D-Link Forums

The Graveyard - Products No Longer Supported => IP Cameras => DCS-930L => Topic started by: nullit on July 05, 2018, 06:43:59 AM

Title: Java (or D-Link) Strikes Again ?
Post by: nullit on July 05, 2018, 06:43:59 AM
Suddenly one cannot get live video at the cam's browser setup page, nor at any other cam viewer application using Java.
The pop-up message box reads : Application Blocked for Security. Certification has been revoked. The application will not be executed.

The error message's "More Information" button shows that java.security.cert. got revoked for reason:UNSPECIFIED on Jul 03, 2018, apparently by Symantec.
However, proceeding to "View Certificate Details" reveals it is valid till "Thu Sep 20 19:59:59 EDT 2018".
Closing the error message and following the setup page's invitation in the "Live Video" window to "Click for details" reveals the Name: of the application as "cvcs" and, under button "More Information", that "User has denied the privileges to the code".

So, D-Link either requested the certification revoked, or they simply removed the "cvcs" code without warning. I have not been able to find a D-Link rep. or tech. with an answer other than DCS-930L is being discontinued and that there are newer cams around.

I have 7 of these cams operating and an associate of mine another 4, but all virtually dead since July 3. Any info as to what is going on is urgently needed.

Thanks in advance.
.....
PS.: Browsers: FF ESR 52.9.0 and IE 11.112.171340. DCS-930L FV=1.16
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on July 05, 2018, 07:16:01 AM
D-Link recently discovered that two of its code signing certificates were misappropriated. Upon discovery, we immediately decommissioned the certificates and investigated the issue. Like several other companies in Asia, D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong. The two affected D-Link certificates were revoked, effective July 3rd, 2018. New certificates have been issued to resolve this problem.

Most D-Link customers will not be affected by this issue. However, if you have concerns, please check your local D-Link Support website regularly for updates. D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. D-Link will continuously provide updates signed using our new digital certificates.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: Vesku on July 09, 2018, 11:30:32 PM
So, I can’t use my 5020 camera because of this and I don’t find any updates. What should I do to get the camera to work?
Title: Re: Java (or D-Link) Strikes Again ?
Post by: Dossier on July 10, 2018, 06:24:46 AM
Hello.  Where can I obtain the new certificate(s) referred to?  We are using DCS-5009L cameras.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on July 10, 2018, 07:31:10 AM
D-Link is working on the new certificates. I am not sure if this will only affect the plug-in and/or new firmware for affected products.

You can still use the mydlink Lite or mydlink apps to configure/view your cameras.

View this periodically for updates - https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10089

As stated in the above link,

1. New firmware for affected models are being developed and tested.  The mydlink mobile application will notify you to update for registered cameras in the event of a new firmware release.

2. This issue will not affect the mydlink mobile applications.  This certificate revocation affects viewing and configuring the camera from within a web-browser.

3. If you require the use of the web-browser, you can reconfigure your browser temporarily to ignore the revoked cert. Please note this setting should only be used during the use of camera, and otherwise turned back to default.

For Mac OSX:
Go to System Preferences > Java > Advanced > "Perform signed code certificate revocation checks on", select "Do not check (not recommended)"

For Windows:
Go to Control Panel > All Control Panel Items > Java > Advanced > "Perform signed code certificate revocation checks on", select "Do not check (not recommended)"
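
An added example (not part of the original thread or of D-Link's advisory): a Python check to run after using the workaround above, to confirm the Java revocation check was switched back on. It assumes Oracle Java's deployment property `deployment.security.revocation.check` and the usual per-user `deployment.properties` locations; the sample file content is constructed.

```python
import re
import sys
from pathlib import Path

# Key behind the Java Control Panel option "Perform signed code certificate
# revocation checks on"; NO_CHECK corresponds to "Do not check (not recommended)".
KEY = "deployment.security.revocation.check"
DISABLED_VALUE = "NO_CHECK"

# Constructed sample: a profile where the workaround was never reverted.
SAMPLE_WORKAROUND_LEFT_ON = """\
#deployment.properties
deployment.version=8
deployment.security.revocation.check = NO_CHECK
deployment.user.security.exception.sites=C\\:\\\\Users\\\\demo\\\\exception.sites
"""

def parse_properties(text):
    """Parse the .properties subset used here: '#'/'!' comments, '=' or ':'
    separators, backslash escapes and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:   # sentinel flushes a dangling continuation
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2:   # odd trailing backslashes
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2)).strip()
    return props

def revocation_status(text):
    """Classify one deployment.properties body as disabled / enabled / default."""
    value = parse_properties(text).get(KEY)
    if value is None:
        return "default"   # key absent: Java's built-in default applies
    return "disabled" if value.upper() == DISABLED_VALUE else "enabled"

def candidate_files(home=None):
    """Per-user file locations on Windows, macOS and Linux (assumed defaults)."""
    home = Path(home) if home else Path.home()
    return [
        home / "AppData/LocalLow/Sun/Java/Deployment/deployment.properties",
        home / "Library/Application Support/Oracle/Java/Deployment/deployment.properties",
        home / ".java/deployment/deployment.properties",
    ]

def audit(paths):
    """Return (path, status) for every candidate file that exists."""
    return [(p, revocation_status(p.read_text(encoding="latin-1")))
            for p in paths if p.is_file()]

if __name__ == "__main__":
    findings = audit(candidate_files())
    for path, status in findings:
        print(f"{status:9} {path}")
    if not findings:
        print("no deployment.properties found for this user")
    sys.exit(1 if any(s == "disabled" for _, s in findings) else 0)
```

The script exits non-zero when any profile still has the check disabled, so it can be dropped into a scheduled task or login script on machines that are used to view the cameras.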
Title: Re: Java (or D-Link) Strikes Again ?
Post by: Libertarian on July 11, 2018, 09:19:04 AM
 >:(

I've had it.  I'm never buying another DLink camera again.

The ONLY browser you can use to connect to the camera is IE, run as admin because JAVA is insecure.

Now I can't even set up the cameras I've bought in the last year because the certificate has been revoked.  And changing  the setting under JAVA in the control panel does nothing to fix the inability to set the motion detection.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on July 11, 2018, 09:37:05 AM
You should be able to use FF ESR browser with these cameras.
http://forums.dlink.com/index.php?topic=66483.0
Some browsers like Chrome and FF standard browser now block plug-ins. FF ESR still allows plug ins.

D-Link is working on new certificates...

FYI:
     "This product has been discontinued.
    Free support for this product will end on 10/31/2018"

Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on July 12, 2018, 06:29:44 AM
So, we've been down for over a week now. May we expect new certificates/firmware before "free" support ends or will we need to pay D-Link for firmware updates after 10/31/2018, - or will they be offered at all after that date ?? 

.....
Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on July 12, 2018, 06:52:46 AM
You should be able to use FF ESR browser with these cameras.
http://forums.dlink.com/index.php?topic=66483.0
Some browsers like Chrome and FF standard browser now block plug-ins. FF ESR still allows plug ins. This works for my 933L.

D-Link is working on new certificates...Will probably come in a FW update.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on July 12, 2018, 07:02:00 AM
D-Link doesn't charge for firmware upgrades. They will only charge if you call in tech support after the "last day of support" date which is on the support website.
 
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on July 13, 2018, 08:15:13 AM
My concern is that there may indeed be no firmware update to fix the DCS-930L when support ends in a couple of months, - much like what was the case with the DCS-920 when support for that cam ended in July 2013 and a similar Java security problem killed browser-based live video virtually the same month !

.....
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on July 13, 2018, 08:28:36 AM
Well from what I heard this issue is with the plug-in, not the camera so hopefully no need for firmware upgrades. Most security fixes still happen with discontinued products. The DCS-930L is new enough to still get updates for a while. Generally when updates stop is when the vendor no longer exists or the chip is too outdated to fix.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on July 15, 2018, 03:41:06 PM
We've been down for over two weeks now with no tangible remedy or updated news forthcoming. Seems a safe bet to immediately move to alternate cam hardware options as D-Link's "dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures" have yet to meet and seriously address this past-evolving issue and service their current customer base.
 
Yes, we are not happy !!

....
Title: Re: Java (or D-Link) Strikes Again ?
Post by: Dossier on July 16, 2018, 12:55:16 PM
Down for 2 weeks as well.  We are a small company but it would still cost hundreds of dollars to replace the cameras.  Not to mention the time involved.  Very disappointing but par for the course today.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on July 16, 2018, 12:57:17 PM
Has anyone used IE x32 version browser to access and view the camera's video on its web page? It's working for me and my 933L.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on July 18, 2018, 03:10:20 PM
My 32bit IE does not work. Same message "Application Blocked". Show us your date stamped screen shot, please ! 
Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on July 18, 2018, 03:33:35 PM
(https://image.ibb.co/my92eJ/DCS933_LIE11x32.png)
Both Windows 7 and 10 x64 versions
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on July 19, 2018, 10:23:43 AM
Great shot, but your 933L has different firmware, viz. different live video options.
Options for 930L are ActiveX and Java only, - and one wonders what's stopped D-Link from fixing evolving Java and ActiveX security issues a long time ago for the 930L (and 930LB). Incidentally, have yet to hear if long obsolete ActiveX actually worked for anyone.
Wonders also if 933L firmware might install on the 930L. May be worth a try since the cams are virtually dead anyways.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on July 19, 2018, 11:37:15 AM
The 933L still uses JAVA. I set up the IP address in Java exceptions as well.

You might check your activeX settings as well.

The FW won't load on the 930L.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on July 19, 2018, 03:52:14 PM
But your 933L likely won't show a live image using Java. Try it !.  So, too bad current 930L firmwares didn't get H.264 and MJPEG options. Seems like an easy fix for D-Link to implement. - - - Yet, we are waiting !!
 
Meantime, let me check my ActiveX and Java settings/exceptions. Back to you shortly.
 
.....
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on July 20, 2018, 08:37:47 AM
The 930L will never get h.264 and mjpeg options since it has been discontinued for a while and the vendor/chipset may not support it, therefore it is not an "easy fix to implement". It was one of the first mydlink cameras (I still have mine working 24/7 for years, still going strong) so it will not have the feature set of newer models.

Are you viewing your camera for large amounts of time using the GUI or mydlink.com? If you read the advisement --> https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10089 under recommendations there are instructions to temporarily disable certificate verification, or you can use the mydlink apps since they were not affected.

I know this can put things at risk ONLY AND ONLY IF you go to web sites or use applications with untrusted certificates at the same time as you are viewing your camera. So you can disable certs verification, view your camera, and then enable it again before web browsing until D-Link gets this fixed, or use the app. Obviously not the best solution but it is a temp workaround until this gets fixed.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on July 21, 2018, 10:42:30 AM
@ FurryNutz : Live video in 930L's set-up web page works when configuring old ActiveX for IE following Micro$oft's online instructions but, re. same, we're compromising security much like with the current D-Link recommended revoked Java certificate work-around (SAP10089).
Seems ActiveX hasn't worked with Firefox since version 3, and I really won't bother experimenting with complicated IE emulation for Chrome, - if still applicable.
In Java, using the exceptions list doesn't seem to work, neither for IE 11 nor for FF ESR. Error message reads "- because jar file on different domain is not included on the list", - and how the heck is one to tell where the "jar" is located ?

@GreenBay42 : Interesting remark that 930L will never get mjpeg option. Like for the DCS-920 the datasheet specifies MJPEG as an available video codec and Firmware Release Notes do not mention it was ever removed. Perhaps still there in a hidden WebGUI page which could be (re)enabled.
And yes, there are the awkward temporary work-arounds but I cannot expect people I share the video with via the internet to fiddle around with their PC setting on a daily basis. So, after nearly three weeks in the dark, - and judging by the DCS-920 experience, it's doubtful we'll be notified "- in the event of a new firmware release" this close to the end of support.
It was another short D-Link IP cam run, - too short !

..... Cheers.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: TelfordPa on July 21, 2018, 11:06:42 AM
We don't need Java for the cameras; they work just fine without Java... I don't have Java on the Windows 10 laptop I'm on now.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on July 21, 2018, 12:54:23 PM
The use of IE11 and activeX is only a short term work around until D-Link comes out with a fix for this.

Also you can use other means to access video from cameras as well, D-View Cam comes to mind...

You sure you have Java installed correctly? I'm using Java x32 on Windows 10x64 and it's working here for me...

Title: Re: Java (or D-Link) Strikes Again ?
Post by: pspens on July 22, 2018, 09:24:27 AM
I was able to set the motion detection after disabling Java certificate revocation check in the Java Control Panel (I have a 5030L).  So this is a workaround.  Important to change the setting back after you're done configuring Motion/Sound detection, otherwise other Java applications are insecure.

To admins:  once a new certificate is created, how do we obtain it?
Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on July 22, 2018, 12:10:38 PM
Will come from D-Link. Probably a FW update. D-Link is aware of this. Please be patient.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on July 24, 2018, 07:49:48 AM
This fix will come via firmware for your camera. Unfortunately depending on the vendor and age of the camera updates may take several weeks or longer.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on July 24, 2018, 09:34:53 AM
I just received DCS-930L Revision B and DCS-932L Revision B firmware to fix the certificate issue. I will post shortly.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on July 24, 2018, 09:46:01 AM
YAY. Hope the 933L gets one too.  ;D
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on July 24, 2018, 10:20:06 AM
DCS-930L - Revision B1/B2 - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-930L/REVB/DCS-930L_REVB_FIRMWARE_v2.16.01.zip

DCS-932L - Revision B1/B2 - ftp://FTP2.DLINK.COM/PRODUCTS/DCS-932L/REVB/DCS-932L_REVB_FIRMWARE_v2.17.01.zip
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on August 12, 2018, 08:25:20 AM
There's likely way more DCS-930L out there than newer DCS-930LB, so why did this cam get fixed and not the DCS-930L, and why didn't they get fixed kind of simultaneously? Both got killed at the same time!
Oct. 31, 2018 still lists as end of support for DCS-930L but absence of a firmware update now after another three weeks delay would imply its "End of Life" date quietly got moved ahead of its "End of Support" date, or did D-Link just forget ?

Title: Re: Java (or D-Link) Strikes Again ?
Post by: FurryNutz on August 12, 2018, 11:28:56 AM
Rev A model getting a fix:
http://forums.dlink.com/index.php?topic=73913.0
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on August 13, 2018, 07:52:56 AM
End-Sept'18. Remarkable!
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on August 13, 2018, 09:06:03 AM
Rev A and B had different chipsets. Rev A is from Oct 2010 which, as you know, in tech years is a long time ago. D-Link has to contact the vendor for a fix and then write it into the D-Link firmware. Unfortunately this can be a long process.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on August 14, 2018, 12:56:12 PM
I appreciate your point, but three months is an unreasonably long time when, while D-Link is no Micro$oft, ancient WinXP got updates each month until 2014 (and again in early 2017 to fix WannaCry), and 2009's Win7 will receive automatic security fixes until 2020. Wish D-Link could keep up.

.....
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on August 14, 2018, 01:15:36 PM
I agree it is a longer time frame than expected but the difference is Microsoft is the manufacturer (and software, and have like 6 products) - they are the programmers, and software does not need to go through certifications such as FCC, CE, Wi-Fi, etc. like hardware does. That all takes time. Apples and oranges.

We apologize for the wait and inconvenience. There are work arounds if you need to configure and/or view your camera via web browser/mydlink.com.  The mydlink apps are not affected so you can use it to configure and view your camera.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on October 08, 2018, 02:15:27 PM
Hey,

Just noticed end-of-September came and went, - and no fix nor update notice. Just saying !

Cheers,

…..
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on October 09, 2018, 07:14:30 AM
I know....  ::)   I will send another email to check the status.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on October 31, 2018, 10:06:20 AM
So, they are ignoring you too, - on this last day of Free Support.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: nullit on November 15, 2018, 02:15:12 PM
Noticed D-Link have now simply removed "By end of September" for release of "Fixed Firmware" (https://tinyurl.com/y8mw9ook), i.e. have evidently given up on restoring versatility to 75% of the devices killed nearly 5 months ago.
Note to self: Must shop elsewhere for networking and communications gear !!!

..... Cheers.
Title: Re: Java (or D-Link) Strikes Again ?
Post by: GreenBay42 on November 15, 2018, 02:24:05 PM
D-Link removed the estimated time frame as the updates are delayed. The US office have been trying to get more information from the engineers and vendor on these fixes. I completely understand your frustration.