4

When going to Oracle's download site to download the JDK for EE, the download is over HTTP (not HTTPS) and the executable isn't signed. As far as I can tell, there are also no SHA1 hashes published, so I have no way to verify that the code hasn't been altered.

Does anybody know of a way to verify this or has Oracle not given any way to make sure this is secure?

Burgi
  • 6,768

1 Answer

1

Obviously, those md5 things are out of sight of most big software providers. You can go on the Oracle, IBM, or Microsoft sites; there will be no md5 signatures available. Even for their most expensive products! I guess they don't really take this risk as seriously as you do.

Anyway, there seems to be a workaround. Olex seems to provide signed downloads for various open-source/freeware products, and the JDK is in the pack!

Riduidel
  • 1,565