French E-voting portal requires insecure Java plugin

Summary: The French E-voting portal doesn't support the latest version of Java, and recommends that users keep using an insecure version of it if they want to vote.

Imagine you're an ordinary citizen who wants to vote online. As an IT-security-conscious user who knows that in 2012 the majority of vulnerabilities are found in third-party applications rather than in Microsoft's products, you regularly check Mozilla's Plugin Check service to ensure that you're not using outdated browser plugins that expose you to client-side exploitation attacks served by web malware exploitation kits.

What seems to be the problem? According to Benoit Jacob, the problem starts if you're a French citizen wanting to vote online, as the country's E-voting portal currently doesn't support the latest version of Java. If that's not enough, the portal recommends users to switch to an alternative browser since Firefox blocks older Java plugins for security reasons, or use the insecure Java version 1.6.0_32.

What we've got here is a great example of a security trade-off. Basically, if you want to vote online, you would have to expose yourself to the client-side exploits targeting older Java versions.

The administrators behind the E-voting portal could not be reached for comment. Let's hope the situation will be resolved soon.

Find out more about Dancho Danchev at his LinkedIn profile, or follow him on Twitter.


Talkback

2 comments
  • RE: French E-voting portal requires insecure Java plugin

    From the article:
    "the portal recommends users to switch to an alternative browser since Firefox blocks older Java plugins for security reasons, or use the insecure Java version 1.6.0_32"

    Isn't Java version 1.6.0_32 the current version of Java SE 6? The security baseline is actually Java version 1.6.0_31, no? And isn't Java SE 6 supported until November, 2012?

    P.S. I believe that the next update for Java SE 6 is this month, June, 2012. However, Java version 1.6.0_32 is currently offered for download on Oracle's web site.
    Rabid Howler Monkey
  • insecure?

    Does 'previous version from the current' = 'insecure'?

    Did the update address a specific known insecurity?

    So sick of sensationalistic faux news stories just to fill virtual space.
    g_ludlow