Mozilla considers disabling Java in Firefox

Discussion in 'other security issues & news' started by ronjor, Sep 29, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,728
    Location:
    Texas
    http://www.h-online.com/security/news/item/Mozilla-considers-disabling-Java-in-Firefox-1351590.html
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Whilst I commend any effort to remove another web browser plugin dependence (bringing us closer to requiring no plugins in a web browser, one can only hope), the way to attack this problem is to implemented TLS 1.1 and 1.2. After that they should come together with Google and Microsoft and push the online news to get servers updated to support 1.1 and 1.2.

    Unfortunately with the snail like pace of OpenSSL development, this may not be possible soon enough. It feels like this entire issue is hinging on OpenSSL's delay with their 1.0.1 version, which supports SSL 1.1 and 1.2.

    Will this issue accelerate the release of 1.0.1? One can only hope. For example, the people behind Tor have already said they are waiting for the release of OpenSSL 1.0.1 with anticipation (although Tor isn't affected by the BEAST issue), and plan on updating immediately.
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I too think it's time to drop plugins, however, that is a long while off as long as web and software developers continue to rely on them and require them to use either certain functions or the site/software in general. Disabling the plugin though is just going to give them more grief from users who are already mad at other Mozilla issues.
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
  5. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Well, yes, at the moment. However, I was under the impression this had already changed in the next major release (Java SE 7). o_O
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Hm... I guess I'd posted about this somewhere else.

    I really doubt this will happen. And by "really doubt" I mean absolutely no way. There have been java security issues for years. Hell there have been Flash security issues for years! No one just says "let's pull support" because that's insane.

    They should work on TLS 1.1 and 1.2 and they should work on fixing their implementation of 1.0 the way Chrome did.
     
  8. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Chrome didn't "fix" their implementation by any strength of imagination. They implemented what can only really be called a "hack" on the dev version only, and is still being worked on because it breaks some secure pages (see tickets).
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    And it's still more effective than moving to 1.1 and 1.2, which aren't even supported by other browsers/ servers.

    Hack or not, it works. Granted it's unstable (though I haven't run into that I guess) but it solves the issue in 1.0, which I think is more effective.

    I seriously doubt that this MITM attack, which presupposes that someone already has control over your network, is going to be what brings Java down. If someone's on my router or has control over my network in some other way BEAST is not the only tool they can use against me... hell it's not even the easiest tool.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Keep in mind that we're talking about Java being used here, so even with that hack, Chrome is vulnerable when Java is installed. TLS 1.1 and 1.2 really are the only way forward.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Steve Jobs would like to have a word with you.
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Didn't he resign or something like that? :shifty:
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Indeed he did, good sir. But he'd still like to have a word with Hungry about Flash ;) :D
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, Mac OS Lion users can still install Flash on their own. So, Steve Jobs doesn't entirely hate it. :D
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    Anyway, I disagree with pulling out Java support from Firefox. I don't know about other folks, obviously, and I don't use Firefox, but if I did run it, I'd be unable to access some of the IRS website, for example.

    I don't know, but imagine that a few IRS websites all over the world do still use Java. Firefox blocks Java, users can't use Firefox to access IRS website. Users will switch browsers. This is bad for Firefox, isn't it? I know I'd switch browsers and would never return to it.

    Secunia OSI requires Java, for example. Etc, etc... It won't be like throwing out a putrefied apple. :rolleyes:
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Lol, I was mostly referring to it being given the heave ho on Ipad. Generally what Steve Jobs wanted, he got, insane or not. And you didn't see anyone shunning the Ipad :D I get Hungry's point though. For a browser to just up and not support a widespread standard would be damn near suicide. Even if it might be one of the best ways to get web devs off their thumbs and move to better technology.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh... the Ipad thing... Got it..
     
  19. John Omniviz

    John Omniviz Registered Member

    Joined:
    Sep 29, 2011
    Posts:
    3
    Location:
    In a Mad World
    "I" anything really, sept for MAC ^__^
     
  20. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    I use FF to access online IRS forms (no problems downloading) - does that count?

    As for Java, most web pages use JavaScript which only requires web surfers to have JRE installed which is not the full JDK for Java.

    -- Tom
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Javascript does not require any JRE because it is a separate language from Java.

    Java : Javascript
    Car : Carpet

    completely different
     
  22. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Yep, different as night and day. For fun, I'll add Javascript is that thing many here obsess over in regards to speed, and Java is that near dead, but alive just enough to annoy you language :D
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    In terms of web-programming... perhaps. Java's definitely not a dead language, it's incredibly portable and one of the most well known languages. I seriously doubt it's going anywhere even as a web-plugin.

    Yes, Javascript is the heaviest part of common web pages so people look to it for speed improvements.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I thought they were mentioning the plugin? If Mozilla blocks Java in Firefox, how the heck are users going to use websites that need Java?

    What matters if the user installs Java if Firefox blocks the plugin?

    From the mentioned article in the first post...

    I don't know about Firefox, but if I disable Java's plugin in Chromium = no Java.

    This is from https://bugzilla.mozilla.org/show_bug.cgi?id=689661

    So, how exactly are Firefox users access (read use) websites requiring Java to be enabled in the browser?
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Just use Java 7... it supports TLS 1.1 and 1.2.
     
Loading...
Thread Status:
Not open for further replies.