Slashdot Mirror

← Back to Stories (view on slashdot.org)

Will New Red-Text Warnings Kill Casual Use of Java?

Posted by timothy on from the brew-more dept.

New submitter ddyer writes "Java 1.7.0_40 [Note: released earlier this month] introduces a new 'red text' warning when running unsigned Java applets. 'Running unsigned applications like this will be blocked in a future release...' Or, for self-signed applets,'Running applications by UNKNOWN publishers will be blocked in a future release...' I think I see the point — this will give the powers that be the capability to shut off any malware java applet that is discovered by revoking its certificate. The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate.'"

23 of 282 comments (clear)

  1. red spots by Anonymous Coward · · Score: 3, Funny

    red spot warnings have not killed off casual sex.

    So-- probably not?

  2. We can only hope... by DavidHumus · · Score: 3, Insightful

    But don't get your hopes too high.

  3. Apparently, applets only by SirGarlon · · Score: 5, Informative

    TFA says this is for "Rich Internet Applications," that is, Java applets embedded in Web pages. It doesn't seem this would affect Java programs that you execute locally, such as (for example) Eclipse.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    1. Re:Apparently, applets only by snookerdoodle · · Score: 5, Informative

      Exactly.

      OP doesn't seem to know anything about Java.

      This will not affect standalone Java programs, only applets.

      It could be argued that they should have done this a long time ago.

      Mark

    2. Re:Apparently, applets only by i+kan+reed · · Score: 4, Informative

      It could also be argued that java has no place in browsers given the modern flexibility of javascript. The UI features are worse, the performance differences are negligible, legit code is sandboxed either way. All you're left with as an advantage for true java is threading.

    3. Re:Apparently, applets only by jonabbey · · Score: 4, Informative

      This would not affect Eclipse, no, but it does affect locally produced applications that are distributed from an intranet web server with Java Web Start / Java Network Launch Protocol.

      Previously, we could just self-sign our app and users could choose to accept the app once and for all and not be bothered so long as the signing cert didn't change. Now, all of our users running Java 1.7.0_40 are given the threatening dialog each and every time they run our internal app, and they can't get rid of it.

      We're going to pony up for a code signing cert from a (Java-recognized) certificate authority to make the dialog go away. It's a hassle, but probably still the right thing for Oracle to do at this point.

      --
      - jon

      Ganymede, a GPL'ed metadirectory for UNIX
    4. Re:Apparently, applets only by i+kan+reed · · Score: 4, Informative

      The most advanced you've played has no bearing on the most advanced you can play. WebGL is fine.

    5. Re:Apparently, applets only by Anonymous+Brave+Guy · · Score: 4, Interesting

      It could be argued that they should have done this a long time ago.

      But it wouldn't be argued by anyone who actually knew what they were talking about.

      For one thing, signing a Java applet proves exactly nothing about how trustworthy it is. You can easily get a signing certificate by spending a small amount of money and waiting a small amount of time. The whole concept of granting increased permissions to untrusted software just because it's been signed is absurd.

      Secondly, blocking unsigned applets will break numerous existing web-enabled devices, which has been one of the significant remaining use cases for applets in recent years. These are effectively running embedded web servers and serving up the applets from there, so you can't just go in and upgrade them later when your certificate expires (and the longest cert periods you can get from major CAs are only about 2-3 years, a fraction of the normal lifetime of some of these devices).

      The craziest thing is that the kinds of device I'm thinking of are typically used by the IT guys in large organisations. Some of them are going to go through months of approval process before they get installed, and when they do it will be in server rooms or data centres, accessed electronically via a separate management network with no connection to the outside world, and accessed physically via biometric security that would make James Bond cry. But in order to keep those applets safe, now they need to be signed too, just in case? Seriously?

      Not everyone using applets accesses them from a public web site. They can't necessarily upgrade or replace them on a whim. The kinds of environments still using them are more likely to be exactly the kind of long-running projects where whipping up a quick replacement in JavaScript isn't a sensible option and where backward compatibility really matters.

      Also, to anyone who thinks alternative technologies like JavaScript and HTML5 canvas/SVG offer the same flexibility and speed as Java applets, I know a prince in Nigeria who'd like to sell you a classic car from his collection for a great price.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  4. Casual use of Java by Anonymous Coward · · Score: 5, Funny

    > The unfortunate cost of this is that any casual use of Java is going to be killed.

    You may think you're just a casual user of Java. You may think you just use Java for recreational purposes. Everybody knows Java is just a gateway language for other languages like C#. And we all know what happens to C# programmers.

    1. Re:Casual use of Java by Dracolytch · · Score: 3, Interesting

      I was being a bit tongue-in-cheek (apparently that's viewed as more trolling than humorous here, but whatev).

      I've been a developer, and I've been management... Most developers get paid as well as their immediate management, and very often better than the sales department. I actually left being a developer/manager to go back to being a developer. Pay raise, better work. Right now my day-to-day is PHP, Java, and C#, depending on the project.

      ANY technology is prone to being obsolete before it reaches its full potential. If you jump on the bandwagon just because it's being released by company/group XYZ, you're crazy. Microsoft releases frameworks that don't last. Google kills apps. Blackberry does stupid stuff... It's all variations on a theme.

      For every two or three poorly concieved things MS publishes, there is one that is actually really quite good and deserves attention. While C# and Java were once very similar, C# continued to grow as Java stagnated. Now Java's back in the game, but it's owned by Oracle, which scares the #$#( out of me. All that said, Visual Studio is still the best IDE out there.

      --
      This sig has been enciphered with a one-time pad. It could say almost anything.
  5. Casual use of Java..? by FryingLizard · · Score: 3, Interesting

    Java? Casual? That's like saying the US Tax code is good bed-time reading.
    After realizing I was spending half my frickin' life compiling, reloading, and waiting... waiting... (I'm looking at _you_ Tomcat) I switched to Python and never looked back.

    --
    [FrLz]
  6. Casual use of Java was dead 10 years ago. by stewsters · · Score: 4, Interesting

    I really don't think that there is a casual use of Java applets anymore. Banks and large corporations use it, but when was the last time you ran someone's java app that wasn't your own or a major corporation's? Large players can pay $100 a year for their app without thinking about it. Personal projects you trust and can push continue on. You shouldn't be running java apps from random other sources if you value security.

  7. Re:Applets only by jasper160 · · Score: 4, Insightful

    It would be a welcome gift. I admin for a bunch engineers and a lot of the corporate and gov sites they access still use Java. And even worse some are so crappy they are version specific which makes no sense other than they are lazy.

    --
    No good deed goes unpunished.
  8. Java applets? by bigtech · · Score: 3, Insightful

    Did I just step out of a time machine?

  9. Bad for science education by l2718 · · Score: 4, Interesting

    Java applets are an essential tool for science education -- as simulators, calculators etc. Are all these research groups supposed to get some authority to digitally sign their applets?

    Fundametally, a major aspect of Java security is that, since it runs on a VM, an applet it is inherently encapsulated. Yes, VM bugs can cause problems, but the value of all the free educational applets online far exceeds any possibly security benefits of unptached VM bugs.

  10. WAAAAT by GameboyRMH · · Score: 3, Insightful

    Most of the Java apps I use are unsigned.

    Here's what I see happening: Lots of people hanging onto old Java versions, creating an even bigger security disaster.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  11. I thought the whole point of Java... by BitterOak · · Score: 5, Insightful

    I thought the whole point of Java is that it runs in a sandbox so applets don't NEED to be trusted. Are they admitting failure here?

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    1. Re:I thought the whole point of Java... by dbc · · Score: 3, Insightful

      Yes. Exactly. They just plead guilt to selling snake oil, as we knew they were doing all along.

      And my mod points ran out yesterday :-/

  12. Re:Screw java, HTML5 + JavaScript by Anonymous Coward · · Score: 5, Insightful

    please don't ever type "chive" again

  13. Retards by 0123456 · · Score: 3, Insightful

    As others have mentioned, there are a ton of embedded systems which use Java as the control interface and load unsigned or self-signed applets to do so. Block them, and we'll be forced to stick with an old version of Java.

  14. Legacy by mwvdlee · · Score: 3, Insightful

    Does this mean the new Java will start bitching about legacy Java applications I've been running for years?
    What will this do to companies that run their own Java applications? They can no longer apply security patches for Java in the near future without the massive cost of repackaging their self-made Java code?
    This has "money grab" written all over it.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  15. Re:Applets only by shipofgold · · Score: 4, Interesting

    Java as an idea was great....write a program that compiles once and the binary can run on anything.

    <rant>
    Java as an implementation has failed miserably for just the reason mentioned by the parent. I have encountered too many apps that won't run unless a specific version of the VM is available.

    Then there is Tomcat, evil software container...I have lost too many hours of my life trying to keep that beast happy....just today I got an email from a colleague who wants to restart tomcat weekly because something is causing it to leak file descriptors. More than 1024 files open at the same time...I could probably figure it out, but that would again be more hours lost to java.
    </rant>

  16. Re:Applets only by steveg · · Score: 3, Funny

    Every week!?

    I have a cron job that checks every 2 minutes to see if tomcat is still up. It starts it if it's not.

    With Tomcat 5.5 there were days when it would restart 15 or 20 times a day. Tomcat 7 hasn't gone down yet, but it hasn't been used yet either. We'll see what happens the next time the Java class is scheduled.

    --
    Ignorance killed the cat. Curiosity was framed.