Ask HN: Is Oracle Java 7 no longer secure?

4 points by spydum ↗ HN
Unless I missed something, it seems Oracle's Java 7u9 JRE no longer enables checking of SSL Certificate Revocation Lists (CRLs)[see: http://docs.oracle.com/javase/7/docs/technotes/guides/deployment/deployment-guide/jcp.html#security - search for CRL, notice the default]. Does this mean any ssl certificate that may have been compromised and placed into CRL is no longer validated?

2 comments

[ 3.0 ms ] story [ 10.4 ms ] thread
Yeah, probably. But CRLs were always unreliable (how much software do you think blocks the connection if the CRL/OCSP/... cannot be found? You need to twiddle a well-hidden switch in Firefox to make it check, and the results are not pretty - big CAs like Verisign time out all the time). Something like https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-... is far more likely to actually bite you.
(comment deleted)