Mozilla considers disabling Java in Firefox

Discussion in 'other security issues & news' started by ronjor, Sep 29, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    They could claim they're doing it for your own safety. :argh:
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You tell a few million Joe Schmoes that you broke their web for their own good, and get back to me how it went...if you live through it :D
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It is how it should be. I'll take my chances over half the web breaking or answering pop-ups, every single time without fail.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    This should be the user's choice, not a browser maker's forced dictation.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    And then they get blamed for knowing about it and doing nothing. You know how the internet goes. Oracle is the one who should be doing something. Instead, they aren't saying a word (at least publicly, who knows what's going on internally).
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Oracle should be blamed, but they didn't consider forcing us to choose browsers. What happened to freedom of choice?
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I like freedom of choice just as much as you do. However, what about the several million who don't frequent the handful of websites that have bothered covering this issue? What do you do for them in the meantime? No matter how it's handled, whether the plugin is blocked or left alone to risk, users are going to get miffed. They either get attacked or they lose functionality, there's no win in this one. The best case scenario is that Oracle not only fixes the bug, but the plugin is made to support higher versions of TLS and TLS 1.0 is tossed out and all secure connections use higher TLS versions. How likely is that to happen very soon?
     
  8. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    This is NOT Oracle's fault at all. So Java 6 doesn't support SSL 1.1 and 1.2, but guess what, neither does Firefox.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They should be blamed for being the most insecure software I've ever had on my computer lol
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Java and Flash are like best buds in that regard. :p
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes but at least Flash releases constant patches and cooperates with Google for a secure version in Chrome.

    Java releases updates like... what... once a month? If even. It's pathetic. They do less for security than any other software and they're constantly the target of exploits.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not much, because they can get infected and hacked by many more things than just this. Indeed, Oracle is slow.

    Another having the same faults doesn't negate one's own.
     
  13. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Good step, Java is a huge security risk but strangely it's usually Adobe who get all the flak.

    I think another issue is that Firefox should recognise when it's got loads of old Java plugins - I've seen it far too often when sorting out the cause of a slow PC. This leaves users at risk of exploits.
     
  14. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Exactly - and all the stats from various malware servers support this. More people are exploited from vulnerabilities in Java than they are with any other application, which is something that isn't widely acknowledged.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Anyway, removing Java won't do anything if you can still add it back. It just makes it harder for the user.

    If they load paypal.com up and it says "Java plugin missing" the user will probably go reenable or reinstall Java. That's my bet at least.
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is it possible to do what Java does with some other language?

    "Programming in Java is like eating 100 lbs. of shoe leather. Wouldn't you rather have 1 lb. of steak?" - Larry Wall
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm sure other languages based on the same ideas exist but Java has been around a long time and it's very popular.

    You could not just rewrite all Java applications to be another language... that would be very difficult.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Strangely, why don't you support removing Flash and all those other insecure plugins as well? That's right, loss of user functionality. If you don't want it, uninstall or don't install it, simple as that.

    I think newer Java versions fixed these issues. Also, Check Your Plugins should already recognize that, although not automatically.
     
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    The main reason for Java being on a computer is because the OEM had it preloaded. Other times it's on there because they once visited a webpage with a Java applet, or tried a program that installed Java with it. Mostly it's not actually needed when I'm sorting someone's computer - and so removing it doesn't actually affect functionality in any significant way.

    Most people don't actually think whether or not they need Java, and just leave it running in the background for years without any good reason. Even otherwise competent users seem to have a blind spot when it comes to Java, which is why I point it out.

    As for what I support - it's just common sense to have plugins disabled until you need them, as it's faster and more secure. I only have Flash enabled since I use it all the time, but mitigate the risk.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Having them disabled until you need them doesn't do much, at least for Chrome.

    Java always needs a prompt before running on Chrome. If I had Java disabled and a site said "Hey I need Java" and I thought that the site was legit I'd just reenable and reload it. Just like what every other user would do I assume.
     
  21. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    What do you mean "doesn't do much" - do you mean for security, or for performance?

    Since this thread is about Firefox, I can say from experience it certainly helps with both, and I'm not quite sure what point you're trying to make other than to be contrarian ;)

    If it didn't help security to disable an insecure plugin as you suggest, why would users have seen this popup:
    http://krebsonsecurity.com/wp-content/uploads/2010/04/ffjava.jpg
    http://krebsonsecurity.com/2010/04/mozilla-disables-insecure-java-plugin-in-firefox/
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    For either really. Java won't run on a page unless you give it the say-so.

    It basically just asks the user "Do you want to run Java?" and the user will just say "Yes."

    Not trying to find something to argue about, I just don't believe that giving users options leads to security.
     
  23. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Fairly certain that an exploit kit won't ask permission to start Java in order to exploit it under Firefox, but TBH I haven't seen it first hand and will have to test this.

    I've only tested them on a machine with an identical setup to my own (which doesn't include Java).

    As for performance, enabled plugins definitely do slow things down - particularly when there's a score of old ones clogging things up. I've seen this plenty of times on many computers :) It's not as much of an issue for a new, fast PC, but you have to consider that many people have 4-6 year old machines or netbooks and so it's more obvious when something is causing a slowdown.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't know how Firefox handles it at all. I'm just going by what Chrome does. Chrome always asks before playing Java unless you whitelist the site.
     
  25. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    I don't mean to be rude, but then why did you comment at all?

    This is a thread about Mozilla disabling an insecure plugin in Firefox. You posted in it saying that "disabling plugins doesn't do anything", when in reality you don't know?

    Anyway, the main risks to someone using Firefox come from the third party plugins IMO. Since most users will have more than one plugin, Mozilla need a more failsafe method to mitigate the threat other than just reactive solutions.
     