

Mozilla adds all recent versions of Java to its Firefox add-on blocklist - denzil_correa
http://thenextweb.com/apps/2013/01/11/following-active-exploits-mozilla-adds-all-recent-versions-of-java-to-its-firefox-add-on-blocklist/

======
zmmmmm
> Until then, we recommend uninstalling Java if you don’t need it

This advice feels very rash to me. This vulnerability (and most Java
vulnerabilities in its class) affects ONLY the Java browser plugin. Many users
won't know if they need Java on their computer, and common services like
GotoMeeting and others use it transparently. Telling them to uninstall it will
cause support headaches for companies that have coached the user through Java
installation in the past and now suddenly it's gone. The result will be that
after wasted time on everybody's part, they'll end up _reinstalling_ Java and
will be vulnerable all over again.

It would be much better to include proper instructions for how to disable it
(or set it in click-to-play mode) in the browser than telling people to
uninstall it carte blanche.

~~~
meaty
Yes, this has shot us. Your approach is much better. Half of our outsourcers
use Firefox with a screenshot tool which is a Java applet. This just stopped
working. So Monday is going to be a day's work for our operations guys to sort
out the mess.

I don't expect the browser to police the internet - it's not its job.

I'm actually gaining respect for IE these days - it doesn't pull shit like
this and we have more control over it in a corporate environment.

~~~
politician
I _do_ expect the browser to police the internet through tab isolation,
incognito modes, and plugin policies. These plugin vendors are a persistent
source of exploitable security bugs.

An analogy: if my butler allows you into my home and he notices you opening
the door to criminals, then he's going to demand that you leave. If he
doesn't, I'm going to fire him. (Disclosure: I don't have a butler.)

~~~
meaty
Warn yes, ban no. That is the problem. Anything which takes choice away from
the user is negative if you ask me.

------
cpeterso
You can enable click-to-play for all plugins by toggling the about:config pref
"plugins.click_to_play".

~~~
w1ntermute
Why isn't this enabled by default? And why does it work in such a shitty way
(with a popup protruding over the browser window)?

~~~
cpeterso
Disabling plugins, or even just Flash, would break many websites. Users would
blame Mozilla for "breaking the web".

The popup is necessary because many plugin elements are too small for a usable
"click to play" message and button. Some websites use Flash content without
any visible UI (elements that are just 1x1 or 0x0 pixels). For example, Gmail
uses Flash for attachment uploading and audio chat. GitHub uses Flash for
copying repo URLs to the user's clipboard.

~~~
w1ntermute
> Disabling plugins, or even just Flash, would break many websites. Users
> would blame Mozilla for "breaking the web".

Why not make it easier than going into about:config, then? In Chrome it's
available in the settings.

> The popup is necessary because many plugin elements are too small...

How about a whitelist then, so that the main Flash applets on YouTube and
other prominent sites with large, easy to locate Flash applets have a non-
popup click-to-enable dialog (as is used by extensions like Flashblock)? That
would cover 90% of use cases.

Also, how about an option to have click-to-play settings controlled on a per-
plugin basis? I wanted click-to-play enabled for Java, but now I'm getting the
same crap for Flash when I already have an extension (Flashblock) for that.

And even otherwise the popup doesn't have to protrude _over_ the browser
window. It could just be something in the chrome.

~~~
drivebyacct2
I don't know if Firefox has the "badge" setup that Chrome has, but in Chrome
there is a plugin (puzzle) icon shown on pages that may have inaccessible
flash elements. Normally if a page isn't working, my first attempt is to click
the puzzle and say "Run plugins" or "Always allow on this site".

It can be annoying to remember to do it, the first few times you may curse the
site for being broken before you realize what's going on.

~~~
maxerickson
There isn't any visual indicator that there are hidden plugins, but there is a
button on the toolbar for activating a plugin (activates all the elements
using the plugin on the page).

------
throwaway125
I wish Mozilla (and other browsers) also blocked plugins that don't behave
while updating. I want to have java installed so I can decide to run java
programs, but I _don't_ want to have a browser plugin, so I disable it. Every
single time java updates itself it enables the browser plugin again. Users
should not have to put up with every installer under the sky silently
installing browser plugins, or worse, updaters enabling them again.

~~~
dave5104
Didn't Chrome just recently take steps to stop this and inform you which ones
were silently installed?

~~~
jaredsohn
Yes. <http://news.ycombinator.com/item?id=4091618>

------
steeve
God damn. What a downfall for Java in the browser.

~~~
eli
It's only until there's a fixed version, it's not permanently banished from
the browser.

~~~
thaumaturgy
Not necessarily. I'm sure there will be discussion at our next consulting
meeting with at least one of our business clients on whether or not they
should bother re-enabling Java after this; given that DHS also published a
somewhat rare recommendation to completely disable Java, I could see a number
of other corporations having the same conversation.

And sometimes that's all it takes to cripple adoption of a platform.

I wouldn't be sorry to see it go.

~~~
eli
About a year and a half ago, I started disabling Java on new or newly reimaged
computers for my users. I got quite a few complaints. It had many more uses
than I expected.

------
hirenj
Apple disabled the Java plugin via the XProtect plist, which now means that I
am totally unable to log in to online banking in Denmark on any Mac. It's a
bit of a disaster.

------
augustl
Bad news for us Norwegians. The national online authentication system, BankID,
commonly used in online banks and government services, uses a Java applet.

~~~
denzil_correa
It is the same in other places like India too.

~~~
veemjeem
You guys will suffer the same fate as Korea, who are forever stuck in IE6 due
to ActiveX being used everywhere.

~~~
denzil_correa
There is light at the end of the tunnel - or at least I hope. A few major
private sector banks have moved away; I hope the public sector banks follow
suit.

------
reiichiroh
Now if we could only do this for PDF and Flash.

~~~
camus
and javascript ...

~~~
TruthElixirX
Let's all just go read books.

