Slashdot Mirror


To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework

rastos1 writes with this news from The Register: "In a demonstration last Friday, it took less than two minutes for researchers Thai Duong and Juliano Rizzo to wield the exploit to recover an encrypted authentication cookie used to access a PayPal user account. ... The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser. ... 'I recommend that we blocklist all versions of the Java Plugin,' Firefox developer Brian Smith wrote on Tuesday in a discussion on Mozilla's online bug forum. 'My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.'"

13 of 309 comments

  1. warning? by Anonymous Coward · · Score: 3, Insightful

    How about a simple warning before loading a Java Applet? For example, one of those yellow bars at the top of the page? That would prevent all legitimate applets from being instantly unusable in Firefox, whilst providing some security.

  2. Re:Java still there by Anonymous Coward · · Score: 5, Informative

    I know no one rtfa but the article gives plenty of examples of webapps that rely on Java. Loads of corporate apps rely on it. I think that this is a bad move without a whitelist being released in tandem, which they are considering.

  3. Re:Java still there by LWATCDR · · Score: 5, Interesting

    Why?
    Java is a much nicer development system than say Flash.
    Frankly Java applets got a bad rap because of Java abuse. I blame Microsoft for that. You see FrontPage had animated buttons as an option and they were freaking Java applets.
    No one should have to wait for java just for buttons.
    It is a shame that applets have gotten such a bad rep. It is an even bigger shame that Apple and Google are not supporting Java on iOS, Android, and Chrome.

    --
    See my blog http://ilovecookes.blogspot.com/ for light-hearted technical information.

  4. Mozilla Craziness by Anonymous Coward · · Score: 5, Insightful

    What is with all of the over-the-top craziness coming out of Mozilla recently? Oracle needs to address the bug, but maybe Firefox could handle it in a more graceful manner than disabling the plugin entirely.

    Mozilla, you used to be one of the darlings of open source, now you're turning into a crazy cat lady.

    - remove version numbers.
    - rapid release schedule breaks add-ons.
    - gave the middle finger to enterprise users.
    - removed the URL bar.

  5. Further decrease market share by Fujisawa+Sensei · · Score: 3

    Way to further decrease market share. First, start fucking with the version numbering. Now blacklist Java.

    Keep taking the express elevator to the bottom, just like Netscape did.

    --
    If someone is passing you on the right, you are an asshole for driving in the wrong lane.

  6. Umm... Flash? by Tridus · · Score: 4, Insightful

    So they want to block Java over what is a difficult-to-execute attack that has some serious requirements to even use... but they continue to allow Flash with its critical flaw of the week that's being actively exploited?

    Is this a joke? Flash is the single largest attack vector on the entire fucking Internet.

    --
    "So they told me that using the download page to download something was not something they anticipated." - Bill Gates

  7. Not blocked, but click to play by kangsterizer · · Score: 5, Insightful

    Quoting decoder from the security team:

    "It should be 'click to play' by default, which means you have to click on the applet for it to be activated and loaded. 'Disabled' might have been the wrong term here, but until you click the applet, nothing can happen."

    That's what Chrome does also. Then again, in theory, Flash should also be click to play. Except Flash is used everywhere and it's going to piss people off, so it's not click to play either, in Chrome. In fact, all plugins should be click to play with a whitelist of auto-play sites that the user can configure. Yeah, NoScript.

    Still, I'd prefer default click to play in java.

  8. Re:Won't help by BattleApple · · Score: 3

    Just like if you handcuff everyone to their beds, there will be no more crime.

    There's still a chance some of them would rip off that label on their mattress.

  9. The problem is not Java by nweaver · · Score: 4, Informative

    The problem is NOT java, the problem is SSL/TLS. Java was just the vector which was used to exploit this, and disabling Java doesn't disable the real problem, especially since Mozilla refuses to support TLS 1.1.

    It's also unclear in the press how the Java same-origin bypass worked for this test: was it click to install or a real flaw? As a tool author (Netalyzr [berkeley.edu]), being able to bypass same origin without a signature dialog would be a big deal in improving the quality of our tool.

    --
    Test your net with Netalyzr
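
A worked illustration of the point above (TLS 1.0's chained CBC IVs versus TLS 1.1's explicit per-record IVs), added here as an example; it is not code from this thread, from Mozilla, or from any TLS implementation. The block cipher is a constructed toy Feistel network, the key and plaintexts are constructed, and the record model is reduced to just the CBC chaining that RFC 2246 and RFC 4346 specify:

```python
import hashlib
import os

BLOCK = 8  # toy 64-bit block; TLS 1.0 ciphers used 8-byte (3DES) or 16-byte (AES) blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Toy 4-round Feistel cipher (SHA-256 round function): keyed and invertible
    # but NOT secure; it only stands in for the real block cipher here.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:BLOCK // 2])
    return r + l
def enc_block(key, block): return _feistel(key, block, range(4))
def dec_block(key, block): return _feistel(key, block, reversed(range(4)))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

class Tls10Records:
    """TLS 1.0 (RFC 2246) style: one CBC chain per connection, so the IV of
    record n+1 is the last ciphertext block of record n and is already on the
    wire before record n+1's plaintext is chosen. BEAST needs exactly this."""
    def __init__(self, key: bytes, iv: bytes):
        self.key, self.next_iv = key, iv
    def send(self, pt: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.next_iv, pt)
        self.next_iv = ct[-BLOCK:]  # predictable: any observer can read it
        return ct

def tls11_send(key: bytes, pt: bytes) -> bytes:
    """TLS 1.1 (RFC 4346) style: fresh random IV per record, sent in the clear."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pt)

def tls11_recv(key: bytes, record: bytes) -> bytes:
    return cbc_decrypt(key, record[:BLOCK], record[BLOCK:])
```

Disabling the applet plugin changes none of the arithmetic above; only moving the record layer to explicit IVs (or to a non-CBC cipher) does.
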
  10. Re:Java still there by Creepy · · Score: 5, Interesting

    Java plugin based internet apps for enterprise are very common, especially in the CAD/CAM/CAE space because they can run on multiple platforms and some of those spaces are heavily entrenched in UNIX (with a trend toward Linux UNIX-like), and many of those depend on Firefox for cross platform support.

  11. Re:Java still there by MightyMartian · · Score: 4, Insightful

    1999 called and wants their anti-Java rant back.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.

  12. Protection is already available by geekprime · · Score: 3, Informative

    I have been using NoScript http://noscript.net/ for years. Pasted from their page:
    ----------------------
    The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other mozilla-based browsers: this free, open source add-on allows JavaScript, Java and Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser.

    NoScript's unique whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality...

    You can enable JavaScript, Java and plugin execution for sites you trust with a simple left-click on the NoScript status bar icon (look at the picture), or using the contextual menu, for easier operation in popup statusbar-less windows.
    ----------------------

    I have always thought that a whitelist approach was the best for anything as powerful as Java & JavaScript; either one is essentially running someone else's unknown programs on your machine. There may be a "sandbox" now, but I really don't know how secure that is either.

  13. Re:Java still there by radish · · Score: 4, Insightful

    I work professionally with a mixture of IntelliJ, Eclipse and Visual Studio on a decent spec machine. One of those three performs more slowly and chews up more resources than the other two. I'll give you a hint - it's the one which isn't written in Java.

    Not only is Eclipse slightly more than a "text editor", it also performs significantly better than a less-featured IDE written in a supposedly faster language. The "Java is slow" BS has to stop; it hasn't been true for close to a decade now.

    --
    One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"