Slashdot Mirror


Firefox's Blocked-By-Default Java Isn't Going Down Well

JG0LD writes "The Firefox web browser will, henceforth, require users to manually activate Java objects on sites that they visit, Mozilla has confirmed. This even affects up-to-date versions of Java, which you can see on the block list. The change is aimed at improving security and moving away from a dependence on proprietary plug-ins, but critics say it will cause untold headaches for developers, admins and less-technical end-users."

9 of 362 comments

  1. Didn't they learn from Microsoft? by Anonymous Coward · Score: 5, Insightful

    Users hate authorizing things, and become trained drones blindly okaying everything anyway.

    As security models go, it's a poor one.

    1. Re:Didn't they learn from Microsoft? by buchner.johannes · Score: 5, Informative

      Actually it's not an authorization dialog, but a "click-to-play" on the embed objects. You can get the same functionality already by setting plugins.click_to_play to true in about:config. That is just going to be a default setting on new installs, but you can set it to false. I set it to true myself, because it is useful to not have arbitrary Flash code to just start running (and playing).

      The gamble Mozilla makes is that because of the extra step, companies will move to putting content into HTML5 rather than external plugins, because it makes their website more clunky. They also do replace external PDF viewer plugins with an HTML5/JS-based one, so it is a coherent strategy towards open technologies. There are plenty of benefits if it works out; security is one of them. And it's a phased, non-invasive method, which can be disabled.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  2. At this rate... by JohnA · Score: 5, Funny

    Firefox will be exactly what Scott Adams predicted...

    http://dilbert.com/strips/comic/1995-03-25/

    Applets may be "The Debil", but they also fill a need that can't be filled by Flash or HTML5.

    Mozilla needs to get over themselves.

  3. Re:Already considering uninstalling firefox by Kjella · Score: 5, Informative

    Well, if you're in Norway then 800-900,000 people use it daily and 2.9 million occasionally to access their bank and various other public services through BankID. They are moving away from Java now after all the security issues, it was announced in April but hasn't happened yet so with this I expect Firefox usage here will drop like a rock.

    --
    Live today, because you never know what tomorrow brings
  4. Re:Headaches for developers? by Dahamma · Score: 5, Informative

    Because Java allows native access to USB hardware. Haven't seen that in Javascript.

    And no offense, but do you know what a digital signature is? Having the source code to the algorithm doesn't affect security. That would be like saying "I know how AES works, therefore I can decrypt all AES-encrypted data!" Doesn't work that way.

  5. What's the big deal? by Anonymous Coward · Score: 5, Insightful

    Oracle Java has ALSO decided, due to the persistent security problems due at least in part to having concurrent (i.e., old) versions installed (and the fact that the largest exploit kits have used Java as one of their main vectors for some time now, alongside Adobe Reader of course) to disable Java plugins in the browser by default in recent updates.

    So, what's the big deal? This is the correct decision from a security perspective. I can't remember the last time I saw someone on the World Wide Web actually USE a Java applet for good, rather than for evil. And I'd have noticed, because even after all these years, it still runs like an absolute dog. It's the kind of thing you might use on a local application (such as Minecraft, which is what I think probably most people who still have it installed use it for now, albeit they'd likely have the 64-bit version which wouldn't have a working browser plugin in a 32-bit browser anyway!) or an intranet site (which is your administrator's problem, to re-enable it for that site only, or to use a different browser for the web and the intranet, which you can totally do and is good practice).

    I've got many other criticisms about Firefox recently from a security and performance perspective - let's face it, it's just not the zippy, efficient browser it used to be, even relatively-speaking, it's lost its mojo and the security team have a reputation for having a slow, and fairly arsey, response - but this seems to be the right decision and they should be lauded for it. IE has also done it, as has Chrome.

  6. Re:Untold headaches? by macraig · Score: 5, Insightful

    You just succinctly explained why tools like NoScript are so desperately needed, not why they aren't. The real problem is Web design that serves an agenda contrary to the desires and rights of those who use the Web. Fix that problem and annoying tools like NoScript won't be necessary.

    What that means, BTW, is that Web developers need to grow both a conscience and a spine and say NO when they're asked to code Bad Things. It also means that the pushovers and corporate plants over at the W3C need to stop adding crap to the standard that aids and abets these Bad Things.

  7. Re:Headaches for developers? by BitterOak · Score: 5, Interesting

    Because Java allows native access to USB hardware.

    Maybe that's a darn good reason for requiring people to authorize Java applets manually!

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  8. Re:What need? by Anonymous Brave Guy · Score: 5, Insightful

    If you are still developing/depending on applets, 1995 called they want their stupid ideas back.

    Hi 2013, this is 1995 calling. When your new shiny toys have the portability and performance and flexibility that we had nearly two decades ago, and developers can write software using them with a reasonable expectation that it will still be working in 5 or 10 years (or even 1 or 2 years) without needing constant maintenance, then you get a vote. Until then, we'll keep our "stupid" ideas, because they've been helping us get useful work done since before you were born. Kthxbye.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.