Last year Marsh Ray found a vulnerability in TLS renegotiation (CVE-2009-3555). The Oracle Java folk responded by disabling renegotiation outright in the Java Runtime. That is a mitigation, not a fix: it breaks a large class of security-oriented sites, notably those that renegotiate to request a client certificate after the initial handshake. A rather large group of folk now find that their once-secure applications no longer work, and they are not happy.

At first there was no word from Oracle on a real fix … then I received this email.

Hi Preston, Good to hear from you. Have I told you what a fine group of folks there is at Oracle Java? No? That’s because there isn’t. [snip]

Anyway, I ended up talking with some people at Oracle (our SES in DC called the president of Oracle), and several people later a VP of security called me. Anyway, the fix will contain three implementations, low, medium and high security, and he claims it will take a significant amount of work in the application software to implement any of them. The release is expected by September. The gotcha is the VP told me that they will only release the JRE to licensed JRE users. I told him the JRE has always been a free download, and he responded with “free download, not free use”. In order to use the JRE you must have a support contract in place, and it appeared to him the DoD was a couple million licenses out of compliance. Apparently it was only free until they came up with this Java for Business thing they have now. In my experience it’s a very Oracle response. Quite the opposite of my dealings with Microsoft.

I guess time will tell…. [snip]

(Emphasis is mine. All identifying information removed.)

Well, we have an answer. Yikes.

To be clear, I believe Oracle is entitled to do whatever they want to make money from Java. Oracle bought Sun, and now they own Java. Sun had a different approach, but Sun failed. Also, what Oracle does in the long term may or may not match what the message above indicates.

On the flip side, I have to reconsider whether it makes sense to write code for the Java platform. If Oracle is fragmenting the Java platform and changing the cost to customers, using Java may no longer make sense. This may be the point where I start planning to move all future work off Java and away from the JVM.

Of course, there is open-source Java (OpenJDK), but I am not convinced there is the critical mass of interest required to make it a viable option. I would very much like to be wrong on this point, but for now I am skeptical.

Is Google’s Dalvik VM potentially a viable option? Might IBM’s investment in Java translate into backing for open-source Java? Is it time to move off the Sun/Oracle JVM entirely?

Time to revisit choices made long ago….