Marking all Java versions as insecure could backfire on Mozilla

With Firefox 24 came a change that affects all versions of the Java plugin installed on a system. Mozilla made the decision to mark all existing and future versions of Java as insecure due to the "history of security vulnerabilities in Java" and "poor response times" to fix those issues.

It needs to be noted that the organization is not the only one that decided to change how plugins are handled. Google decided to block all NPAPI plugins -- to which Java belongs -- at the beginning of 2014.

Previously, only Java plugin version with known security vulnerabilities were added to Mozilla's blocklist which prevented the direct execution of them in the Firefox web browser and other Mozilla products.

Along with this comes a change for users of Firefox who rely on Java. This not only affects gamers playing games designed in Java, but also people using Firefox in business environments.

The bug listing on Mozilla has received its fair share of comments by system administrators who report that their users are running into issues running the Java applications in Firefox because of the changes that Mozilla made.

The main points of criticism revolve around Mozilla's premise that Java is inherently insecure, and the implementation of the warning and click to play system.

As far as the first point of criticism is concerned, the core argument here is that other plugin contents and applications are as insecure as Java is. Especially Flash is mentioned here several times.

The second argument criticizes the implementation of the notifications. When users connect to websites that require Java, a small red icon appears in the browser's address bar next to the site address.

java deployment toolkit

If Java elements are visible on the page, a click to play message is displayed in addition to that. This is however not always the case, so that the red icon may be the only indicator that something was not loaded on the page. While it blinks a couple of times, it can be overlooked easily, especially if users are not experienced computer users.

activate java this plugin has security vulnerabilities

activate Java

While most experienced users may have no issues finding out about the change, most inexperienced users may not be able to figure out the solution on their own.

Some developers have proposed that the warning message should be less scary, especially if the latest version of Java is installed on the computer system.

Most administrators appeal to Mozilla to change the policy, for instance by making the process more visible to the user. Others seem to have jumped ship already and moved to another web browser that does not impose the restrictions -- yet -- on their user base.

What's your take on this? Should Mozilla rethink the blocking of all Java versions, even those that have not been released yet?

Now Read: How to fix Java issues in Firefox

Update: Mozilla has restored the original functionality due to "some important bank websites that didn't work properly" anymore. You can follow further development here.

Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Marking all Java versions as insecure could backfire on Mozilla

  1. Dave October 22, 2013 at 2:21 pm #

    That is why i never update software. Old version work perfectly and for security I use my own brain...

  2. Anonymous October 22, 2013 at 2:41 pm #

    Like all computing these days: dumbing down, screwing things up, getting rid of usability.

  3. kalmly October 22, 2013 at 2:48 pm #

    Going in the direction all computing these days: dumbing down, screwing things up, destroying usability.

  4. imu October 22, 2013 at 4:15 pm #

    Does it affect me if I use java with java browser plugin not installed?

  5. Transcontinental October 22, 2013 at 4:27 pm #

    Well, if "While it blinks a couple of times, it can be overlooked easily, especially if users are not experienced computer users" then those inexperienced users shouldn't use Java to start with. Either they know the business either they don't. This is a storm in a glass of water.
    If you don't need Java, follow Mozilla's state of mind, don't install it or remove it. And for those who still mistake, Java and Javascript have nothing to do with each other.

    • Martin Brinkmann October 22, 2013 at 4:34 pm #

      While this may work for home computer systems, it won't work at work.

      • Transcontinental October 22, 2013 at 9:44 pm #

        I agree. But if at work you are to handle Java and you ignore at the same time the specificity of Firefox regarding Java, then there is a problem, that's what I was saying.

        I don't know the level required in business concerning dealing with a computer, but if it's the same as on a simple workstation then, obviously, some users might be bothered with Firefox's way of handling Java. It's up to the team manager to inform, no ?

        Perhaps I'm missing something. My point was to consider in the balance Firefox's security philosophy and a simple practical issue which seemed to me over-weighted.

  6. InterestedBystander October 22, 2013 at 8:03 pm #

    I understand the value of Java on the web, but I also understand the difference between proactive and reactive security. (It's only made worse because Oracle's patch-and-update reactions are sluggish to say the least.) Firefox's move is proactive.

    But Java as a web technology is, I think, on the decline. That's the most prominent attack vector and with javascript, HTML5, and Google's foray into native-client programming Java applets are unnecessary. Java for programming cross-platform applications is a somewhat different case, but Firefox's move does not affect that.

    My personal take: I disabled Java a year ago in all the browsers at home and at work. I also removed the JRE from my machines. There are a few Java applications I would like to run, but nothing (so far) that's made it worth re-installing the JRE. My workplace doesn't use Java applications, so no worries there.

  7. InterestedBystander October 22, 2013 at 8:51 pm #

    Martin, you asked "What's your take on this?" Personally, a year ago I disabled Java in all my browsers at home and at work, and removed the JRE from the machines. It may be problematic for some; it wasn't so in my situation.

    The thing is, reactive security is an especially bad bet when the responsible party -- Oracle in this case -- have a sluggish reaction time. Mozilla's move is proactive, usually a more effective way to deal with threats. Remember that the US-CERT advised users to "consider disabling" Java in their browsers back in February. Java on the internet is probably a dying technology anyway, and the blame for that rests with the JRE gatekeepers. More secure technologies win, Java loses and that's the way it should be!

    • Martin Brinkmann October 23, 2013 at 12:13 am #

      I also have disabled Java in browsers, apart from when I enable it for testing. I do not mind that Mozilla makes Java Click to Play, but I think that the "is vulnerable" message is not an appropriate reflection of what is happening. Plus, the indicator that Java was blocked could be improved.

      • InterestedBystander October 23, 2013 at 12:57 am #

        Yes, I take your points. And I apologize for the double-post...My brain glitched.

  8. Bret October 22, 2013 at 9:02 pm #

    I believe Mozilla's intent is to protect users and admonish Oracle over Java's security and patching. Both make sense. However, this behavior is also a bit bold and dumb. Organizations that use Firefox and require Java are being alienated and, as you pointed out, ready to move to other browsers. I already did that in my organization when Mozilla decided to start removing options and joining the version number race. They have gotten quite arrogant and think they know best. In fact, they are getting out of touch with the people who believed in Firefox at the beginning. If they don't turn things around and become bold, smart, and open to criticism and suggestions, they will continue to swirl around the drain.

  9. Neal October 23, 2013 at 8:42 am #

    I personally think it is a overzealous move, just when Java is beginning to get its act together. Unless there is a specific in the exploit running around in the wild, there shouldn't be alarming notice saying there are vulnerabilities. With that said, Java applets on the web is way down anyways at least in the consumer space. Schools, and enterprises is another story.

  10. Conspiracy NOT October 23, 2013 at 9:17 am #

    I will not be surprised if they received money or 'instructions' from somebody to do that. I can recall the drama orchestrated by Ubuntu when they accepted 'donations' from Amazon. Anybody recall the dreadful shopping lens in newer Ubuntu?

    • Clas October 23, 2013 at 5:21 pm #

      hi martin, i also got rid of java a month ago..and i have been surfing and movies and streaming quotes and on and on and have had absolutely no problems or lack of functionality. i made an image backup before getting rid of java so i was covered but do not think i will ever go back. i feel that if a program is just so vulnerable to problems then i just dont need it. i felt the same with internet explorer and havent used it in four years and dont miss it a bit.

  11. Grin October 24, 2013 at 11:18 am #

    Time for web devs to switch from Java to HTML5/CSS3.

Leave a Reply