Mozilla considers disabling Java in Firefox

Discussion in 'other security issues & news' started by ronjor, Sep 29, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unless you consider that to run plugins (Java's plugin, for example), you need to allow JavaScript. :D
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    And you need C++ to run the browser to run the HTML to run the Javascript to run the Java.

    Or you need Java to run the browser to run the html to run the javascript... to run the Java? =p
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    See, everything's connected. lol
     
  4. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Java 7 doesn't solve the issue; TLS 1.0 is still there. It merely opens the gate for the issue to be fixed by moving to TLS 1.1/1.2.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Now they want to block the Java plugin from even installing, if I read that bug thread correctly? Lol, I'd get my gas mask out, because that particular storm would have an awful smell.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I must be misunderstanding something. For BEAST to work, do you need Java installed? Because TLS 1.0 isn't going away even if you have Java uninstalled.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I thought it was a Java issue as well.
     
  8. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    They DON'T need Java for Beast to work, but by using Java, they can bypass any attempts at protection the browser uses.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Ahh. In other words we're still looking at a Java-less Firefox possibly then. I understand why they would do it, but oh boy that's going to be fun to explain to the masses.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Oh. Well why are Java exploits suddenly a big deal?

    I also don't understand how Java can be used on a site like PayPal, which doesn't use Java. Do they inject the Java? It's very unclear how this exploit is used.

    Anyways, Java exploits have been an issue for a long long time and I don't see why suddenly this exploit, which is frankly... quite minor... is going to be the straw that breaks the camel's back.
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Most of it is flying past my head, lol. I'm making an attempt to figure it out though.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, without understanding the logistics of the attack it's hard to say. But as I've said if you have control over someone's network there are easier ways than BEAST to steal their info.

    Removing Java won't stop those long-used and easy-to-implement attacks but it WILL hurt usability.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    All I can get out of it is that a bug in the plugin allows the attack regardless, and that the plugin only supports TLS 1.0 and not the other versions. I still can't seem to either grasp or find how, without Java being in use at the time of the attack, it gets the attack through. I find it really weird that a secure site would be requiring a plugin anyway. I know it happens, but that seems to be begging for trouble.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree. I can't think of how this attack is viable without Java first being used on that site.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK.

    By now, according to some stuff we read, BEAST can use Java. That much we know.

    Mozilla wants to block the plugins in Firefox. OK.

    Fact, and quoting h-online's article: The researchers have said only that BEAST is based on JavaScript which has to be injected into the victim's browser

    Question: Why not BLOCK JavaScript in the browser as well? No JavaScript, no BEAST.

    I suppose blocking JavaScript would cripple the web a lot... :D But, blocking Java plugins will also... Not on the same scale as blocking JavaScript, but it would still cripple many users' experience. And, 99% of my browsing is done without JavaScript, and no big problems if you get used to it. lol
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I just weaned myself off of Noscript...I don't wanna go back to it! Lol. Let's see them disable Javascript by default. You think the Java complaints would be bad, you've not seen anything yet :D Still if Mozilla is contemplating a major move like this, there must be more to it than the old, well known Javascript dangers.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Blocking Javascript would break most websites at least in some way and users will just reenable it anyways.

    Here's a better method of protection... don't do banking on an untrusted network. All of these attacks are MITM... the attacker can literally inject code into your browser. That's an issue. It doesn't matter if you have Java on or not if they can control your network.

    As was mentioned in the article (I think it was by a Chrome dev) this attack is the least of your worries if you have someone malicious on your network. There are things like SSLStripper, which take no time to implement and are much harder to mitigate.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Weaning off of noscript and javascript whitelisting was the easiest thing I ever did haha
     
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I can't think of anyone in their right mind doing something like banking, on anything other than their home system.
     
  21. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    And it probably made life a hell of a lot easier too, lol.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Exactly, and that's precisely my point - It will break websites. Blocking Java will also achieve the same result. Not to the same extent, but many people will see some services break.

    If people could or not reenable JavaScript, that would depend on whether or not Firefox would have the option to enable it still there. :D
     
  23. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I can. And I've seen first hand people going on facebook on public wifi or checking their emails.

    You know how many email passwords someone can collect from a starbucks in a few hours? I can tell you first hand it's quite a few. And you don't need fancy methods like BEAST.
     
  24. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    They'd almost have to. To disable it and give no choice about it whatsoever, well, again, don your gas masks, because that storm would stink, lol.
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's that balance of ease-of-use and security. Most times ease-of-use wins... and really I think that's how it should be.
     