Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
4.2.2
Description
The constructor signatures for creating an SSLSocketFactory take a java.lang.String as a parameter. This can lead to potential attack vectors because the password will be stored within the string pool of the VM. As a suggestion, in a future version, deprecate this API and add a signature taking a char[] parameter. This way the value of the password will not be cached for an excessive duration and will be garbage collected when out of reference.
This is based on recommendations from the GIAC Secure Software Programmer for Java course.