Is Java Safe?

Is Java safe to download and install on any version of Windows, and on Windows 10 in particular? Nearly half of the enterprise applications written in the last 15 years were written in Java, making it the ubiquitous language in the enterprise world. Being so popular means applications written in Java are more prone to security threats. So can we answer the question: is Java safe to download and install?

Though the Java platform is written giving utmost importance to security, third-party libraries and poorly written code make applications vulnerable to security attacks. Some of the Java security vulnerabilities can be listed as:

  • Loopholes in the Java Code libraries
  • Vulnerabilities in third-party libraries
  • Poorly written code

1. Introduction

In this article, I am going to showcase some of Java’s security features and security issues in brief. Also, I am going to provide some of the Java secure coding principles. This article applies to Java 8 and prior versions. The purpose of this article is to understand why Java is safe and why you must install it.

Being an internet-friendly language, Java has incorporated many security features as part of the language. Some of them are described below.

2. Java SE security overview

2.1. Language features

Some of Java’s built-in features eliminate more subtle programming errors.

  • Java is designed to be type-safe
  • Automatic memory management and garbage collection – reduces the risk of having too many objects in memory
  • Range checking on arrays – eliminates array overflowing scenarios

2.2. Bytecode verification

Java is safe to download to Windows 10 because files are compiled to machine-understandable, platform-independent bytecode. The bytecode verifier ensures that only legitimate bytecode (a Java program) is run on the Java Runtime. It checks the bytecode against the Java language specification and for illegal data conversions, memory management violations, and stack overflows and underflows. The code is run only when all of these checks pass. This way it is not easy to run malicious code.

2.3. Cryptography support

Java is safe to install because it supports most of the commonly used security algorithms and includes built-in providers. The most commonly used crypto algorithms, such as RSA, DSA, SHA-1, SHA-2, and AES encryption, are supported by default in the Java security architecture. Most of the supporting APIs are part of the java.security and javax.crypto packages.

2.4. Public key infrastructure

Public Key Infrastructure (PKI) enables the cryptographic exchange of information using public and private key pairs. PKI encompasses the private key, the public key, the certificate, and the Certification Authority.

Java encompasses key and certificate stores. java.security.KeyStore stores the keys and java.security.cert.CertStore stores the certificates. Also, the Java platform’s JKS key store and cacerts file contain certificates for well-known certification authorities. This is another reason to install Java.
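To see which certification authorities a given Java installation trusts by default, the following added example (not code from the original article) loads the JVM's default trust store and flags roots that are outside their validity period or signed with MD5 or SHA-1. The class name `TrustStoreAudit` and the choice of review criteria are assumptions made for illustration.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreAudit {

    /** Returns the CA certificates the default JVM trust store accepts. */
    static List<X509Certificate> defaultTrustedCas() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the JVM default trust store (cacerts)
        List<X509Certificate> cas = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    cas.add(c);
                }
            }
        }
        return cas;
    }

    /** Describes why a trusted root is worth reviewing, or returns null. */
    static String finding(X509Certificate cert) {
        try {
            cert.checkValidity(); // throws if expired or not yet valid
        } catch (CertificateException e) {
            return "outside validity period (notAfter=" + cert.getNotAfter() + ")";
        }
        String alg = cert.getSigAlgName().toUpperCase();
        if (alg.contains("MD5") || alg.contains("SHA1")) {
            return "signed with weak algorithm " + alg;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> cas = defaultTrustedCas();
        System.out.println("Trusted CA certificates: " + cas.size());
        for (X509Certificate c : cas) {
            String f = finding(c);
            if (f != null) {
                System.out.println(c.getSubjectX500Principal().getName() + " -> " + f);
            }
        }
    }
}
```

An old, unpatched JRE typically reports more findings here than a current one, because the bundled cacerts file is only refreshed when Java itself is updated.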

2.5. Authentication

Authentication is the process of determining the identity of the user. Java encompasses APIs that enable us to provide user authentication via pluggable authentication modules like Kerberos, SmartCard, Username/Password and so on.

2.6. Secure Communication

Java is also safe to download and install because it protects data in transit. Data transferred across the network is more prone to risk. It is always important to make sure the data is sent only to the intended party and hasn’t been modified during transport. The Java platform provides implementations of secure transport protocols such as SSL/TLS, SASL (Simple Authentication and Security Layer), Kerberos, etc.

2.7. Access Control

Java access control architecture protects access to sensitive resources and code. All access control decisions are mediated by a security manager.

When Java code is loaded by the ClassLoader, it associates the information like,

  • Origin of the code
  • Signing Authority information (if any)
  • Granted permissions

This information is associated with the code regardless of whether it is downloaded from the internet or loaded from the file system.

3. Security Issues in the past

Some of the major security concerns raised in the past and security issues faced are listed as below,

  • Java Applets are often criticized for making users vulnerable to malware. This was very significant in the year 2010. Many malware programs exploited the Java sandbox environment to run applets. Because of this, many browsers stopped supporting Java Plugins (Applets).
  • In January 2013, a zero-day vulnerability was found in all versions of Java 7.
  • Prior to Java 7, the Java installers weren’t removing older versions of Java. As a result, security flaws in older versions weren’t corrected, leaving the user’s machine and software at a security risk.
  • Java doesn’t have a self-update mechanism. As a result, all patches have to be applied manually. This leaves the security loophole open until the user updates their Java version, whereas many other tools and frameworks update to newer versions automatically. This hasn’t been fixed as of Java 8.

4. Java’s security compared to other languages

Java is considered more secure than other programming languages. Some of the reasons to back the argument are as follows:

  • Java Compiler – Java compiler catches more errors and also it doesn’t allocate memory directly. In Java, it is very unlikely to reference the memory used by other programs and applications.
  • Own memory management – The Java Platform owns memory management. There is no need to clear the memory in the program. This takes most of the memory management burden off programmers.
  • Access modifiers – Java access modifiers provide an additional security mechanism by preventing unintentional overriding.
  • Bytecode verification – Java Platform verifies the bytecode before running. This eliminates the risks of running malicious code.
  • String immutability – String is immutable in Java. This eliminates the risk of one thread modifying the strings owned by other threads.
  • Java doesn’t support pointers – pointers give direct access to memory location.

5. How to protect yourself?

Though Java is very safe to install, it is still not perfect. There is scope to improve. Let us see how we can stay safe.

5.1 Stay updated

Make yourself aware of the latest security risks and how Java addresses them. If needed, update the JVM and JRE to the latest versions. Staying updated helps you to be safe.

5.2 Secure coding principles

As developers, you need to know how to write flawless code. By following some of the coding guidelines many of the security vulnerabilities can be eliminated. Some of the secure coding principles are listed below,

  • Never trust any input. Validate all the untrusted inputs. Use whitelist instead of blacklist.
  • Plan the security well ahead, do not leave it to the end
  • Keep the code simple and readable
  • Adhere to the least-privilege principle
  • Conduct security audits
  • Get the code reviewed by more experienced people
  • Don’t keep secrets in the code. Externalize the secrets (passwords). Secrets kept in the code will never be a secret.
  • Be aware of buffer overflows
  • Try to minimize the use of your own crypto algorithms
  • Use a character sequence for passwords rather than a String, because a String stays in memory for a longer time.
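The last two principles can be shown together. This added example (not from the original article) keeps the password in a `char[]` that is wiped after use and relies on the JDK's built-in PBKDF2 implementation instead of a home-grown scheme. The class name, the iteration count and the sample passwords are assumptions chosen for illustration.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {

    static final int ITERATIONS = 210_000; // assumed work factor, tune for your hardware

    /** Derives a 256-bit hash with the JDK's PBKDF2 provider. */
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy held inside the key spec
        }
    }

    /** Verifies an attempt and wipes it, whatever the outcome. */
    static boolean verify(char[] attempt, byte[] salt, byte[] expected) throws Exception {
        try {
            // MessageDigest.isEqual compares in constant time
            return MessageDigest.isEqual(hash(attempt, salt), expected);
        } finally {
            Arrays.fill(attempt, '\0'); // a char[] can be erased, a String cannot
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample; real code would read from Console.readPassword()
        char[] enrolled = {'c', 'o', 'r', 'r', 'e', 'c', 't'};
        byte[] stored = hash(enrolled, salt);
        Arrays.fill(enrolled, '\0');

        // String literals are used below only to keep the demo short
        System.out.println(verify("correct".toCharArray(), salt, stored)); // true
        System.out.println(verify("wrong".toCharArray(), salt, stored));   // false
    }
}
```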

6. Common security attacks

In this section, to understand why Java is safe to download to Windows 10, I am listing some of the very common types of security attacks. These attacks aren’t specific to Java. They apply to any programming language.

6.3.1 SQL Injection

In a SQL injection attack, the attacker inserts malicious SQL queries into a form. This can lead to a corrupted database or sometimes to the exposure of sensitive data.

SQL injection attacks can be minimized or eliminated by validating every input field and by avoiding dynamic queries (this can be done by using the PreparedStatement class).
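The difference between a dynamic query and a PreparedStatement, as an added example that is not part of the original article. The `users` table, its `name` and `email` columns and the class name are hypothetical; `findEmail` assumes the caller supplies an open `java.sql.Connection`, while `main` runs without a database and only prints the query text the vulnerable pattern would send.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class UserLookup {

    /** Vulnerable pattern: the input becomes part of the SQL text itself. */
    static String dynamicQuery(String name) {
        return "SELECT email FROM users WHERE name = '" + name + "'";
    }

    /** Hardened form: the SQL text is fixed and the input is bound as data. */
    static String findEmail(Connection conn, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name); // never parsed as SQL, whatever it contains
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    public static void main(String[] args) {
        String input = "x' OR '1'='1"; // constructed hostile form value
        // The quote in the input closes the string literal, so the WHERE
        // clause the database parses is no longer the one the developer wrote.
        System.out.println(dynamicQuery(input));
        // With findEmail(), the same input is compared literally against the
        // name column and matches no row.
    }
}
```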

6.3.2 LDAP injections

Exploiting the LDAP protocol is another common type of attack. This risk can be minimized by input validation and by escaping special characters.
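Escaping the special characters of an LDAP search filter, as an added example that is not part of the original article. The escape sequences follow the filter syntax of RFC 4515; the class name, the `uid` attribute and the sample input are assumptions made for illustration.

```java
public class LdapFilterEscape {

    /** Escapes a value for use inside an LDAP search filter (RFC 4515). */
    static String escape(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds a filter that matches exactly one uid value. */
    static String userFilter(String uid) {
        return "(&(objectClass=person)(uid=" + escape(uid) + "))";
    }

    public static void main(String[] args) {
        String input = "*)(uid=*"; // constructed hostile login name

        // Without escaping, the input rewrites the structure of the filter.
        System.out.println("(&(objectClass=person)(uid=" + input + "))");

        // With escaping, it is one literal value that matches no real user:
        // (&(objectClass=person)(uid=\2a\29\28uid=\2a))
        System.out.println(userFilter(input));
    }
}
```

Values placed inside a distinguished name need a different escaping rule set than filter values, so this method should not be reused for building DNs.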

6.3.3 Cross-Site Scripting (XSS)

Cross-Site Scripting is another very common type of attack faced by web applications. This type of attack is normally used to bypass access controls by injecting client-side scripts into the web page viewed by users.

Validation and data sanitization are the keys to protect the application against XSS attack.

6.3.4 Malicious JARs

Sometimes attackers try to disguise malicious jars by using other popular file extensions. If, for some reason, a malicious class gets loaded into the JVM, hackers can easily hack your system. Java has introduced several enhancements to prevent this kind of attack.

One way to mitigate this attack is by signing the jar. Also, by using restricted access privileges, the damage can be minimized.
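Signing only helps if the signature is checked before the archive is used. This added example (not from the original article) uses `java.util.jar.JarFile` in verifying mode to confirm that every entry outside META-INF is signed and intact; the class name is an assumption and the jar path is supplied on the command line.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {

    /**
     * Returns true only if every class/resource entry carries a valid signature.
     * Throws SecurityException if an entry does not match its signed digest.
     */
    static boolean isFullySigned(String path) throws Exception {
        try (JarFile jar = new JarFile(path, true)) { // true = verify signatures
            if (jar.getManifest() == null) {
                return false; // no manifest means nothing can be signed
            }
            byte[] buf = new byte[8192];
            boolean sawSignedEntry = false;
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                // Simplification: skip directories and META-INF, where the
                // signature files themselves live.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                // Signer information is only available once the entry is fully read.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    return false; // unsigned entry mixed into the archive
                }
                sawSignedEntry = true;
            }
            return sawSignedEntry;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignatureCheck <path-to-jar>");
            return;
        }
        System.out.println(args[0] + " fully signed: " + isFullySigned(args[0]));
    }
}
```

A valid signature shows that the contents are intact and who signed them, not that the signer is trustworthy. Compare the certificates returned by `getCodeSigners()` against the publishers you expect before loading the jar.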

7. Is Java Safe?

So is Java safe to download? Is Java safe to download and install on Windows 10? YES. Java is one of the most secure languages in the market. Java’s security features are far superior to other leading programming languages. However, Java applications are at higher risk because of their ubiquitous nature. By making use of the Java security framework and by following clean and secure coding practices, most of the security risks can be mitigated.

Last updated on Jun. 15th, 2021

Santosh Balgar

He is a Software Engineer working in an industry-leading organization. He has completed his bachelors from Visweswaraya Technological University. In his career, he has worked in designing and implementing various software systems involving Java/J2EE, Spring/ Spring Boot, React JS, JQuery, Hibernate and related database technologies. He loves to share his knowledge and always look forward to learning and explore new technologies. He loves to spend his free time with his family. He enjoys traveling and loves to play cricket.