Mozilla considers disabling Java in Firefox

Whilst I commend any effort to remove another web browser plugin dependence (bringing us closer to requiring no plugins in a web browser, one can only hope), the way to attack this problem is to implemented TLS 1.1 and 1.2. After that they should come together with Google and Microsoft and push the online news to get servers updated to support 1.1 and 1.2.

Unfortunately with the snail like pace of OpenSSL development, this may not be possible soon enough. It feels like this entire issue is hinging on OpenSSL's delay with their 1.0.1 version, which supports SSL 1.1 and 1.2.

Will this issue accelerate the release of 1.0.1? One can only hope. For example, the people behind Tor have already said they are waiting for the release of OpenSSL 1.0.1 with anticipation (although Tor isn't affected by the BEAST issue), and plan on updating immediately.

 

I too think it's time to drop plugins, however, that is a long while off as long as web and software developers continue to rely on them and require them to use either certain functions or the site/software in general. Disabling the plugin though is just going to give them more grief from users who are already mad at other Mozilla issues.

 

http://www.freesmileys.org/smileys/smiley-angelic001.gif We can pray.

 

Well, yes, at the moment. However, I was under the impression this had already changed in the next major release (Java SE 7).

 

Yes, they should focus on support for TLS 1.1 and 1.2.
Please vote here for support of TLS 1.2:
https://bugzilla.mozilla.org/show_bug.cgi?id=480514

 

Hm... I guess I'd posted about this somewhere else.

I really doubt this will happen. And by "really doubt" I mean absolutely no way. There have been java security issues for years. Hell there have been Flash security issues for years! No one just says "let's pull support" because that's insane.

They should work on TLS 1.1 and 1.2 and they should work on fixing their implementation of 1.0 the way Chrome did.

 

Chrome didn't "fix" their implementation by any strength of imagination. They implemented what can only really be called a "hack" on the dev version only, and is still being worked on because it breaks some secure pages (see tickets).

 

And it's still more effective than moving to 1.1 and 1.2, which aren't even supported by other browsers/ servers.

Hack or not, it works. Granted it's unstable (though I haven't run into that I guess) but it solves the issue in 1.0, which I think is more effective.

I seriously doubt that this MITM attack, which presupposes that someone already has control over your network, is going to be what brings Java down. If someone's on my router or has control over my network in some other way BEAST is not the only tool they can use against me... hell it's not even the easiest tool.

 

Keep in mind that we're talking about Java being used here, so even with that hack, Chrome is vulnerable when Java is installed. TLS 1.1 and 1.2 really are the only way forward.

 

Steve Jobs would like to have a word with you.

 

Hey, you're right, Java 7 implements TLS 1.1 and 1.2: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00019.html

If you uninstall Java, Java 7 is available from here.

 

Didn't he resign or something like that?

 

Indeed he did, good sir. But he'd still like to have a word with Hungry about Flash

 

Well, Mac OS Lion users can still install Flash on their own. So, Steve Jobs doesn't entirely hate it.

 

-edit-

Anyway, I disagree with pulling out Java support from Firefox. I don't know about other folks, obviously, and I don't use Firefox, but if I did run it, I'd be unable to access some of the IRS website, for example.

I don't know, but imagine that a few IRS websites all over the world do still use Java. Firefox blocks Java, users can't use Firefox to access IRS website. Users will switch browsers. This is bad for Firefox, isn't it? I know I'd switch browsers and would never return to it.

Secunia OSI requires Java, for example. Etc, etc... It won't be like throwing out a putrefied apple.

 

Lol, I was mostly referring to it being given the heave ho on Ipad. Generally what Steve Jobs wanted, he got, insane or not. And you didn't see anyone shunning the Ipad I get Hungry's point though. For a browser to just up and not support a widespread standard would be damn near suicide. Even if it might be one of the best ways to get web devs off their thumbs and move to better technology.

 

Oh... the Ipad thing... Got it..

 

"I" anything really, sept for MAC ^__^

 

I use FF to access online IRS forms (no problems downloading) - does that count?

As for Java, most web pages use JavaScript which only requires web surfers to have JRE installed which is not the full JDK for Java.

-- Tom

 

Javascript does not require any JRE because it is a separate language from Java.

Java : Javascript
Car : Carpet

completely different

 

Yep, different as night and day. For fun, I'll add Javascript is that thing many here obsess over in regards to speed, and Java is that near dead, but alive just enough to annoy you language

 

In terms of web-programming... perhaps. Java's definitely not a dead language, it's incredibly portable and one of the most well known languages. I seriously doubt it's going anywhere even as a web-plugin.

Yes, Javascript is the heaviest part of common web pages so people look to it for speed improvements.

 

I thought they were mentioning the plugin? If Mozilla blocks Java in Firefox, how the heck are users going to use websites that need Java?

What matters if the user installs Java if Firefox blocks the plugin?

From the mentioned article in the first post...

I don't know about Firefox, but if I disable Java's plugin in Chromium = no Java.

This is from https://bugzilla.mozilla.org/show_bug.cgi?id=689661

So, how exactly are Firefox users access (read use) websites requiring Java to be enabled in the browser?

 

Just use Java 7... it supports TLS 1.1 and 1.2.