Clever research leading to the inevitable conclusion that Java is horribly broken:
This figure shows that JSSE clients allow the peer to skip all messages related to key exchange and authentication. In particular, a network attacker can send the certificate of any arbitrary website, and skip the rest of the protocol messages. A vulnerable JSSE client is then willing to accept the certificate and start exchanging unencrypted application data. In other words, the JSSE implementation of TLS has been providing virtually no security guarantee (no authentication, no integrity, no confidentiality) for the past several years.