Slashdot Mirror


Will New Red-Text Warnings Kill Casual Use of Java?

New submitter ddyer writes "Java 1.7.0_40 [Note: released earlier this month] introduces a new 'red text' warning when running unsigned Java applets. 'Running unsigned applications like this will be blocked in a future release...' Or, for self-signed applets, 'Running applications by UNKNOWN publishers will be blocked in a future release...' I think I see the point — this will give the powers that be the capability to shut off any malware Java applet that is discovered by revoking its certificate. The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate."

44 of 282 comments

  1. red spots by Anonymous Coward · · Score: 3, Funny

    red spot warnings have not killed off casual sex.

    So-- probably not?

  2. Probably not, but if it does, good by Anonymous Coward · · Score: 2, Insightful

    While I would hope for the day that Java dies the pathetic death it is due, I doubt that will happen. Much more likely is that "unauthorized" Java VMs will start to crop up that let the user whitelist applets rather than relying on Oracle's certificate system.

    1. Re:Probably not, but if it does, good by Gerzel · · Score: 2

      Or people will just move to the OSS version.

    2. Re:Probably not, but if it does, good by InvalidError · · Score: 2

      I doubt Java as a programming language is going to die any time soon since Android, which has been the fastest-growing platform for a while now, is pretty much a JRE running on top of a Linux-based kernel.

      Oracle's own walled-garden Java on the other hand might not fare so well.

    3. Re:Probably not, but if it does, good by harlows_monkeys · · Score: 2

      > Technically a Linux based OS should be called GNU/Linux implying that it is a GNU OS running on top of a Linux kernel.

      That's historically not accurate. Here's a cut/paste of a comment of mine from another forum on the matter of naming the system that is commonly called Linux:

      Historically, naming rights for an OS go to whoever actually puts together and distributes the complete system. For instance, if a workstation company licensed Unix from AT&T and ported it to their workstation, they got to name that OS whatever they wanted. A couple examples of this were Uniplus+, which was UniSoft's Unix, and 386/ix, which was Interactive Systems Corporation's Unix. Both were Unix systems--they used a Unix kernel and Unix utilities--but that wasn't their names. Half the fun working at a Unix workstation company in the early '80s was thinking of a neat name for your Unix port. :-)

      For the complete systems distributed by Canonical, Red Hat, and the like, they are the ones who get to name the operating systems that they distribute. Ubuntu calls their OS the "Ubuntu operating system". Red Hat calls their OS "Red Hat Enterprise Linux".

      Yes, they are also GNU systems, but if we want to be historically accurate, the most correct way to view this would be to view "GNU system" and "GNU/Linux" as specifications for a specific Unix-like userspace and for an OS that runs the GNU system on a Linux kernel, respectively. The Ubuntu operating system complies with the GNU system specification and is a GNU/Linux system, but it is named Ubuntu operating system.

  3. We can only hope... by DavidHumus · · Score: 3, Insightful

    But don't get your hopes too high.

  4. Apparently, applets only by SirGarlon · · Score: 5, Informative

    TFA says this is for "Rich Internet Applications," that is, Java applets embedded in Web pages. It doesn't seem this would affect Java programs that you execute locally, such as (for example) Eclipse.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    1. Re:Apparently, applets only by snookerdoodle · · Score: 5, Informative

      Exactly.

      OP doesn't seem to know anything about Java.

      This will not affect standalone Java programs, only applets.

      It could be argued that they should have done this a long time ago.

      Mark

    2. Re:Apparently, applets only by i+kan+reed · · Score: 4, Informative

      It could also be argued that java has no place in browsers given the modern flexibility of javascript. The UI features are worse, the performance differences are negligible, legit code is sandboxed either way. All you're left with as an advantage for true java is threading.

    3. Re:Apparently, applets only by jonabbey · · Score: 4, Informative

      This would not affect Eclipse, no, but it does affect locally produced applications that are distributed from an intranet web server with Java Web Start / Java Network Launch Protocol.

      Previously, we could just self-sign our app and users could choose to accept the app once and for all and not be bothered so long as the signing cert didn't change. Now, all of our users running Java 1.7.0_40 are given the threatening dialog each and every time they run our internal app, and they can't get rid of it.

      We're going to pony up for a code signing cert from a (Java-recognized) certificate authority to make the dialog go away. It's a hassle, but probably still the right thing for Oracle to do at this point.

    4. Re:Apparently, applets only by Blaskowicz · · Score: 2

      Performance differences negligible?
      The most advanced thing I've run in javascript was Wolf3D. I remember javascript doom was not playable (it's not available anymore, because of unauthorized use of the game assets). Java has smooth Minecraft and whatever stuff, for example Text Express from Zylom which is a little game that runs very smooth; you can barely run a Tetris in javascript and it will look like a Windows 3.1 freeware, use shit ton of CPU, make the whole web browser slow.

    5. Re:Apparently, applets only by Anonymous Coward · · Score: 2, Interesting

      Can't you make your own CA cert, shove that into the JRE/JVM keystore, and chug along "for free"? Or did you decide that it was worth $100/year to not deal with having to automate running keytool on all your desktops?

    6. Re:Apparently, applets only by Anonymous Coward · · Score: 2, Insightful

      >the performance differences are negligible
      In javascript you can run multi-threaded computation, you have access to native network buffers (for no copy transfers of large amount of data), ... I was told no.

      >given the modern flexibility of javascript
      So, you are saying: if there is a Java library to do it, there is _always_ a javascript library to do it. Access to any file format, implementation of any network communication protocol, ...

      I am _really_ skeptical. Javascript may be great for accessing web servers and dishing out html, but that's not all that people would like to do in a web page...

    7. Re:Apparently, applets only by i+kan+reed · · Score: 4, Informative

      The most advanced you've played has no bearing on the most advanced you can play. WebGL is fine.

    8. Re:Apparently, applets only by Anonymous Coward · · Score: 2, Informative

      But if the cert is signed by a cert in the jvm's cacerts file it will be signed by a certificate authority. That's what that file, and only that file, does; it defines what certificates the jvm recognizes as belonging to a certificate authority.

    9. Re:Apparently, applets only by Anonymous+Brave+Guy · · Score: 4, Interesting

      > It could be argued that they should have done this a long time ago.

      But it wouldn't be argued by anyone who actually knew what they were talking about.

      For one thing, signing a Java applet proves exactly nothing about how trustworthy it is. You can easily get a signing certificate by spending a small amount of money and waiting a small amount of time. The whole concept of granting increased permissions to untrusted software just because it's been signed is absurd.

      Secondly, blocking unsigned applets will break numerous existing web-enabled devices, which has been one of the significant remaining use cases for applets in recent years. These are effectively running embedded web servers and serving up the applets from there, so you can't just go in and upgrade them later when your certificate expires (and the longest cert periods you can get from major CAs are only about 2-3 years, a fraction of the normal lifetime of some of these devices).

      The craziest thing is that the kinds of device I'm thinking of are typically used by the IT guys in large organisations. Some of them are going to go through months of approval process before they get installed, and when they do it will be in server rooms or data centres, accessed electronically via a separate management network with no connection to the outside world, and accessed physically via biometric security that would make James Bond cry. But in order to keep those applets safe, now they need to be signed too, just in case? Seriously?

      Not everyone using applets accesses them from a public web site. They can't necessarily upgrade or replace them on a whim. The kinds of environments still using them are more likely to be exactly the kind of long-running projects where whipping up a quick replacement in JavaScript isn't a sensible option and where backward compatibility really matters.

      Also, to anyone who thinks alternative technologies like JavaScript and HTML5 canvas/SVG offer the same flexibility and speed as Java applets, I know a prince in Nigeria who'd like to sell you a classic car from his collection for a great price.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  5. Re:Applets only by logjon · · Score: 2, Insightful

    I wish this were true.

    --
    The stories and info posted here are artistic works of fiction and falsehood.
    Only fools would take it as fact.
  6. Probably Not by Ksevio · · Score: 2

    "Casual" use of Java is fairly rare - if there's an applet on a website, I'm probably going there to find it and won't be worried about it being unsigned. Most sites use Flash or Javascript rather than fire up the JVM.

    The typical user will just click "Run" no matter what it says anyways, that's why Google's malware blocking doesn't even give the option to proceed to the website on its warning page.

  7. Casual use of Java by Anonymous Coward · · Score: 5, Funny

    > The unfortunate cost of this is that any casual use of Java is going to be killed.

    You may think you're just a casual user of Java. You may think you just use Java for recreational purposes. Everybody knows Java is just a gateway language for other languages like C#. And we all know what happens to C# programmers.

    1. Re:Casual use of Java by Anonymous Coward · · Score: 2, Interesting

      No, as a C# developer myself, I can truthfully state that the GP is not a troll and that your "go learn something new" scenario is as rare as hens' teeth.

      Nobody actually uses that stuff in production because of Microsoft's poor track record for supporting those types of new features. Instead, I'm writing:
      1) Console applications for data manipulation
      2) WinMo applications for handheld stuff
      3) Webforms stuff (and a few new MVC4 bits and pieces) for web portals
      4) Web services (yes, "legacy" WSDL/UDDI stuff) and a little bit of WCF for web data feeds
      5) Winforms applications for whatever desktop apps are left over

      No WPF, no WinPhone, and certainly nothing for the "metro" or "modern" or "xbox-pissed-in-my-corn-flakes" UI, whatever it's called this week.

      I have yet to find a dire need for WPF or anything related to it, and I have yet to even see a WinPhone in the wild or a metro app that wasn't bundled with Windows 8. And other stuff like LINQ and Entity Data Model stuff have their own problems, mostly in their attempts to be smarter than the developer. Spoiler: it's not, and when it tries, it stops being useful.

    2. Re:Casual use of Java by Dracolytch · · Score: 3, Interesting

      I was being a bit tongue-in-cheek (apparently that's viewed as more trolling than humorous here, but whatev).

      I've been a developer, and I've been management... Most developers get paid as well as their immediate management, and very often better than the sales department. I actually left being a developer/manager to go back to being a developer. Pay raise, better work. Right now my day-to-day is PHP, Java, and C#, depending on the project.

      ANY technology is prone to being obsolete before it reaches its full potential. If you jump on the bandwagon just because it's being released by company/group XYZ, you're crazy. Microsoft releases frameworks that don't last. Google kills apps. Blackberry does stupid stuff... It's all variations on a theme.

      For every two or three poorly conceived things MS publishes, there is one that is actually really quite good and deserves attention. While C# and Java were once very similar, C# continued to grow as Java stagnated. Now Java's back in the game, but it's owned by Oracle, which scares the #$#( out of me. All that said, Visual Studio is still the best IDE out there.

      --
      This sig has been enciphered with a one-time pad. It could say almost anything.
  8. Casual use of Java..? by FryingLizard · · Score: 3, Interesting

    Java? Casual? That's like saying the US Tax code is good bed-time reading.
    After realizing I was spending half my frickin' life compiling, reloading, and waiting... waiting... (I'm looking at _you_ Tomcat) I switched to Python and never looked back.

    --
    [FrLz]
  9. Casual use of Java was dead 10 years ago. by stewsters · · Score: 4, Interesting

    I really don't think that there is a casual use of Java applets anymore. Banks and large corporations use it, but when was the last time you ran someone's java app that wasn't your own or a major corporation's? Large players can pay $100 a year for their app without thinking about it. Personal projects you trust and can push continue on. You shouldn't be running java apps from random other sources if you value security.

  10. Re:Applets only by jasper160 · · Score: 4, Insightful

    It would be a welcome gift. I admin for a bunch of engineers and a lot of the corporate and gov sites they access still use Java. And even worse some are so crappy they are version specific which makes no sense other than they are lazy.

    --
    No good deed goes unpunished.
  11. Java applets? by bigtech · · Score: 3, Insightful

    Did I just step out of a time machine?

  12. Bad for science education by l2718 · · Score: 4, Interesting

    Java applets are an essential tool for science education -- as simulators, calculators etc. Are all these research groups supposed to get some authority to digitally sign their applets?

    Fundamentally, a major aspect of Java security is that, since it runs on a VM, an applet is inherently encapsulated. Yes, VM bugs can cause problems, but the value of all the free educational applets online far exceeds any possible security benefits of unpatched VM bugs.

    1. Re:Bad for science education by twocows · · Score: 2

      I imagine there will be an option in the deployment settings (which were also added with this release, I believe) to allow unsigned applets to run. As for Java running in a VM providing sufficient security, I'm going to have to disagree. Java security exploits have been responsible for a whole lot of malware over the years; in fact, it's one of the most common ways for malware to propagate. I think it's pretty clear by now that whatever security benefits the JVM might have once held are no longer a factor.

    2. Re:Bad for science education by Anonymous Coward · · Score: 2, Interesting

      Except, you know, the whole being able to produce one package that reliably runs across any platform the VM does. PIP is not a replacement for a .JAR file, nor is it even a convenient alternative.

      I mean I know what you're trying to do, "I'll shout out an OSS language and make some sweeping generalization about it taking over in some field...education maybe, yeah, that's a good one... Then the karma will just start rolling in." That's about as much thought as you've given the problem, which is probably why in any serious workplace you're still going to find Java being used, for better or worse. People like yourself haven't come up with a valid alternative -- worse still you mindlessly promote whatever platform you prefer, without any thought as to the logistics of entirely replacing every program you had written in one language with another entirely.

      OSS proponents need to climb down off their soapboxes and do some actual coding for a change. We get it, the open alternative is the better one. If you want us to use an open alternative to Java, make one better than Java, make one that does what Java already does, then improves on it in some way. Matz did it with Perl and Ruby, now Ruby is practically a household name in the OSS community...what's stopping you? Lack of talent, perhaps?

      It's much easier to blather out lines like "stop using Java and switch to Python programs that do the same thing," but as you already are obviously unaware, it isn't possible to wave one's hand and turn a Java program into a Python one overnight, not even a small one. Let alone something that's been running for a decade and has MILLIONS of lines of code to be replaced. The fact that you were modded as high as you were for this nonsense only serves to illustrate just how much of a ridiculous circlejerk this site has become.

  13. WAAAAT by GameboyRMH · · Score: 3, Insightful

    Most of the Java apps I use are unsigned.

    Here's what I see happening: Lots of people hanging onto old Java versions, creating an even bigger security disaster.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  14. I thought the whole point of Java... by BitterOak · · Score: 5, Insightful

    I thought the whole point of Java is that it runs in a sandbox so applets don't NEED to be trusted. Are they admitting failure here?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:I thought the whole point of Java... by dbc · · Score: 3, Insightful

      Yes. Exactly. They just plead guilty to selling snake oil, as we knew they were doing all along.

      And my mod points ran out yesterday :-/

  15. A lot of our code and even our certificates are by WillAffleckUW · · Score: 2

    This will be unfortunate.

    We've had problems with our university issuing certificates for domains and for code, which is not intended for public use.

    Making it not run will mean we will have to dump Java and use one of our other OPEN SOURCE coding methods.

    Buh bye!

    Not that we're the fifth best world university or in the top ten list of US research universities or anything.

    --
    -- Tigger warning: This post may contain tiggers! --
  16. Re:Screw java, HTML5 + JavaScript by Anonymous Coward · · Score: 5, Insightful

    please don't ever type "chive" again

  17. Retards by 0123456 · · Score: 3, Insightful

    As others have mentioned, there are a ton of embedded systems which use Java as the control interface and load unsigned or self-signed applets to do so. Block them, and we'll be forced to stick with an old version of Java.

  18. Totally Blocked? by nurb432 · · Score: 2

    No, I didn't RTFA... Are they going to refuse to run self-signed at all, or can you opt out of the blockage as the end user?

    I'm OK with a warning; "hey do you trust this?" and a choice to say yes, but complete blockage is uncool.

    --
    ---- Booth was a patriot ----
  19. Re:Minecraft by twocows · · Score: 2

    Perhaps, but not an excuse to let Java applets run freely in your browser. TFS says that this only applies to applets; programs run out-of-browser will probably function normally. Even if that's not the case, I'm sure they'll have an option to allow unsigned code to run.

  20. That would be great - drive by malware protection by Sarusa · · Score: 2

    Nobody should be running Java in browser. It's a blinking, gaping 'zero day me here!' for any drive-by malware and Oracle can't keep up with the exploits (though they still keep trying to re-enable their plugin on install, along with trying to install junkware, the evil bastards).

    I do use Java for standalone apps, this is not an anti-Java thing - it's the browser plugin that is the problem.

    Big slow institutions that are stuck using Java can pay the $100 and still get the extra drive-by protection. Everyone wins. Of course the baddies could still get a cert... but then we're back to 'don't run it in browser.'

  21. Fighting the impossible fight by WaffleMonster · · Score: 2

    Is it more difficult to give up on making the sandbox mechanism secure or to review all code for all applets to make sure they are "trustworthy"?

    I would think money making conspiracies aside the first approach is a solvable problem while the second is a hopeless fool's errand... perhaps I'm wrong given there are just 3 remaining people in the world still using java applets on their websites.

  22. Legacy by mwvdlee · · Score: 3, Insightful

    Does this mean the new Java will start bitching about legacy Java applications I've been running for years?
    What will this do to companies that run their own Java applications? They can no longer apply security patches for Java in the near future without the massive cost of repackaging their self-made Java code?
    This has "money grab" written all over it.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  23. Re:Applets only by shipofgold · · Score: 4, Interesting

    Java as an idea was great....write a program that compiles once and the binary can run on anything.

    <rant>
    Java as an implementation has failed miserably for just the reason mentioned by the parent. I have encountered too many apps that won't run unless a specific version of the VM is available.

    Then there is Tomcat, evil software container...I have lost too many hours of my life trying to keep that beast happy....just today I got an email from a colleague who wants to restart tomcat weekly because something is causing it to leak file descriptors. More than 1024 files open at the same time...I could probably figure it out, but that would again be more hours lost to java.
    </rant>

  24. Re:Applets only by steveg · · Score: 3, Funny

    Every week!?

    I have a cron job that checks every 2 minutes to see if tomcat is still up. It starts it if it's not.

    With Tomcat 5.5 there were days when it would restart 15 or 20 times a day. Tomcat 7 hasn't gone down yet, but it hasn't been used yet either. We'll see what happens the next time the Java class is scheduled.

    --
    Ignorance killed the cat. Curiosity was framed.
  25. Applets dying? by hobarrera · · Score: 2

    So Java applets will become less common on the internet? OMG, I can't believe this!

  26. Re:Applets only by Archfeld · · Score: 2

    Launch the same product with a new colored case and the Fanboi's will buy it up....

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?