

Ask HN: Is Oracle Java 7 no longer secure? - spydum

Unless I missed something, it seems Oracle's Java 7u9 JRE no longer enables checking of SSL Certificate Revocation Lists (CRLs) [see: http://docs.oracle.com/javase/7/docs/technotes/guides/deployment/deployment-guide/jcp.html#security - search for CRL, notice the default]. Does this mean any SSL certificate that may have been compromised and placed into a CRL is no longer validated?
======
JoachimSchipper
Yeah, probably. But CRLs were always unreliable (how much software do you
think blocks the connection if the CRL/OCSP/... cannot be found? You need to
twiddle a well-hidden switch in Firefox to make it check, and the results are
not pretty - big CAs like Verisign time out all the time). Something like
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html is far more likely to actually bite you.
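Both the question (Java's default leaves revocation checking off) and the reply (revocation checks that do run are only as reliable as the CA's CRL/OCSP responders) come down to what the JSSE trust manager is configured to do. The following is an added example, not code from either poster and not Oracle's own documentation: it builds an SSLContext on Java 7 whose PKIX trust manager has revocation checking switched on, enables OCSP and CRL Distribution Point fetching through the standard `ocsp.enable` security property and `com.sun.security.enableCRLDP` system property, and then opens an HTTPS connection. Because Java 7 has no soft-fail option for PKIX revocation, an unreachable CRL/OCSP source makes the handshake fail, which is exactly the trade-off the reply describes. The cacerts path and the `changeit` password are the JDK's conventional defaults and are assumptions here; the target URL is a placeholder supplied on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Demonstrates turning on certificate revocation checking for TLS on Java 7,
 * which the JRE leaves disabled by default. Added example, not code from the
 * HN thread above.
 */
public class RevocationCheckingClient {

    /** Builds an SSLContext whose trust manager performs OCSP/CRL revocation checks. */
    public static SSLContext revocationCheckingContext() throws Exception {
        // Assumption: the JRE's default trust store lives at the conventional
        // path with the conventional "changeit" password.
        String cacerts = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(cacerts);
        try {
            trustStore.load(in, "changeit".toCharArray());
        } finally {
            in.close();
        }

        // PKIX parameters with revocation checking enabled. On Java 7 this is
        // hard-fail: if neither an OCSP response nor a CRL can be obtained, the
        // chain is rejected and the handshake fails.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);

        // Let the PKIX validator fetch OCSP responses (security property) and
        // follow CRL Distribution Points in the certificate (system property).
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");

        ManagerFactoryParameters mfp = new CertPathTrustManagerParameters(pkix);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(mfp);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens an HTTPS connection using the revocation-checking context and reports the outcome. */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java RevocationCheckingClient https://<placeholder-host>/");
            System.exit(2);
        }
        SSLContext ctx = revocationCheckingContext();
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            conn.connect();
            System.out.println("Handshake OK, revocation status verified: HTTP " + conn.getResponseCode());
        } catch (javax.net.ssl.SSLHandshakeException e) {
            // Revoked certificate and unreachable CRL/OCSP responder both land
            // here on Java 7; inspect the cause chain to tell them apart.
            Throwable cause = e;
            while (cause.getCause() != null) {
                cause = cause.getCause();
            }
            System.out.println("Handshake rejected: " + cause);
        } finally {
            conn.disconnect();
        }
    }
}
```

Run it against any HTTPS host once to see a normal handshake, then block outbound access to the CA's CRL/OCSP endpoints (or pick a CA whose responder is slow) to see the hard failure the reply complains about; that failure mode is why most deployments leave the switch off, and why the Stanford paper's client-side validation bugs tend to matter more in practice.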

