Ask Slashdot: Options After Google Chrome Discontinues NPAPI Support?

An anonymous reader writes: I've been using Google Chrome almost exclusively for more than 3 years. I stopped using Mozilla Firefox because it was becoming bloated and slow, and I migrated all my bookmarks etc. to Chrome. Now Chrome plans to end NPAPI support — which means that I will not be able to access any sites that use Java, and I need this for work. I tried going back to Firefox for a couple of days but it still seems slow — starting it takes time, even the time taken to load a page seems more than Chrome. So what are my options now? Export all my bookmarks and go back to Mozilla Firefox and just learn to live with the performance drop? Or can I tweak Firefox performance in any way? FWIW, I am on a Windows 7 machine at work. Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.

Google should revert that decission

[faragon]

It is a mistake to discontinue the NPAPI: there are *lots* of commercial/corporate/etc. plugins using it (!)

Re:Google should revert that decission

they'll get on board in a year or two once it's gone. And then everybody is better off. But right now, a few of us are going to have to take 1 for the team and fire up internet explorer or firefox until they follow suite as well.

Re:Google should revert that decission

[squiggleslash]

Everyone get ready for IE becoming the corporate standard again.

All of which said, I was under the impression Chrome ultimately was going to implement another API instead, rather than abandoning the concept of plug-ins altogether. It seems hard to believe that Chrome is completely closed.

Re:Google should revert that decission

[binarylarry]

Google created a much better replacement, Pepper.

But the assholes at the Mozilla Foundation won't implement it because they prefer shitty insecure APIs like NPAPI. Microsoft won't implement it (which is probably a good thing, they'd just fuck it up like everything else they do).

Mozilla created NPAPI BTW, Netscape Plugin API.

Re:Google should revert that decission

[binarylarry]

Here's the Firefox bug: https://bugzilla.mozilla.org/s...

Re:Google should revert that decission

[tlambert]

Surely it's not because Pepper is designed first and foremost for Chrome, rather than being easy to adopt, like NPAPI was?

Actually, the reason is that it would require widespread adoption of the Chrome sandbox model, which is integral to the implementation.

Re:Google should revert that decission

[Sigma+7]

But the assholes at the Mozilla Foundation won't implement it because they prefer shitty insecure APIs like NPAPI.

If you're worried about security, then it's a better idea to worry about automatically executing anything that comes down the pipe (for example, a rogue Javascript ad that redirects you to a "please update java" page) as opposed to the mechanism at which it automatically executes (as one sandbox break gives easy access to the whole system.)

That's a lesson learned from the pre-1995 virus era. If you don't automatically execute whatever is in your floppy drive (the default setting for BIOS), you don't get infected.

Re:Google should revert that decission

Oracle can't even get its own products to work properly with Java.

Re:Google should revert that decission

[PIBM]

Where were you for the last year and a half??

Re:Google should revert that decission

[dgatwood]

Steve's speech may not have gotten us off of Flash, but it did light a fire under Adobe's backside. At the time, Flash was by far the biggest cause of browser crashes. I think it was well into the double-digit percentages, at a frequency that made the next most frequent crasher bugs seem like noise by comparison. Between the public pressure it put on Adobe to clean up their terrible, buggy, hopelessly insecure code and the effort that various browser teams made to sandbox plug-ins in separate processes, browsers are a lot more stable with Flash installed now than they were back then.

Re: Google should revert that decission

[Z00L00K]

The last good version of Oracle was 8.0, then they messed up shit in the database with Java for no good reason.

Re:Google should revert that decission

Microsoft will be killing the same plugins in I believe the next version of IE, these plugins are security holes, removing them makes browsers significantly more secure.

this is a good move for all browser creators to take, anyone with old plugins no longer supported will just have to re-write them, in the case of many Java apps they should have been full blown applications in the first place, not plugins in a web browser.

Re:Google should revert that decission

[Zombie+Ryushu]

This has been Addressed by FreshPlayerPlugin allowing FireFox to use PPAPI

Keep an older copy of Chrome around?

[tlambert]

Keep an older copy of Chrome around?

Manual installs always offer this as an option, if you have disabled the autoupdate (which sucks a ton of bandwidth anyway).

Re:Keep an older copy of Chrome around?

[binarylarry]

On behalf of all the black hats and script kiddies out there: I applaud your advice, sir.

Re:Keep an older copy of Chrome around?

[ArmoredDragon]

I've never coded in Java before so I can't comment on the language itself, but I am always seeing security vulnerabilities related to it all the time. Furthermore, new versions of Java seem to break older applications (for example, when I was taking a CCNA Security course, we had to use Cisco SDM, which broke with newer versions of Java, and required that we install insecure and older copies (which in itself is a major chore as they are often hard to find and in many cases refuse to install properly.)

That said, I think that if Java (at least, the one maintained by Oracle) finally dies, then the world will be better off.

Same with Flash too.

Re:Keep an older copy of Chrome around?

[fustakrakich]

Use Seamonkey.. It looks old, and it's at least as fast as Firefox, and with better security options. It has an email client, and an HTML editor, it'll play all the latest videos, and make popcorn. It's the browser that does everything, and it only weighs a few meg more than Firefox. It's a *Full Figured* browser.

Re:Keep an older copy of Chrome around?

[sexconker]

Microsoft's implementation of what, exactly?
Java vulnerabilities come from the fucking JVM and the plugin. You can thank Sun and Oracle.

Re:Keep an older copy of Chrome around?

[BestNicksRTaken]

all those years of "write once, run anywhere" bullshit and here we are with seven different installations of java from 1.5 to 1.8 just to run a web application and a database.

and yeah, i agree, like flash java needs to die, fed up of the weekly security exploits.

Reset firefox entirely

[mattventura]

If your Firefox install and profile are reasonably old, you'll probably have a bunch of cruft. Start fresh (reinstall and start a new profile), import bookmarks, install only the addons you need. Should be plenty fast after that.

Only problem is that it seems for every new version that comes out, you have to install more and more addons just to keep the browser the same. You could always just use Firefox only when accessing a site that requires java, and use another browser for everything else.

Re:Reset firefox entirely

[reve_etrange]

Using BarTab Heavy and the other BarTab addons to load and unload tabs in the background makes a huge difference to performance. So does using uBlock Origin instead of ABP. (And NoScript of course).

Due to stupid security warnings, security

[Cafe+Alpha]

auto-disable and minute long startup times, I haven't seen a java web page in years.
It's interesting to note that while CS departments are pushing ever more extreme forms of static typing, javascript has won in the most used platform. They never seem to notice that.

Re:Due to stupid security warnings, security

[Virtucon]

Static typing doesn't make an application more or less secure.

Re:Due to stupid security warnings, security

[Alomex]

This is demonstrably false. While one can write good/bad applications in any language, the set of insecure programs in an untyped language is a superset of the set of insecure programs in a typed language of similar syntax.

Re:Due to stupid security warnings, security

[Cafe+Alpha]

There are uses for static typing and other S&M limitations on programming.
If I had a medical appliance or anything my life depends on, I'd prefer it not even do any memory management - all memory should be pre-assigned.

In academia they're emphasizing proofs of correctness too - they're all mathematicians not engineers.

And a language like Java that not only lacks dynamic types but also lacks all abstraction that could obscure what code does, such as macros or templates or overloading - it's horrible to program in, but it saves companies from the effects of having truly stupid engineers and even more incompetent managers who don't allow programmers to document their code let alone require it.

So horrible Java code has the advantage that it never does anything that can't be understood by reading the code long enough...

It's the "I can't hire competent people to save my life" department's friend. But a good programmer can accomplish a lot more in a more powerful language.

On the positive side Java and .net have better garbage collection, more scalable gc more scaleable multithread support than their competition, so there's a niche in hugeness.

Re:Due to stupid security warnings, security

[Cafe+Alpha]

This is demonstrably false. While one can write good/bad applications in any language, the set of insecure programs in an untyped language is a superset of the set of insecure programs in a typed language of similar syntax.

You really have to be a math nerd to think you've just said anything meaningful about software engineering. You haven't. My God, you haven't!

Re:Due to stupid security warnings, security

[NostalgiaForInfinity]

While one can write good/bad applications in any language, the set of insecure programs in an untyped language is a superset of the set of insecure programs in a typed language of similar syntax.

You're confusing "untyped" with "statically typed". Static typing is about whether type information is available at compile time. C is statically typed, but it has lots of type system loopholes that cause no end of security headaches. In contrast, many dynamically typed languages have no type loopholes at all.

In fact, in practice, even statically typed languages with bullet proof type systems end up being less secure than dynamically typed languages, because programs often need some form of dynamic typing. If all that's available is a static type system, programmers come up with all sorts of home-grown emulations of dynamic typing, which usually end up less secure than if they had used a proper dynamic type system in the first place.

Re:Due to stupid security warnings, security

[NostalgiaForInfinity]

We declare the name and type so that the compiler/interpreter, can let us know if either one is different later on, because we sure didn't mean that.

That is the intent of static typing and static declarations. However, just because that may be a good thing doesn't mean it's the only way to make a language type safe. Dynamically typed languages are (usually) type safe, just like statically typed languages; they simply detect type errors at runtime.

In reality, it's a good thing to have both static and dynamic typing available in your programming language, and that's what programming languages increasingly are doing (C++, Java, C#, Swift, Objective-C, CommonLisp, etc.). The addition of dynamic typing doesn't make a statically typed language type-unsafe. Some of those languages choose dynamic typing as the default for variables without a type, others require dynamic types to be declared explicitly; that, too, doesn't affect type safety.

this will speed firefox up

[present_arms]

http://lifehacker.com/turn-on-... I've noticed a speed bump doing that, and the usual addons for ad blocking etc.

Re:this will speed firefox up

[thegarbz]

Firefox's problem is not page load times. Firefox itself appears bloated and slow. Even after a fresh install after a long time (which prompted the nuking of my profile and resetting all settings) I get graphic hangs when tabbing between pages, slow program loads, etc.

Notice I didn't say anything about high memory usage, but in reality I think Firefox performed better back in the high memory usage days than it does now.

Re:I'm betting the full phase out will be delayed

[Virtucon]

While it's a good idea to push the discontinuation of NPAPI, I think Google are being too aggressive in their phase out. ... and they'll end up shooting themselves in the foot.

Hasn't stopped them before. Google could give a shit really about what the developers and customers want with Chrome. Just like the BS they introduced with the walled garden approach. Thousands of "don't do it's" were ignored.

Googles Answer...

From the Chromium Blog:
In April 2015 NPAPI support will be disabled by default in Chrome and we will unpublish extensions requiring NPAPI plugins from the Chrome Web Store. Although plugin vendors are working hard to move to alternate technologies, a small number of users still rely on plugins that haven’t completed the transition yet. We will provide an override for advanced users (via chrome://flags/#enable-npapi) and enterprises (via Enterprise Policy) to temporarily re-enable NPAPI while they wait for mission-critical plugins to make the transition.

Re:If security risks are no object...

[ogdenk]

Yet people are happily using insecure bug-ridden flash crap every day.

things that seem to help

[dwywit]

Tweak firefox with:

new tab, type "about:config" into the address bar.

find "network.http.pipelining" and set it to "true"
find "network.http.pipelining.max-optimistic-requests" and set it to 8
find "network.http.pipelining.max.requests" and set it to 32 if it isn't that already. Don't take this one too high.

Re:things that seem to help

[swillden]

Or, tweak Chrome with:

new tab, type "chrome://flags"

find "enable-npapi" and set it to "true"

It will be possible to enable NPAPI in Chrome for some time yet. The reason for disabling it by default is to push plugin vendors to port to better approaches that don't leave your system security at the mercy of whatever web page you happen to hit.

Re: Obviously

[blockhouse]

Hell must have frozen over. People on Slashdot are actually *recommending* Internet Explorer.

Re:I'm betting the full phase out will be delayed

[fateblossom]

Google announced in September 2013 that it would phase out NPAPI support in Chrome during 2014.
NPAPI support is disabled by default since April 2015 (version 42) for Windows and OS X, but can be turned on in the settings.
Google plans to drop Chrome NPAPI support from all platforms in September 2015.

I wont call 2 years warning aggressive. I would call it more then a fair warning.
And if web-apps or plug-in's are not up to modern standards by now. Then extending to time they have to fix it wont help. Because the only things that's not updated by now wont be as long as they do not have to.
Now they are being forced to do it. And it comes as a chock for some that they only got 2 years warning.

Just go enable it again yourself

[grilled-cheese]

Per the Java support site, go here: chrome://flags/#enable-npapi

They probably won't support enabling it forever, but for now it's a workaround.

Re:Just go enable it again yourself

[djbckr]

They probably won't support enabling it forever, but for now it's a workaround.

Yes, that's exactly what the OP was saying: They are discontinuing support for this.

Re:I'm betting the full phase out will be delayed

[grimmjeeper]

Good point. They'll probably just charge forward without caring who they leave behind.

But things like this is why corporate IT is still clinging to Windows XP and IE8 in droves. They'd rather stick with what's installed and working than spending the time and money to upgrade.

Use 2 Browsers

This is only a problem because you insist that everything happen in one piece of software. That is not a requirement, or at least not one you shared with us.

If you want to complete a task that requires a particular piece of software, use the required software for that task. Then use whatever software you want for all other tasks. This will not only let you use the browser you want for most things, but will let you optimize the NPAPI browser for that particular use without worrying about security and updates and whatnot.

Re:Firefox is NOT an option

[nicoleb_x]

It didn't happen if there are no pictures. Seriously, I can't image that Chrome is 10% faster or slower loading web pages than Firefox. Let's see some hard data showing that Firefox is slower.

No, give me a break.

[Gazzonyx]

You did get the part where he's talking about using Java for work, in a secure environment, yes? You aren't seriously claiming that everyone that uses SuperMicro servers doesn't care about security because their IPMI interface is a Java webstart application, are you?

I mean, for my own part, I have two choices when doing hardware tests of our appliance builds: I can drive across the Twin Cities from my home office and stand at the R&D rack in a cold and noisy staging area for several kickstart/chef bootstrap/chef converge cycles. Conversely I, as a professional, can assume the risk of using a Java IPMI interface to access a server I physically took from a box and placed in the rack of a secured staging room over a secured subnet accessed over a secured VPN connection on my development VM (with a weekly maintenance snapshot, taken every Monday morning, which I don't hesitate reverting to 'cause SystemD, but that's another story), using HTTPS with the SSL cert from that box I physically placed in the rack.

If you are somehow cracking past all those barriers into the imaging subnet of our R&D department's subnet, you've already got half a dozen usernames and passwords and have changed a cert that lives on a box whose OS has an average lifespan on the order of an hour (that is, owning that box isn't incredibly useful in and of itself). Even at that point, the new SSL cert is going to tip me off. But if somehow you managed to get past all that, with all that knowledge just to infect my desktop VM, it seems to me that you already have the keys to the kingdom, so to speak.

That is all to say, just because someone has, or even chooses, to use Java doesn't mean they don't care about security. I'm sure I don't need to explain to you of all people (I read your username and it immediately rang a bell; a quick Google search confirmed my suspicion - I run a lot of code you wrote, and most likely vice versa but to a much lesser degree)that security is about defense in layers, attack surface, vectors and risk/reward. I'm sure there are plenty of other people that use Java in their professional lives that understand and accept the risk of how and where they use it.

End users can't upgrade software they didn't write

[Gazzonyx]

How about users of enterprise software, managed switches, Cisco gear, and embedded appliances for whom their shiny Windows 7/8/10 (for those corps that would run 8 or 10 - I'm sure they exist somewhere), Fedora 22, Mac OSX-latest still can't access said software, hardware, appliances? You do understand that I didn't write SuperMicro's Java interface and I'm not at will to upgrade to software that doesn't exist on something I didn't make regardless of how shiny my frakkin' operating system is, right?

You are correct, however about not being "forced" to do anything. What is going to happen is that when all of our stuff stops working on Chrome, we'll all use Internet Explorer because that's all that will work and IT will start enforcing it. Meaning I can count on the day where IT officially won't support my Linux laptop even though they turn a blind eye right now because I can operate without Windows. Same goes for my boss that runs a Mac.

It's a win for management who have been taking a political beating/PR hit for the move from Google Accounts for Domains (or whichever the enterprise suite is) to strictly Microsoft though. Which is a bit troubling since prior to acquisition there was hushed talk about the new management not being too keen on us in the R&D department using, writing and contributing to open source projects.

In summary, breaking an interface to other things breaks stuff on ALL supported platforms, because end users can't upgrade software they didn't write or compel their upstream provider to care what Chrome does; it doesn't matter what version of which operating system you're running. There are also unintended consequences for breaking stuff that corporate customers use, and those of us that have a foothold with Open Source in the company are collateral damage.

Re-enable NPAPI in chrome

[swyecso]

Enabling NPAPI in Chrome Version 42 and later As of Chrome Version 42, an additional configuration step is required to continue using NPAPI plugins. In your URL bar, enter: chrome://flags/#enable-npapi Click the Enable link for the Enable NPAPI configuration option. Click the Relaunch button that now appears at the bottom of the configuration page.

NPAPI to PNaCl ports are difficult

[DrYak]

All except PNaCL, which most npapi plugins could be recompiled to within a few days work...

Not exactly. PNaCl plugin run in a restricted sandbox, they are severly limited into what they can execute and which API they can call.
That's not the case with NPAPI: an NPAPI plugin can basically call any API it whishes (e.g.: call the OS's media API).
The closest thing to PNaCl in the Firefox world isn't NPAPI, but ASM.js, that two only runs a very limited set of API (e.g: only use WebGL) and is restricted to what it can do.

Saddly, a lot of the Java applet aren't actually "write-once run everywhere" as Java was intended to be, but rely on native libraries that are packaged together.
(This is also is the reason why some popular Java applet won't run easily on Linux 64bits without some tweaking).
These external DLL/so are clearly out of what the PNaCl model authorises. You can't do a PNaCl-port of Java instead of NPAPI and keep such functionality.

And such thing are really popular in the corporate world:
- Cisco's WebEx conferencing platform - which is immensely popular in the corporate world - relies on native libraries (.DLL or IA32 .so) for all media access.
Without it, all you're left with is using a phone connection to the conference, and you miss screen sharing/webcams.
- Several VNC plug-ins use similar native libraries for low-level access - (including popular ones to remotely admin servers from the lights-out web console)
etc.

All these won't require a simple recompile.
They would require that :
- Java gets ported to PNaCl (or the apps themselves get re-compiled targetting PNaCl instead of JVM).
- Extra functionality that the applets pack into external .so files gets rewritten from scratch to be able to used from within the restricted context of PNaCl.
(That would be great. It means less risks of hacking as everything fits within the PNaCl restrictions, and also as PNaCl is bytecoded, you get tweak-less support for x86_64, ARM, etc.)

Or:
- rewrite the whole functionality from scratch using HTML5/Javascript and using modern API.
(Even better in my taste).

What will probably happen:
- Internet is back as the corporate standard, because 2/3 of all the used business App (like most of the things running on Java in the corporate world) aren't straight recompiles.