Firefox's Blocked-By-Default Java Isn't Going Down Well
JG0LD writes "The Firefox web browser will, henceforth, require users to manually activate Java objects on sites that they visit, Mozilla has confirmed. This even affects up-to-date versions of Java, which you can see on the block list. The change is aimed at improving security and moving away from a dependence on proprietary plug-ins, but critics say it will cause untold headaches for developers, admins and less-technical end-users."
Didn't they learn from Microsoft? (Score:5, Insightful)
Users hate authorizing things, and become trained drones blindly okaying everything anyway.
As security models go, it's a poor one.
Headaches for developers? (Score:4, Insightful)
They should probably get their heads checked, why are they making Java apps for webpages still?
Already considering uninstalling firefox (Score:4, Insightful)
Most won't work in Firefox anyway (Score:1, Insightful)
They are coded for IE 6 and maybe up to IE 8 if it is very cutting edge with new css 2.1 glory.
In other words banks and corporate apps. The rest have moved on to flash and ajax last decade.
Webapps in Java were a way to make up for the shortcomings in Netscape 3 to imitate HTML 5 and AJAX today. Obsolete and done.
Like? (Score:4, Insightful)
moving away from a dependence on proprietary plug-ins
Like the browsers themselves?
Hey maybe we can get all the people at Adobe and Oracle laid off the same week. Wouldn't that be fun?
Isn't it great how the web is moving away from "proprietary plug-ins" and straight into proprietary mobile devices?
And look at the web users cheer. The people who built the web would recoil in horror at what you have allowed to happen to the Internet.
I give it five years, maybe six, and the Internet will be completely walled off by a McDonalds logo.
Re:Already considering uninstalling firefox (Score:2, Insightful)
What in the world are you using that requires a Java applet?
Re:Headaches for developers? (Score:2, Insightful)
Sounds like a security hole to me.
Untold headaches? (Score:5, Insightful)
Improve security?? (Score:4, Insightful)
There are two ways to improve security - lock out the user, or educate them.
Locking out the user is great - but it only works on NEW products, and if you don't have competitors. The reason it works well on NEW products is that the user isn't conditioned on what to expect. Remember, trying to change how people use their computer is an uphill battle. It works well when they do not believe they have alternatives.
Educating the user is harder, but that is the real fix. You aren't improving security by saying 'As responsible devs, our software won't do what you want'. Instead, make a two minute video showing them how $technology is flawed, and make them watch it ONCE. Then, let them choose whether to block $technology or live with it. Because right now they get fed up with Firefox (NOT Java), and click the little blue e.
And yes, it isn't a great hassle to keep using FF when you allow users to "click to allow $applet". But the pain is that I need to look at the little red icon in the address bar to permanently enable something [mozilla.org]. You might say that if I can't handle this additional step, I shouldn't be making a choice on whether to run an applet or not (but that is a bad road to head down). You could have just made a popup when I run an applet that says "Do you want to remember this setting?" - it doesn't fix the security problem, but the current solution doesn't either. At least this way, I don't feel frustrated at my browser for someone else's (Oracle, in this case) screw ups.
Re:Didn't they learn from Microsoft? (Score:4, Insightful)
So... they should disable all plugins like Java and Flash and not let the user authorize anything? That would never work [apple.com].
And Java still isn't secure. (Score:1, Insightful)
The whole point of all that byte-code stuff and just-in-time compilation was to keep Java programs in a sandbox where they couldn't affect the rest of the system.
FAIL.
What's the big deal? (Score:5, Insightful)
Oracle Java has ALSO decided, due to the persistent security problems due at least in part to having concurrent (i.e., old) versions installed (and the fact that the largest exploit kits have used Java as one of their main vectors for some time now, alongside Adobe Reader of course) to disable Java plugins in the browser by default in recent updates.
So, what's the big deal? This is the correct decision from a security perspective. I can't remember the last time I saw someone on the World Wide Web actually USE a Java applet for good, rather than for evil. And I'd have noticed, because even after all these years, it still runs like an absolute dog. It's the kind of thing you might use on a local application (such as Minecraft, which is what I think probably most people who still have it installed use it for now, albeit they'd likely have the 64-bit version which wouldn't have a working browser plugin in a 32-bit browser anyway!) or an intranet site (which is your administrator's problem, to re-enable it for that site only, or to use a different browser for the web and the intranet, which you can totally do and is good practice).
I've got many other criticisms about Firefox recently from a security and performance perspective - let's face it, it's just not the zippy, efficient browser it used to be, even relatively-speaking, it's lost its mojo and the security team have a reputation for having a slow, and fairly arsey, response - but this seems to be the right decision and they should be lauded for it. IE has also done it, as has Chrome.
Re:Untold headaches? (Score:5, Insightful)
You just succinctly explained why tools like NoScript are so desperately needed, not why they aren't. The real problem is Web design that serves an agenda contrary to the desires and rights of those who use the Web. Fix that problem and annoying tools like NoScript won't be necessary.
What that means, BTW, is that Web developers need to grow both a conscience and a spine and say NO when they're asked to code Bad Things. It also means that the pushovers and corporate plants over at the W3C need to stop adding crap to the standard that aids and abets these Bad Things.
Re:Didn't they learn from Microsoft? (Score:4, Insightful)
Fortunately it still works, it just won't give a security hole riddled platform automatic access to your PC.
Re:Already considering uninstalling firefox (Score:4, Insightful)
Anyway, generally warning people before loading any java applet: "This plugin is insecure" is great.
No, warning people before loading an insecure plugin that it is insecure is great. Warning people that a newly updated plugin with no known vulnerabilities is insecure confuses them and teaches them that your security messages are worthless and they should just click yes.
I don't think anyone is claiming that Java is some paragon of Internet virtue that should be trusted without question, or that blocking plugins from unknown sites until the user OKs them is necessarily a bad idea. However, crying wolf and creating obscure UIs and turning everyday software into nuisanceware isn't a good response.
Re:What need? (Score:5, Insightful)
If you are still developing/depending on applets, 1995 called they want their stupid ideas back.
Hi 2013, this is 1995 calling. When your new shiny toys have the portability and performance and flexibility that we had nearly two decades ago, and developers can write software using them with a reasonable expectation that it will still be working in 5 or 10 years (or even 1 or 2 years) without needing constant maintenance, then you get a vote. Until then, we'll keep our "stupid" ideas, because they've been helping us get useful work done since before you were born. Kthxbye.
Bad Things require Better Alternatives (Score:4, Insightful)
You do understand that without those Bad Things you so hate, there probably wouldn't be a Web worth saving, right? Someone has to pay the bills, and if you're not going to pay for content, you're not going to accept advertising, you want full privacy and security when using services you're not paying anything for... Who is going to write the cheque?
I hate DRM and spammy ads and privacy invasions as much as anyone -- more than most, probably, given that I really do give up on some things most people accept because I refuse to support the intrusions. But still, we live in the real world, and you can't just wish Bad Things away without proposing Better Alternatives. BTW, "everything I want should be free and unencumbered" is not a viable Better Alternative.
Re:Didn't they learn from Microsoft? (Score:5, Insightful)
Indeed, never trust basic security to users. Better to keep your workstations up-to-date & deal with the IT nightmare that is updating rogue workstations than to deal with the IT apocalypse of click monkeys.
Re:Is it time to fork Firefox yet? (Score:5, Insightful)
The number of support e-mails in my inbox this week from those users suggests that they aren't too happy about being "defended" in this way.
Re:Headaches for developers? (Score:4, Insightful)
Why is it surprising you can get access to hardware features with Java *if you approve it*? I can access hardware with Python after I approve it, and that proves very useful. It's all about granting lower level access from interpreted languages - they already ask when they need these permissions, what else do you want, a human sacrifice?
I mean, really - you can install a native plugin or you can run a Java applet - both require user intervention for this level of access. Maybe I am underestimating the human population, but when both explicitly tell you exactly what enabling them allows it really doesn't matter - you either allow it or you don't.
Re:Didn't they learn from Microsoft? (Score:4, Insightful)
Fortunately it still works ...
But it doesn't just work.
The browsers installed by default on the OS do. In fact switching back to them is even easier than installing the plugin. And yes some users will install the plugin, but some will change browsers instead.
This seems a blunt way to audit the security of plugins and one guaranteed to reduce user numbers.
Re:Didn't they learn from Microsoft? (Score:5, Insightful)
Yes, while I tend to agree with that notion, I also have to remind you that this is web Java applets we're talking about. Who does that any more? There are four places where I see that:
1. Business/Office web based apps (Documentum in my case)
2. Cisco "web interfaces"
3. An older HP print server "web interface."
4. Webmin (optional) controls for telnet/ssh and file management.
In each of those cases, I am very comfortable making those explicit exceptions. There may be more. Not wanting to speak for the whole world, but at this point, I can't imagine this being a huge problem. So anyone, please correct me if I'm wrong by providing other examples.
Re:Didn't they learn from Microsoft? (Score:4, Insightful)
It is not a security model. It is a responsibility model.
Now the responsibility lies even less with Mozilla and more with the user who installed Java in the first place.
If that user cannot take a hint, and becomes a trained drone, that is his problem. The only more secure thing to do would be to simply refuse running Java at all. Obviously that is even less realistic.
Re:Uses of Java applets (Score:2, Insightful)
Are you posting in Bizarro land?
Your own link tells us that over 91% of the users of chrome didn't even encounter a SINGLE java applet in a whole MONTH.
That's an absolutely overwhelming sign that Java is almost extinction-level rare in the web. Hell, I would bet that the rate of people encountering embedded MIDI files was much higher.
Re:Uses of Java applets (Score:5, Insightful)
Depending on who you ask, there are about 2.5B people using the Internet now. If we assume most of them use the Web and we assume that the pattern for Chrome is representative of the general population, that means more than 200,000,000 people used a Java applet at some point in the previous month.
Even I am surprised by that, but in any case, it seems you and I have very different ideas of what "almost extinction-level rare" means.
Comment removed (Score:3, Insightful)
Speaking as a professional Java developer... (Score:2, Insightful)
Who the fuck uses applets anymore?