
java certificate issuer database "security"

the journal of Michael Werneburg

twenty-seven years and one million words

Toronto, 2012.08.13

It turns out that in addition to the other shortcomings of the Java environment, there's essentially no security at all on the way it controls certificate authorities.

In fixing a problem where our bespoke pile o' Java couldn't connect to an SSO service run by a client, we eventually discovered that Java has its own little db of known certificate authorities (CAs). This was password protected, as you might expect. And after we'd asked around the firm, it was clear to us that no one knew this password.

So we Googled it, and as our guy was typing in the search 'default java certificate' Google provided the search term 'default java certificate password'. Going with the first result, we learned that the default password is 'changeit'.

And so, with a stroke of the 'keytool' command, we added some third-rate CA to our system, and were on our way. So any Java environment can be configured to perform encrypted communications with essentially unauthenticated counterparties. I would have expected that Java either a) use the environment's list of valid certificates (e.g. Linux provides this) or b) use a central, approved source for valid CAs. I can see the value in adding arbitrary CAs for development purposes, but to have an essentially insecure db of its own hanging around seems like a big short-cut that defeats the purpose of CAs in the first place.

P.S. Hilariously, 'keytool' echoed the password to the screen.
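
As an added example (not part of the original post), the Python code below audits a JKS-format trust store of the kind described above: it reports whether the store still verifies under the default password 'changeit' and which CA aliases are missing from an approved baseline. The baseline, the alias names and the sample store are constructed for illustration, and the code assumes a version 2 JKS file holding only trusted-certificate entries.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash


def _utf(s):
    """Java writeUTF: 2-byte big-endian length, then the bytes (ASCII here)."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _digest(password, body):
    # The password only keys this SHA-1 integrity hash; CA entries are not encrypted.
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def build_sample_store(entries, password):
    """Constructed test input: a JKS trust store with placeholder cert bytes."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, added_ms in entries:
        cert = b"PLACEHOLDER-DER-" + alias.encode()
        body += struct.pack(">I", 2) + _utf(alias) + struct.pack(">Q", added_ms)
        body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return body + _digest(password, body)


def audit_truststore(data, baseline_aliases, password="changeit"):
    """Return (verifies_with_password, aliases_not_in_baseline)."""
    body, stored = data[:-20], data[-20:]
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS version 2 keystore")
    pos, aliases = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        if tag != 2:
            raise ValueError("only trusted-certificate entries are handled")
        (alen,) = struct.unpack_from(">H", body, pos + 4)
        aliases.append(body[pos + 6:pos + 6 + alen].decode("utf-8"))
        pos += 6 + alen + 8                      # skip alias and timestamp
        (tlen,) = struct.unpack_from(">H", body, pos)
        (clen,) = struct.unpack_from(">I", body, pos + 2 + tlen)
        pos += 2 + tlen + 4 + clen               # skip cert type and cert bytes
    extra = sorted(set(aliases) - set(baseline_aliases))
    return _digest(password, body) == stored, extra
```

A store that verifies under 'changeit' and lists aliases outside the baseline is the situation the post describes; since the password guards only integrity, file permissions on the store are what actually restrict who can add a CA.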
