posted:everyone would just throw out self signed applets everyone rightfully thew out applets altogether
|
|
#
?
Apr 8, 2016 17:33
|
|
|
YOSPOS > Security Fuckup Megathread - v11.4 - there might be more nuance to the issue
|
|
#
?
Apr 8, 2016 17:35
|
|
|
to run Java in the browser at work, you have to get provisioned a special locked-down VM that isolates your poo poo. it's a good policy
|
|
#
?
Apr 8, 2016 17:49
|
|
|
so I'm booting into my win7 partition for the first time in two years and applying updates current restart count: 2 are there any active insta-pwn exploits on 7 as soon as you're on a network
|
|
#
?
Apr 8, 2016 17:52
|
|
|
|
| # ? Apr 27, 2024 00:03 |
|
|
this thread made it exactly one year! here's the new thread: https://forums.somethingawful.com/showthread.php?threadid=3771497
|
|
#
?
Apr 8, 2016 19:12
|
|
