Firefox's Blocked-By-Default Java Isn't Going Down Well 362
JG0LD writes "The Firefox web browser will, henceforth, require users to manually activate Java objects on sites that they visit, Mozilla has confirmed. This even affects up-to-date versions of Java, which you can see on the block list. The change is aimed at improving security and moving away from a dependence on proprietary plug-ins, but critics say it will cause untold headaches for developers, admins and less-technical end-users. "
Didn't they learn from Microsoft? (Score:5, Insightful)
Users hate authorizing things, and become trained drones blindly okaying everything anyway.
As security models go, it's a poor one.
Re:Didn't they learn from Microsoft? (Score:5, Insightful)
Indeed, never trust basic security to users. Better to keep a your workstations up-to-date & deal with the IT nightmare that is updating rogue workstations than to deal with the IT apocalypse of click monkeys.
Re:Didn't they learn from Microsoft? (Score:5, Insightful)
Yes, while I tend to agree with that notion, I also have to remind that this is web Java applets we're talking about. Who does that any more? There are four places where I see that:
1. Business/Office web based apps (Documentum in my case)
2. Cisco "web interfaces"
3. An older HP print server "web interface."
4. Webmin (optional) controls for telnet/ssh and file management.
In each of those cases, I am very comfortable making those explicit exceptions. There may be more. Not wanting to speak for the whole world, but at this point, I can't imagine this being a huge problem. So anyone, please correct me if I'm wrong by providing other examples.
Re:Didn't they learn from Microsoft? (Score:4, Interesting)
Yes, while I tend to agree with that notion, I also have to remind that this is web Java applets we're talking about. Who does that any more? There are four places where I see that:
1. Business/Office web based apps (Documentum in my case) 2. Cisco "web interfaces" 3. An older HP print server "web interface." 4. Webmin (optional) controls for telnet/ssh and file management.
In each of those cases, I am very comfortable making those explicit exceptions. There may be more. Not wanting to speak for the whole world, but at this point, I can't imagine this being a huge problem. So anyone, please correct me if I'm wrong by providing other examples.
Most online banking systems in Scandinavia use Java applet. Same Java-based id/login system can be used for many public services and for web shop payments. They are working on moving away from it, but for now being able to do online banking is a pretty key requirement for most users. I have Chrome set up with my bank as only trusted site where the Java applet is activated, for all other sites it is deactivated. As long as my bank is not compromised and serving malware through Java vulns that should be ok.
As for Flash, many people seem to think that HTML5 video support can replace Flash, but then you are not aware of the huge amount of popular Flash games out there. As a tower defense game addict Flash is just a necessity for a long while still.
Re:Didn't they learn from Microsoft? (Score:5, Interesting)
As I run adblock and noscript, I'm already extremely comfortable with the white-list approach to securing browsers... so grains of salt in all of that -- users are not usually accustomed to the concept. I hadn't considered it when I first posted at 3-something AM this morning in my sleep. That said, it's useful to know that there are indeed still public/internet facing sites out there using Java. Shame on them.
Re:you don't need flash (Score:4, Informative)
just like PDF.js can replace PDF plugins in browser
pdf.js is garbage. I never thought that anyone could write a PDF reader worse than Adobe Reader, but they did. It butchers at least half of the documents I view – other open source alternatives such as Sumatra handle them just fine. And even when it does work, it's incredibly slow, and the rendering is crap quality.
The Mozilla team really needs to give up on the experiment of PDF via JavaScript, and add a working viewer that uses native code.
Re:Didn't they learn from Microsoft? (Score:5, Informative)
Actually it's not an authorization dialog, but a "click-to-play" on the embed objects. You can get the same functionality already by setting plugins.click_to_play to true in about:config. That is just going to be a default setting on new installs, but you can set it to false. I set it to true myself, because it is useful to not have arbitrary Flash code to just start running (and playing).
The gamble Mozilla makes is that because of the extra step, companies will move to putting content into HTML5 rather than external plugins, because it makes their website more clunky. They also do replace external PDF viewer plugins with a HTML5/JS based one [mozilla.org], so it is a coherent strategy towards open technologies. There are plenty of benefits if it works out, security is one of them. And it's a phased, non-invasive method, which can be disabled.
Re: (Score:3)
Why don't they "just" write a secure Java virtual machine? I guess they can even run javascript inside the same VM, so a unified approach.
And Google recently developed an efficient sandbox called NaCl, so why not follow them? They could even run Java inside NaCl to add another layer of security. Hell, they could even run the complete browser inside NaCl, so Firefox would run on Chrome too :)
Re: (Score:2)
Why don't they "just" write a secure Java virtual machine?
I'm pretty sure Oracle would sue them into the ground...
Re:Didn't they learn from Microsoft? (Score:4, Informative)
If there was a better cross platform alternative I'd switch to it.
They do have a VM (Score:5, Informative)
I guess they can even run javascript inside the same VM, so a unified approach.
In fact they already have a VM they use for javascript (the whole -Monkey family), and their VM is even able to compile to native. Not only JIT, but even more so for specially crafted javascript called ASM.js (it standard Javascript, that only use those features which translate nicely into machine code: doesn't use dynamic typing, only uses safe typing, etc.) enabling near-native speed for some code.
In theory, it should be possible to create a process which recompiles java byte-code into ASM.js and feeds it into the VM for nearly-native speeds.
In practice, Java is a huge pile of complicated mess, and thus lots of applications end-up being highly dependent on Sun/Oracle/IcedTea Java and not run well on any other implementation (like GCJ), mostly because of missing classes or whatever. So you'll end with something as good at running Java as currently Gnash is at running Flash - more or less works broadly on theory, but breaks on lots of specific cases. Given the current market for java (bazillions of inhouse applet in businesses) it is going to be hard to test every case. Whereas Gnash only breaks on some stupid casual games and video player for cute kittens (and pr0n), a Java-reimplemented-in-the-browser would probably break business intranets and core business applications.
The only possible solution, is implementing only the bytecode execution itself (transcode Java bytecode into ASM.js - like pluging GCJ to LLVM to emscripten to odinmonkey, for example). Ant then re-use the opensourced classes from IcedTea and co. But then you're again running the original java with all the original bugs, only on a different platform. If a bug in the official libraries enable an attacker to steal encryption keys from other apps, this is still going to put your bank's e-banking applet at risk, no matter if said applet runs on an uncrashable Mozilla OdinMonkey VM or the official Oracle JVM.
And Google recently developed an efficient sandbox called NaCl, so why not follow them? They could even run Java inside NaCl to add another layer of security.
NaCl isn't really a sandbox. It's only a special way to package executable native code, with limitation of what said code can do. It's some security restrictions (NaCl applications can only run a subset of the whole API available to normal applications and aren't allowed to run some instructions), stacked on top of the pre-existing Google Sandboxes (each into its own process)
Even if you use a JVM running as a NaCl application, you've only partially solved the stability problems (JVM crashes less, and when it crashes, it doesn't take the whole browser with it). You haven't solved security (obscure stupid java classes leaks encryption keys or password due to bad design).
Also note that NaCl is completely against Mozilla's approach and will never get implemented. Mozilla simply doesn't want binary code, because it's limiting (NaCl only runs on x86 and ARM), and still a security problem (even if it's much better then ActiveX, you're still sending executable code from the internet into a browser).
Still PNaCl is probably where everything will be heading: this time it's not the actual binary which is shipped, but the previous step in the compilation process - the LLVM bytecode. Google can still compile it into NaC (and run better security checks at compile time). And mozilla can use it to compile it with emcripten into ASM.js. It's now much more portable (you could run it on MIPS for exemple), and much more secure (when compiling ASM.js, memory access are translated into read/writes to/from an array instead of random memory writes).
Hell, they could even run the complete browser inside NaCl, so Firefox would run on Chrome too :)
If you want, you can even use Firefox to run one of the virtual machines written in Javascript, boot a virtual Linux distribution and run Chrome on it.
ASM.js (Score:3)
Mentioning JavaScript and "ASM" (presumably not standing for assembly)
Indeed, ASM.js in not assembly.
It's a subset of javascript, more precisely, its that specific part of Javascript which maps nicely to concept which are easy to compile into machine code.
For example it doesn't relly on dynamic typing (Instead it uses type-tagging to clearly mark which variables contain which data type).
It doesn't use Javascript managed memory handling and garbage collector, it simply use a huge array as a stand-in for virtual RAM,
Also only use a specific subset of Javascript API which can be
Re: (Score:3)
They also do replace external PDF viewer plugins with a HTML5/JS based one [mozilla.org], so it is a coherent strategy towards open technologies. There are plenty of benefits if it works out, security is one of them. And it's a phased, non-invasive method, which can be disabled.
Yeah the inbuilt PDF viewer is great: it has worse unicode support than slashdot, often fails to correctly render diagrams and is slower than the adobe plugin.
Thankfully I occidentally found a way to make it default back to the Adobe plugin. If they want to keep users they need to stop removing functionality and adding half backed security systems that are very hard to disable.
Sadly there isn't a better alternative at the moment, but already there are a few sites I switch to IE to view...
Re:Didn't they learn from Microsoft? (Score:4, Insightful)
It is not a security model. It is a responsibility model.
Now the responsibility lies even less with Mozilla and more with the user who installed Java in the first place.
If that user can not take hint, and becomes a trained drone, that is his problem. The only more secure thing to do would be to simply refuse running java at all. Obviously that is even less realistic.
Re:Didn't they learn from Microsoft? (Score:4, Insightful)
So... they should disable all plugins like Java and Flash and not let the user authorize anything? That would never work [apple.com].
Re: (Score:3, Insightful)
Re: (Score:3)
A locked down control freak company cuts out anything that would compete with their appstore crapstore and you APPLAUD that shit?
Applaud? All I see is someone being sarcastic, saying that something will never work, while pointing to a company that made that thing work. I see nothing in Doh!'s short post that indicates approval of it. Would you mind pointing it out?
Re: (Score:3)
And yet in the journal entry you say:
Re:Didn't they learn from Microsoft? (Score:4, Insightful)
Fortunately it still works, it just won't give a security hole riddled platform automatic access to your PC.
Re: (Score:3)
But when the context of "work" is market share, it's TOTAL FAIL. General consumers really don't give a shit if it's the most secure platform on the planet if it's nigh useless in practice. Or are you one of the dozens of people using NetBSD?
Re: (Score:3)
More like:
Farewell James,
https://en.wikipedia.org/wiki/James_Gosling [wikipedia.org]
I think you've done the right thing leaving when Larry bought your former employer out.
Re:Didn't they learn from Microsoft? (Score:4, Insightful)
Fortunately it still works ...
But it doesn't just work.
The browsers installed by default on the OS do. In fact switching back to them is even easier than installing the plugin. And yes some users will install the plugin, but some will change browsers instead.
This seems a blunt way to audit the security of plugins and one guaranteed to reduce user numbers.
Re:Didn't they learn from Microsoft? (Score:5, Informative)
Chrome ? I wouldn't count on that:
"By the end of 2014 Google intends to completely remove the Netscape Plug-in API."
http://www.infoq.com/news/2013/09/NPAPI-Depricated [infoq.com]
Re: (Score:3)
end of 2014 is still ways off...
and anyhow, I guess the policy is due to them having their own competitor for the api....
Re: (Score:3)
Sure and who is gonna port Java to the new plug-in API ?
Re: (Score:3)
They could do it, but I doubt they would care.
Headaches for developers? (Score:4, Insightful)
They should probably get their heads checked, why are they making Java apps for webpages still?
Re:Headaches for developers? (Score:5, Informative)
In my case, applets for doing signatures with USB signature tablets. Can't do that in JavaScript.
Re: (Score:2, Insightful)
Sounds like a security hole to me.
Re: (Score:2)
Erh... I don't really know the exact specs of your application now, but so far I can't think of any constellation in which this isn't a security risk waiting to explode.
Re:Headaches for developers? (Score:5, Informative)
Because Java allows native access to USB hardware. Haven't seen that in Javascript.
And no offense, but do you know what a digital signature is? Having the source code to the algorithm doesn't affect security. That would be like saying "I know how AES works, therefore I can decrypt all AES-encrypted data!" Doesn't work that way.
Re: (Score:2, Interesting)
Javascript not having USB access sounds like a good thing to me.....
I'm actually surprised you can do that with Java.
Actually a good work around would be to expose your USB token as a image device.
Use HTML5 (or god forbid Flash) to extract the encoded data from the image presented.
Little bit clunky but it would work everywhere without any setup.
Re:Headaches for developers? (Score:4, Insightful)
Why is it surprising you can access to hardware features with Java *if you approve it*? I can access hardware with Python after I approve it, and that proves very useful. It's all about granting lower level access from interpreted languages - they already ask when they need these permissions, what else do you want, a human sacrifice?
I mean, really - you can install a native plugin or you can run a Java applet - both require user intervention for this level of access. Maybe I am underestimating the human population, but when both explicitly tell you exactly what enabling them allows it really doesn't matter - you either allow it or you don't.
Re:Headaches for developers? (Score:5, Interesting)
Because Java allows native access to USB hardware.
Maybe that's a darn good reason for requiring people to authorize Java applets manually!
Re: (Score:3)
And another useful thing about Java is that is has a very mature set of security domains. If anything, it was basically the proving grounds for all of the current iOS and Android apps in that regard. OBVIOUSLY it will of course ask you before running an applet that tries to access devices like that. When the applet wants to access hardware, ask. When it doesn't, don't. Seriously, your /. ID isn't that high, have you really never seen this before or are you just trolling?
Re: (Score:3)
It's on the list/planned to add eventually:
https://wiki.mozilla.org/WebAPI [mozilla.org]
http://www.w3.org/2011/07/DeviceAPICharter.html [w3.org]
Re: (Score:3)
Indeed! And to hackers, machine language or byte code is equivalent to source anyway...
Re: (Score:3)
Say that to all these MOD developers who decompile Minecraft to be able to create and update their mods. They have still not understood that they can't do that ! :)
Re: (Score:2)
Bytecode, sourcecode, a rose by a different name...
Re:Headaches for developers? (Score:4, Informative)
I don't know... they built a substantial client-side Java app some years ago, it still works, and they don't feel the urge to reinvent a perfectly good wheel. E*Trade Australia still uses client-side Java.
Uses of Java applets (Score:5, Informative)
Must we have this troll comment every time someone mentions Java applets?
Java applets are commonly used, as they have been for many years. According to this Chromium blog post from September 2013 [chromium.org], 8.9% of Chrome users had launched something using the Java plugin in the past month.
Among the common uses that get mentioned every time this discussion comes up are: public access to banking and government systems in various countries, games, user interfaces for devices (scientific equipment, network infrastructure, all kinds of examples), access to local hardware devices that aren't yet available via newer technologies, some popular teleconferencing and VPN software, and little demo graphics written by academics to go on their web sites a decade ago that are still just as relevant today.
In other words, just because you don't use Java applets yourself or know when they're still useful, don't assume everyone else is in the same situation.
Re: (Score:3)
Exactly.
In some cases you can see that the use of a Java Applet is a shortcut (VPN for instance) but in others, there's no other way around because browsers aren't allowed to do some stuff (like USB, which I'm perfectly fine with). Saying it isn't so is because you don't have enough data to take an informed decision... or simply because you're trolling.
I've developed Java Applets before, and believe me, when confronted with a problem, a Java Applet is surely the last resource any serious JEE developer will
As two simple examples (Score:3)
Both our KVM and NAS at work use Java as their interface. In both cases the reason is the same: to support management from arbitrary clients running any OS. They don't want to require you to install a program just to manage them and they want to easily support Windows, Linux, Mac, and so on. However the interface needs to be highly interactive to be useful. In the case of the KVM it actually has to stream video that it compresses from various sources. So Java it is.
These are some outdated devices from yeste
Re:Uses of Java applets (Score:5, Insightful)
Depending on who you ask, there are about 2.5B people using the Internet now. If we assume most of them use the Web and we assume that the pattern for Chrome is representative of the general population, that means more than 200,000,000 people used a Java applet at some point in the previous month.
Even I am surprised by that, but in any case, it seems you and I have very different ideas of what "almost extinction-level rare" means.
Ironic (Score:2)
Having problems for the past hour with cursed Java on my Mac. Really pisses me off that my Insteon controller absolutely requires it to update the system!!!
Already considering uninstalling firefox (Score:4, Insightful)
Re: (Score:2, Insightful)
What in the world are you using that requires a Java applet?
Re:Already considering uninstalling firefox (Score:5, Informative)
Well, if you're in Norway then 800-900,000 people use it daily and 2.9 million occasionally to access their bank and various other public services through BankID [bankid.no]. They are moving away from Java now after all the security issues, it was announced in April but hasn't happened yet so with this I expect Firefox usage here will drop like a rock.
Re: (Score:3)
Yeah, share your pain (from Denmark, NemID is the name of the game here, same vendor though).
Fun fact, the alternative they are working on is javascript clocking in at $20m for the Danish version alone, Nets claims they are not reusing the code between BankID and NemID, but one does wonder (By the way, did you guys also suffer a 3 day downtime this weekend because the tards forgot to read the release notes?)
Re: (Score:3)
In Sweden ours is called BankID but I don't think it's the same vendor (the actual program I believe is called Nexus Personal), it's not in Java but is a native plugin, or a mobile app as that's how I'm using it, so much more convenient.
You would think they could cooperate and build a common system for stuff like this, especially with nations as small as ours.
Re:Already considering uninstalling firefox (Score:4, Insightful)
Anyway, generally warning people before loading any java applet: "This plugin is insecure" is great.
No, warning people before loading an insecure plugin that it is insecure is great. Warning people that a newly updated plugin with no known vulnerabilities is insecure confuses them and teaches them that your security messages are worthless and they should just click yes.
I don't think anyone is claiming that Java is some paragon of Internet virtue that should be trusted without question, or that blocking plugins from unknown sites until the user OKs them is necessarily a bad idea. However, crying wolf and creating obscure UIs and turning everyday software into nuisanceware isn't a good response.
Firefox has criticals every release, too (Score:3)
Firefox 24 fixed 7 critical security vulnerabilities [mozilla.org], on top of the 4 fixed 6 weeks earlier in Firefox 23, and 4 more fixed 6 weeks before that in Firefox 22, and 3 more 6 weeks earlier still in Firefox 21, and so on. Within the past year there have been Firefox releases that fixed as many as 12 critical vulnerabilities.
By your argument, since I have no reason to believe the latest Firefox will have no known vulnerabilities for the entire time that release is current, we should probably just declare Firefo
Re:Already considering uninstalling firefox (Score:5, Informative)
It just drives people to chrome
Good luck, Chrome has the same behavior. Even with a signed applet and updated Java, Chrome users had to click twice to run.
For the /.ers astounding by the persistence of Java applets, I was working with JMol [sourceforge.net]. I bypassed the issue by switching to the HTML5-and-JavaScript version and using the applet as a fall-back.
Like? (Score:4, Insightful)
moving away from a dependence on proprietary plug-ins
Like the browsers themselves?
Hey maybe we can get all the people at Adobe and Oracle laid off the same week. Wouldn't that be fun?
Isn't it great how the web is moving away from "proprietary plug-ins" and straight into proprietary mobile devices?
And look at the web users cheer. The people who built the web would recoil in horror at what you have allowed to happen to the Internet.
I give it five years, maybe six, and the Internet will be completely walled off by a McDonalds logo.
Re: (Score:2)
And yet we object to standard DRM as if it won't encourage exactly the same fragmentation?
Re: (Score:2)
I give it five years, maybe six, and the Internet will be completely walled off by a McDonalds logo.
My bets are going to a McBook logo...
Re: (Score:2, Interesting)
No, that's exactly his point. There's isn't a standardized way of doing things cross-platform. Before there were companies pushing their own products and providing run-times so assuming you installed their blob you'll get the desired behavior. It worked, but you need to install the blob. You normally had to do something undocumented or very odd to lose cross-platform support.
Now you have Google/Apple/Microsoft/Mozilla phones. Each does things their own way and they have no interest in cross-platform de
At this rate... (Score:5, Funny)
Firefox will be exactly what Scott Adams predicted...
http://dilbert.com/strips/comic/1995-03-25/ [dilbert.com]
Applets may be "The Debil", but they also fill a need that can't be filled by Flash or HTML5.
Mozilla needs to get over themselves.
What need? (Score:3, Interesting)
I use firefox and haven't encountered a singled issue with java not working... that is because I can't even remember the last time I saw a site with an applet.
Really this is a non-issue that will go the same way as active-x support. Only people in Korea will care.
If you are still developing/depending on applets, 1995 called they want their stupid ideas back. What next, your mail link is an animated gif?
Re:What need? (Score:4, Informative)
Java is needed to do banking in many places, the FF change gave me 30 minutes of "wtf?"; trying to work out why it kept complaining about insecure applet, when running newest Java had me perplexed.
If I had an alternative to FF on Mac and Java, I'd ditch FF for this stunt in a heartbeat.
Re:What need? (Score:5, Insightful)
If you are still developing/depending on applets, 1995 called they want their stupid ideas back.
Hi 2013, this is 1995 calling. When your new shiny toys have the portability and performance and flexibility that we had nearly two decades ago, and developers can write software using them with a reasonable expectation that it will still be working in 5 or 10 years (or even 1 or 2 years) without needing constant maintenance, then you get a vote. Until then, we'll keep our "stupid" ideas, because they've been helping us get useful work done since before you were born. Kthxbye.
Re: (Score:3)
I have never had any problems getting applets to run across all the major browsers, until the recent rounds of deliberate breakage from various browser vendors and Oracle.
Similarly, I have had applets deployed in the field that kept running quite happily for years. I have current ones from the Java 5 days that worked fine well into the Java 7 era, and nothing was breaking during the updates, again until the past few months when APIs that were stable for nearly 20 years got changed and other similar sillines
Re: (Score:2)
"I can't even remember the last time I saw a site with an applet."
Do you have a better idea for, say, a software-based KVM or something that needs to deal with local hardware, like an authentication token?
Re: (Score:2)
I don't know why you want to cry over Firefox, it's Chrome that started with saying they'll remove the Netscape Plugin API (NPAPI) first.
At least in Firefox the API will remain longer and if you need it you'll be able to enable it on a per-site basis.
Who cares? (Score:4, Funny)
Java is huge in the business back end, but front end Java just leaves a bad taste in the mouth of users. Slow, bloated, painful to use and kinda salty.
Untold headaches? (Score:5, Insightful)
Re: (Score:3)
Re:Untold headaches? (Score:5, Insightful)
You just succinctly explained why tools like NoScript are so desperately needed, not why they aren't. The real problem is Web design that serves an agenda contrary to the desires and rights of those who use the Web. Fix that problem and annoying tools like NoScript won't be necessary.
What that means, BTW, is that Web developers need to grow both a conscience and a spine and say NO when they're asked to code Bad Things. It also means that the pushovers and corporate plants over at the W3C need to stop adding crap to the standard that aids and abets these Bad Things.
Bad Things require Better Alternatives (Score:4, Insightful)
You do understand that without those Bad Things you so hate, there probably wouldn't be a Web worth saving, right? Someone has to pay the bills, and if you're not going to pay for content, you're not going to accept advertising, you want full privacy and security when using services you're not paying anything for... Who is going to write the cheque?
I hate DRM and spammy ads and privacy invasions as much as anyone -- more that most, probably, given that I really do give up on some things most people accept because I refuse to support the intrusions. But still, we live in the real world, and you can't just wish Bad Things away without proposing Better Alternatives. BTW, "everything I want should be free and unencumbered" is not a viable Better Alternative.
Re: (Score:2)
A web worth saving is a web without ads or DRM, just like it used to be. In the meantime the excellent addons to block trackers, scripts, cookies, referrer and ads will do.
Re: (Score:3)
Re: (Score:2)
Oddly I have had the exact opposite reaction. I started using adblock plus to adblock plus + noscript, to where now I use; adblock plus (with multiply filter lists), no script, ghostery, https everywhere, and request policy. Yeah it takes longer to view a page for the first time but it is also much safer and much better content to crap ratio.
On a related note anyone else see slashdot has been adding more tracking scripts ever since DICE bought them out.
Re: (Score:3)
Embedded videos, Google Maps' Street View, etc. don't work with FlashBlock. I had to whitelist them. However, I don't use FlashBlock anymore since the latest Mozilla's web browsers come with an plugin ask prompt feature. :)
Re: (Score:2)
Click to play is fine and dandy, however, the warning FF has put in place is just wrong. Even someone working in tech for many a years had to go over everything to work out why the hell it was showing danger alerts when trying to run the banks applet...
Re: (Score:2)
Are you really this retarded? When the bank is requiring a Java Applet to run, how do you propose to keep those two things seperate?
There are a lot of countries in the EU where Java Applets are required to authenticate, either through digital signatures or through government single-sign-on solutions; the sole reason I have Java Applet allowed is to do banking and communication with the government.
Improve security?? (Score:4, Insightful)
There are two ways to improve security - lock out the user, or educate them.
Locking out the user is great - but it only works on NEW products, and if you don't have competitors. The reason it works well on NEW products is that the user isn't conditioned on what to expect. Remember, trying to change how people use their computer is an uphill battle. It works well when the do not believe they have alternatives.
Educating the user is harder, but that is the real fix. You aren't improving security by saying 'As responsible devs, our software won't do what you want'. Instead, make a two minute video showing them how $technology is flawed, and make them watch it ONCE. Then, let the choose whether to block $technology or live with it. Because right now they get fed up with Firefox (NOT Java), and click the little blue e.
And yes, it isn't a great hassle to keep using FF when you allow users to "click to allow $applet". But the pain is that I need to look at the little red icon in the address bar to permanently enable something [mozilla.org]. You might say that if I can't handle this additional step, I shouldn't be making a choice on whether to run an applet or not (but that is a bad road to head down). You could have just made a popup when I run an applet that says "Do you want to remember this setting?" - it doesn't fix the security problem, but the current solution doesn't either. At least this way, I don't feel frustrated at my browser for someone else's (Oracle, in this case) screw ups.
This made me use Internet Explorer (Score:2)
My laptop went bad about a week or so ago, and I wiped it and have been reinstalling. One item is a VPN connection client that allows me into my University network from home, so I can access software licenses and work on my labs. This is for an MS degree in Electrical/Computer Engineering. Firefox forbade that from installing on my recovering laptop (Win 7 Ultimate 64) and so I was forced to use MSIE just to get my link installed and configured. Sorry Mozilla, but you did prevent me from doing something tre
Nice SNAFU by Mozilla (Score:5, Informative)
How to enable Java if its been blocked [mozilla.org]
So, now, the lastest version of Java (7.45) is considered outdated.
Absolutely brain-dead decision.
Re: (Score:2)
One does wonder, are they going to pop up a warning when opening firefox? Since it most likely also contains various security issues users should be warned when opening every web page (by their logic at least...)
What's the big deal? (Score:5, Insightful)
Oracle Java has ALSO decided, due to the persistent security problems due at least in part to having concurrent (i.e., old) versions installed (and the fact that the largest exploit kits have used Java as one of their main vectors for some time now, alongside Adobe Reader of course) to disable Java plugins in the browser by default in recent updates.
So, what's the big deal? This is the correct decision from a security perspective. I can't remember the last time I saw someone on the World Wide Web actually USE a Java applet for good, rather than for evil. And I'd have noticed, because even after all these years, it still runs like an absolute dog. It's the kind of thing you might use on a local application (such as Minecraft, which is what I think probably most people who still have it installed use it for now, albeit they'd likely have the 64-bit version which wouldn't have a working browser plugin in a 32-bit browser anyway!) or an intranet site (which is your administrator's problem, to re-enable it for that site only, or to use a different browser for the web and the intranet, which you can totally do and is good practice).
I've got many other criticisms about Firefox recently from a security and performance perspective - let's face it, it's just not the zippy, efficient browser it used to be, even relatively-speaking, it's lost its mojo and the security team have a reputation for having a slow, and fairly arsey, response - but this seems to be the right decision and they should be lauded for it. IE has also done it, as has Chrome.
Re: (Score:2)
The effect this will have is that the security issues will concentrate again in IE, giving it another good dose of bad reputation. Perhaps MS has the clout to convince Oracle to fix its steaming mess. Or perhaps they will do the same and block Java.
Oracle is now involved (Score:4, Informative)
From Link [mozilla.org]:
First I've heard that Java 5 and 6 are not considered dead yet.
Re: (Score:2)
My Mother (75) got it. So why not other user ? (Score:2, Interesting)
Comment 70 says it all (Score:3)
Finally (Score:2)
Sometimes users don't know that they don't know (Score:3)
If the people objecting to the new default knew the circumstances around the decision, they wouldn't be objecting to it.
Re: (Score:2)
Developers need to get used to the idea that they can't count on either flash or java being present on the client end. That's just the way it is.
That is correct.
Except for the fact that there are eleventy bazillion websites already in existence which rely on one or more of these programs and they aren't going to change and they aren't going to go away.
Re: (Score:2, Flamebait)
Yeah, they are. Guess why.
Sent from my iPhone
Re: (Score:2)
Yeah! How dare they act in defense of users against a technology notable for its repeated exploits! They should learn humility and how to act intelligently, like Oracle!
Re:Is it time to fork Firefox yet? (Score:5, Insightful)
The number of support e-mails in my inbox this week from those users suggests that they aren't too happy about being "defended" in this way.
Re: (Score:2)
Wrong. You fail.
The byte code thing is the "write once, run anywhere"
The sand-boxing was tacked on the side.
Re: (Score:3)
Re:I don't understant the hate (Score:5, Informative)
> I don't get it why people hate Java applets so much they want them to go altogether.
Because Java applets are a honking big security hole, and currently the most-often-used attack-vector to take over unsuspecting users' machines. See http://www.cvedetails.com/vulnerability-list.php?vendor_id=5&product_id=1526&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=6.99&year=0&month=0&cweid=0&order=1&trc=35&sha=d158a5520a2bc52f7443268daaab5851ced00564 [cvedetails.com] for a list of recent problems.
Re: (Score:2)
Well, Windows was the biggest security hole for the longest time but you didn't see FF refusing to run on it.
Re: (Score:2)
No, but it was more secure than IE at that time.
Re: (Score:2)
Chrome will remove the whole plug-in API:
http://www.infoq.com/news/2013/09/NPAPI-Depricated [infoq.com]
So it won't be able to run Java at all.
You could probably download, decompress and process that in Javascript. You might find that if you optimize certain parts with asm.js that it would be about 2x as slow as in native or Java. That might, or might not be acceptable.
Anyway, you can even turn on Java on a per-site basis in Firefox.
Re: (Score:2)
I run SeaMonkey (which is using most of the Firefox core and will probably inherit this Java block feature if its not already there) and I dont have Java installed at all. I have yet to find a single web site I use that needs Java (on the rare occasion I have found one there is usually an alternative for what I want to do anyway :)
Re: (Score:2)
So where do you intend to go ? It won't be Chrome, because they've already said they'll remove the complete plugin API.
Re: (Score:2)
Supposedly only ones per site.