Safe to use java

Is Java Safe?

In this article, I am going to showcase some of Java’s security features and security issues in brief. Also, I am going to provide some of the Java secure coding principles. This article applies to Java 8and prior versions. The purpose of this article is to understand why java is safe and why you must install it.

Being an internet friendly language Java has incorporated many security features as part of the language. Some of them are as below,

2. Java SE security overview

2.1. Language features

Some of Java’s built-in features eliminate more subtle programming errors.

• Java is designed to be type-safe
• Automatic memory management and garbage collection- reduces the risk of having too many objects in memory
• Range checking on arrays – eliminates array overflowing scenarios

2.2. Bytecode verification

Java is safe to download to Windows 10 because files are compiled to machine-understandable platform-independent bytecodes. Bytecode verifier ensures only the legitimate bytecode (Java program) is run on Java Runtime. It checks bytecode against Java language specifications, illegal data conversion, memory management violations stack overflows, and underflows. The code is run only when all of these checks pass. This way it is not easy to run malicious code.

2.3. Cryptography support

Java is safe for install because it supports most of the commonly used security algorithms and it includes built-in providers. The most commonly used crypto algorithms like RSA, DSA, SHA-1, SHA-2, AES encryption, and so on are supported by default in Java security architecture. Most of the supporting APIs are part of the java.security and java.crypto packages.

2.4. Public key infrastructure

Public Key Infrastructure(PKI) enables the cryptographic exchange of information using public and private key pairs. PKI encompasses private key, public key, certificate, and Certification Authority.

Java encompasses key and certificate store. java.security.KeyStore stores the keys and java.security.cert.CertStore stores the certificates. Also, Java platsform’s JKS key store and cacert contain certificates for well-known certification authorities. This is another reason to install Java.

2.5. Authentication

Authentication is the process of determining the identity of the user. Java encompasses APIs that enable us to provide user authentication via pluggable authentication modules like Kerberos, SmartCard, Username/Password and so on.

2.6. Secure Communication

We can install and download Java because Data transferred across the network are more prone to risks. It is always important to make sure the data is sent to only the intended party and data hasn’t been modified during the transport. Java platform provides implementations for secure transport protocols like SSL/TLS, SASL (Simple Authentication and Security Layer) Kerberos… etc.

2.7. Access Control

Java access control architecture protects access to sensitive resources and code. All access control decisions are mediated by a security manager.

This information is associated with the code regardless of whether they are downloaded from the internet or loaded from the file system.

3. Security Issues in the past

• Often Java Applets are criticized for making users vulnerable for malware. It was very significant in year 2010. Many malware exploited the Java sandbox environment to run applets. Because of this many browsers stopped supporting Java Plugins (Applets).
• In January 2013 a zero-day-vulnerability was found in all versions of Java 7.
• Prior to Java 7, the Java installers weren’t removing older versions of Java. As a result security flaws in older versions weren’t corrected leaving the user’s machine and software at a security risk.
• Java doesn’t have a self-update mechanism. As a result all patches have to be applied manually. This leaves the security loophole open until the user updates his Java version. Whereas many other tools and framework update to newer versions automatically. This hasn’t been fixed till Java 8.

4. Java’s security compared to other languages

• Java Compiler – Java compiler catches more errors and also it doesn’t allocate memory directly. In Java, it is very unlikely to reference the memory used by other programs and applications.
• Own memory management – Java Platform owns memory management. There is no need to clear the memory in the program. This drastically eliminates the memory management headache from the programmers.
• Access modifiers – Java access modifiers provide additional security mechanism by preventing unintentional overriding.
• Bytecode verification – Java Platform verifies the bytecode before running. This eliminates the risks of running malicious code.
• String immutability – String is immutable in Java. This eliminates the risk of one thread modifying the strings owned by other threads.
• Java doesn’t support pointers – pointers give direct access to memory location.

5. How to protect yourself?

Though Java is very safe to install it is still not perfect. There is scope to improve. Let us see how can we stay safe,

5.1 Stay updated

Make yourself aware of the latest security risks and how Java addresses them If needed update the JVM and JRE o the latest versions. Staying updated helps you to be safe.

5.2 Secure coding principles

• Never trust any input. Validate all the untrusted inputs. Use whitelist instead of blacklist.
• Plan the security well ahead, do not leave it to the end
• Keep the code simple and readable
• Adhere to the least-privilege principle
• Conduct security audits
• Get the code reviewed by more experienced people
• Don’t keep secrets in the code. Externalize the secrets (passwords). Secrets kept in the code will never be a secret.
• Be aware of buffer overflows
• Try to minimize the use of your own crypto algorithms
• Use character sequence for passwords than the String a string stays in memory for a longer time.

6. Common security attacks

In this section to understand why Java is safe to download to Windows 10, I am listing some of the very common types of security attacks. These attacks aren’t specific to Java. They hold good in any programming language.

6.3.1 SQL Injection

In SQL Injection attacker inserts malicious SQL queries are inserted in the form. This can lead to a corrupted database or sometimes leads to exposing sensitive data.

SQL Injection attacks can be minimized or eliminated by validating every input field and by avoiding the dynamic queries (this can be done by using PreparedStatement class)

6.3.2 LDAP injections

Exploiting of LDAP protocol is another common type of attack faced. By input validation and by escaping the special character this risk can be minimized.

6.3.3 Cross-Site Scripting (XSS)

Cross-Site Scripting is another very common type of attacks faced in web applications. This type of attack is normally used to bypass the access controls by injecting the client-side scripts to the web page viewed by the users.

Validation and data sanitization are the keys to protect the application against XSS attack.

6.3.4 Malicious JARs

Some times attackers try to disguise the malicious jars by using other popular file extensions. By some reason, if this malicious class gets loaded to JVM then hackers can easily hack your system. Java has introduced several enhancements to prevent this kind of attack.

One way to mitigate this attack is by signing the jar. Also using the restricted access privileges the damages can be minimized.

7. Is Java Safe?

So is Java safe to download? Is Java safe for Windows 10 to download and install? YES. Java is one of the most secure languages in the market. Java’s security features are far superior to other leading programming languages. However, java applications are at higher risk because of their ubiquitous nature. By making use of the Java security framework and by practicing clean and secure coding practices most of the security risks can be mitigated.

8. More articles

Last updated on Jun. 15th, 2021

Источник

Is Java Safe and Do I Need It?

A reader asks: ‘I’ve been seeing warnings lately that Java has a security flaw, and everyone should remove it. I’m not even sure what Java is. What is Java? Is Java safe? Should I disable or uninstall it?’ Read on to find out.

Should You Allow Java on Your Computer?

If you encounter a website with an embedded Java app, and you don’t have Java installed (or enabled), you’ll just see an empty space where the program (applet) should be displaying. Many sites will provide a helpful link to where you can download the Java runtime environment. Even cell phones commonly push Java at users. But what is Java, and why should you install or enable it?

Java is a both a programming language and a platform for development of applications that work on multiple operating systems, such as Windows or Mac OS or Linux. Java consists of many software components that work together to provide a «cross-platform environment». Essentially, that means a program written in the Java programming language will run on any type of computing platform, not just on an Intel or Apple or Nokia piece of hardware; provided, of course, that the essential Java operating components are present. That’s where the Java runtime environment becomes necessary.

Java is handy for programmers; they need only write a program once and not worry about whether the user has a PC or a Mac computer, or be concerned with which browser is being used. Java applications can be embedded in web pages, cell phones, industrial controls, household thermostats, even coffee makers. So you will run into Java often.

Is Java Safe?

Java is touted as a secure computing environment, one that makes it difficult for bad guys to snoop, cripple, or take over your computer. The Java runtime forces all Java programs to run in what’s called a «sandbox», a portion of computer memory to which they are strictly confined. In the sandbox, a program cannot do certain things without the user’s explicit permission — like read your email or format your hard drive. But a sandbox takes up space.

Java sets up this sandbox in a «virtual machine» which consumes considerable computing resources. The amount of resources required varies according to the needs of a given Java application. A mortgage calculator won’t slow your overall computing down noticeably. A 3D animated game might, if your computer is short on memory and/or processor power.

It’s true that a serious flaw was recently discovered in Java. And yes, many voices have been calling on users to remove or at least disable Java as a result. However, a Java update is available that fixes this issue. If you download the latest version of Java (see link above), you can continue to use Java safely. Or maybe not. some
security experts are warning that the most recent fixes do not fully address all the security concerns.

Do I Really Need Java?

I’ll agree that the usage of Java seems to be waning on the Web. Other development tools, notably HTML5, are gaining in popularity, but I still regularly encounter sites that use it. You may come across online games, financial calculators and other applications that prompt you to run a Java applet on a web page.

• In Chrome, enter chrome://plugins, then click «Disable: link next to Java(TM).
• In Firefox, click the Firefox button, or open the Tools menu. Select Addons, Choose the Plugins tab, select the Java plugin(s) and click disable.
• In Safari, go to Safari Preferences, then Security, and uncheck «Enable Java.»
• In Internet Explorer, it’s a little messier. See this link for instructions on how to disable or Java or completely remove it from your computer.

If you do use or encounter a website that requires Java, chances are you can find an alternative that doesn’t. If you need to use a Java app for work, or there’s just no good alternative, be sure to always keep your Java software updated.

If you want to keep Java for that «just in case» option, or one specific trusted site, I recommend that you disable it in your everyday web browser, and use a second Java-enabled browser just for those apps that require it. For example, if you use Google Chrome or Firefox primarily, disable it there, and let it stay enabled in Internet Explorer. When you need to use a Java app, fire up IE, run the app, then return to your primary browser.

I also suggest you read Leo Notenboom’s excellent article on the Java security mess, for some additional background, and tips on dealing with the issues.

Do you have something to say about Java? Post your comment or question below.

Источник