Another Online Banking - Java

roth21cz
edited January 2013 in Safepay

Almost all banks in the Czech Republic are using Java for online banking, so, from what I read, it is impossible to use Safepay now. Is there a deadline for a fully operational Safepay with Java? And if using Java is a risk, why are banks using it?

Comments

  • Hello,


    Thank you for your feedback!


    Allowing Java in Safepay is under analysis. Our Lead Developer has discussed it in this topic. We do not have a deadline for this yet.


    You can read here about the latest critical Java exploit. We are not in a position to answer your question - why banks are using Java - as it is a decision of their own.


    Best regards!


    Andrei Burdun


    QA Engineer

  • camarie
    Principal Software Developer, BD Staff
    First of all it would be great if the drivers actually worked properly and then we can worry about java used by online banking systems.


    Things are more complex regarding Java (that is, almost *any* program assuming everything is running in the user Default desktop, unfortunately).


    I have tried for almost 3 weeks to enable Java in Safepay (and I have to put this on hold because of other implementations).


    I understand that this is quite a limitation - albeit one that comes from a conflict between what Safepay is, on the one hand (a browser with an attack surface as limited as humanly possible), and Java, on the other hand (which runs external content on the local machine).


    Actually I have enabled Java (in a development) and the plugin is loading in the Safepay context. It is a combination of a number of factors (the WebKit runtime, the Java plugin itself, the fact that the plugin is windowed and not windowless as Flash is, for example) which allows loading of the plugin, but it is the *content* of the plugin (the JAR files, more specifically) which is not working correctly.


    I will resume work on this ASAP, but I cannot release an implementation which is not working as expected. It seems nobody has tried to run a plugin in one desktop and the Java runtime in another desktop; that is what I suspect to be the main reason here.


    I will post news in the Java-related forum thread as soon as I have news, either good or bad (let's hope good).


    Regards,


    Cristian

  • I was not talking about the implementation of the Java plugin in your Safepay application.


    The issue is that the filters of your firewall drivers and the drivers for the Safepay application "Sandboxing" driver do not work properly anyway, thus making you vulnerable when using your Safepay application for online transactions. Even implementing the Java plugin would not make a difference whatsoever.


    I don't know how Safepay works but my guess is that it works like avast! Safezone, which does not sandbox anything. Sandboxing keeps everything in the sandbox, including bad stuff you have downloaded using a program that is sandboxed. The bad stuff is still on your computer even when using a sandbox, but the sandbox prevents the bad stuff from getting out and infecting your entire system. Their Safezone works differently. It basically is surfing in stealth mode and keeps bad stuff from getting onto your computer. In other words, sandboxing works inside out by preventing bad stuff from getting out into your system, and their Safezone works outside in by using stealth technology and preventing bad stuff from getting in in the first place.


    I don't know but I would guess Safepay works along the same principles as Safezone and does not sandbox anything.


    As far as the driver issues go, please provide a link to a proof of concept on this issue as I would love to read it. Thanks.

  • I have already provided my findings regarding the driver issues to the tech team, from which I never received an answer or any response, btw.


    As you can see also in my post here, I have replied to a moderator of this forum, who again in this case did not even bother answering my reply to him.


    According to my findings they have disabled some features in order to fix another issue, and since there was no response from them whatsoever, I don't need to provide any proof.


    I think every Bitdefender user has a right to see what you found out.


    Seems kind of odd that you won't make the information publicly available but make your complaint pretty darn public.


    There are a number of tech-savvy people on this forum.


    Sorry pal but I am a doubter of all kinds of "public" claims without public substantiation.