javased.com -- any experiences?

 
Jesse Silverman
Saloon Keeper
This is definitely an example of Yak Shaving, so hopefully someone will help me out here.

I was evaluating a site with a bunch of Java information on it to see what I really thought of it on further examination (I already added it as a link on one of our pages because it is at least okay, is still updated and covers the topic).

While doing so I noticed they tended to refer the user to the following site somewhat often:

http://www.javased.com/?action=source-search

I certainly like the idea of a curated search that will yield better results than just whatever I get "on the street".

The first thing I disliked is that the site doesn't use https:// and has no certificate, but I feel that way about almost any site.

Getting past that, I started playing around with it a little to see if it really gave me results of any better quality than we would get just using our preferred Google-Alternatives in a generic fashion.

Of course, I wound up going down the Rabbit-Hole and am now reading some fascinating discussions about diverse Java topics, so I wanted to come back here and ask whether anyone has played around with that site for finding:
1. sources
2. examples
3. discussion topics

And finds it either super-useful, downright dangerous, or just useless or pointless versus using general searches.

It superficially appears to have been around for just about 7 years or so -- I had never taken notice of it prior to the site I was on repeatedly referring to it as a useful tool...
 
Tim Holloway
Saloon Keeper
Lack of SSL I can forgive. Of all the things that snooping on my Internet traffic could reveal, my choices in source code searches are fairly low.

However, there is no identification of who is providing that site and the page carries a hefty load of JavaScript in it, so even via SSL, it's potentially dangerous.

I always find my source code via Google and do my discussions on the Ranch.
 
Matthew Bendford
Master Rancher
I don't see the lack of TLS as something to really worry about. Unless you exchange sensitive data with it, it doesn't really matter anyways. And let's be honest: we all used to freely enter credentials reused on other sites about 20 years ago and did not worry about whether the data were transmitted over a secured channel, although SSL/TLS have been around since the 90s when the browser war happened. And most users today still have that mindset: if a browser warns about unsecured transmission, they ignore it anyway.
I once played around with simple RSA/AES encryption based on some simple JavaScript - and done "properly" one can replicate the security of modern PKI TLS without using it. But this goes towards "don't roll your own crypto".
 
Ron McLeod
Marshal
In addition to the privacy that TLS brings, using TLS also protects against site hijacking (via spoofed DNS), and injection of malware/spyware/adware (via a man-in-the-middle).  

This may not be a big concern on your home network, but could be a real issue when using networks in hotels/restaurants/shopping malls/etc. (even some mobile operator networks).
 
Tim Holloway
Saloon Keeper
Unfortunately, DNS can be poisoned independently of HTTP traffic. DNS lookups are not done in HTTP(S), but rather by the client invoking the OS resolver subsystem.

Attempts have been made to make DNS more secure, but there was a big stink just this week about the latest way to break that mechanism.
 
Ron McLeod
Marshal
True - TLS doesn't prevent DNS spoofing, but unless the spoofed-to location has a valid certificate for the site, the TLS connection will fail.
 
Tim Holloway
Saloon Keeper

Ron McLeod wrote: True - TLS doesn't prevent DNS spoofing, but unless the spoofed-to location has a valid certificate for the site, the TLS connection will fail.

The latest attack apparently works through some sort of side channel protocol violation. So I wouldn't trust in certs alone.
 
Matthew Bendford
Master Rancher
Although this starts to get off-topic (sorry, I didn't mean to hijack), as you are all tagged with the staff badge I guess one of you may decide to split this off eventually.

Back to my point: I agree with you with today's knowledge and concerns, but even running a DNSSEC and DNS-over-HTTPS enabled local full recursive resolver, it's still no guarantee to be safe against the mentioned attack vectors. DNS spoofing is possible at all levels, even up at Verisign as the root zone maintainer. Sure, we all can witness the key ceremonies live on YouTube - but what about the US administration telling Verisign to do some changes to the .com TLD also maintained by them? They're also a major big player in the TLS PKI industry. So, with just one order the US government can silently and fully take over any .com domain while still maintaining full DNSSEC and providing a valid certificate.
Seen from this point there's effectively no difference between a well-secured site and another one without any at all. That's why, at least for me, as long as I just read stuff from such a site without actively interacting with it, like sending over user credentials, it doesn't matter if it's secured or not.
Don't get me wrong. I have my own domain secured pretty well (at least I hope so) and all I have used it for over the past years is my own e-mail and hosting a bit of stuff. I don't really need it and it sometimes bothers me to maintain it - but aside from a maybe worse anti-spam score rating it wouldn't affect my domain or my visitors at all.
 
Jesse Silverman
Saloon Keeper
I don't mind a bit, though if someone looked at it enough to see if it actually gave any better quality results than just hitting our favorite Google substitute, that would be interesting too.

Security is something that all professionals should be thinking and learning about all the time, because what we knew a year ago often looks hopelessly naive a year later.  So this is at least as important, and probably more so.

I am not crazy about the fact that several years ago I felt I could always, or at least very often tell who was behind whatever website, and now I very often can't -- in general I feel like the changes have unintentionally harmed good guys and protected bad ones -- this is bigger than any of us.
 
Don't get me started about those stupid light bulbs.