Review #173
closed Bug #165: Oracle Java security risks
consider re-implementation as non-Java based version
0%
Description
Hi.
AFAIU, Open eCard uses Java web services to provide the whole system.
One of the main motivations to have the whole project (in contrast to the proprietary solution) is surely security (both to be safe from any governmental malware/etc. and to audit the code - as the past has shown, governmental programs tend to often have security issues).
IMHO, the use of Java however makes all moot.
Not only when looking at the last months and weeks, Java applets and web services have always been highly risky and insecure... but, of course, especially the last weeks with nearly a critical hole every few days (not to talk about those which Oracle likely knows about, but just doesn't disclose) show that one would exchange "being attackable by the government" with "being attackable by any criminals" when using a Java web based system.
Java is not even a big advantage from a portability point of view... whenever you go deeper into the OS you lose portability anyway... and for all things that a project like this should need... portable C/C++ libs are available.
My proposal would be to try to port the current code to C++.
One could try to have some client (e.g. browser) independent code for the main functionality... and plugins specifically for the respective browser(s).
Cheers,
Chris.
Updated by Andreas Kuckartz over 11 years ago
- Tracker changed from Bug to Review
- Parent task set to #165
Updated by Tobias Wich over 6 years ago
- Status changed from New to Rejected
The first point, delivering via Java Web Start, is not true anymore for the upcoming version 1.3.0.
In case Java is not an option, then there is the Qt-based AusweisApp available as EUPL-licensed code on GitHub.