What Is Java, Is It Insecure, and Should I Use It? - maudlinmau5
http://lifehacker.com/5988800/what-is-java-is-it-insecure-and-should-i-use-it

======
smoyer
Here's the money quote: "Java has two parts: the runtime that runs on your
computer (and lets you run Java apps), and the browser plug-in that comes
along with it. When people talk about Java being insecure, they're talking
about the browser plug-in. Java apps themselves aren't inherently insecure,
it's the browser plug-in that causes problems."

A world in which Java (the run-time) suddenly disappeared would be completely
non-functional due to the amount of enterprise software that runs on the JRE.
And while Java (the language) is often bashed for its verbosity, many of the
up-and-coming, "cool" languages target the JRE as their run-time environment.

Unfortunately, burying that paragraph in a long article and stating "you
probably don't need it" is the wrong story to tell. You probably couldn't live
(your modern life) without it, but you may not need to have it installed on
your computer.

EDIT 1:

I also should have mentioned that Javascript is not "safe" ... it's "safer"
than it used to be because browsers have gotten way better at "sand-boxing"
its behavior (I love LocalStorage!). Applets were designed to allow browser-
based applications access to the underlying computer's OS, so it should be no
surprise that there are more vulnerabilities. And if you think about the
biggest attack vectors on the IE browsers (at least the older ones), ActiveX
shares this trait (I won't call it a problem).

For Android users, you should realize that when you authorize applications to
use various features of your phone or tablet, you're explicitly opening holes
in Android's default security model (fully sand-boxed).

EDIT 2:

My favorite quote (so far) on the life-hacker site is "Java does have some
legitimate uses (namely Minecraft) ...". The rest of his commentary sounds
like the rants typically found in language wars (I won't participate).

~~~
martinced
Spot on.

People do not realize that in some countries virtually all the citizens are
carrying a Java SmartCard on them at all times (either an ID card or a medical
security card). People do not realize that there are billions of devices
running Java (like TV decoders) and that Java is even officially part of some
specs ( _e.g._ you cannot have a Blu-Ray player without having Java). In
addition to basically powering the entire banking infrastructure (it's damn near
close to impossible to make an electronic payment without having Java involved
in the process) and pretty much the entire corporate world, Java _also_ powers
a gigantic number of high-target websites (like eBay and FedEx).

And even in browsers, without needing applets, Java is also used to generate
JavaScript (GWT and ClojureScript being two examples -- at this point
ClojureScript still needs the JVM to compile to JavaScript).

And Android, of course.

Java is going to dwarf COBOL's legacy. Big times.

The real sadness here is that the writing _was_ on the wall: any knowledgeable
Java programmer knew, 15 years ago, that Java applets were an insecure piece
of excremental technology.

You don't know how many times I've vomited on Java applets in Usenet's
comp.lang.java.programmer years ago, saying how big of a mistake and loss of
energy it was... Only to have the likes of Jon Skeet and Roedy Green defending
Java applets tooth and nail.

~~~
moccajoghurt
Why do corporations spend resources in mounting the JRE to their devices?
Wouldn't it be much simpler to use the instruction set of the hardware and
write stuff in C / Assembly?

I am asking because my first language was Java and after learning C / gnu AS
it feels much more comfortable to actually have control over the resources you
are using than relying on the magic the JRE does for you.

~~~
riobard
“it feels much more comfortable to actually have control over the resources
you are using than relying on the magic the JRE does for you.”

That's exactly the problem Java/JRE was trying to solve. People make mistakes.
Given the large quantities of programmers corporations hire, it is almost
certain that mistakes, especially those dealing with hardware resources (e.g.
memory), will happen. Java/JRE reduces a large part of them (e.g. memory
allocation/deallocation due to GC) so corporations can hire average programmers
to do the majority of tedious tasks without blowing things (too much) off. You
cannot have such a guarantee with C/C++.

------
ZoFreX
"The browser plug-in is the security problem in question, but the Java runtime
has its own annoyances—like constantly nagging you for updates, taking up
space in your system tray, and (when you first install it) because it likes to
install things like toolbars on your system. For these reasons, we generally
recommend uninstalling the Java runtime too, just for the convenience."

I completely agree with this advice, but it kills me to do so. All of my non-
trivial desktop applications are written in Java. They're performant, secure,
and easy on the RAM. A huge part of Java's advantage is that it's installed
everywhere, and it seems like Oracle are trying their hardest to make sure
that's not the case. I really hope I can keep writing applications in Java in
the future.

------
zdw
(sysadmin here)

I'd totally get rid of Java if so many pieces of hardware didn't have it as
their primary user interface. Most equipment in the 2000-2007 range expects to
load a Java app in a browser.

I have HP and Canon Printers, HP and Qlogic network gear, etc. that all
require Java, in a browser, for at least some of their functionality. There's
simply no way around this.

The alternate CLI interface on many devices frequently is frustrating - unable
to set all features (frequently it's just the network settings), no readline
style command line editing support, frequently won't even let you backspace!

That said, I shouldn't complain too much. Some gear tried HTML interfaces
before they were ready, and as a result only work properly in IE6
(Cisco/Linksys SRWxxxx, I'm looking at you).

------
jtheory
It seems like every other day we get a new article on Java problems, all
written for non-technical readers.

I know there are new 0day exploits appearing -- but I have no idea what's
actually required to activate them.

Oracle's oh-crap patch at the beginning of this recent PR mess was to force a
user confirmation dialog for running _any_ applet.

Are the new exploits bypassing _that_ as well, or are these situations where
the sucker has to click "yes, I want to run this possibly dangerous content"
before bad things happen?

It really does make a big difference, but none of the article authors seem to
know or care about what actually happens for each exploit to work.

~~~
brazzy
AFAIK most Java plugin exploits are based on a myriad different and
arbitrarily involved ways to break out of the applet sandbox. The confirmation
dialog should stop those completely.

------
cwgem
Is there a print view or something of this article that doesn't make me feel
like I'm viewing the mobile version of this website? The text is squished
into this narrow column by a confusing layout, so that it's annoying to read.

------
rhplus
The LifeHacker article only mentions how to disable on Chrome and Firefox.
Instructions for Internet Explorer and Safari are listed here:

<http://www.java.com/en/download/help/disable_browser.xml>

------
ved_a
Wow - when a lifehacker (finest resource of everything computer science) page
hits the Hacker News front page.

------
NelsonMinar
As a Mac / Chrome user I don't even really have the option of using Java in my
browser any more. Can't say I really miss it, although I was fishing around
for the command line appletviewer the other day...

------
monochromatic
Why is this fluff on HN?

~~~
oinksoft
No clue, but Java security seems to be a hot topic right now. OP's post
history is very bot-like, a single fluff article every day, never more than
one, and one comment on registration day, no more.

But it's altogether possible OP is just very consistent and persistent.

------
berlinbrown
And I am assuming this applies to the Oracle web plugin on Windows? E.g. does
the Icedtea plugin on Ubuntu have these issues?

