Bitcoin Forum
Author Topic: Should I trust Oracle? (Sun JDK -vs- Open JDK)  (Read 2474 times)
d4n13 (OP)
Full Member
Activity: 210
Merit: 101
“Create Your Decentralized Life”

June 19, 2015, 06:40:02 PM
#1

A few years ago, this would have sounded like the ramblings of a lunatic, but nowadays... not so much.

There were reports that some bad acting tech companies were coerced into weakening encryption (RNG) at the request of #bigbrother (ref1).

Surveys of public keys (SSH, SSL, PGP) show that there are alarming numbers of collisions (ref2).

Seeing how Oracle is infinitely more coercible than a distributed open source endeavor, my question is, should Java encryption be done on open JDKs to guard against this type of threat?

ref1: http://www.zdnet.com/article/has-the-nsa-broken-ssl-tls-aes/
ref2: http://arstechnica.com/business/2012/02/crypto-shocker-four-of-every-1000-public-keys-provide-no-security/

PS: Favorite quote from (ref2)
Quote
It remains unclear exactly what is causing large clusters of keys to use duplicated factors
Hmm... see (ref1)

tspacepilot
Legendary
Activity: 1456
Merit: 1076
I may write code in exchange for bitcoins.

June 20, 2015, 01:08:40 AM
#2

Thanks for those links (especially the second one), I hadn't seen that.

From what I read recently, nowadays OpenJDK is actually the "standard" jdk.  So, if I were you, I'd turn the question around, is there any reason *not* to use open jdk given that (1) it's free (both kinds of free) and (2) what you mentioned in the OP?
d4n13 (OP)
Full Member
Activity: 210
Merit: 101
“Create Your Decentralized Life”

June 20, 2015, 01:51:46 AM
#3

There are actually fewer Win64 builds of OpenJDK than I thought.  I'm not averse to building it from scratch, but I'm certainly not advocating that stuff to a new member.

I'll give Zulu a shot, which is an OpenJDK distro (ref1).  For the paranoid, only building from scratch will do.  For the truly paranoid, only open source SW running on open source HW will do.  Ultimately, it may eventually come to that.  If Oracle isn't coerced, then perhaps Intel is.  Doesn't matter who makes bad RNG, once it's bad, it's really bad.

Anyway... I'll post how Zulu works with Multibit and BitcoinJ once that project pops to top of stack.

ref1: http://www.azulsystems.com/products/zulu/downloads
ref2: http://www.wired.com/2013/09/nsa-backdoor/

PS: found an even scarier article on Crypto-Crippling, this one affects Elliptic Curve RNG (ref2) (ouch).


tspacepilot
Legendary
Activity: 1456
Merit: 1076
I may write code in exchange for bitcoins.

June 20, 2015, 07:32:46 AM
#4

Quote from: d4n13 on June 20, 2015, 01:51:46 AM
There are actually fewer Win64 builds of OpenJDK than I thought.  I'm not averse to building it from scratch, but I'm certainly not advocating that stuff to a new member.

I'll give Zulu a shot, which is an OpenJDK distro (ref1).  For the paranoid, only building from scratch will do.  For the truly paranoid, only open source SW running on open source HW will do.  Ultimately, it may eventually come to that.  If Oracle isn't coerced, then perhaps Intel is.  Doesn't matter who makes bad RNG, once it's bad, it's really bad.

Anyway... I'll post how Zulu works with Multibit and BitcoinJ once that project pops to top of stack.

ref1: http://www.azulsystems.com/products/zulu/downloads
ref2: http://www.wired.com/2013/09/nsa-backdoor/

PS: found an even scarier article on Crypto-Crippling, this one affects Elliptic Curve RNG (ref2) (ouch).

OpenJDK has been the default Java on debian (and downstream, I assume) systems for some time now.  You have to go out of your way to get the Sun Java nowadays on the linux distros I use.  I've never built software on windows so I don't know how it compares but on linux you usually just have to run "./configure && make && make install", a lot of newbies can probably do that okay.  Shit, if you can build a windows java guaranteed without spyware, maybe you can start distributing the binaries for the newbies yourself :)
Mike Hearn
Moderator
Legendary
Activity: 1526
Merit: 1128

August 05, 2015, 10:46:01 AM
#5

The collections of identical keys are almost always due to hardware devices that generate a key on first boot, before they have any entropy. I doubt the JDK will ever be backdoored given the scrutiny it gets, but using Zulu or compiling OpenJDK yourself is not a bad mitigation if you're worried about it.
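The two failure modes the thread circles (byte-identical keys from devices that key themselves before they have any entropy, and keys that merely share one prime, which is what the Ars Technica survey d4n13 cites is counting) are easy to reproduce and easy to audit for. The Python below is an added example written for this page, not code posted by anyone in the thread or shipped by any JDK: the device "fleet", the tiny seed pools standing in for a low-entropy first boot, and the 32-bit primes are all constructed, and the audit is the pairwise-GCD check a defender runs over a batch of public moduli before trusting them.

```python
import math
import random
from itertools import combinations

# Added example (not from the thread). A toy fleet of RSA-style moduli built
# from a seeded PRNG, plus the audit that finds identical keys and keys that
# share a prime factor. All seeds, pools and key sizes are constructed.

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for n < 3.3e24


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for the sizes used here."""
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(rng, bits):
    """Draw odd candidates of exactly `bits` bits from rng until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_modulus(boot_seed, later_seed, bits=32):
    """n = p*q, with p drawn from the entropy available at first boot and q from
    what the device has gathered a little later. Two devices with the same
    boot_seed share p; if they also share later_seed they produce the same key."""
    p = next_prime(random.Random(boot_seed), bits)
    q = next_prime(random.Random(later_seed), bits)
    return p * q


def weak_fleet(count, boot_pool=3, later_pool=5):
    """Hypothetical devices whose first-boot seed is one of `boot_pool` values
    and whose later seed is one of `later_pool` values (constructed data)."""
    return [make_modulus(i % boot_pool, 100 + i % later_pool) for i in range(count)]


def good_fleet(count):
    """Same generator, but every device gets its own seed for both primes."""
    return [make_modulus(10_000 + i, 20_000 + i) for i in range(count)]


def find_identical(moduli):
    """Group indices of identical public moduli (the first-boot case)."""
    groups = {}
    for i, n in enumerate(moduli):
        groups.setdefault(n, []).append(i)
    return [idx for idx in groups.values() if len(idx) > 1]


def find_shared_factors(moduli):
    """Pairwise gcd over the batch. A gcd strictly between 1 and n is a prime
    shared by two different keys, which fully factors both. Returns {index: p}."""
    weak = {}
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        g = math.gcd(a, b)
        if 1 < g < a and g < b:
            weak[i] = g
            weak[j] = g
    return weak


if __name__ == "__main__":
    fleet = weak_fleet(18)
    print("identical keys:", find_identical(fleet))
    print("keys with a shared factor:", sorted(find_shared_factors(fleet)))
    clean = good_fleet(18)
    print("clean fleet:", find_identical(clean), find_shared_factors(clean))
```

Real surveys use batch GCD over a product tree rather than O(n²) pairwise gcds, but the check is the same, and so is the lesson: the problem is on the generation side, not the JDK vendor. Whatever runtime you pick, the key is only as good as the entropy SecureRandom had when the first key was cut.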