In Firefox 24 and following, mark all versions of Java as unsafe - y0ghur7_xxx
https://bugzilla.mozilla.org/show_bug.cgi?id=914690
======
kevingadd
A lot of the angry comments about this seem to be coming from uninformed
people who haven't actually tried it - that or something about this change
isn't actually rolled out. I just tried it in an up-to-date version of Firefox
24, along with Firefox Nightly.

In both, with my existing old build of Java, I got a placeholder image like
this:

[https://dl.dropboxusercontent.com/u/1643240/outdated_java.pn...](https://dl.dropboxusercontent.com/u/1643240/outdated_java.png)

Clicking it took me to the update page. Exactly what you want. There was an
option in the top-left corner to forcibly load it, which is fine - updating is
the right move.

Once I updated and uninstalled the old JRE, in Firefox 24 the applet I was
trying loaded silently without any confirmation. It was _not_ blacklisted.

In Firefox Nightly, once Java is updated, I see this placeholder where the
applet would have been:

[https://dl.dropboxusercontent.com/u/1643240/activate_java.pn...](https://dl.dropboxusercontent.com/u/1643240/activate_java.png)

Clicking the placeholder opens a prompt asking if I want to allow the plugin
once or allow it always on this site. Very straightforward.

Other than the fact that modern Java 7 is not blocked by default in Firefox 24
for me (maybe they didn't roll that out yet?), everything works fine here, and
I don't see any catastrophic UI mistakes, developer/enterprise-hostile design,
or attempts at destroying the web.

~~~
josteink
> In both, with my existing old build of Java, I got a placeholder image like
> this:
>
> [https://dl.dropboxusercontent.com/u/1643240/outdated_java.pn...](https://dl.dropboxusercontent.com/u/1643240/outdated_java.png)

The problem is that this dialog box is outright _lying_. It will show that
placeholder even with the latest version of Java installed.

Firefox is open source software. Open source software should be trustworthy.
Software which _lies_ to you is by definition not.

As things stand here, right now, it's Firefox which has a problem.

~~~
adamtulinius
I just want to confirm 'gfritzsche' in you being wrong, and ranting about a
lot of stuff that is just _wrong_. You should delete your comment.

~~~
josteink
I went through this routine yesterday. Updated Java and restarted Firefox. I
can 100% vouch for seeing a warning about Java being outdated. The warning was
_still_ there. I stand by it and I won't delete or edit my comment.

As a dedicated Firefox-user who dislikes the direction Chrome is taking, I
still say Firefox has a problem here. This is something real users are
experiencing.

I believe this as a whole will have a very negative impact on Firefox's
perception in the java-heavier regions of the internet.

And damage done is hard to repair. Mozilla should think carefully and _very
quickly_ about what they just have done.

Edit: My bank's Facebook page is already filling up with customers saying they
can't log in. When the bank's reply is "Don't use Firefox. Firefox is broken"
and the customer indeed _can_ log in with other browsers, what chance do you
think there is for the user going back to Firefox?

Mozilla needs to get 24.1 java-enabled-edition out there _now_, until it gets
its UI/UX story straight.

Edit 2: Down-vote as you like. If you don't think this will affect Firefox's
perception, you are a tad more optimistic than I am.

~~~
gfritzsche
If you do see that, please file a bug with details on the steps to trigger
this:
[https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&comp...](https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Plug-ins)

------
kristofferR
A lot of the commenters here seem to misunderstand this change.

You can still easily run Java applets in Firefox 24 and beyond, you just need
to click the red lego block in the upper left corner and allow it. [1]

It's much less strict than in Chrome (on OS X), where Java doesn't run at all
anymore.

[1] [https://support.mozilla.org/en-US/kb/how-to-enable-java-if-i...](https://support.mozilla.org/en-US/kb/how-to-enable-java-if-its-been-blocked)

~~~
johnchristopher
_> You can still easily run Java applets in Firefox 24 and beyond, you just
need to click the red lego block in the upper left corner and allow it. [1]_

Allow me to disagree and to tell you what happened last weekend:

Last Sunday I had a call from my stepfather who "couldn't run the website to
order agro food" anymore. This website runs a Java applet to manage agro food
orders on-line and the code isn't signed (it's a small structure).

He tried to understand what was going on with the warning before clicking
"ok/yes/run". He googled the warning and unfortunately ended up installing
malware from ads running on some PC help website/forums that promised to fix
"2 just found vulnerabilities": he thought that was related since the warning
actually preventing him from accessing his "working-fine-yesterday" website
seemed to be about security and vulnerabilities in the plug-in.

He then tried to update Java but canceled it at the end of the process because
the window with the Java propaganda ("it powers 3 billion applications,
your car, your website, etc.") looked too much like the one with malware from
before, and those didn't fix the problem (not being able to access his
website).

When I finally could go to his house to fix it I realized what had happened.

It is definitely not user-friendly. It was working before, and in his eyes
Mozilla made it stop working.

edit: typo and grammar

~~~
kristofferR
Java actually installs malware (the Ask toolbar) unless you are careful enough
to deselect it during the installation/update process.

~~~
sigzero
Uh no. That is not "malware". Unwanted software yes but not malware.

~~~
Groxx
The difference? Be sure to point out why tricking you into installing it isn't
malicious, why it's not malicious that after _that_ it changes your default
search provider to send your searches to them (privacy much?), and why it's
not malicious that it's abnormally hard to remove (a quick Google will
demonstrate the normal 'remove toolbar' steps don't work, even Wikipedia has a
note and several links on this:
[https://en.wikipedia.org/wiki/Ask.com](https://en.wikipedia.org/wiki/Ask.com)
).

It tricks people into installing it, reports your search activity (maybe other
data? I can't find details, not installing it myself), and takes major,
unnecessary steps to make it hard to uninstall. Sounds like malware to me.

------
RyanZAG
This will have a pretty bad effect on Firefox's market-share if it goes live.

That said, it's a solution for the current problem and should really be
applied to all plugins - I'm not sure why java is singled out here, many of
the other browser plugins are just as bad. Java has likely the most widely
publicized security vulnerabilities, yet I can guarantee you that many many
0-days are traded daily for practically every single other browser plugin as
well.

~~~
dmpk2k
Will it? I've been browsing without Java for years, and I can only remember
problems with one site (some hilarious throwback from the late 90s). For
general browsing, I doubt anyone will notice a difference.

Maybe for corporate use, but isn't that mostly IE anyway?

~~~
emil0r
Depends on where you are in the world. Java is required for online banking in
Norway, while it's mostly unused in Sweden, the neighbouring country. Both use
Java for online verification to government sites.

~~~
integricho
And they should definitely stop doing that. For me, seeing Java on the client
side is a sign of bad development.

~~~
josteink
Seeing browser-developers ignore the real world and just go ahead with their
agendas unconcerned about how it affects the actual users of their browser is
also a sign of bad development.

~~~
marvin
You have to stop and think for a moment, though - it's kind of cool that the
Firefox development team can basically say "Norwegian authorities - you need
to ditch your $100 million outdated software solution because it is unsafe,
and we are going to announce this to all your users".

~~~
Silhouette
Not so cool if you're a Norwegian taxpayer, one suspects.

~~~
unhammer
As a Norwegian taxpayer, I disagree :-) I don't know a single Norwegian who
actually enjoys having to update Java _again_ (and anyone who's turned on the
news in the last 3 years here has heard of Java security holes).

(And if this really is just a click-to-play type inconvenience, well, that's a
hell of a lot less than the hoops that users are used to going through in
order to get into their BankID banks here.)

------
Stratoscope
I'm using Firefox in Ubuntu with Java to connect to a Juniper Networks VPN.
When I upgraded to Ubuntu 13.10 a couple of days ago, the VPN launcher stopped
working. I think Firefox 24 came along with the upgrade (that's the version
running now).

I upgraded to the latest Java r45 and it still didn't work. Then I noticed a
blinking red thing in the address bar where the security lock icon goes. I
clicked that and it gave me an option to enable Java for the VPN connection
site permanently.

Seemed easy enough to fix. I only had to click that icon once, and it's been
working smoothly since.

~~~
datr
You might also want to take a look at
[https://github.com/madscientist/msjnc](https://github.com/madscientist/msjnc).
I found it a lot better than Juniper's manager for linux.

~~~
Stratoscope
I agree, msjnc looks much better than the Juniper launcher. But it doesn't
seem to support two-factor authentication, which I need:

> A number of people have written me to ask about multi-key logins. I don't
> have any knowledge of or experience with these and my (very limited)
> investigation of the Network Connect service doesn't show how to do this
> from the command line. If someone can describe what the expected interface
> to the ncsvc program is for these situations I'll try to add support for it.

[http://mad-scientist.us/juniper.html](http://mad-scientist.us/juniper.html)

At least that _sounds_ like two-factor authentication he's talking about
("multi-key logins"). If it supported that I would definitely use it.

------
jtheory
Does anyone want to write a user-friendly walk-through to help normal users
get Java running? I may have the time to assist, though I'm doubtful I could
do the whole thing.

ScreenLeap has a good start: [http://www.screenleap.com/troubleshooting-java](http://www.screenleap.com/troubleshooting-java)

The advice they give varies based on the detected browser and OS (as it must)
but it's somewhat out of date, and isn't intended for a general audience.

The applets on my educational site are signed JARs (a wasted expense, it
seems), and they are explicitly run within the sandbox, but every few months
it gets harder and harder for students and their parents to get Java to run.

And now in Firefox my interactive components have just become scary-looking
blocks of DO-NOT-ENTER signs and warnings that are totally unwarranted for my
site. If you work up the courage to click through the browser's warnings, then
of course you get round 2, the warnings that the plugin itself pops up.

I dearly wish to see some of the details on the evil that's being done with
Java applets, and if all of these aggressive measures are actually doing
anything to stop real risks, or if the main effect is to kill sites like mine.

These do not seem to be actions based on data anymore.

~~~
Yoric
Could you consider contributing this to
[http://support.mozilla.org](http://support.mozilla.org) ?

~~~
jtheory
Last night I submitted comments on the Bugzilla bug, and joined the (small)
conversation on the dev list. My message is still in moderation, though (it
wasn't rude or anything, so I suspect it's just because of time differences).

[https://mail.mozilla.org/pipermail/firefox-dev/2013-October/...](https://mail.mozilla.org/pipermail/firefox-dev/2013-October/thread.html)

------
marvin
This will be more great publicity for Norwegian government-owned consultancy
Evry, which has built the BankID Java Applet which is used for authentication
of each and every online consumer money transaction performed in the country.

However, it is about time - I've heard online banking developers talk crap
both about BankID and the underlying online banking infrastructure in the
country, and security holes due to Java exploits are rampant. The banks have
paid the bill for this until now, but it causes massive inconvenience
for...every Norwegian who uses an online banking service. (Every adult
Norwegian, more or less).

~~~
gizzlon
"_government-owned_" is misleading, it's not used for "_every online
consumer money transaction performed_", and, if I understand it correctly,
it's just one extra click...

~~~
marvin
Evry, the consultancy which developed and runs BankID, is largely owned by the
public (The Postal Service: 40%, Telenor: 30%, of which the latter is 53%
state-owned:
[http://www.purehelp.no/company/owner_network/evryasa/9343824...](http://www.purehelp.no/company/owner_network/evryasa/934382404)).
BankID is in fact used to sign all(#) internet banking transactions by
regular, private end users of online banking services.

The problem isn't the extra click - two factor authentication with a one-time
pad is an _excellent_ extra security measure. The problem is that the
implementation sucks and is riddled with security holes, prompting you to
update Java every other time you log into your online bank account. This in
addition to incredibly slow loading and also outright crashes if you are using
a non-standard (i.e. not latest version of IE) browser. It is a giant,
steaming pile of crappy software. We can't switch to a Javascript version fast
enough.

(#) Except for those customers who have not yet been pushed into BankID, which
is the selected standard for online banking. And obviously not for intra-bank
and similar transactions.

------
tmilard
I have reported this big issue for me in the developer forum last week. All
Java versions, even recent ones, ALL are considered (not like Flash...) as a
"permanent insecure virus" by Firefox.

\- How can the Mozilla team think they can get away with this? This
behavior is all but neutral from Firefox!

\- So I have to drop my software that I programmed over 7 years? I went 4 days
ago to the developer forum to discuss this:

\--------------------------------- Me: "A red no entry sign" is too radical
for recent Java players I think. My users give me a phone call to tell me "No
way I will accept to install your software with this red warning"... Even the
people who know me tell me they got so scared they really hesitated to
accept Java. Now I do understand that at a time when Java had urgent security issues
this scary red message was necessary. But I really wish that Firefox checked
the Java version installed... and gave a less scary warning sign or a "go!"
if the user has a recent Java version (like the latest on Java 1.7 update 30).

Benjamin Smedberg (chief of this idiot change): "We fundamentally disagree
about the risks of the Java plugin. We believe the Java plugin is unsafe, and
we want to present that to our users".

\-- Is there a boss at Mozilla? Someone who cares about developers. And yeah
Benjamin, you know, Java is open source by the way. Fuck you idiot! Thierry

~~~
ce4
This is HN, mind your language please.

~~~
etimberg
It's a copy of one of the comments on the link. It should have been in quotes
at a minimum.

~~~
Yoric
No, it's the same guy. I did tech support for him on my free time because,
hey, that's what the Mozilla community does. I helped him track the rookie
mistake he made when coding his professional website.

Somehow, as a thank you, he decided to insult us.

sigh

------
Tharkun
The sooner Java moves away from Oracle, the better for everyone. That being
said, there is rarely a need to run Java from a browser, aside from the odd
game.

But, given Flash's similar reputation (not to mention it being prone to
crash), why not mark Flash as unsafe as well?

~~~
LaGrange
Juniper VPN is evil, broken, uses Java, and extremely common. And that's just
one example of a common Java plugin.

------
calibwam
This sounds like a major move from Mozilla, but really it is not. In Chrome,
you have to enable Java per site basis, and as long as the UI for enabling
Java is good, it shouldn't be an issue. Java on client side is dying, anyway.
And good riddance.

------
Gonzih
Great news, I'm always paranoid about java plugin. Now I can relax a little
bit.

~~~
fenesiistvan
You were able to disable Java in your browser with one click before as well... In
my opinion, this move from FF is a very bad one.

Now what should we use if we need more than HTML5? A) -> Silverlight... FF
promotes a closed technology against the somewhat open Java?? B) -> Flash...
which is on a downhill now? C) -> Java... users need to be IT experts to
enable it.

One thing I would like to see: MS should ban FF because it is insecure :)

~~~
Gonzih
The change is to disable Java by default. The user can enable it for one page but
can't enable it globally for every page. I like that because it's close to
things like Flashblock.

------
edwintorok
Did they also disable Flash? (well I don't have the plugin installed anyway,
so I wouldn't know)

~~~
SEMW
No. Mozilla's plan for flash is to replace it with a javascript flash runtime,
shumway.js, in the same way they discouraged adobe's acrobat plugin by
bundling pdf.js. But shumway's not finished yet.

See: [https://lwn.net/Articles/569496/](https://lwn.net/Articles/569496/)

------
kibwen
Does there exist a version of the Java plugin with PPAPI support? Because if
not, all the commenters chiming in with "well we're switching our entire
company to Chrome!" will be in for a rude awakening next year when Google
removes NPAPI support from Chrome entirely.

[http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-f...](http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html)

------
chris_wot
I'm trying to find a summary of why this was done. This is a pretty high
impact change!!!

~~~
tga_d
I hate to state the obvious, but...
[https://bugzilla.mozilla.org/show_bug.cgi?id=914690#c0](https://bugzilla.mozilla.org/show_bug.cgi?id=914690#c0)
That seems like pretty straight-forward reasoning to me.

------
nikbackm
Great, maybe then I can stop checking whether the Java updates at work also
sneakily re-enable the Firefox plug-in behind my back each time they're
installed.

------
motif
haha, reading through the bug comments is golden. All the Mozilla folks are
super professional coordinating between teams then it's released to the
testing channel and shit hits the fan :D

------
NKCSS
Very nice :) Maybe this will nudge Oracle a bit (we can always hope, but know
it won't do anything...)

------
DZittersteyn
Wow, this is really irresponsible behavior, I would've expected something
better from Mozilla.. Until now they've first offered an alternative (e.g.
pdf.js) before trying to move away from a tech.

Marking a current version as unsafe, even when there are no known exploits is
simply ridiculous. I'd love to see the reaction of Mozilla if Microsoft
decided to mark all Firefox releases as unsafe, and give a big security
warning whenever you installed FF.

Especially if the UI for unblocking it in FF is as obtuse as the discussion
implies..

~~~
calibwam
Well, when you download the .exe file in IE, you do get a warning that it
might be unsafe from Windows. And you need to verify that you want to install
it.

The way to verify that the installer is legit, verifying the checksum, is not
done by Windows, and must be done manually. Users don't do that, and flagging
everything as unsafe is a good way of notifying the user that they must be
careful.

~~~
josteink
> flagging everything as unsafe is a good way of notifying the user that they
> must be careful

Crying wolf all the time is a 100% guaranteed way of making sure nobody will
ever care.

~~~
DZittersteyn
UAC? is that the window I always have to click 'Yes' on when I run a program?
Yeah, could you disable that?

~~~
josteink
Either you are doing admin-y stuff, or the programs you rely on are broken.

When I write Windows software, I only signal that the process requires UAC
elevation for the things which actually do so. It's possible. In fact it's
rather easy.

I almost never encounter software which requires UAC elevation, just like most
things in Linux don't require me to go full sudo.

------
camus2
That's a great decision. IT departments already acknowledge the fact that
Java applets are totally insecure and dangerous, and Java or Flash shouldn't
run in the browser.

You want to program stuff in the browser? Use JavaScript and HTML5 APIs.

You want to do socket stuff in the browser? Use a proxy server.

But don't expose your users to exploits by making them install Java.

You want to build future-proof solutions? Stop using applets because you can't
learn JavaScript.

~~~
pkolaczk
What if I need top performance? The only real alternatives are JavaFX or
moving off the browser completely (native app). Despite many man-years put
into optimisation, JavaScript is still nowhere near in performance. Yeah, I
know in _some_ lucky microbenchmarks from Google or Mozilla it can be only
2-4x slower than Java and it _is_ pretty impressive, but why do many real
JavaScript games/programs struggle on modern hardware as if it was an old
Pentium II (see: bombermine [1], quake JS demo [2], circuitlab [3]) or a Java
applet in 1998? The only thing that makes them look acceptable is that
hardware is extremely fast these days.

[1] about 25 FPS with random hiccups on my Core i7 Quad @ 2.4-3.5 GHz and
proprietary NVidia drivers and Google Chrome

[2] [https://semitwist.com/articles/article/view/quake-shows-java...](https://semitwist.com/articles/article/view/quake-shows-javascript-is-slow-not-fast)

[3] about 100x slower than old Berkeley Spice (early 90s technology), despite
much less accurate models and using similar algorithms (sparse LU
decomposition + Newton Raphson)

------
byuu
I'm all for this being blocked by default, and the same goes for all plugins.
But it certainly bothers me when they make it impossible to override their
security constraints. Put in an about:config setting to allow Java, and it's
fine.

All the heavy-handedness is going to do is force Firefox out of corporate IT
environments where many internal websites rely on Java.

~~~
kristofferR
They didn't block Java at all, they just stopped it from running the applets
automatically. You can still run Java applets without any issues, you just
have to allow it by clicking the red lego block.

------
Karunamon
_sigh_

I hope there will be an about:config override for this. It seems like any time
one of these browser authors does something "for security", it ends up being a
perpetual pain in my ass and the ass of the users I support.

------
eonil
If Java is the whole source of vulnerabilities, how is it working well on servers?

~~~
jrochkind1
Most of the vulnerabilities in Java that affect browsers are not relevant when
Java is used in other contexts, rather than embedded in a browser.

------
drill_sarge
Well, Icedtea w/ OpenJDK7 still running. So this is Oracle-Java only?

------
eonil
What about Flash?

~~~
camus2
We are talking about Java, why do you want to talk about Flash? Because you
want your daily Flash-bashing fix?

~~~
eonil
We are talking about FireFox's decision. Not only for Java.

------
pjmlp
Now can we mark JavaScript as unsafe as well?

------
_random_
Why stop at Java? Mark all Java* languages as unsafe.

~~~
GyrosOfWar
What do you even mean by that? Marking all JVM languages as unsafe? Marking
JavaScript as unsafe (because it has so much to do with Java, right?) The
issues Mozilla has with Java are limited to browser applets and the lack of
security updates from Oracle (which, coincidentally, mainly affect the browser
applets).

------
tmilard
I reported this big issue for me in the developer forum. All Java versions, even
recent ones, ALL are considered (not like Flash...) as a "permanent insecure
virus" by Firefox.

\- How can the Mozilla team think they can get away with this? This
behavior is all but neutral from Firefox?

\- So I have to drop my software that I programmed over 7 years? Benjamin
Smedberg (the guy at Mozilla who made this shit) is an extremist. I went 4
days ago to the developer forum to discuss this:

\--------------------------------- Me: "A red no entry sign" is too radical
for recent Java players I think. My users give me a phone call to tell me "No
way I will accept to install your software with this red warning"... Even the
people who know me tell me they got so scared they really hesitated to
accept Java. Now I do understand that at a time when Java had urgent security issues
this scary red message was necessary. But I really wish that Firefox checked
the Java version installed... and gave a less scary warning sign or a "go!"
if the user has a recent Java version (like the latest on Java 1.7 update 30).

Benjamin Smedberg: "We fundamentally disagree about the risks of the Java
plugin. We believe the Java plugin is unsafe, and we want to present that to
our users".

\-- Is there a boss at Mozilla? Someone who cares about developers. And yeah
Benjamin, you know, Java is open source by the way. Fuck you idiot! Thierry