Will New Red-Text Warnings Kill Casual Use of Java?

New submitter ddyer writes "Java 1.7.0_40 [Note: released earlier this month] introduces a new 'red text' warning when running unsigned Java applets. 'Running unsigned applications like this will be blocked in a future release...' Or, for self-signed applets,'Running applications by UNKNOWN publishers will be blocked in a future release...' I think I see the point — this will give the powers that be the capability to shut off any malware java applet that is discovered by revoking its certificate. The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate.'"

red spots

red spot warnings have not killed off casual sex.

So-- probably not?

Re:red spots

[TWX]

Yeah, but generally that kind of screwing has a strongly anticipated immediate short-term benefit, even with the long-term ramifications. I don't see such euphoria in the original case...

Re:red spots

[minstrelmike]

warnings haven't killed off sex because you have to have sex, even if only by yourself, but you don't have to use java.

Probably not, but if it does, good

While I would hope for the day that Java dies the pathetic death it is due, I doubt that will happen. Much more likely is that "unauthorized" Java VMs will start to crop up that let the user whitelist applets rather than relying on Oracle's certificate system.

Re:Probably not, but if it does, good

[Gerzel]

Or people will just move to the OSS version.

Re:Probably not, but if it does, good

[InvalidError]

I doubt Java as a programming language is going to die any time soon since Android, which has been the fastest-growing platform for a while now, is pretty much a JRE running on top of a Linux-based kernel.

Oracle's own walled-garden Java on the other hand might not fare so well.

Re:Probably not, but if it does, good

[pwizard2]

Much more likely is that "unauthorized" Java VMs will start to crop up that let the user whitelist applets rather than relying on Oracle's certificate system.

Doesn't OpenJDK already do this? I haven't done Java in years so I'm a bit behind the times.

Re:Probably not, but if it does, good

Without binutils, libc, etc linux is useless. So, to claim the OS is just the kernel is a little short sighted.

But Stallman of course fails to notice Xorg/etc which are also important to the concept of a modern OS. Which is why no one really calls it GNU/Linux because if GNU gets their name there it probably should be KDE/XORG/GNU/Linux or Dalvik/SurfaceFlinger/Linux, etc..

Re:Probably not, but if it does, good

[harlows_monkeys]

Technically a Linux based OS should be called GNU/Linux implying that it is a GNU OS running on top of a Linux kernel.

That's historically not accurate. Here's a cut/paste of a comment of mine from another forum on the matter of naming the system that is commonly called Linux:

Historically, naming rights for an OS go to whoever actually puts together and distributes the complete system. For instance, if a workstation company licensed Unix from AT&T and ported it to their workstation, they got to name that OS whatever they wanted. A couple examples of this were Uniplus+, which was UniSoft's Unix, and 386/ix, which was Interactive System Corporations Unix. Both were Unix systems--they used a Unix kernel and Unix utilities--but that wasn't their names. Half the fun working at a Unix workstation company in the early '80s was thinking of a neat name for your Unix port. :-)

For the complete systems distributed by Canonical, Red Hat, and the like, they are the ones who get to name the operating systems that they distribute. Ubuntu calls their OS the "Ubuntu operating system". Red Hat calls their OS "Red Hat Enterprise Linux".

Yes, they are also GNU systems, but if we want to be historically accurate, the most correct way to view this would be to view "GNU system" and "GNU/Linux" as specifications for a specific Unix-like userspace and for an OS that runs the GNU system on a Linux kernel, respectively. The Ubuntu operating system complies with the GNU system specification and is a GNU/Linux system, but it is named Ubuntu operating system.

Re:Probably not, but if it does, good

[exomondo]

Linux-based kernel

Er, not to split hairs but I think you meant to say "Linux kernel".

Isn't the Android kernel the Linux kernel with some modifications, hence making it 'based on Linux' or 'Linux-based'?

Re:Probably not, but if it does, good

[jonwil]

I dont think Java will die. But if this new measure makes Java applets embedded in web pages die, great (I dont even have Java installed on my Windows PC after all the crap the updater does with trying to force unwanted programs down your throat)

Re:Probably not, but if it does, good

No, no one calls it GNU/Linux (or even worse, GNU+Linux), is because that's a stupid waste of time and just petty attention whoring on Stallman's part.

Re:Probably not, but if it does, good

[AbominousSalad]

Somebody +1 dat shiz.

Re: Probably not, but if it does, good

[ffox80]

All of the Android stuff is now in mainline, l believe. So modifications to kernel source is no longer necessary.

Re:Probably not, but if it does, good

[InvalidError]

Er, no. I really meant Linux-kernel-based as in kernel-only.

Android uses the Linux kernel but ditches most of the GNU stuff since it only needs what is required to support the JRE in a graphical environment and is not intended to run native applications. With most of GNU stripped from it, Android can only be called a Linux-kernel based OS since it is nowhere near GNU-compliant.

If you want full GNU support on Android, you need to use a custom ROM that adds all the stuff Google stripped out back.

The main thing preventing Google from integrating more stuff directly in the kernel, JRE or elsewhere to eliminate more middleware is license clashes between GPL and more permissive licenses like Apache and BSD.

We can only hope...

[DavidHumus]

But don't get your hopes too high.

Re:We can only hope...

[delt0r]

Yea, the other day i was using MS word. Used like massive amounts of ram, was slow, sluggish response times and just all round awful. If they didn't write it in java it would be awesome. Oh wait.

For some reason everyone thinks java programmers are perfect. Because the only reason java code is slow and bloaty is because of the language and not the programmer. While everyone seems to agree that slow C or C++ or whatever is because of the programmer.

Fact is most crap programs are written like crap in whatever language they are in. C/C++/Java/D/Fortran/Cobal whatever. However i would perhaps suggest that writing fast efficient pure C++ is harder than most langs. And that 99.9% of java code out there is really poorly written.

And thank god perl is finally dying.

Apparently, applets only

[SirGarlon]

TFA says this is for "Rich Internet Applications," that is, Java applets embedded in Web pages. It doesn't seem this would affect Java programs that you execute locally, such as (for example) Eclipse.

Re:Apparently, applets only

[snookerdoodle]

Exactly.

OP doesn't seem to know anything about Java.

This will not affect standalone Java programs, only applets.

It could be argued that they should have done this a long time ago.

Mark

Re:Apparently, applets only

[i+kan+reed]

It could also be argued that java has no place in browsers given the modern flexibility of javascript. The UI features are worse, the performance differences are negligible, legit code is sandboxed either way. All you're left with as an advantage for true java is threading.

Re:Apparently, applets only

[jonabbey]

This would not affect Eclipse, no, but it does affect locally produced applications that are distributed from an intranet web server with Java Web Start / Java Network Launch Protocol.

Previously, we could just self-sign our app and users could choose to accept the app once and for all and not be bothered so long as the signing cert didn't change. Now, all of our users running Java 1.7.0_40 are given the threatening dialog each and every time they run our internal app, and they can't get rid of it.

We're going to pony up for a code signing cert from a (Java-recognized) certificate authority to make the dialog go away. It's a hassle, but probably still the right thing for Oracle to do at this point.

Re:Apparently, applets only

[Blaskowicz]

Performance differences negligible?
The most advanced thing I've run in javascript was Wolf3D. I remember javascript doom was not playable (it's not available anymore, because of unauthorized use of the game assets). Java has smooth Minecraft and whatever stuff, for example Text Express from Zylom which is a little game that runs very smooth ; you can barely run a Tetris in javascript and it will look like a Windows 3.1 freeware, use shit ton of CPU, make the whole web browser slow.

Re:Apparently, applets only

Can't you make your own CA cert, shove that into the JRE/JVM keystore, and chug along "for free"? Or did you decide that it was worth $100/year to not deal with having to automate running keytool on all your desktops?

Re:Apparently, applets only

[ddyer]

The current warning promises that in the future, self-signed certs won't be accepted at all.

Re:Apparently, applets only

>the performance differences are negligible
In javascript you can run multi-threaded computation, you have access to native network buffers (for no copy transfers of large amount of data), ... I was told no.

>given the modern flexibility of javascript
So, you are saying: if there is a Java library to do it, there is _always_ a javascript library to do it. Access to any file format, implementation of any network communication protocol, ...

I am _really_ skeptical. Javascript may be great for accessing web servers and dishing out html, but that's not all that people would like to do in a web page...

Re:Apparently, applets only

[i+kan+reed]

The most advanced you've played has no bearing on the most advanced you can play. WebGL is fine.

Re:Apparently, applets only

But if the cert is signed by a cert in the jvm's cacerts file it will be signed by a certificate authority. That's what that file, and only that file, does; it defines what certificates the jvm recognizes as belonging to a certificate authority..

Re:Apparently, applets only

JavaScript is an awful mess of a language. It has more gotchas than most other mainstream languages combined, its inheritance model is a failed experiment, and features for large scale software development (for example packages/modules/interfaces) are non-existent. Its UI features are limited to a relatively primitive interface (DOM) to the much more well-designed HTML.

The only thing that makes JavaScript look good is Java Applets. Fans of JavaScript should fight for Java Applets with all they've got.

Re:Apparently, applets only

It could also be argued that java has no place in browsers given the modern flexibility of javascript.

The modern flexibility of Javascript is still quite limited compared to Java Applets when you need features provided to signed applets (free local file access, starting applications).

Also javascript lacks a lot of features, smaller standard library, very slow user interface libraries (compared to swing that says something), limited 3d API ( jogl/lwjgl give you access to the full OpenGL stack), limited sound API, static typing, mostly sane ==/equals behavior (yes I know you should use ===).

Re:Apparently, applets only

[GodfatherofSoul]

Spoken like someone with very little knowledge of one or the other. Yeah, you'll get modded up on Slashdot, but any "java is slow" post is.

Re:Apparently, applets only

[bws111]

I doubt many businesses (well run ones anyway) are using self-signed certs. Most likely they are using certs signed by themselves as a CA, which is not the same thing. If they are signing as their own CA then all they need to do is add their signing info to the truststore.

I would think businesses would welcome this change. They can ensure that their own apps run while making sure some app on a webpage somewhere does not run.

Re:Apparently, applets only

[bws111]

An certificate signed by an internal CA is not the same thing as a self-signed certificate.

Re:Apparently, applets only

[Darinbob]

However applets could be what it means for "casual use of Java".

Re:Apparently, applets only

[jimshatt]

+1 informative

Re:Apparently, applets only

[jonabbey]

Yes, you could do that, but then you'd have to distribute the updated cacerts to all desktops that need to run your app, and keep it updated whenever a new JVM comes out.

Oracle did implement a runtime configuration file that could be used to whitelist certain hosts, but the distribution problem remains.

Re:Apparently, applets only

[bigpat]

Also of note that it appears that the applet will accept any certificate that the browser recognizes from any trusted authority. So there are a variety of SSL certificate options at various yearly prices. Right now I see one offering certificates for $60 per year.

So, yes it will increase the cost of publishing a java applet on a website, but no this doesn't create a central authority out of Oracle for revoking certificates like the OP says. It just ensures that people can verify the identity of web sites publishing the applets.

Not sure I think it is a good change. Especially, once they block unsigned browser based applets altogether. That could be a bit too far.

Re:Apparently, applets only

[Anonymous+Brave+Guy]

It could be argued that they should have done this a long time ago.

But it wouldn't be argued by anyone who actually knew what they were talking about.

For one thing, signing a Java applet proves exactly nothing about how trustworthy it is. You can easily get a signing certificate by spending a small amount of money and waiting a small amount of time. The whole concept of granting increased permissions to untrusted software just because it's been signed is absurd.

Secondly, blocking unsigned applets will break numerous existing web-enabled devices, which has been one of the significant remaining use cases for applets in recent years. These are effectively running embedded web servers and serving up the applets from there, so you can't just go in and upgrade them later when your certificate expires (and the longest cert periods you can get from major CAs are only about 2-3 years, a fraction of the normal lifetime of some of these devices).

The craziest thing is that the kinds of device I'm thinking of are typically used by the IT guys in large organisations. Some of them are going to go through months of approval process before they get installed, and when they do it will be in server rooms or data centres, accessed electronically via a separate management network with no connection to the outside world, and accessed physically via biometric security that would make James Bond cry. But in order to keep those applets safe, now they need to be signed too, just in case? Seriously?

Not everyone using applets accesses them from a public web site. They can't necessarily upgrade or replace them on a whim. The kinds of environments still using them are more likely to be exactly the kind of long-running projects where whipping up a quick replacement in JavaScript isn't a sensible option and where backward compatibility really matters.

Also, to anyone who thinks alternative technologies like JavaScript and HTML5 canvas/SVG offer the same flexibility and speed as Java applets, I know a prince in Nigeria who'd like to sell you a classic car from his collection for a great price.

Re:Apparently, applets only

[Anonymous+Brave+Guy]

Part of the problem here is that Oracle keep moving the goalposts. Even if what you describe is true today, it seems unwise to trust that it will remain true tomorrow and they won't do something crazy like lock it down to a predetermined list of "approved partner" CAs. What they've been doing in the name of improved security over the past year is already crazy on several counts anyway.

Re:Apparently, applets only

[dkf]

Yes, you could do that, but then you'd have to distribute the updated cacerts to all desktops that need to run your app, and keep it updated whenever a new JVM comes out.

That's relatively practical for an intranet, especially one where all the clients are under at least some central control.

Re:Apparently, applets only

[locopuyo]

http://www.unrealengine.com/html5/

Re:Apparently, applets only

[thegarbz]

The most advanced thing I've run in javascript was Wolf3D.

Did you sleep through the Chrome Experiments? Most of those examples are way more computationally intensive than Wolf3D and Doom. Many use 3D acceleration, some even raytrace. Most run at higher framerates then Wolf3D was even capable of.

Re:Apparently, applets only

[luis_a_espinal]

TFA says this is for "Rich Internet Applications," that is, Java applets embedded in Web pages. It doesn't seem this would affect Java programs that you execute locally, such as (for example) Eclipse.

It begs the question, who the f* still writes java applets in this time and age, specially for web RIA? So many options exist for RIA in Java or JavaScript (or both), applets are, in general a devil's spawn from a distant past (and a clumsy tool for the clueless software shop.)

Re:Apparently, applets only

[hibiki_r]

It's not that difficult a job: Big enough places go as far as only distribute java updates through their own channels, which include the cacerts file.

I had to do this same hack years ago to make a Swing client be able to talk to our own servers through HTTPs, when the server was using self signed cert. We created a CA, issued a bunch of certs to the servers using that CA, and then added the CA's identity to cacerts.

More pain than we'd like, but it sure beats having to deal with verisign for every intranet server we had, or could ever build.

Re:Apparently, applets only

[devent]

Are you kidding me? Dare to show me just one Javascript GUI that does not suck?
Browser/HTML GUI is still at least 20 years behind Desktop GUI. No surprise, because the Web was not designed for rich GUI, but to present hyperlinked information. I'm still sad that Sun/Oracle does not have the courage to push Java applets, and make them more integrated with Web sites. If I would think how much user friendly Facebook as a Java applet would be, or Twitter. But instead we have this clumsy Javascript GUI that breaks with every odd browser version, have no accessibility, common accessibility features, like hot keys, mnemonics, are inconsistent from page to page.

Re:Apparently, applets only

[Lehk228]

instead they would have clumsy java GUI that breaks with every JVM update and every site would still use inconsistent hot keys and shortcuts.

Re:Apparently, applets only

[dissy]

The craziest thing is that the kinds of device I'm thinking of are typically used by the IT guys in large organisations.

Most medium to large IT shops run their own Certificate Authority that is only trusted within the organization.
One can sign unlimited keys this way, as well as avoid the age limits the public CAs cap you at.
Windows networks have a GUI for this, so the process only takes a couple minutes.
Unix networks use openssl, which I admit takes a bit of learning to use if it isn't something you do regularly.
Personally I use TinyCA as a GUI front end instead.

For one thing, signing a Java applet proves exactly nothing about how trustworthy it is. You can easily get a signing certificate by spending a small amount of money and waiting a small amount of time. The whole concept of granting increased permissions to untrusted software just because it's been signed is absurd.

Two things in reply to this part.

1)
GlobalSign.com has a free code signing tool.
(Likewise, OpenSSL offers free class-1 certificates for your web server)
Both are major public CAs trusted by default. Even a small amount of money is not much of a problem.

2)
Your comment about proving trust is part right, but part wrong.

What cert and code signing actually does is prove the apps/servers in question is linked to a particular private key.
Only saying "that key is that person/organization" is not proven or a given.

So it is still useful to know if future apps/servers are from the same source, and on a much lower level showing what org claims to be that source.

In other words, if you make and put up an app signed by your private key, then later you make and put out some other app signed with the same key, then PKI has just proved both apps came from the same source.
If I downloaded those apps from your website, and your name is in the readme, then it is safe to assume any apps signed with that key are yours.
I can then choose to trust those apps based off my level of trust for you.

If you make awesome apps, that trust will go up.
If you put out some infected app, or otherwise damaging software, that trust will go down.

But you are perfectly correct about PKI not proving anything regarding if you actually want to run that code or not. And this is a poor metric to be modifying Java to make such a choice on.
In the above example, you can just make a new private key to use, and it might take a bit before anyone notices the two keys are the same person and thus apply their trust rules accordingly.

That is the main reason a black list method will never work, only a white list method.

If I white-list the key your first app used because I trust it and you, then that trust will apply to your other apps too.
But if I black-list your key because I don't trust you, that is useless since you can generate unlimited private keys (and even one key per app, if you are trying to avoid black lists ;)

That's why Java blacklisting things (aka things not signed by a CA) is pretty pointless.

Re:Apparently, applets only

[Gavagai80]

Spending a small amount of money means there's a buyer on record as legally responsible if the applet turns out to be malware. That does warrant a lot more trust -- the threat of jail time makes it much safer.

Re:Apparently, applets only

[Blaskowicz]

Thanks, that sounds interesting, I think I've seen it mentioned it somewhere. It might do great things for FirefoxOS, and the web in general. You can see it the other way around : compiling fast code to asm.js :-)

Re:Apparently, applets only

[Xest]

"WebGL is fine."

Fine != Better performing.

Stop confusing the two and just admit you were wrong to pretend Javascript performs as well as Java. Java is still far better performing than Javascript and whilst Javascript may be "fine" for your needs it doesn't change the fact it's still too slow for others needs relative to Java.

Re:Apparently, applets only

[Anonymous+Brave+Guy]

That's only worth anything if the buyer's identity has been reliably confirmed and you can expect to find them later. The odds of that happening with someone writing serious malware seem... less than favourable.

Re:Apparently, applets only

[Anonymous+Brave+Guy]

All fair points, but I think possibly you're overestimating your chances of getting IT management to sign off on authorising an outside organisation's custom CA in, say, a government department or healthcare provider or financial services company. They probably don't even allow the standard ones in that environment, preferring to use only their own, which won't have been used to sign the certificate used with a third party's applet unless major hoop-jumping has been involved. Even if they did allow standard ones, if you've got no connection to the outside world to verify the chain of trust, it's not worth much from a security point of view.

In any case, we're talking about an applet embedded in a device that was probably physically supplied, in person, by a background-checked contact from the supplier, and then handed over for installation by senior IT people in the receiving organisation. It's not as if the identity of the supplier or anyone else who ever touches the box is going to be in doubt in this kind of environment.

(Obviously at this point I'm talking about an extreme example and most applets aren't going to be running in that kind of highly secured environment. I'm just illustrating the folly of assuming that absolutely requiring a signed applet regardless of what the local security experts want is necessarily good for security.)

Re:Apparently, applets only

[Gavagai80]

All it has to do is make the malware author worry that they're not 100% sure they'll cover all tracks without making a mistake. Anything that makes evil trickier helps a lot. And of course, if they have to use a stolen credit card I'm sure there are a lot of malware authors or young aspiring malware authors who don't have one because that's not their field of crime. And if they do use a stolen card, the certificate can be revoked later when there's a chargeback.

Re:Apparently, applets only

[Tablizer]

Graphics need a more robust language with compile-time checking etc. JavaScript is fine as a glue language, but not a reliable graphics engine.

Re:Apparently, applets only

[Lehk228]

technically the entire applicaiton not the GUI not my code, code my friend has to manage

Re:Applets only

[logjon]

I wish this were true.

Why should it cost to be trusted?

[EzInKy]

Businesses spend money to make money, and since profiting off others is the ultimate goal why should they be trusted?

Re:Why should it cost to be trusted?

[Altrag]

Reputation and accountability. This kind of "feature" isn't about preventing Walmart from exploiting children in some foreign country, its about preventing malware and ONLY about preventing malware.

If a piece of malware gets written under this scheme, there are two possibilities:
1) Its not signed and the user clicked OK anyway. Its on the user's head if things go bad.
2) It is signed and Oracle can track down the original signer.

No (reputable) company would want to fall under #2 ever and they'd be loathe to fall under #1 -- $100 and a few hours of paperwork could be burdensome for an individual developer but a mere annoyance at best to even a small firm (unless they're literally on the edge of bankruptcy.)

At the end of the day though, my guess is that this is mostly about passing the buck. Oracle can 100% disclaim responsibility in #1 (well, we warned you!) They've got a bit more responsibility in #2 (in particular, they might have to show that they made a best-effort attempt at preventing malign companies from obtaining or worse, forging, a valid signature and also potentially take some steps to identify said company after the fact if required.)

#1 is particularly obnoxious for end users though. You get a bit of a cry wolf scenario (if Windows' equivalent is anything to go by) in the sense that you see just so many of those popups, probably more than 99% of which are harmless, that your average person would likely fail to recognize the one that isn't harmless. Whether that's a court-worthy argument or not is beyond my ken.

Probably Not

[Ksevio]

"Casual" use of Java is fairly rare - if there's an applet on a website, I'm probably going there to find it and won't be worried about it being unsigned. Most sites use Flash or Javascript rather than fire up the JVM.

The typical user will just click "Run" no matter what it says anyways, that's why Google's malware blocking doesn't even give the option to proceed to the website on its warning page.

Re:Probably Not

Now if you only knew the difference between Java and JavaScript.

Re:Probably Not

[Impy+the+Impiuos+Imp]

> The typical user will just click "Run" no matter what it says anyways

I don't know what kind of web sites you visit, pal, but mine are much more perverted and I'll be glad to have a dynamic choice to not run stuff.

Re:Probably Not

[Urza9814]

"Casual" use of Java is fairly rare - if there's an applet on a website, I'm probably going there to find it and won't be worried about it being unsigned. Most sites use Flash or Javascript rather than fire up the JVM.

The typical user will just click "Run" no matter what it says anyways, that's why Google's malware blocking doesn't even give the option to proceed to the website on its warning page.

That's exactly what this is, but worse. They're saying that in some future release there will be no 'just run it anyway' button. Google's malware page *does* give an option to continue, it just takes a couple extra clicks to get there. This will have no such option. Also, appealing Google's block is quick, easy, and free. There's no appeal here, just extortion.

Essentially what Oracle is doing here is saying to all the applet developers: "It'd be a real shame if something were to happen to that app of yours...how about we provide some protection, for a small fee of course..."

Re:Probably Not

[Ksevio]

Google's malware page *does* give an option to continue

Last I saw, the only way was to copy the URL and paste it in the address bar, but it may have changed.

Re:Probably Not

[Ksevio]

To be more clear - unsigned applets such as a utility for a game made by a player I know or other cases where the point of visiting the page was to use the applet (where I'd also risk downloading a program). Not cases where I'm browsing the web and there just happens to be a mysterious java applet

Re:Probably Not

[Ksevio]

You still have the option, it just requires you to check a box first according to TFA.

Re:Probably Not

[Urza9814]

Last time I encountered it (earlier this week) there was a 'take me back' button, and beside that was a small 'advanced options' link. Click the advanced options link and it'll give you a 'continue anyway' button. Been that way for quite a while.

ACK!

[TheCarp]

The noitice is good, and in the general case this is good. I see some serious problems for system admins who have to use systems with older ILOs. Just about every ILO or remote console I have used in the past few years has been java based and used self-signed certs.

It would be nice if you could whitelist trusted networks. I would like this when going to random google pages, this will be a serious pain when it comes to administering systems.

Re:ACK!

[jbmartin6]

Time to start archiving versions of portable Java so they will be available for use with a standalone Firefox Portable to run all those legacy apps. Or something similar.

Re:ACK!

[ADRA]

You used to be able to install self-signed certs into a keychain, and I'd be surprised if they took away the ability to do so in the future.

Re:ACK!

[TheCarp]

I don't actually deal with ILOs in my current position (often anyway). However the last environment I was in was utterly pathological. the ILO would generate its own self-signed cert, meaning you would litterally need to install a new cert for every single ILO.

Maybe that is fine in a small environment, I have been working in ones where we are talking about something on the order of 2000 systems.

Re:ACK!

[ddyer]

That's exactly what's promised by the red warning seen today.

Re:ACK!

[TheCarp]

Well promises are worth what? :)

I worked at my first year for 5 years. 5 years before I started they first announced they were going to kill off the old VMS based email system. I was gone for 2 years before they finally actually killed it....because every time they tried, someone raised a stink.

Re:ACK!

[CrimsonAvenger]

I worked at my first year for 5 years

And here I was thinking this last year was long...

Re:ACK!

[Junta]

Does it do plugin or java web start? In the latter case, this doesn't factor in. Most things that I deal with that once were java plugin centric are now java webstart if they can't manage to pull it off in http/javascript/html

Casual use of Java

> The unfortunate cost of this is that any casual use of Java is going to be killed.

You may think you're just a casual user of Java. You may think you just use Java for recreational purposes. Everybody knows Java is just a gateway language for other languages like C#. And we all know what happens to C# programmers.

Re:Casual use of Java

[slack_justyb]

Pffft As if. They're developers still, not freaking management or goodness forbid sales department. Besides, being a Microsoft centered guy must be tough. It sucks having everything you learned tossed out the window by the time you've gotten a good grasp of what the hell you're doing. "Hey Dan, looks like we won't need that XAML based program, can you go grab a book on Modern UI?"

Re:Casual use of Java

My job requires me to use both C# (for most projects) and Java (for Linux and big data applications.)

Visual Studio is hardly the be all and end all of IDEs. I have not found Eclipse, NetBeans or IntelliJ to be inferior. Indeed, Visual Studio without ReSharper (which is very similar to IntelliJ, imagine that!) is quite a pain in my humble opinion.

So can I take it from your post that you use both Java and Microsoft IDEs, and have an informed comparison? Or perhaps was the last time you used Eclipse a decade ago? Or have you never actually used Java and are just here shilling for MS?

Don't get me wrong, C# is a pretty nice language. The tools that go with it are also quite good (with wrinkles, like everything). If you need to do something that doesn't run with Windows, or need to actually program Hadoop (without using "Streams") than C# isn't an option. I wish it was.

If C# was actually available in a supported and production capacity on a wide number of platforms, INCLUDING the standard library, and maybe even Open Source, that would be quite nice indeed. But reality is far from this.

(Some might argue Mono helps with Linux. It's used here for some things, but the VM is well behind both Java and the official MS VM. I'm not comfortable using it for production. The Lagging compatibility with C# doesn't help either.)

Re:Casual use of Java

No, as a C# developer myself, I can truthfully state the the GP is not a troll and that your "go learn something new" scenario is as rare is hens' teeth.

Nobody actually uses that stuff in production because of Microsoft's poor track record for supporting those types of new features. Instead, I'm writing:
1) Console applications for data manipulation
2) WinMo applications for handheld stuff
3) Webforms stuff (and a few new MVC4 bits and pieces) for web portals
4) Web services (yes, "legacy" WSDL/UDDI stuff) and a little bit of WCF for web data feeds
5) Winforms applications for whatever desktop apps are left over

No WPF, no WinPhone, and certainly nothing for the "metro" or "modern" or "xbox-pissed-in-my-corn-flakes" UI, whatever it's called this week.

I have yet to find a dire need for WPF or anything related to it, and I have yet to even see a WinPhone in the wild or a metro app that wasn't bundled with Windows 8. And other stuff like LINQ and Entity Data Model stuff have their own problems, mostly in their attempts to be smarter than the developer. Spoiler: it's not, and when it tries, it stops being useful.

Re:Casual use of Java

[Dracolytch]

I was being a bit tongue-in-cheek (apparently that's viewed as more trolling than humorous here, but whatev).

I've been a developer, and I've been management... Most developers get paid as well as their immediate management, and very often better than the sales department. I actually left being a developer/manager to go back to being a developer. Pay raise, better work. Right now my day-to-day is PHP, Java, and C#, depending on the project.

ANY technology is prone to being obsolete before it reaches its full potential. If you jump on the bandwagon just because it's being released by company/group XYZ, you're crazy. Microsoft releases frameworks that don't last. Google kills apps. Blackberry does stupid stuff... It's all variations on a theme.

For every two or three poorly concieved things MS publishes, there is one that is actually really quite good and deserves attention. While C# and Java were once very similar, C# continued to grow as Java stagnated. Now Java's back in the game, but it's owned by Oracle, which scares the #$#( out of me. All that said, Visual Studio is still the best IDE out there.

Re: Casual use of Java

[slack_justyb]

No I got the humor. Sorry if you took mine to being serious. Honest mistake and lack of the ability to crack a joke. However in all seriousness, I think visual studio is great and all, but I don't know about best IDE full stop. But I guess to each their own.

Re: Casual use of Java

[Xest]

Most people who I see claim Visual Studio is not that great, or not as good as Eclipse seem to have done little more than load it up, make a default project and close it down.

Those who don't like it seem blissfully unaware of the things that make it great like it's refactoring tools, extremely smart and efficient intellisense, excellent debugging tools and decent testing functionality etc.

If you're one of those who just wants something where they can edit code, hit compile and have an executable then absolutely Visual Studio wont offer you an awful lot more (other than the best intellisense there is) than other IDEs but if you're doing fairly complex development and need all the tools an IDE makes available then Visual Studio definitely comes out way above things like Eclipse and even NetBeans as much as I like it for non-MS development.

Re:Casual use of Java

[Xest]

"And other stuff like LINQ and Entity Data Model stuff have their own problems, mostly in their attempts to be smarter than the developer. Spoiler: it's not, and when it tries, it stops being useful."

Can you expand on this? I'm not sure you really understand LINQ. There are different flavours of it (LINQ to objects, LINQ to SQL, LINQ to XML and so forth) so it seems odd to paint LINQ in general like that. LINQ isn't particularly magical anyway, LINQ to objects for example is just a bunch of extension methods applied to IEnumerable for the most part. The fancy syntax is little more than a shortcut for calling those methods and those methods don't do anything particularly exciting or overly complex.

The entity framework suffers the same pitfalls all ORM frameworks do so that shouldn't be surprising. Using ORM is like using anything, every once in a while it'll fit, but it's not a magical solution to all database access like some pretend.

Re: Casual use of Java

[slack_justyb]

The things I tend not to like about Visual Studio is, as you pointed out, the unit testing tools. Also, the ORM tools in VS are heavily tied to Microsoft tech. While you can do UML in VS, I tend not to like how the options are laid out or how the UML editor in general works overall. I also do a lot of BIRT and the MS tools are sorely lacking in that department. I'd also like to see the ability to manage server publishing from the IDE, VS seems to only get along in that department for MS stuff. While we do use quite a bit of Microsoft's stuff, it isn't the only thing. We have AS/400 systems, Linux boxes with Tomcat and Apache, and Mac OS X systems all using a lot of Java or native services. Again, Visual Studio just seems to be really focused in on Microsoft products. Which that's totally justifiable since it is a Microsoft product. I don't blame Microsoft for not including that kind of stuff, but it does make the tool a harder fit for what I need to do on a day to day basis.

I think VS is great as a code monkey that doesn't need their fingers in a dozen different things, but at my work I'm in a ton of different things and having Eclipse with the ability to jump into each task with a set perspective seems to be a better fit. That's not to diminish VS, but that it just doesn't do every I need it to do, and I get that I'm mostly an exception to the rule here. So I'm not trying to say that VS is just horrible, it just doesn't fit with what I need to do and apparently that is a lot. If I was working for a shop where dotNET was the main foundation, IIS was the main web server, ASP was the main driver for pages, and Microsoft's BI solution was the one that we picked, then yeah, VS would be my best buddy and friend. While I know that VS can get a bit outside of its intended domain (Python editor and Django support in VS is great), it just seems that sometimes it is a chore to get it to do that.

However, I do want to footnote that all the above is simply my opinion on the matter. I'm not one of those evangelist, I think that everyone should use the tools best suited for the job. I know that VS does fit into a lot of use cases nicely, it just seems like mine isn't one of them.

Re: Casual use of Java

[Xest]

Sure it sounds like most your problems are because you want to use VS in ways it was never intended to be used but I think there's a tradeoff in what you're asking.

Visual Studio is good because it specifically does focus on working well with specific technology stacks and sure if you want to step outside of that and use unsupported stacks then something like Eclipse may well be better, but I'd argue that's also why Eclipse's Intellisense is frankly fucking appalling, and the IDE is slow - because it's designed to do everything that has a cost.

So yes, Eclipse is absolutely the best option for your use case because you get maximum benefit from the things it offers relative to the sacrifices it makes whilst Visual Studio is less helpful because the sacrifices it makes (i.e. support for arbitrary frameworks and stacks) are what makes it great for the stacks it does support.

I don't know if you've used 2012 but the unit testing tools do now support 3rd party offerings such as NUnit. The ORM tools are only tied to MS tech in so far as you tend to use an MS framework as the ORM framework but the underlying database can be anything that has a .NET connector which is just about every database worth mentioning.

But I think most people who use VS like it above other IDEs because they are using it with the Microsoft stack. I've built large (18month+ projects) MVC applications using Java/Spring/Spring Tool Suite version of Eclipse, PHP/Zend/NetBeans and PHP/Zend/Zend's version of Eclipse, and also Microsoft/ASP.NET MVC/Visual Studio. If you use an IDE designed for the stack in question I still think Visual Studio by far comes out on top and that's the sort of metric I'm referring to for judging my preference - the normal use case for each specific IDE.

If we can host on Windows and I have the choice I'll normally default to VS + ASP.NET MVC w/C# for this reason. I just know I can lead a team to get the job done much faster, my second choice would normally be Java with Spring MVC. I'll tend to use as much of the same stack as possible throughout the project, i.e. for a .NET project I'll normally use WCF for web services for example and SQL server for persistence.

Re: Casual use of Java

[david_thornley]

Those who don't like it seem blissfully unaware of the things that make it great like it's refactoring tools, extremely smart and efficient intellisense, excellent debugging tools and decent testing functionality etc.

Speaking as a guy who's done professional Visual C++ development for nearly six years now, I'm still unaware of those things. Some of them would be nice. (To give the debugger some credit, it's a touch easier to use than gdb.)

With the current Microsoft "going native" push, you'd think we'd get something significantly better than xterms with vi/emacs, g++, and gdb.

Re: Casual use of Java

[Xest]

I agree the Visual C++ portion of Visual Studio is lagging a little compared to the likes of it's C# support for what it's worth, but even there I think it's still better than the alternatives.

It does need a bit of love though but I think part of the difficulty is that C# and .NET have been built in parallel with Visual Studio so they've been able to make the two work together rather seamlessly (an obvious example being code regions), whereas C++ isn't their bitch so they have a harder time making it all play nice.

Casual use of Java..?

[FryingLizard]

Java? Casual? That's like saying the US Tax code is good bed-time reading.
After realizing I was spending half my frickin' life compiling, reloading, and waiting... waiting... (I'm looking at _you_ Tomcat) I switched to Python and never looked back.

Re:Casual use of Java..?

[dkf]

That's like saying the US Tax code is good bed-time reading.

Nobody who reads the US Tax Code in bed has problems sleeping...

WHAT casual use of Java?

Serious question. What 'casual' use of Java applets is there to kill?

Re:WHAT casual use of Java?

[ddyer]

There are lots of java applets that implement games, graphs, and other useful things that require a real program. Making sandboxed java applets harder to use will displace legitimate programs to more dangerous forms (such as downloaded java applications, or other directly executable programs), and in the process train users to ignore the danger.

Re:WHAT casual use of Java?

[lgw]

How many of those actually need to run in a web browser, rather than download-and-run?

Casual use of Java was dead 10 years ago.

[stewsters]

I really don't think that there is a casual use of Java applets anymore. Banks and large corporations use it, but when was the last time you ran someone's java app that wasn't your own or a major corporation's? Large players can pay $100 a year for their app without thinking about it. Personal projects you trust and can push continue on. You shouldn't be running java apps from random other sources if you value security.

Re:Casual use of Java was dead 10 years ago.

[Urza9814]

Personal projects you trust and can push continue on.

RTFS:

Running applications by UNKNOWN publishers will be blocked in a future release...

There is a 'continue on' button right now, but this is stage one of phasing that out entirely.

Re:Casual use of Java was dead 10 years ago.

[joe_frisch]

NOAA aviation weather tools are done in java - used extensively by pilots.

Re:Casual use of Java was dead 10 years ago.

[ultrasawblade]

There's a really cool open source SSL VPN called Adito that allows you to do port forwarding over SSL via a browser-launched Java applet.

Re:Casual use of Java was dead 10 years ago.

Banks and large corporations use it, but when was the last time you ran someone's java app that wasn't your own or a major corporation's? Large players can pay $100 a year for their app without thinking about it.

NOAA aviation weather tools are done in java - used extensively by pilots.

You might not realize this, but NOAA is part of the United States federal government, which is larger than most corporations. It can certainly afford $100 a year to sign apps so that pilots can be sure they're running the real application.

Re:Casual use of Java was dead 10 years ago.

[imess]

Do you consider MultiBit from a random source?

Re:Casual use of Java was dead 10 years ago.

[rahvin112]

If you are spending $25k over a $100 item there is something seriously wrong with your company.

We aren't a big company and our office managers and VP's can sign for $250 and justify it later. There should be no reason to have 4 people in a meeting to discuss spending $100 on an IT asset. At the most you should have a 5 minute conference call between CTO and CEO.

Re:Casual use of Java was dead 10 years ago.

[suutar]

last week. GUI client for one of my favorite chat programs uses Java Web Start and is written/maintained by one guy in Denver.

Re:Casual use of Java was dead 10 years ago.

[stewsters]

No, I work on a corporate website for a living. Last December i put the $100 on my credit card and filled out an expense report. Told the head of IT, no questions asked. Don't know where you work, but it sounds like a hell hole of bureaucracy.

Re:Casual use of Java was dead 10 years ago.

[vlueboy]

I really don't think that there is a casual use of Java applets anymore.

Minecraft is hugely popular and the only reason for many of us to temporarily enable browser applets.

You can choose to buy Minecraft without testing its browser demo... but if you want to preview whether your old machine can handle the 3D decently *before* plunking the ~20+ to license the full applet-less version, there's no alternative.

Re:Casual use of Java was dead 10 years ago.

[bws111]

Unknown means unknown by the system running the app, not unknown by the world in general. Make your own cert, put it in the truststore, and now you are known.

Re:Casual use of Java was dead 10 years ago.

[bws111]

I think (hope) that you made that up. I can think of two explanations. Your company is hopelessly screwed up, or the real concerns were about the SSL process, and not financial. If it really took $25K (including travel) just to approve a $100 expenditure, get out, quickly. On the other hand, it is entirely possible that management has real concerns about security, etc that they want addressed before letting someone obtain an SSL certificate in their name. That is reasonable. However, if your company has a web presence they should already have processes and policies for this sort of thing, so I am hoping the situation described happened at least a decade ago.

Re:Casual use of Java was dead 10 years ago.

[stewsters]

This is true. But can Notch afford $100 for a cert? The https part of https://mojang.com/ hints yes.

Re:Casual use of Java was dead 10 years ago.

[fellip_nectar]

Actually, you can download the launcher and run the demo version locally. You just need to create a Mojang account.

Re:Casual use of Java was dead 10 years ago.

[Hognoxious]

... until they block that too.

Re:Applets only

[jasper160]

It would be a welcome gift. I admin for a bunch engineers and a lot of the corporate and gov sites they access still use Java. And even worse some are so crappy they are version specific which makes no sense other than they are lazy.

Java applets?

[bigtech]

Did I just step out of a time machine?

Re:Java applets?

[nylrym]

Yes. Epecially in IT where lots of consoles for machines without conventional 'heads' run as a java applet in a webpage hosted on the controller.

Re:Java applets?

[H0p313ss]

Did I just step out of a time machine?

I just looked out the window... there's a freaky old guy out there with a funky looking Delorean looking very confused.

Bad for science education

[l2718]

Java applets are an essential tool for science education -- as simulators, calculators etc. Are all these research groups supposed to get some authority to digitally sign their applets?

Fundametally, a major aspect of Java security is that, since it runs on a VM, an applet it is inherently encapsulated. Yes, VM bugs can cause problems, but the value of all the free educational applets online far exceeds any possibly security benefits of unptached VM bugs.

Re:Bad for science education

[ADRA]

I agree in general, but I'd say any apps that want system access (legitimately breaks out of sandbox protections) should be disabled for self-signed apps that haven't been manually white-listed. The number of Java apps needing system access should be low in general.

Re:Bad for science education

[twocows]

I imagine there will be an option in the deployment settings (which were also added with this release, I believe) to allow unsigned applets to run. As for Java running in a VM providing sufficient security, I'm going to have to disagree. Java security exploits have been responsible for a whole lot of malware over the years; in fact, it's one of the most common ways for malware to propagate. I think it's pretty clear by now that whatever security benefits the JVM might have once held are no longer a factor.

Re:Bad for science education

Except, you know, the whole being able to produce one package that reliably runs across any platform the VM does. PIP is not a replacement for a .JAR file, nor is it even a convenient alternative.

I mean I know what you're trying to do, "I'll shout out an OSS language and make some sweeping generalization about it taking over in some field...education maybe, yeah, that's a good one... Then the karma will just start rolling in." That's about as much thought as you've given the problem, which is probably why in any serious workplace you're still going to find Java being used, for better or worse. People like yourself haven't come up with a valid alternative -- worse still you mindlessly promote whatever platform you prefer, without any thought as to the logistics of entirely replacing every program you had written in one language with another entirely.

OSS proponents need to climb down off their soapboxes and do some actual coding for a change. We get it, the open alternative is the better one. If you want us to use an open alternative to Java, make one better than Java, make one that does what Java already does, then improves on it in some way. Matz did it with Perl and Ruby, now Ruby is practically a household name in the OSS community...what's stopping you? Lack of talent, perhaps?

It's much easier to blather out lines like "stop using Java and switch to Python programs that do the same thing," but as you already are obviously unaware, it isn't possible to wave one's hand and turn a Java program into a Python one overnight, not even a small one. Let alone something that's been running for a decade and has MILLIONS of lines of code to be replaced. The fact that you were modded as high as you were for this nonsense only serves to illustrate just how much of a ridiculous circlejerk this site has become.

Re:Bad for science education

[omnichad]

I'm sure that's great software - but does it really need to run inside a browser? The first link you gave involves downloadable apps and/or Java Web Start - not an embedded JVM. The latter link I'm not sure about.

It's worse than Flash - the sandbox has access to your printer and a whole lot more. It can still be a nuisance even if it's not escalating access.

Re:Bad for science education

[ddyer]

I believe java web start is treated the same as java applets in this respect. Training users to download applications and run them (unsandboxed) is a much worse alternative. Things need to run "in the browser" so they retain the context of the other content, and remain up to date.

Re:Bad for science education

[omnichad]

Running automatically inside the browser is better than manually downloading and choosing to run it? Unsandboxed is not such a big threat when you're deliberately choosing to run the file and unsandboxed is still restricted to the local user account.

I'm not sure i know of a java applet where context comes into it at all. And as for updates, plenty of native software has to deal with updates.

Re:Bad for science education

[fa2k]

Yeah I came to say the same. There's a large body of simulations and illustrations out there; code that's just as good as the day it was made. Just last night I read about phasors, and two of the pages linked from Wikipedia had applets.

Scientists have better thing to do than to re-write their teaching aids every five years. And I don't even think HTML5 is on par with Java for that kind of code.

So, as long as they stick with the warnings, it's fine. The old code will work, and people will click past the red warnings. Maybe it will scare off scientists from making new Java applets, and we'll lose out. Maybe they will use proprietary products like MATLAB and Mathematica. A fraction of the applets could be replaced by plain videos without any loss.

Step in the right direction

[twocows]

Roger Grimes over at InfoWorld has an excellent security column and Java security has been one of his biggest gripes for a long time (example). This will be great for anyone who doesn't stay on top of patching (and also good for those who do, to a lesser extent). The newest release of Java also allows for finer grain security control, something that's been missing for years. I think Oracle's finally starting to try and seriously tackle Java security. Besides, "casual Java" use (at least for in-browser applets, which this seems to be about) isn't really that common anymore anyway (most of it's Flash now) and it's a small sacrifice to make for greatly increased security.

Sandboxing

Wasn't it the point of sandboxing to allow untrusted programs to run without risk of harm? Why do you need to know who published an applet that can do no harm?

I RTFA but I don't see it

[Khashishi]

Does it show the warning in any of the linked articles?

WAAAAT

[GameboyRMH]

Most of the Java apps I use are unsigned.

Here's what I see happening: Lots of people hanging onto old Java versions, creating an even bigger security disaster.

Re:WAAAAT

[omnichad]

If it's internal, why can't you add your signing CA to the java trust store across your organization?

Re:WAAAAT

[omnichad]

Wait - you're talking about a different security change. One that essentially prevents XSS - a legitimate concern.

I thought the whole point of Java...

[BitterOak]

I thought the whole point of Java is that it runs in a sandbox so applets don't NEED to be trusted. Are they admitting failure here?

Re:I thought the whole point of Java...

[dbc]

Yes. Exactly. They just plead guilt to selling snake oil, as we knew they were doing all along.

And my mod points ran out yesterday :-/

Re:I thought the whole point of Java...

[DickBreath]

> I thought the whole point of Java is that it runs in a sandbox so applets don't NEED to be trusted.

Yes, and then later Applets are allowed to interact with JavaScript code in the surrounding browser, and vice versa JavaScript can interact with methods of the Applet. That would never open up such complex interactions that nobody could foresee the security problems. Nope, nosiree. (sarcasm)

Re:I thought the whole point of Java...

[rahvin112]

They didn't need to "plead guilty", the department of homeland security issued a public press release a year ago telling everyone to uninstall Java. A year later Oracle has basically agreed.

Re:I thought the whole point of Java...

[GodfatherofSoul]

How is this post insightful? It posits an incorrect assumption. Java wasn't created for applets. Maybe that's what you've mostly seen. Second, there are unsigned applets that are sandboxed and signed applets that can have expanded access to your system. The whole point of the Java exploit scare was websites hosting an unsigned applet that behave like a signed applet.

Re:I thought the whole point of Java...

[StormReaver]

I thought the whole point of Java is that it runs in a sandbox so applets don't NEED to be trusted.

You're mixing two different issues.

1) Java applets don't need to be signed if they aren't going to use certain features (I'm not going to enumerate them here). These applets are as safe as the VM's sandbox implementation.

2) Java applets that make use of those features I didn't enumerate need to be signed. The sandbox becomes greatly expanded at this point, making it far less secure than applets the comply with (1) above.

Re:I thought the whole point of Java...

[fa2k]

It's not even incompetence. Flash, Adobe Reader and MS Office have had bugs just as serious as the Java ones. Unfortunately, this is to be expected in any software. I think the reason people go crazy about Java is the complete apathy Oracle has shown when it comes to fixing bugs. The patches have been scandalously late and some haven't actually fixed the problems.

(maybe an additional factor is that people feel they wouldn't lose a lot if all applets were removed)

Paper is cheap

[EzInKy]

So why the $100 cost if it isn't to profit off of those who depend on it?

A lot of our code and even our certificates are

[WillAffleckUW]

This will be unfortunate.

We've had problems with our university issuing certificates for domains and for code, which is not intended for public use.

Making it not run will mean we will have to dump Java and use one of our other OPEN SOURCE coding methods.

Buh bye!

Not that we're the fifth best world university or in the top ten list of US research universities or anything.

Minecraft

[Rational]

The last reason left to have Java installed?

Re:Minecraft

[twocows]

Perhaps, but not an excuse to let Java applets run freely in your browser. TFS says that this only applies to applets; programs run out-of-browser will probably function normally. Even if that's not the case, I'm sure they'll have an option to allow unsigned code to run.

Re:Screw java, HTML5 + JavaScript

please don't ever type "chive" again

Retards

[0123456]

As others have mentioned, there are a ton of embedded systems which use Java as the control interface and load unsigned or self-signed applets to do so. Block them, and we'll be forced to stick with an old version of Java.

Re:Retards

[0123456]

Do those embedded systems run the latest 1.7.0.40 Oracle Java? Because if they don't, it shouldn't matter.

The browser will be running the latest version of Java, and that's where the decision will be made about whether it's allowed to run.

Re:Applets only

[dtfinch]

The ones I get stuck with always seem to require Java 1.4.2, so any new breaking changes are irrelevant.

Who uses java applets casually?

Why can't these "casual" applets get a certificate, or ask users to click "OK"? If your app isn't worth $100 to you, and is not worth 30 seconds of education and one mouse click per run to your users, it is not really all that valuable to anyone.

A programming job in the US pays $20-$60 per hour. $100 is unlikely to be a significant barrier to anyone who has the skill set to create a program worth a user's time.

Given the security benefits of forcing scammers to prove who they are to a cert authority, I am disappointed that this was not done a decade ago.

Re:Who uses java applets casually?

[ddyer]

"Prove who you are" consists of cashing your check. The "trust" part of certificates is a bad joke. As I see it, it's the ability for the certificate authority to revoke a certificate (and browsers willingness to enforce the revocation) that provides some damage control.

Totally Blocked?

[nurb432]

No, i didn't RTFA... Are they going to refuse to run self-signed at all, or can you opt out of the blockage as the end user?

I'm OK with a warning;"hey do you trust this?" and a choice to say yes, but complete blockage is uncool.

There goes the *real* API

[atari2600a]

You think people will care enough to switch to openjdk or just....no?

That would be great - drive by malware protection

[Sarusa]

Nobody should be running Java in browser. It's a blinking, gaping 'zero day me here!' for any drive-by malware and Oracle can't keep up with the exploits (though they still keep trying to re-enable their plugin on install, along with trying to install junkware, the evil bastards).

I do use Java for standalone apps, this is not an anti-Java thing - it's the browser plugin that is the problem.

Big slow institutions that are stuck using Java can pay the $100 and still get the extra drive-by protection. Everyone wins. Of course the baddies could still get a cert... but then we're back to 'don't run it in browser.'

Re:So if they Just Don't like That One?

[0123456]

This gives the powers that be the capability to shut off any java applet they do not like for any reason what so ever?

What? Letting users decide what programs should run on their computers, rather than 'the powers that be'? That's such 20th century thinking.

Fighting the impossible fight

[WaffleMonster]

Is it more difficult to give up on making the sandbox mechanism secure or to review all code for all applets to make sure they are "trustworthy"

I would think money making conspiracies aside the first approach is a solvable problem while the second is a hopeless fools errand... perhaps I'm wrong given there are just 3 remaining people in the world still using java applets on their websites.

Re:Fighting the impossible fight

[the+eric+conspiracy]

Why isn't sandboxing applets the responsibility of the browser?

Re:Fighting the impossible fight

[WaffleMonster]

Why isn't sandboxing applets the responsibility of the browser?

I have not made or even hinted at the above claim. OS jailing of browser and browser jailing of extensions are important yet insufficient.

Java runtime is closer to the application space and therefore best positioned to make contextual access decisions regarding resources it controls or arbitrates in applet mode.

Consider the case where java is running in a sandbox and an application is able to escape the java applet runtime into the execution environment of java runtime. While this does not pose a threat to the underlying browser or system if properly jailed java mediated policy is still compromised nonetheless.

Re:Fighting the impossible fight

[ddyer]

I think you are missing the point about what Oracle has done already and is promising to do in the future. All of this about applets running inside the sandbox. After the demonstration of bugs that allowed applets to break out of the sandbox, Oracle panicked and has gone through mutiple generations of scary pop-ups warning you are about to run a sandboxed applet. Now they are promising to not run sandboxed applets at all, unless they are also signed by a trusted certificate.

Signing has nothing to do with trust, but establishes that the code hasn't been modified since the signer signed it. That's potentially useful.

Trust has nothing to do with signing or inspecting the actual applet or the intentions of the software. It only means the signer paid a certificate authority who is trusted. The CAs have no responsibility to certify anything except some fig leaf level of identity check. There's no way to walk the signer identity back to somebody you want to arrest unless they were honest and not evasive when they purchased their certificate. There's no way to prove that a certificate that was used to sign malware was actually used by the person who purchased it. It's a nearly vacuous concept of trustworthiness.

I don't believe that Oracle is planning to make money from the certificate process. It's all about covering their asses, which I can understand without liking it. It's long been my contention that some morning, every windows machine connected to the internet will be bulk-erased, and every one of the victims will sue Microsoft. If I were Oracle, I'd be worried about that prospect too.

Re:That would be great - drive by malware protecti

[s122604]

Nobody should be running any fully functional, system aware, computer program in a browser...
A java applet is a java computer program written by "someone" coming from "somewhere" running in a browser on your computer.

Replace "java computer program" with "c++ computer program" (or any other "real" language) in the previous sentence, and it describes a situation no less dangerous, arguably more-so.

It has nothing whatsoever to do with the language, its the paradigm.

Why doesn't LinkedIn offer certs?

If sites like LinkedIn provided certificate management to their members many security issues including this one would be resolved.

Oh hay what?

[bmo]

It currently costs a minimum of $100/year

Wow, I'm a malicious java programmer and this is really going to stop me!

Scarlett: Rhett, Rhett... Rhett, if you go, where shall I go? What shall I do?

--
BMO

This would be good...

[intermodal]

except for the lack of other scripting languages' acceptance in the Windows world. My preference for most things is python, though I use some ruby (for Puppet) and perl here and there. Works great on the Linux boxes, but I hate to widely deploy Python or Perl just to run a couple scripts on the Windows boxes, and I end up settling on Ruby since it came with Puppet.

Re:Applets only

[omnichad]

"Write once, run anywhere" just doesn't hold much appeal if a security update breaks functionality.

Re:Applets only

[ddyer]

The recent security problems have rightly killed off using older versions of java from the browser, but Oracle seems to be abandoning the sandbox rather than committing to keep it fixed. Ultimately, all manner of browser extensions have to have the same inherent hazards. I've had my browser and search engines hijacked several times by "trusted" toolbars installed by sneaky installers.

Re:I making my living writing Java

[GodfatherofSoul]

Obviously not a good living if you're not aware of that.

Legacy

[mwvdlee]

Does this mean the new Java will start bitching about legacy Java applications I've been running for years?
What will this do to companies that run their own Java applications? They can no longer apply security patches for Java in the near future without the massive cost of repackaging their self-made Java code?
This has "money grab" written all over it.

Re:Applets only

[shipofgold]

Java as an idea was great....write a program that compiles once and the binary can run on anything.

<rant>
Java as an implementation has failed miserably for just the reason mentioned by the parent. I have encountered too many apps that won't run unless a specific version of the VM is available.

Then there is Tomcat, evil software container...I have lost too many hours of my life trying to keep that beast happy....just today I got an email from a colleague who wants to restart tomcat weekly because something is causing it to leak file descriptors. More than 1024 files open at the same time...I could probably figure it out, but that would again be more hours lost to java.
</rant>

That makes no sense...

[Junta]

IPMI is a UDP protocol that has no direct relationship with a browser.

If you are instead implying that service processors frequently have web interfaces that employ java, at least with IBM the current state of affairs is java web start, which means no browser plugin even if it does use java. Even if they were, you don't have to worry about the vendors being too cheap to fork over the chump change.

Same mistake the browser smade...

[TemporalBeing]

Honestly, while having users authenticate a self-signed cert in a browser did help with security, etc it also broke a lot of devices. I still cannot use my WRT54G with any modern browser aside from the default browser on Android 2.3.6; same with my newer model router with latest firmware.

And honestly the problem IS NOT the hardware I'm accessing - its the stupid browsers.

They're only going to cause the same kinds of headaches for everyone.

P.S. I'm not in favor of Java or Java Appletes, but it still seems like a bad thing given how it impacted browsers accessing valid websites with self-signed certs.

APPLETS ARE NOT JAVA!

[krups+gusto]

Applets are a dead technology. All three of the people impacted have been informed of this change. And they're quite angry. For the rest of us, disable Java (along with ActiveX etc...) in your browser and continue with life.

sandboxing = failure

[stenvar]

So that pretty much means that they are admitting that they never managed to get sandboxing to work properly for Java.

Re:Applets only

[steveg]

Every week!?

I have a cron job that checks every 2 minutes to see if tomcat is still up. It starts it if it's not.

With Tomcat 5.5 there were days when it would restart 15 or 20 times a day. Tomcat 7 hasn't gone down yet, but it hasn't been used yet either. We'll see what happens the next time the Java class is scheduled.

Re:I making my living writing Java

[viperidaenz]

Pretty good one actually, but there is no practical use for a Java applet to run in a browser. It's a security nightmare.
Especially when that JVM runs at the privilege level of the user and the sandbox is based on a blacklist that has been broken in the past. (untrusted code is only blocked from accessing specific packages).

The only way to be safe is to not install the java plugin.

Oh dear...

[Z00L00K]

That will kill one feature that I have in an application, and that feature is for company-internal use only, so self-signed is sufficient.

it will kill old ip cameras

[steak]

I have an old dlink ip camera that I use to watch the front of my shop and it uses an unsigned java applet. I'm cheap, I don't want to replace it.

Re:it will kill old ip cameras

[hobarrera]

Doesn't is just stream video to the applet? Can't you capture that video with something else?
Also, you can just use OpenJDK.

Can they set a disallow by IP range or IE zone?

[Growlor]

This would be great if they can allow for control of how it behaves. I could block it for generic Internet sites, but allow it for trusted sites.

Will kill Java, not just casuals

[loufoque]

Most significant software is open-source.
This will therefore entirely kill Java, and not just for "casuals".

Re:Will kill Java, not just casuals

[cowdung]

Java != applets

Re:Will kill Java, not just casuals

[loufoque]

I never said it was. Java is supposed to be a programming language for general-purpose programming, with the goal of being more accessible than C.
I personally don't practice it much, since I'm only interested in high-performance parallel low-level system stuff, but my understanding is that Java is heavily used for most applications that don't require actual programming skill.

Applets

[cowdung]

Its about time Oracle change the name of applets to be JAT (Java Applet Architecture) or something less catchy..

The point is that applets are messing up the Java brand.. so brand them with some other name and keep people from confusing Java with applets.

For example advice like: "remove Java from your machine" would change to "remove JAT from your machine"

Java is very successful server side.. I can't understand why they continue to contaminate the brand with the half baked plugin that only serves as a security hole.

Re:That would be great - drive by malware protecti

[DavidRawling]

True also for Dell, Intel and HP. And the KVM switch vendors (e.g. Avocent). Problem is that while they'll pay for certs for the newer stuff, they're not going to release any new firmware for the older "not supported anymore" stuff. So all those console switches in your datacentre? Worthless, unless you stick with old Java. Same for managed PDUs hosting a little Java applet. Possibly even some rather large web-managed UPS. Same for thousands upon thousands of other supporting appliances of God-knows how many types. Heck, there are companies still rocking servers that are 4, 5 years old; those aren't getting updates to sign the Java applet either, let alone the 10 year old stuff that still hosts the NT4 app that no-one knows how to replace or migrate.

So basically this is going to force companies to replace perfectly good infrastructure or deal with losing remote access to things, as well as screw with hobbyists who have older stuff in their basement/garage/closet/bedroom.

Re:As long as it doesn't affect non-in-browser cod

[gl4ss]

it's only for applets.

besides, 100% of java programs done by anyone with any sensibilities bundle a jre with their installation package.

most common example of this would be the arduino ide. sure, it makes the install packages bloated but at least the fucking programs work and most of the users are totally oblivious to the fact that the program is written in java and running in a java vm.

If I had to guess most signed java programs are malware though.. only malware authors would bother to go through the hoops! You know what was a pile of stinking shit carcasses? sun signing for J2ME - that one aspect practically guaranteed that mobile companies ran far away from j2me and straight into android. that system and what benefits you could get it was stupid even on paper and even vastly more stupid on actual implementations(and of course it differed greatly depending on the j2me vm manufacturer and even from one operator variant to other.

"you mean I signed this shit for nothing? that the user will STILL get 3+ yes/no dialogs for every single file creation? and none for running a local executable from the filesystem?!?" yes, on series60 you could execute local native .exe from within j2me, provided the file was already there. but you couldn't save a ringtone from j2me without spamming the user with confirmation dialogs.. I'm not actually sure if one was supposed to be able to do that but if you just opened a local file through address opening then it ran it.

users have a right to be stupid

[ILongForDarkness]

That is why windows still says "untrusted certificate do you want to continue" or similar all over the place. Just because Verisign didn't get their $100 this year doesn't mean I no longer trust the source. Additionally, do you really thing hackers won't find a way around this? They are already trying to find a way into your system it will just be one more thing they have to get right before they can force their way in. Or they'll go after services, flash whatever.

Re:Applets only

[drkstr1]

Java as an idea was great....write a program that compiles once and the binary can run on anything.

<rant> Java as an implementation has failed miserably for just the reason mentioned by the parent. I have encountered too many apps that won't run unless a specific version of the VM is available.

Then there is Tomcat, evil software container...I have lost too many hours of my life trying to keep that beast happy....just today I got an email from a colleague who wants to restart tomcat weekly because something is causing it to leak file descriptors. More than 1024 files open at the same time...I could probably figure it out, but that would again be more hours lost to java. </rant>

You just have crappy Java developers, it has nothing to do with Tomcat. The same thing would happen to any "always on" Java program that loads leaky external code. Don't feel bad, most of the Java code I've seen is total crap. You usually just don't notice it because of the short life-cycle of the process, unlike Tomcat.

Back to the days of "Best viewed in Chrome"

[tepples]

Web developers can't count on users having Chrome available. When a web application detects that a required JavaScript object is unavailable, it displays an error message to the user. In such a case, whom does the user blame?

Re:Back to the days of "Best viewed in Chrome"

[thegarbz]

Not quite. The "best view in" days described sites which failed to work or render correctly in any browser but the one in question. Any standards compliant browser is capable of running those experiments. In the early days Chrome was the fastest and every other browser was painful. These days the gap between Chrome, Safari, Firefox, etc has closed considerably with Chrome being some 10% faster than Firefox and only 40% faster than IE9. Chrome experiments have run acceptably on all browsers in the past few years.

Oh the most commonly used version of IE lacks WebGL, but apparently the latest Windows 8.1 shipped browser has WebGL support too, I can't test this, but certainly every other WebGL based experiment on that site works fine in Safari and Firefox too.

So really nothing at all like the bad all days, and certainly no worse than not being able to assume that every user of yours has a computer capable of full 3D graphics at HD resolutions with *insert resource intensive rendering elements here*

Apparently, Windows only

[tepples]

WebGL is fine.

From this page, Atom N450, Xubuntu 12.04, Xorg 1.11.3, Firefox 24: "Hmm. While your browser seems to support WebGL, it is disabled or unavailable. If possible, please ensure that you are running the latest drivers for your video card." This Mozilla page recommended looking in the "Additional Drivers" utility that came with the operating system, but all it showed me was the driver for a Broadcom NIC that I'm already using. The Mozilla page also referred me to Intel's driver update utility, but that's Windows-only.

Re:Apparently, Windows only

[Gavagai80]

WebGL is disabled for slower video cards, but can be enabled with a browser launch parameter. For chrome, launching google-chrome --enable-webgl --ignore-gpu-blacklist works. Not sure what the firefox equivalent is.

Re:Apparently, Windows only

[Blaskowicz]

I have similar software, but a much better computer with an old 7600GT, it says "you should see a spinning cube" but I see a flashing garbled thing. Maybe that's because I'm now running the free driver (nouveau) instead of the nvidia one. I remember running the WebGL demo with fishes in a bowl and a couple others.

I didn't know WebGL would be picky with drivers. It does work btw, that must be because javascript is offloading work to the WebGL API, which then uses the drivers and graphics card so relatively smooth stuff can be shown when it works.
If for some reason you critically need WebGL, you'll have to use llvmpipe as the OpenGL implementation, it's slow as fuck but might work (the good thing is it's reliably slow)

Object detection detected a lack of support

[tepples]

Good luck with that if the feature you relies on shows up as (void)0 (that is, unimplemented) in the end user's browser. It's apparently easier to get end users to upgrade a Java plug-in than to switch to a different web browser.

When $100 is more than $100

[tepples]

It's not $100; it's $100 per platform per year. If you buy a Java certificate, it won't work on any platform that isn't Java, and it'll self-destruct after 365 days.

Re:Bad links

[ddyer]

the links are from slashdot admins, not me; and the are bad, as you observed.

Applets dying?

[hobarrera]

So Java applets will become less common on the internet? OMG, I can't belive this!

Re:Applets dying?

[H0p313ss]

So Java applets will become less common on the internet? OMG, I can't belive this!

Everyone down to the pub. I'm buying.

Embedded control systems based on Java applets

[Mandrel]

I wrote a embedded control system for a small company that has a webpage UI in which an invisible Java applet is embedded that controls both the webpage and the machine's devices. Will they now have to pony up $100/year for a cert, which would be a non-trivial drain on their resources, particularly if the certs need to be annually and manually re-installed at each location around the world where the machine is installed?

startssl.com coding signing certs are $60 per year

[fluke11]

While it doesn't change the bad taste in the mouth that forcing this change, it is not exactly true the minimal cost for a code signing certificate is $100 per year. Startcom has for a long time now challenged common CA pricing including free server and s/mime certificates. While their code signing certificates aren't free, $60 per year is not bad. It still beats the $100 per year fee to be an Apple iOS application developer. For those on the majority market share browser [1], Chrome, there has already been a trend away from Java. It already will pop up a warning that Java can't be trusted. Firefox has also been producing warnings regarding use of Java. Also, future versions of Chrome will take things to the next level as they plan to remove all NPAPI support (which Java currently depends on for in-browser applets) by the end of 2014. Given how poor a job Oracle has done with serving the Java community so far, I find it unlikely there will be any port of Java to use Pepper API to NaCl to continue to provide Java applets for Chrome. It is more likely that Oracle will try to push the webstart out of browser launching of Java applications as a replacement for the in-browser plugin. As for in-browser applets like projects, the message seems clear that casual and professional programmers alike should be considering HTML5 and javascript instead of Java. [1] http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

Re:Applets only

[Archfeld]

Launch the same product with a new colored case and the Fanboi's will buy it up....

Re:Applets only

[0ld_d0g]

You're underestimating the legacy java crap that bank/intranet websites run on (Though I have yet to find one that uses ActiveX). My bank's (OCBC) website requires java.. and requires some shitty hardware token for generating and validating one time use numbers. I basically have to maintain a separate browser install with the java plugin enabled for it.

Might kill the Java4K contest

[Walking+The+Walk]

This update might be the death knell for the Java4K contest. That would be a real shame - lots of great developers have submitted games over the years, such as Markus Persson of Minecraft fame. But after the recent changes and now this red text warning, I'd bet most casual users will turn off Java in their browser (and who can blame them?) A contest with only developers can still be fun, but not as fun as having several hundred or thousand people play your game.

getUserMedia

[tepples]

Consider getUserMedia/Stream API, necessary for use of a camera or microphone from JavaScript. That's still prefixed everywhere and unavailable in IE, Safari, Android Browser, and Firefox for Android.

Re:getUserMedia

[thegarbz]

I didn't say every browser was feature complete. I said we're not in the bad old days.

The bad old days were the days of browsers all doing their own thing and pissing standards against the wall, (remember embrace extend extinguish?) The modern world is that browsers offer extensions for specific purposes while still moving towards being fully standards compliant. Each new version of each browser has for a long time has boasted better ACID compliance and more use of standard features even while generating controversy (see Mozilla's backflip on never supporting h.264 in the HTML5 video tag).

Mind you I can't really get worked up about your example either. Firefox and Chrome collectively have about 82% of the global market share, historically IE has always been quite shit so any example you use which specifically excludes IE may as well be an attempt to say we're still in bad old days given IE's glacial pace of adopting modern standards. WebGL has a similar market reach as getUserMedia/Stream API according to the site, maybe slightly higher for the few percent who use Safari and Opera, but still within the 80-90% coverage range.

But as I also said you'll never ever be able to assume all features of your users due to hardware differences too. These days your user may not even have an active mouse pointer on the screen to use for capturing input and that has nothing to do with standards, compatibility or the browsers themselves.

Re:Applets only

[steveg]

Or those of our students using Tomcat.