The Artima Developer Community

Java Buzz Forum
SUN Java Studio Creator and where your serial numbers fly by...

Adam Kruszewski

Posts: 90
Nickname: phantomik
Registered: Jan, 2005

Adam Kruszewski is (mostly) Java developer and linux system administrator.
SUN Java Studio Creator and where your serial numbers fly by... Posted: May 26, 2005 3:48 PM

This post originated from an RSS feed registered with Java Buzz by Adam Kruszewski.
Original Post: SUN Java Studio Creator and where your serial numbers fly by...
Feed Title: Adam Kruszewski :: WebLog();
Feed URL: http://adam.kruszewski.name/blojsom/blog/adam.kruszewski/?flavor=rss2
Feed Description: Thoughts about linux, open source, programming, ...

Probably many owners of Sun Java Studio Creator (and very likely also other Sun Studio products) have sometimes had problems connecting to the update center. It wouldn't be such an issue if it didn't persist for a whole day or even two and if the error message meant something useful (it is always a 'connection refused' msg., even if it tries to connect for a few minutes and exchanges a couple of kilobytes in both directions).
Last time I couldn't connect, I decided to investigate this issue. So, armed with tcpdump, I tried to unveil the IP address of the update server. You can imagine how surprised I was when I saw a raw HTTP session with my serial number in it. It is 2005 and I saw an unencrypted HTTP session with some sensitive information!!! (One can argue whether a serial number is sensitive information, but it is directly connected to my personal data in the vendor's database, and besides -- it costs me 99 bucks to have one.) The first rational (besides WTF) question that came to my mind was "how hard would it be for SUN to embrace https?!" It takes me 3 minutes to proxy Tomcat with an SSL-enabled Apache Web Server. It could even have a self-signed certificate, because they could "teach" JSC to trust it "out of the box". I wonder how many products with auto-update ability send such data over unencrypted wires? (And how many products send sensitive information without the user's knowledge at all?)

PS. If you own JSC and want to know if the update site is alive or crawling with an OOM exception, just enter this URL in a browser, substituting <SN> with your serial number (without SN you should get an "auth error" response):

(it is all on one line)
http://wwwavs.java.sun.com//services/qmds/query/metaCreator/catalog.xml?idev=4.26.2&auv=&lc=en&ibr=creator&osname=Linux&osarch=i386&osversion=2.6.12-1-686&sn=<SN>

Read: SUN Java Studio Creator and where your serial numbers fly by...
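
Added example, not part of the original post: a Python check that scans plaintext HTTP payload text (for instance the ASCII output of `tcpdump -A`) for sensitive query parameters such as the `sn` value described in the post. The capture text, the placeholder serial number and the list of parameter names are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Assumed names worth flagging; "sn" is the parameter shown in the post.
SENSITIVE = {"sn", "serial", "license", "key", "token", "password"}
METHODS = {"GET", "POST", "HEAD", "PUT"}

# Constructed capture text modelled on the URL in the post; the serial is a placeholder.
SAMPLE = (
    "GET //services/qmds/query/metaCreator/catalog.xml?idev=4.26.2&auv=&lc=en"
    "&ibr=creator&osname=Linux&osarch=i386&osversion=2.6.12-1-686"
    "&sn=EXAMPLE-0000 HTTP/1.1\r\n"
    "Host: wwwavs.java.sun.com\r\n"
    "\r\n"
)

def find_cleartext_leaks(payload, sensitive=SENSITIVE):
    """Return (host, path, param, redacted_value) for every sensitive,
    non-empty query parameter seen in a plaintext HTTP request."""
    findings = []
    lines = payload.replace("\r\n", "\n").split("\n")
    for i, line in enumerate(lines):
        parts = line.split(" ")
        if len(parts) != 3 or parts[0] not in METHODS:
            continue
        if not parts[2].startswith("HTTP/1."):
            continue
        # The Host header of this request sits before the first blank line.
        host = ""
        for hdr in lines[i + 1:]:
            if not hdr:
                break
            name, _, value = hdr.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
        # Split by hand: a target starting with "//" (as in the post) would
        # be misread as a network location by urlsplit().
        path, _, query = parts[1].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in sensitive and value:
                # Keep only two characters so the report does not leak again.
                findings.append((host, path, name, value[:2] + "***"))
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_leaks(SAMPLE):
        print("sensitive parameter over plain HTTP:", finding)
```

Anything this check can read from a capture is equally readable by any host on the network path, which is the exposure the post describes.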

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use