Slashdot Mirror
Will New Red-Text Warnings Kill Casual Use of Java?
New submitter ddyer writes "Java 1.7.0_40 [Note: released earlier this month] introduces a new 'red text' warning when running unsigned Java applets. 'Running unsigned applications like this will be blocked in a future release...' Or, for self-signed applets,'Running applications by UNKNOWN publishers will be blocked in a future release...' I think I see the point — this will give the powers that be the capability to shut off any malware java applet that is discovered by revoking its certificate. The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate.'"
red spot warnings have not killed off casual sex.
So-- probably not?
While I would hope for the day that Java dies the pathetic death it is due, I doubt that will happen. Much more likely is that "unauthorized" Java VMs will start to crop up that let the user whitelist applets rather than relying on Oracle's certificate system.
It sometimes feels that in order to use java applet you need to hide behind 3 VMs, because as soon as you hit an exploit pack... well you know... HTML5 + JavaScript offer great deal of flexibility and that is way we should chive on.
No one uses Java Applets anymore so it doesn't matter.
But don't get your hopes too high.
TFA says this is for "Rich Internet Applications," that is, Java applets embedded in Web pages. It doesn't seem this would affect Java programs that you execute locally, such as (for example) Eclipse.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
Businesses spend money to make money, and since profiting off others is the ultimate goal why should they be trusted?
Time is what keeps everything from happening all at once.
"Casual" use of Java is fairly rare - if there's an applet on a website, I'm probably going there to find it and won't be worried about it being unsigned. Most sites use Flash or Javascript rather than fire up the JVM.
The typical user will just click "Run" no matter what it says anyways, that's why Google's malware blocking doesn't even give the option to proceed to the website on its warning page.
I hope so.
I don't care much if this is done for an in-browser program. I've already got java disabled for browsers because of endless security flaws. But Oracle should provide free certificates if the software itself is demonstrably free. If they're doing this for all java uses, including standalone programs (i.e. not in a browser), then this is awful and will kill my interest in java completely. $100 to enable people to run a program I want to supply for free? No thanks. I'll pick a different language.
The noitice is good, and in the general case this is good. I see some serious problems for system admins who have to use systems with older ILOs. Just about every ILO or remote console I have used in the past few years has been java based and used self-signed certs.
It would be nice if you could whitelist trusted networks. I would like this when going to random google pages, this will be a serious pain when it comes to administering systems.
"I opened my eyes, and everything went dark again"
> The unfortunate cost of this is that any casual use of Java is going to be killed.
You may think you're just a casual user of Java. You may think you just use Java for recreational purposes. Everybody knows Java is just a gateway language for other languages like C#. And we all know what happens to C# programmers.
Java? Casual? That's like saying the US Tax code is good bed-time reading.
After realizing I was spending half my frickin' life compiling, reloading, and waiting... waiting... (I'm looking at _you_ Tomcat) I switched to Python and never looked back.
[FrLz]
Serious question. What 'casual' use of Java applets is there to kill?
I really don't think that there is a casual use of Java applets anymore. Banks and large corporations use it, but when was the last time you ran someone's java app that wasn't your own or a major corporation's? Large players can pay $100 a year for their app without thinking about it. Personal projects you trust and can push continue on. You shouldn't be running java apps from random other sources if you value security.
Did I just step out of a time machine?
Java applets are an essential tool for science education -- as simulators, calculators etc. Are all these research groups supposed to get some authority to digitally sign their applets?
Fundametally, a major aspect of Java security is that, since it runs on a VM, an applet it is inherently encapsulated. Yes, VM bugs can cause problems, but the value of all the free educational applets online far exceeds any possibly security benefits of unptached VM bugs.
Roger Grimes over at InfoWorld has an excellent security column and Java security has been one of his biggest gripes for a long time (example). This will be great for anyone who doesn't stay on top of patching (and also good for those who do, to a lesser extent). The newest release of Java also allows for finer grain security control, something that's been missing for years. I think Oracle's finally starting to try and seriously tackle Java security. Besides, "casual Java" use (at least for in-browser applets, which this seems to be about) isn't really that common anymore anyway (most of it's Flash now) and it's a small sacrifice to make for greatly increased security.
Wasn't it the point of sandboxing to allow untrusted programs to run without risk of harm? Why do you need to know who published an applet that can do no harm?
Does it show the warning in any of the linked articles?
Most of the Java apps I use are unsigned.
Here's what I see happening: Lots of people hanging onto old Java versions, creating an even bigger security disaster.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Not that there are many JavaFX applications out there, but wouldn't this affect those since a JavaFX application is similar to an applet? After all, it is code that is downloaded.
Are there any non-casual applets still in use?
The only Java applets I ever see are Game of Life simulators and such on pages that haven't been updated since roughly 2001.
This should kill off Java on the Web. Finally.
I thought the whole point of Java is that it runs in a sandbox so applets don't NEED to be trusted. Are they admitting failure here?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
So why the $100 cost if it isn't to profit off of those who depend on it?
Time is what keeps everything from happening all at once.
This will be unfortunate.
We've had problems with our university issuing certificates for domains and for code, which is not intended for public use.
Making it not run will mean we will have to dump Java and use one of our other OPEN SOURCE coding methods.
Buh bye!
Not that we're the fifth best world university or in the top ten list of US research universities or anything.
-- Tigger warning: This post may contain tiggers! --
The last reason left to have Java installed?
"Be nice, veer left, and never stop thinking" Iain Banks - Walking On Glass
As others have mentioned, there are a ton of embedded systems which use Java as the control interface and load unsigned or self-signed applets to do so. Block them, and we'll be forced to stick with an old version of Java.
Why can't these "casual" applets get a certificate, or ask users to click "OK"? If your app isn't worth $100 to you, and is not worth 30 seconds of education and one mouse click per run to your users, it is not really all that valuable to anyone.
A programming job in the US pays $20-$60 per hour. $100 is unlikely to be a significant barrier to anyone who has the skill set to create a program worth a user's time.
Given the security benefits of forcing scammers to prove who they are to a cert authority, I am disappointed that this was not done a decade ago.
"will give the powers that be the capability to shut off any (malware) java applet that is discovered by revoking its certificate"
This gives the powers that be the capability to shut off any java applet they do not like for any reason what so ever? Am I the only one who has a problem with this? Will this affect other Java programs too?
No, i didn't RTFA... Are they going to refuse to run self-signed at all, or can you opt out of the blockage as the end user?
I'm OK with a warning;"hey do you trust this?" and a choice to say yes, but complete blockage is uncool.
---- Booth was a patriot ----
You think people will care enough to switch to openjdk or just....no?
Nobody should be running Java in browser. It's a blinking, gaping 'zero day me here!' for any drive-by malware and Oracle can't keep up with the exploits (though they still keep trying to re-enable their plugin on install, along with trying to install junkware, the evil bastards).
I do use Java for standalone apps, this is not an anti-Java thing - it's the browser plugin that is the problem.
Big slow institutions that are stuck using Java can pay the $100 and still get the extra drive-by protection. Everyone wins. Of course the baddies could still get a cert... but then we're back to 'don't run it in browser.'
The embedded systems may not even HAVE java, just the compiled applet and an itty
bitty web server.
It's the version installed on the client machine.
Is it more difficult to give up on making the sandbox mechanism secure or to review all code for all applets to make sure they are "trustworthy"
I would think money making conspiracies aside the first approach is a solvable problem while the second is a hopeless fools errand... perhaps I'm wrong given there are just 3 remaining people in the world still using java applets on their websites.
Nobody should be running any fully functional, system aware, computer program in a browser...
A java applet is a java computer program written by "someone" coming from "somewhere" running in a browser on your computer.
Replace "java computer program" with "c++ computer program" (or any other "real" language) in the previous sentence, and it describes a situation no less dangerous, arguably more-so.
It has nothing whatsoever to do with the language, its the paradigm.
If sites like LinkedIn provided certificate management to their members many security issues including this one would be resolved.
It currently costs a minimum of $100/year
Wow, I'm a malicious java programmer and this is really going to stop me!
Scarlett: Rhett, Rhett... Rhett, if you go, where shall I go? What shall I do?
--
BMO
But people still use Java in the browser? That's like, so 1996.
except for the lack of other scripting languages' acceptance in the Windows world. My preference for most things is python, though I use some ruby (for Puppet) and perl here and there. Works great on the Linux boxes, but I hate to widely deploy Python or Perl just to run a couple scripts on the Windows boxes, and I end up settling on Ruby since it came with Puppet.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
You've brought your oracle licensing to java now!
You should be worrying about the cost of containing a massive deployment of malware across millions of vulnerable systems. I don't think this is unreasonable. Your freedom is not being attacked, well, except your freedom to be infected by drive-by malware.
Does this mean the new Java will start bitching about legacy Java applications I've been running for years?
What will this do to companies that run their own Java applications? They can no longer apply security patches for Java in the near future without the massive cost of repackaging their self-made Java code?
This has "money grab" written all over it.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
IPMI is a UDP protocol that has no direct relationship with a browser.
If you are instead implying that service processors frequently have web interfaces that employ java, at least with IBM the current state of affairs is java web start, which means no browser plugin even if it does use java. Even if they were, you don't have to worry about the vendors being too cheap to fork over the chump change.
XML is like violence. If it doesn't solve the problem, use more.
Honestly, while having users authenticate a self-signed cert in a browser did help with security, etc it also broke a lot of devices. I still cannot use my WRT54G with any modern browser aside from the default browser on Android 2.3.6; same with my newer model router with latest firmware.
And honestly the problem IS NOT the hardware I'm accessing - its the stupid browsers.
They're only going to cause the same kinds of headaches for everyone.
P.S. I'm not in favor of Java or Java Appletes, but it still seems like a bad thing given how it impacted browsers accessing valid websites with self-signed certs.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Applets are a dead technology. All three of the people impacted have been informed of this change. And they're quite angry. For the rest of us, disable Java (along with ActiveX etc...) in your browser and continue with life.
So that pretty much means that they are admitting that they never managed to get sandboxing to work properly for Java.
That will kill one feature that I have in an application, and that feature is for company-internal use only, so self-signed is sufficient.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
I have an old dlink ip camera that I use to watch the front of my shop and it uses an unsigned java applet. I'm cheap, I don't want to replace it.
lose != loose
true, Java wasn't created for applets, it was supposed to be run in your washing machine. The web thing was just a demo.
Anyway can't we stop use java now finally?
(and here I thought everyone already at least stopped using it in a webbrowser years ago.... Mozilla, Google, Opera and others, can't you make sure your next version it is *impossible* to install a java plugin? please?)
So the subject line sounds either wierd and twisted, or it sounds like an old IRC forum, or its an idea presented by Oracle and other holders of the Java that want it killed. Now when Sun was Java's patron, they kept it, and allowed bits of it out into the community (although there is a murky history there too). But with Oracle, they are more determined to kill Open/Java. When they offer red warning labels, they may as well be flashing red warning labels (like an Amiga Guru Meditation Number), leaving java to wither on the vine. So JavaScript, yes, Java, no.
Most of the iLO's use java. Supermicro's would be blocked by this. (Maybe they will just pay the money which would be good).
This would be great if they can allow for control of how it behaves. I could block it for generic Internet sites, but allow it for trusted sites.
Most significant software is open-source.
This will therefore entirely kill Java, and not just for "casuals".
Its about time Oracle change the name of applets to be JAT (Java Applet Architecture) or something less catchy..
The point is that applets are messing up the Java brand.. so brand them with some other name and keep people from confusing Java with applets.
For example advice like: "remove Java from your machine" would change to "remove JAT from your machine"
Java is very successful server side.. I can't understand why they continue to contaminate the brand with the half baked plugin that only serves as a security hole.
I just RTFA and I don't see any of the quotes mentioned in the summary. Nor do I see any mention that unsigned or self-signed applets will be blocked in the future.
True also for Dell, Intel and HP. And the KVM switch vendors (e.g. Avocent). Problem is that while they'll pay for certs for the newer stuff, they're not going to release any new firmware for the older "not supported anymore" stuff. So all those console switches in your datacentre? Worthless, unless you stick with old Java. Same for managed PDUs hosting a little Java applet. Possibly even some rather large web-managed UPS. Same for thousands upon thousands of other supporting appliances of God-knows how many types. Heck, there are companies still rocking servers that are 4, 5 years old; those aren't getting updates to sign the Java applet either, let alone the 10 year old stuff that still hosts the NT4 app that no-one knows how to replace or migrate.
So basically this is going to force companies to replace perfectly good infrastructure or deal with losing remote access to things, as well as screw with hobbyists who have older stuff in their basement/garage/closet/bedroom.
it's only for applets.
besides, 100% of java programs done by anyone with any sensibilities bundle a jre with their installation package.
most common example of this would be the arduino ide. sure, it makes the install packages bloated but at least the fucking programs work and most of the users are totally oblivious to the fact that the program is written in java and running in a java vm.
If I had to guess most signed java programs are malware though.. only malware authors would bother to go through the hoops! You know what was a pile of stinking shit carcasses? sun signing for J2ME - that one aspect practically guaranteed that mobile companies ran far away from j2me and straight into android. that system and what benefits you could get it was stupid even on paper and even vastly more stupid on actual implementations(and of course it differed greatly depending on the j2me vm manufacturer and even from one operator variant to other.
"you mean I signed this shit for nothing? that the user will STILL get 3+ yes/no dialogs for every single file creation? and none for running a local executable from the filesystem?!?" yes, on series60 you could execute local native .exe from within j2me, provided the file was already there. but you couldn't save a ringtone from j2me without spamming the user with confirmation dialogs.. I'm not actually sure if one was supposed to be able to do that but if you just opened a local file through address opening then it ran it.
world was created 5 seconds before this post as it is.
That is why windows still says "untrusted certificate do you want to continue" or similar all over the place. Just because Verisign didn't get their $100 this year doesn't mean I no longer trust the source. Additionally, do you really thing hackers won't find a way around this? They are already trying to find a way into your system it will just be one more thing they have to get right before they can force their way in. Or they'll go after services, flash whatever.
Web developers can't count on users having Chrome available. When a web application detects that a required JavaScript object is unavailable, it displays an error message to the user. In such a case, whom does the user blame?
WebGL is fine.
From this page, Atom N450, Xubuntu 12.04, Xorg 1.11.3, Firefox 24: "Hmm. While your browser seems to support WebGL, it is disabled or unavailable. If possible, please ensure that you are running the latest drivers for your video card." This Mozilla page recommended looking in the "Additional Drivers" utility that came with the operating system, but all it showed me was the driver for a Broadcom NIC that I'm already using. The Mozilla page also referred me to Intel's driver update utility, but that's Windows-only.
Good luck with that if the feature you relies on shows up as (void)0 (that is, unimplemented) in the end user's browser. It's apparently easier to get end users to upgrade a Java plug-in than to switch to a different web browser.
It's not $100; it's $100 per platform per year. If you buy a Java certificate, it won't work on any platform that isn't Java, and it'll self-destruct after 365 days.
So Java applets will become less common on the internet? OMG, I can't belive this!
I wrote a embedded control system for a small company that has a webpage UI in which an invisible Java applet is embedded that controls both the webpage and the machine's devices. Will they now have to pony up $100/year for a cert, which would be a non-trivial drain on their resources, particularly if the certs need to be annually and manually re-installed at each location around the world where the machine is installed?
While it doesn't change the bad taste in the mouth that forcing this change, it is not exactly true the minimal cost for a code signing certificate is $100 per year. Startcom has for a long time now challenged common CA pricing including free server and s/mime certificates. While their code signing certificates aren't free, $60 per year is not bad. It still beats the $100 per year fee to be an Apple iOS application developer. For those on the majority market share browser [1], Chrome, there has already been a trend away from Java. It already will pop up a warning that Java can't be trusted. Firefox has also been producing warnings regarding use of Java. Also, future versions of Chrome will take things to the next level as they plan to remove all NPAPI support (which Java currently depends on for in-browser applets) by the end of 2014. Given how poor a job Oracle has done with serving the Java community so far, I find it unlikely there will be any port of Java to use Pepper API to NaCl to continue to provide Java applets for Chrome. It is more likely that Oracle will try to push the webstart out of browser launching of Java applications as a replacement for the in-browser plugin. As for in-browser applets like projects, the message seems clear that casual and professional programmers alike should be considering HTML5 and javascript instead of Java. [1] http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
This update might be the death knell for the Java4K contest. That would be a real shame - lots of great developers have submitted games over the years, such as Markus Persson of Minecraft fame. But after the recent changes and now this red text warning, I'd bet most casual users will turn off Java in their browser (and who can blame them?) A contest with only developers can still be fun, but not as fun as having several hundred or thousand people play your game.
A recursive sig
Can impart wisdom and truth
Call proc signature()
Nobody with any brains uses applets. They/ve never been and never will be secure.
Javascript and client side development are for stupid hacks who don't get the fact that you can't depend on the client's browser to support the features they want to use.
Come over to the server side!
Consider getUserMedia/Stream API, necessary for use of a camera or microphone from JavaScript. That's still prefixed everywhere and unavailable in IE, Safari, Android Browser, and Firefox for Android.