Slashdot Mirror

← Back to Stories (view on slashdot.org)

To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework

Posted by timothy on from the nuclear-option dept.

rastos1 writes with this news from The Register: "In a demonstration last Friday, it took less than two minutes for researchers Thai Duong and Juliano Rizzo to wield the exploit to recover an encrypted authentication cookie used to access a PayPal user account. ... The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser. ... 'I recommend that we blocklist all versions of the Java Plugin,' Firefox developer Brian Smith wrote on Tuesday in a discussion on Mozilla's online bug forum. 'My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.'"

5 of 309 comments (clear)

  1. Re:Java still there by Anonymous Coward · · Score: 5, Informative

    I know no one rtfa but thearticle gives plenty of examples of webapps that rely on Java. Loads of corporate apps rely on it. I think that this is a bad move without a whitelist being released in tandem,which they are considering

  2. Re:Java still there by LWATCDR · · Score: 5, Interesting

    Why?
    Java is a much nicer development system than say Flash.
    Frankly Java applets got a bad rap because of Java abuse. I blame Microsoft for that. You see FrontPage had animated buttons as an option and they where freaking java applets.
    No one should have to wait for java just for buttons.
    It is a shame that applets have gotten such a bad rep. It is an even bigger shame that Apple and Google are not supporting Java on IOS, Android, and Chrome.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  3. Mozilla Craziness by Anonymous Coward · · Score: 5, Insightful

    What is with all of the over-the-top craziness coming out of Mozilla recently? Oracle needs to address the bug, but maybe Firefox could handle it in a more graceful manner than disabling the plugin entirely.

    Mozilla, you used to be one of the darlings of open source, now you're turning into a crazy cat lady.

    - remove version numbers.
    - rapid release schedule breaks add-ons.
    - gave the middle finger to enterprise users.
    - removed the URL bar.

  4. Not blocked, but click to play by kangsterizer · · Score: 5, Insightful

    Quoting decoder from the security team:

    "It should be "click to play" by default, which means you have to click on the applet for it to be activated and loaded. "Disabled" might have been the wrong term here, but until you click the applet, nothing can happen."

    That's what Chrome does also. Then again in theory, flash should also be click to play. Except flash is used everywhere and its going to piss people off, so its not click to play, either in Chrome. In fact, all plugins should be click to play with a white list of auto play sites that the user can configure. Yeah, Noscript.

    Still, I'd prefer default click to play in java.

  5. Re:Java still there by Creepy · · Score: 5, Interesting

    Java plugin based internet apps for enterprise are very common, especially in the CAD/CAM/CAE space because they can run on multiple platforms and some of those spaces are heavily entrenched in UNIX (with a trend toward Linux UNIX-like), and many of those depend on Firefox for cross platform support.