Enabling CRL checking and other important security features in Java Runtime Environment
An attacker can sign malicious code with a certificate that was valid when issued but has since been revoked; if the JRE client never checks revocation status, that certificate is still trusted and the signed code bypasses the restrictions the JRE applies to unsigned code. Today, on the Daily ISC StormCast, it was mentioned that Oracle does not enable CRL (certificate revocation list) checking by default in the JRE.
Enable CRL checking for your JRE clients:
Luckily, you can enable it with the same mechanism you should already be using to push a JRE deployment policy to your clients via GPO: a centrally managed deployment.properties file.
The specific setting is deployment.security.validation.crl (set it to true), and it is covered in the Deployment Configuration File and Properties documentation.
Hardening the rest of the JRE:
While we’re at it, since Oracle won’t do it for us, we can push several other settings to our clients that make them considerably more secure:
The following is a recommended config for deployment.properties file:
deployment.security.level=HIGH
deployment.security.level.locked
deployment.insecure.jres="PROMPT"
deployment.insecure.jres.locked
deployment.security.jsse.hostmismatch.warning=true
deployment.security.sandbox.awtwarningwindow=true
deployment.security.sandbox.awtwarningwindow.locked
deployment.security.mixcode=ENABLE
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
Note that you may have additional or different settings; you may have set deployment.security.level to VERY_HIGH, for instance. Some of the above are already the defaults, but it is much better to set them explicitly, and lock them so users cannot change them in the Java Control Panel, than to let Oracle decide for you.
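Before pushing a deployment.properties file through GPO, it is worth checking that the file actually contains the hardened values and that each one is locked. The following script is an added example, not code from the original post or from Oracle: it reads a deployment.properties file with a minimal Java .properties parser (valueless `.locked` keys included) and reports every baseline setting that is missing or weak. The two sample files, WEAK and HARDENED, are constructed for the example; the baseline mirrors the recommended configuration above, plus VERY_HIGH for the security level and NEVER for deployment.insecure.jres as the stricter documented values.

```python
import re

# Hardened baseline, taken from the recommended deployment.properties
# above. None means the key is a valueless ".locked" flag that only needs
# to be present; a set lists the values accepted as hardened.
BASELINE = {
    "deployment.security.level": {"HIGH", "VERY_HIGH"},
    "deployment.security.level.locked": None,
    # NEVER is the stricter documented alternative to PROMPT
    "deployment.insecure.jres": {"PROMPT", "NEVER"},
    "deployment.insecure.jres.locked": None,
    "deployment.security.jsse.hostmismatch.warning": {"true"},
    "deployment.security.sandbox.awtwarningwindow": {"true"},
    "deployment.security.sandbox.awtwarningwindow.locked": None,
    "deployment.security.mixcode": {"ENABLE"},
    "deployment.security.validation.ocsp": {"true"},
    "deployment.security.validation.ocsp.locked": None,
    "deployment.security.validation.crl": {"true"},
    "deployment.security.validation.crl.locked": None,
}

# key, optional '=' or ':' separator, rest of line as value
_KV = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal Java .properties reader: skips blank lines and '#'/'!'
    comments, joins backslash-continued lines, and accepts key=value,
    key:value, key value, or a bare key (the .locked flags map to '')."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _KV.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            # the recommended config quotes "PROMPT"; tolerate both forms
            props[key] = value.strip('"')
    return props


def audit(props):
    """Compare parsed properties with BASELINE. Returns a list of
    (key, problem) tuples; an empty list means every hardened setting is
    present, has an accepted value, and is locked where the baseline
    locks it."""
    findings = []
    for key, accepted in BASELINE.items():
        if key not in props:
            findings.append((key, "missing"))
        elif accepted is not None and props[key] not in accepted:
            findings.append((key, "weak value %r" % props[key]))
    return findings


def audit_text(text):
    """Convenience wrapper: audit the contents of a deployment.properties
    file given as a string."""
    return audit(parse_properties(text))


# Constructed sample: a permissive client configuration.
WEAK = """\
# constructed example of a loosely configured client
deployment.security.level=MEDIUM
deployment.insecure.jres=ALWAYS
deployment.security.validation.ocsp=false
deployment.security.validation.crl=false
"""

# Constructed sample: the recommended configuration, one key per line.
HARDENED = """\
deployment.security.level=HIGH
deployment.security.level.locked
deployment.insecure.jres="PROMPT"
deployment.insecure.jres.locked
deployment.security.jsse.hostmismatch.warning=true
deployment.security.sandbox.awtwarningwindow=true
deployment.security.sandbox.awtwarningwindow.locked
deployment.security.mixcode=ENABLE
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        findings = audit_text(text)
        print("%s: %d finding(s)" % (name, len(findings)))
        for key, problem in findings:
            print("  %s: %s" % (key, problem))
```

Run it against the file you intend to distribute (read it with open() and pass the text to audit_text) and fix every finding before it goes into the GPO; the WEAK sample produces twelve findings, four weak values and eight missing keys, while HARDENED produces none.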
It’s clear that Oracle is erring on the side of usability over security, judging by the default settings shipped with the JRE. This is the opposite of something like Internet Explorer, which does not enable compatibility mode for all web pages by default, for instance. Yes, I just implied that IE has better security than the JRE.
I suppose they expect that 99% of their users will work out on their own that they must change these settings in order to run securely.
A better approach would be to eliminate any application you cannot re-sign with your own internal CA, or pin to a known certificate by adding it to the local JRE certificate store. Again, this assumes you have the people and skills to do it. Failing that, Oracle should really enable CRL and OCSP checking by default.