Slashdot Mirror
Ask Slashdot: Options After Google Chrome Discontinues NPAPI Support?
An anonymous reader writes: I've been using Google Chrome almost exclusively for more than 3 years. I stopped using Mozilla Firefox because it was becoming bloated and slow, and I migrated all my bookmarks etc. to Chrome. Now Chrome plans to end NPAPI support — which means that I will not be able to access any sites that use Java, and I need this for work. I tried going back to Firefox for a couple of days but it still seems slow — starting it takes time, even the time taken to load a page seems more than Chrome. So what are my options now? Export all my bookmarks and go back to Mozilla Firefox and just learn to live with the performance drop? Or can I tweak Firefox performance in any way? FWIW, I am on a Windows 7 machine at work.
Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.
It is a mistake to discontinue the NPAPI: there are *lots* of commercial/corporate/etc. plugins using it (!)
If your Firefox install and profile are reasonably old, you'll probably have a bunch of cruft. Start fresh (reinstall and start a new profile), import bookmarks, install only the addons you need. Should be plenty fast after that.
Only problem is that it seems for every new version that comes out, you have to install more and more addons just to keep the browser the same. You could always just use Firefox only when accessing a site that requires java, and use another browser for everything else.
On behalf of all the black hats and script kiddies out there: I applaud your advice, sir.
Mod me down, my New Earth Global Warmingist friends!
From the Chromium Blog:
In April 2015 NPAPI support will be disabled by default in Chrome and we will unpublish extensions requiring NPAPI plugins from the Chrome Web Store. Although plugin vendors are working hard to move to alternate technologies, a small number of users still rely on plugins that haven’t completed the transition yet. We will provide an override for advanced users (via chrome://flags/#enable-npapi) and enterprises (via Enterprise Policy) to temporarily re-enable NPAPI while they wait for mission-critical plugins to make the transition.
Tweak firefox with:
new tab, type "about:config" into the address bar.
find "network.http.pipelining" and set it to "true"
find "network.http.pipelining.max-optimistic-requests" and set it to 8
find "network.http.pipelining.max.requests" and set it to 32 if it isn't that already. Don't take this one too high.
They sentenced me to twenty years of boredom
Hell must have frozen over. People on Slashdot are actually *recommending* Internet Explorer.
Google announced in September 2013 that it would phase out NPAPI support in Chrome during 2014.
NPAPI support is disabled by default since April 2015 (version 42) for Windows and OS X, but can be turned on in the settings.
Google plans to drop Chrome NPAPI support from all platforms in September 2015.
I wont call 2 years warning aggressive. I would call it more then a fair warning.
And if web-apps or plug-in's are not up to modern standards by now. Then extending to time they have to fix it wont help. Because the only things that's not updated by now wont be as long as they do not have to.
Now they are being forced to do it. And it comes as a chock for some that they only got 2 years warning.
Per the Java support site, go here: chrome://flags/#enable-npapi
They probably won't support enabling it forever, but for now it's a workaround.
You did get the part where he's talking about using Java for work, in a secure environment, yes? You aren't seriously claiming that everyone that uses SuperMicro servers doesn't care about security because their IPMI interface is a Java webstart application, are you?
I mean, for my own part, I have two choices when doing hardware tests of our appliance builds: I can drive across the Twin Cities from my home office and stand at the R&D rack in a cold and noisy staging area for several kickstart/chef bootstrap/chef converge cycles. Conversely I, as a professional, can assume the risk of using a Java IPMI interface to access a server I physically took from a box and placed in the rack of a secured staging room over a secured subnet accessed over a secured VPN connection on my development VM (with a weekly maintenance snapshot, taken every Monday morning, which I don't hesitate reverting to 'cause SystemD, but that's another story), using HTTPS with the SSL cert from that box I physically placed in the rack.
If you are somehow cracking past all those barriers into the imaging subnet of our R&D department's subnet, you've already got half a dozen usernames and passwords and have changed a cert that lives on a box whose OS has an average lifespan on the order of an hour (that is, owning that box isn't incredibly useful in and of itself). Even at that point, the new SSL cert is going to tip me off. But if somehow you managed to get past all that, with all that knowledge just to infect my desktop VM, it seems to me that you already have the keys to the kingdom, so to speak.
That is all to say, just because someone has, or even chooses, to use Java doesn't mean they don't care about security. I'm sure I don't need to explain to you of all people (I read your username and it immediately rang a bell; a quick Google search confirmed my suspicion - I run a lot of code you wrote, and most likely vice versa but to a much lesser degree)that security is about defense in layers, attack surface, vectors and risk/reward. I'm sure there are plenty of other people that use Java in their professional lives that understand and accept the risk of how and where they use it.
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.