Hackers break SSL encryption used by millions of sites

"Firefox devs mull dumping Java to stop BEAST attacks" : http://www.theregister.co.uk/2011/09/29/firefox_killing_java/

 

I seriously doubt the validity of that proposition.

 

Care to explain why?

 

Even Firefox devs agree with me, heh. It's funny though how others seem to rush to the defence of Java, "here we go again", but now its the turn of the Firefox devs.

Now, although this isn't the best approach to solve this particular problem (TLS 1.1 and 1.2 need to be pushed into use), Java in general needs to be phased out from the web and kept as a system only application, not a web application.

 

I use the QuickJava extension to disable Java when not needed.

 

Read the second quote in the link below again before making further comment:
https://www.wilderssecurity.com/showpost.php?p=1946323&postcount=73

 

I did, thanks.

Yup, sounds about right for another reason to phase out Java, and why the devs want it gone.

Were you trying to make a point?

 

Java will never be phased out. It's been developed too long, it's an incredibly popular language, and it's 100% cross platform.

Firefox devs aren't going to remove it.

And really why should they? Instead of just pulling Java it should just be secured further.

 

Thanks fax!

FWIW

I have ie 9 and W7 64 bit.

and all ticked 1.0,1.1 and 1.2.

When I took 1.0 out (no tick) my OLB site won't work.

The MS link did warn that some sites needed 1.0 and I have that situation.

 

ALL sites need TLS 1.0 or SSL 3.0, BOTH are affected by Beast. Do NOT untick 1.0 or you're forcing websites to use SSL 3.0 which is older.

 

What are your Opinions/Comments? Would you use QuickJava with Firefox as a "fix" for this issue?

Thanks in Advance.

 

I'd consider using QuickJava if you use Java in the browser infrequently. You could instead disable the Java plugin manually in Firefox, but then you have to remember to disable it when no longer needed if you enabled it. Either way, it's a "fix" in the same sense as Mozilla's proposed fix, but you retain the flexibility to use the Java plugin if desired (assuming Mozilla doesn't implement this proposal).

 

Horrible "solution", like hell everyone is going to approve of that. Might as well block Flash, and those other plugins to make it more secure .

 

As before, I now have

TSL 1.0, 1.2 and 1.3

NONE of the SSL's are ticked.

Using IE9 W7 64 bit

 

Oracle patches Java flaw exploited in SSL BEAST attack

 

Cool, thanks.

 

Great, wonder what Mozilla is thinking now. I always thought they were in for free user choice until that proposal.