
To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework

timothy posted about 3 years ago | from the nuclear-option dept.


rastos1 writes with this news from The Register: "In a demonstration last Friday, it took less than two minutes for researchers Thai Duong and Juliano Rizzo to wield the exploit to recover an encrypted authentication cookie used to access a PayPal user account. ... The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser. ... 'I recommend that we blocklist all versions of the Java Plugin,' Firefox developer Brian Smith wrote on Tuesday in a discussion on Mozilla's online bug forum. 'My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.'"


Java still there (2, Informative)

Pieroxy (222434) | about 3 years ago | (#37552910)

I have to say I am actually surprised to see how many people still have a Java plugin for their browsers. I had a look at the analytics of my website and it looks like more than 80% of my visitors have one.

I heavily use Java on the desktop (Eclipse, etc) and on my servers (Tomcat) but I thought Java Applets to be dead for long.

Re:Java still there (0)

Anonymous Coward | about 3 years ago | (#37552940)

I have to say I am actually surprised to see how many people still have a Java plugin for their browsers. I had a look at the analytics of my website and it looks like more than 80% of my visitors have one.

I heavily use Java on the desktop (Eclipse, etc) and on my servers (Tomcat) but I thought Java Applets to be dead for long.

You wouldn't imagine the number of banking websites that require java.
So entertainment applets may be dead, java for online banking not by a long shot.

Re:Java still there (1)

nschubach (922175) | about 3 years ago | (#37553118)

Also, VPN portals..

Re:Java still there (1)

CFBMoo1 (157453) | about 3 years ago | (#37552956)

Not really since games like Minecraft run on the desktop or in the browser using Java.

Re:Java still there (1)

djdanlib (732853) | about 3 years ago | (#37553412)

I play too, but I disabled the browser plugin after installing Java. That's the thing - you can't JUST install the JRE, which would be a lot safer. You always get the browser plugin no matter what.

Used for Games, apps, and several websites (0)

Anonymous Coward | about 3 years ago | (#37552958)

Nope, pretty much all board game apps require Java, many bank websites, etc require this. I'm not saying they should, just saying they do.

Re:Used for Games, apps, and several websites (1)

gilleain (1310105) | about 3 years ago | (#37553714)

Nope, pretty much all board game apps require Java, many bank websites, etc require this. I'm not saying they should, just saying they do.

That may change in the near future. In my area, applets are often used for simple chemical structure editors, but there are some commercial and free/open-source javascript solutions for this. Even 3D molecular viewers, like twirlymol:

http://baoilleach.blogspot.com/2009/01/twistymol-is-dead-long-live-twirlymol.html [blogspot.com]

There are many advantages, such as better page integration, no startup time, no "install java" popup, etc.

Re:Java still there (0)

Anonymous Coward | about 3 years ago | (#37552992)

Still required for a lot of things, like interfaces for certain hardware such as an HP Procurve Switch, or SuperMicro server remote administration. Frankly I would rather see this technology than ActiveX controls that so many folks depended on.

Re:Java still there (1)

ToasterMonkey (467067) | about 3 years ago | (#37553224)

... and DRAC remote console on any Dell server among many other things.

You can infer a lot from the "Java is dead" crowd, like they probably don't have a job in IT, or they don't use UNIX, like to say things are dead a lot, etc.

Re:Java still there (0)

Pieroxy (222434) | about 3 years ago | (#37553280)

You can infer a lot from the "Java is dead" crowd, like they probably don't have a job in IT

Wrong, I do.

, or they don't use UNIX

Wrong, I do.

, like to say things are dead a lot

Uhhh, nope, I don't.

, etc.

Looks like you have a hard time thinking outside the box. Your environment is not the environment of everyone working in IT and on unices. Surprise, you are not the center of the world.

Re:Java still there (5, Informative)

Anonymous Coward | about 3 years ago | (#37553034)

I know no one RTFA, but the article gives plenty of examples of webapps that rely on Java. Loads of corporate apps rely on it. I think that this is a bad move without a whitelist being released in tandem, which they are considering.

Re:Java still there (1)

Short Circuit (52384) | about 3 years ago | (#37553404)

I know IE/ActiveX supports trust levels for remote code. (I.e. "I don't want these users running ActiveX code from anything but the trusted servers on our intranet"). Does Java have similar capabilities?

Re:Java still there (5, Interesting)

LWATCDR (28044) | about 3 years ago | (#37553110)

Why?
Java is a much nicer development system than say Flash.
Frankly Java applets got a bad rap because of Java abuse. I blame Microsoft for that. You see FrontPage had animated buttons as an option and they were freaking java applets.
No one should have to wait for java just for buttons.
It is a shame that applets have gotten such a bad rep. It is an even bigger shame that Apple and Google are not supporting Java on iOS, Android, and Chrome.

Re:Java still there (1, Interesting)

Pieroxy (222434) | about 3 years ago | (#37553170)

Back in the days, I was impressed by HotJava. This was a full blown web browser developed in Java. No Javascript. It worked well and, as expected, ran Java Applets natively.

I still don't know why they dropped the development...

Re:Java still there (1)

sgt scrub (869860) | about 3 years ago | (#37553708)

My guess is there wasn't a way to take advantage of NPAPI, i.e. you had to write native Java apps to integrate other types of content.

Re:Java still there (2)

egamma (572162) | about 3 years ago | (#37553396)

No one should have to wait for java just for buttons.

People don't like to wait, period. Java is slow, at least on Windows, and I suspect any platform other than Solaris.

The first applet is slower (2)

tepples (727027) | about 3 years ago | (#37553488)

Java is slow for the first applet you view in a browser session. After that, the important class libraries are already in RAM, and further applets load just as fast as, say, SWF objects.

Re:Java still there (1)

LWATCDR (28044) | about 3 years ago | (#37553650)

Not any more. Really that is one of those myths that will never die. On a modern system Java will load up pretty dang fast. The browsers could also have an option to preload in the background using a thread if enough people were using Java to make it worthwhile.

Re:Java still there (0)

Anonymous Coward | about 3 years ago | (#37553664)

Java has high start up time, but generally fast performance after boot due to runtime optimization and JIT. This is one of the reasons why Java is popular for servers.

Re:Java still there (1)

UnknowingFool (672806) | about 3 years ago | (#37553692)

That's what's wrong with kids these days. Back in my day we didn't have these fancy personal computers to compile code; we had to wait our turn with the one computer with our punch cards. And the punch cards at my school weren't those sissy paper ones. Ours were manly stone cards. If you made a mistake, you had to walk uphill both ways in the snow (even during summer!) to cut another one. If you were lucky, Chuck Norris would lend you his comb to cut the stone. If you weren't, you had to use your swinging cod piece. Kids these days.

Re:Java still there (1)

Anonymous Coward | about 3 years ago | (#37553632)

Why?
Java is a much nicer development system than say Flash.
Frankly Java applets got a bad rap because of Java abuse. I blame Microsoft for that. You see FrontPage had animated buttons as an option and they were freaking java applets.
No one should have to wait for java just for buttons.
It is a shame that applets have gotten such a bad rep. It is an even bigger shame that Apple and Google are not supporting Java on iOS, Android, and Chrome.

Wrong.

Android heavily supports java. Java applets on android's browser is a different story.

Also, Microsoft is not the one to blame. Instead blame Oracle (or Sun, the former Java maintainer) for all the exploit abuses that are on the loose.

Get your facts straight.

Re:Java still there (0)

Anonymous Coward | about 3 years ago | (#37553154)

We had one at work due for some software. At home I was surprised during the 2010 Olympics where I needed it for one page. They still get some deals here and there that make you want to install it.

Re:Java still there (1)

jellomizer (103300) | about 3 years ago | (#37553248)

Legacy Systems tend to have a Java Applet to "Web Base" their applications... Mostly because these apps were webified back in the early 2000's where HTML was quite limited, as well as the fact that HTML disconnects make it rather impractical, or at least a demanding job, to interface with those old telnet/terminal applications that don't disconnect after each request. Being that Java was supposed to be cross platform, it was a better choice than choosing ActiveX.

Then there are those Java Applet Games that stuck around for too long, like the ones that Yahoo used to host. And there are those Java Auto Launch apps, that require java to be installed for them to run... Once Java is set up the Applets are set up too...

Then there are also things like the IBM/Lenovo driver update tools off the website that finds the newest drivers for your PC etc....

Java isn't dead, It is just not often used for anything big like they hoped (on the desktop)

Re:Java still there (1)

thegarbz (1787294) | about 3 years ago | (#37553328)

Java plugins are distributed via the JRE and could also be delivered by 1 click as a plugin when needed by a website. It's quite conceivable that someone doesn't even know it's installed. I just looked and not only do I have it installed but it's the most up to date version too.

Plus my Mozilla has something called the Windows Live Photo Gallery, whatever that is. I certainly don't remember installing anything like that.

Re:Java still there (1)

drinkypoo (153816) | about 3 years ago | (#37553334)

I still have an antique printer (HPLJ2100) and the management console uses Java applets.

Re:Java still there (1)

Oirad (19452) | about 3 years ago | (#37553410)

Not to pick nits, but that's your "antique" jetdirect card, not the printer...

Re:Java still there (0)

Anonymous Coward | about 3 years ago | (#37553336)

What you fail to realize is how many people play Yahoo games which are largely applet based. I just checked Yahoo Pool and the room I was in had 800 users online.

Re:Java still there (1)

djdanlib (732853) | about 3 years ago | (#37553378)

Your average Web user will install ANYTHING if they want to view a website or if some banner ad promises them some "cool" thing. They'll just blindly bomb that OK button like a trained hamster pushing the button to get a pellet. (That's not a bad simile.) Seriously, you could title it "Spy Formatter Pro" and they would install it, because they wouldn't even read the title.

Then once installed, it's out of sight, out of mind - the idea that "this plugin is going to stick around after I close this website" is way too technical for everyone to understand, never mind "other websites might use it maliciously". The web is like a newspaper for most folks, I guess. When you're reading the newspaper, your attention span isn't going to include the previous few pages, or something from last month, unless you specifically knew you needed to remember it. You're not even going to care that the paper is selling your identity to make a few extra bucks and subsidize your paper. You just want to pay your nickel and read your paper.

Quite a pain in the rear for those of us who have desktop users and/or family, for whose computers we take some responsibility. We obviously shouldn't take it out on them no matter how much it pains us to see them repeat the same mistakes over and over. They just don't know what they're doing, so we have to make sure there are safeguards in place like BANISHING JAVA from your average computer and maybe requiring approval for plugin installation from someone with the smarts to know better than to install "Free Funny Video Plugin.exe" or whatever!

Re:Java still there (0)

Anonymous Coward | about 3 years ago | (#37553498)

The traditional PC model is broken for precisely the reasons you specify. The PC provides an open platform to provide application developers a playground to do anything. In order to make it secure for the common user, the developer needs to go through painstaking levels of detail.

For this reason, the PC platform needs to go away for the masses and a new era of compute designed around and for the common end user needs to be ushered in. We are beginning to see this in the form of iPad/Android/Kindle Fire/Chromebook/Name-todays-new-platform. PC won't go away, but it won't be the compute option of choice for the masses.

How to prove one has the smarts to know better? (1)

tepples (727027) | about 3 years ago | (#37553548)

we have to make sure there are safeguards in place like [...] maybe requiring approval for plugin installation from someone with the smarts to know better than to install [a trojan disguised as a video player component]

So how would a more knowledgeable PC owner prove he has "the smarts to know better" in order to approve a plugin installation?

Re:Java still there (1)

mattb112885 (1122739) | about 3 years ago | (#37553504)

My school (and the school I graduated from before this) use Blackboard Vista for posting grades, assignments, and so on. It relies on Java for its function.

Problematic (0)

Anonymous Coward | about 3 years ago | (#37553580)

It would be problematic blocking the Java Plugin entirely, especially in this country, because citizens here rely on a common log-in solution (managed by one single company) that both internet banks and government websites use as the only authentication method. The solution itself relies 100% on a Java Applet.

Of course you can just use a different browser, but that's not quite the point..

warning? (3, Insightful)

Anonymous Coward | about 3 years ago | (#37552916)

How about a simple warning before loading a Java Applet? For example, one of those yellow bars at the top of the page? That would prevent all legitimate applets from being instantly unusable in Firefox, whilst providing some security.

Re:warning? (1)

webheaded (997188) | about 3 years ago | (#37553044)

This. I wonder if there's some sort of Flashblock-like extension to do this. I would certainly prefer it. Unfortunately we actually have a very very important Java applet at work here that I have no real choice but to use.

Re:warning? (0)

Anonymous Coward | about 3 years ago | (#37553156)

Your administrator could deploy a sandboxed browser intended specifically to access this applet and nothing else.

Re:warning? (0)

Anonymous Coward | about 3 years ago | (#37553212)

NoScript takes care of Java, as well as the normal javascript and flash nonsense. It doesn't take long to get the normal sites you visit whitelisted, so it's pretty much the way to go for a bit more security at no cost on FF

Re:warning? (0)

Anonymous Coward | about 3 years ago | (#37553218)

There is. It's called "Opera".

You can set plugins to "load on demand" which is exactly like Flashblock.

Re:warning? (0)

Anonymous Coward | about 3 years ago | (#37553116)

A prompt already happens when the applet itself asks to run.

It tells you if it was signed, and whether the certificate came from a trusted certificate authority, or if it was self-signed.

Java applets don't, on the other hand, tell you what they are able to do/going to do, unlike Cell Phone Apps.

If they block Java, I'm sure someone will engineer comparable exploits in Flash, and even JavaScript. If it isn't Browser JavaScript, it will be JavaScript embedded in a PDF or something. You know it, I know it, so just ban and blocklist everything.

Re:warning? (1)

L4t3r4lu5 (1216702) | about 3 years ago | (#37553274)

We already do. It's called a Whitelist.

Re:warning? (1)

archen (447353) | about 3 years ago | (#37553128)

As the article says, if you create a whitelisting system, most people will just click "whatever" to make it go away. The Slashdot summary isn't totally accurate, as it's implied that all CURRENT versions of Java should potentially be blacklisted until Oracle releases a fix.

Re:warning? (0)

Anonymous Coward | about 3 years ago | (#37553152)

Chrome already does this.

Re:warning? (0)

Anonymous Coward | about 3 years ago | (#37553238)

Agreed. There are just too many useful Java applets out there: mortgage calculator, tetris, breakout, etc.

Re:warning? (0)

Anonymous Coward | about 3 years ago | (#37553506)

Yes. This approach is like (yes, this is a hyperbole, but I have the feeling otherwise some people are too thick to get it) killing all Jews because there are a few who are cons. Or killing all Muslims because some are crazy, to take this to a more modern setting.

How about we merge Ghostery (!!), AdBlock, NoScript, and a newly made generic PluginBlock which is like FlashBlock but for every plug-in into one suite of an add-on and call it FireExtinguisher or something?
Then we can each set which stuff we trust.
And to save us from the work, we allow setting our trusted more expert friends as whitelist sources (multiple ones).

That way a cascading trust network forms, which makes it very convenient, and since there is no global authority (like with AdBlock), abuse has no power. Just one person in the chain from the abuser to you has to end his trust in that other person he knows.
Also, if somebody trusts the wrong people, then that's his own damn fault, and considering he will do the same in RL, he will not live very long anyway... unless he has friends who care for him. But in that case they would also provide the list or make him get the list from them. So that is not a problem.

Finally, expand that trust network to everything. From Wikipedia to Anti-Virus to News to download sources.

Totally overblown. (1)

Anonymous Coward | about 3 years ago | (#37552944)

The viability of the BEAST attack is totally overblown. The attacker must be a man-in-the-middle and control a website that you visit in order to have any chance of getting a cookie/password/thing-of-value that it must already be able to guess. The actual attack is merely defeating the CBC in order to encrypt the guessed value in precisely the same way as the target value, allowing you to compare to see if the encrypted data are equal.
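The "encrypt the guessed value in precisely the same way as the target value" step above is the consequence of TLS 1.0 chaining CBC IVs across records, and it is also why TLS 1.1's explicit per-record IV closed it. The following is an added illustration, not code from the post, the researchers or Mozilla: a toy keyed PRF stands in for the block cipher (it is not invertible, which is fine because only encryption is needed for the comparison), the cookie value and header are constructed, and the guess is a whole 16-byte block rather than the byte-at-a-time alignment the real attack relied on. With a chained IV the observer's comparison reports a match exactly when the guess equals the secret block; with a fresh unpredictable IV per record it never does.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes, as for AES

# Constructed sample data: one header block followed by one secret block.
HEADER = b"Cookie: session="       # exactly 16 bytes
SECRET = b"0123456789abcdef"       # constructed "cookie value", exactly 16 bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher: a keyed PRF, not invertible.
    Only the forward direction is needed to show the comparison."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC: C_i = E(P_i XOR C_{i-1}) with C_0 = iv. Input must be block aligned."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


class ChainedIvSession:
    """TLS 1.0 behaviour: the IV for the next record is the last ciphertext
    block of the previous record, so anyone watching the wire knows it in advance."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_iv = os.urandom(BLOCK)  # only the very first IV is unknown

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.next_iv, plaintext)
        self.next_iv = ct[-BLOCK:]
        return ct


class ExplicitIvSession:
    """TLS 1.1+ behaviour: a fresh unpredictable IV per record, sent in clear
    in front of the record. The observer learns it only after encryption."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)


def observer_compares(session_cls, secret: bytes, guess: bytes) -> bool:
    """The comparison the post describes. Record 1 carries HEADER + secret. The observer
    reads the ciphertext block before the secret block (C_prev), the secret block itself
    (target) and the last block on the wire, which is the next IV under chaining. It then
    has the session encrypt the block (predicted_iv XOR C_prev XOR guess), which under
    chaining becomes E(C_prev XOR guess) and so equals target exactly when guess == secret.
    Returns True when the two ciphertext blocks match."""
    session = session_cls(os.urandom(BLOCK))
    explicit = session_cls is ExplicitIvSession
    record1 = session.send(HEADER + secret)
    off = BLOCK if explicit else 0  # explicit-IV records carry the IV first
    c_prev = record1[off:off + BLOCK]
    target = record1[off + BLOCK:off + 2 * BLOCK]
    predicted_iv = record1[-BLOCK:]  # the observer's only option: assume chaining
    crafted = xor(xor(predicted_iv, c_prev), guess)
    record2 = session.send(crafted)
    return record2[off:off + BLOCK] == target


if __name__ == "__main__":
    print("chained IV, right guess:", observer_compares(ChainedIvSession, SECRET, SECRET))
    print("chained IV, wrong guess:", observer_compares(ChainedIvSession, SECRET, b"x" * BLOCK))
    print("explicit IV, right guess:", observer_compares(ExplicitIvSession, SECRET, SECRET))
```

The third line of output is the whole point of the TLS 1.1 change: once the IV is drawn fresh for every record, the observer cannot arrange for a chosen block to be encrypted under the same input as the target, so equality of ciphertext blocks no longer says anything about the plaintext. Disabling TLS 1.0 CBC suites, or preferring a stream or AEAD cipher, gets the same property from a deployed server without touching any applet or plugin.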

Re:Totally overblown. (2)

Hatta (162192) | about 3 years ago | (#37553136)

The attacker must be a man-in-the-middle and control a website that you visit in order to have any chance of getting a cookie/password/thing-of-value that it must already be able to guess.

Why is that so implausible? With high profile sites like kernel.org, linux.com, mysql.com being compromised on what seems like a biweekly basis these days, I wouldn't put that out of the realm of plausibility.

SSL man in the middle (2)

tepples (727027) | about 3 years ago | (#37553586)

The attacker must be a man-in-the-middle

The server's ISP is a man-in-the-middle. The operator of a national firewall is a man-in-the-middle. This is not unlike what Perspectives calls the "Lserver attack" [slashdot.org] .

Won't help (2)

ArsenneLupin (766289) | about 3 years ago | (#37552948)

Couldn't the same exploit be run within a plain (hidden) auto-refresh frame containing an <img src="..."> tag pointing to the victim server?

Indeed, image doesn't enforce "same origin" either, and the server (of the frame) can still introduce the needed padding into the URL...

Re:Won't help (0)

Anonymous Coward | about 3 years ago | (#37553024)

Quickly, we need to block tags too!
As a matter of fact, shut down the whole browsing feature!
It's just a liability anyway.

Re:Won't help (0)

Dunbal (464142) | about 3 years ago | (#37553268)

If you shut down the whole internet, there will be no more internet-based attacks. Just like if you handcuff everyone to their beds, there will be no more crime.

Re:Won't help (3)

BattleApple (956701) | about 3 years ago | (#37553526)

Just like if you handcuff everyone to their beds, there will be no more crime.

There's still a chance some of them would rip off that label on their mattress.

Re:Won't help (0)

Anonymous Coward | about 3 years ago | (#37553068)

There are any number of ways to implement this exploit. Java was used for the PoC, but if you look at the author's write-up on the issue, there are placeholders for using Silverlight as well as other technologies. This proposal on Firefox's part is security theater and action for action's sake.

Re:Won't help (1)

Tridus (79566) | about 3 years ago | (#37553322)

Doesn't that pretty much perfectly describe everything Mozilla's been doing in the last 6 months?

That is a monstrous solution (1)

mrflash818 (226638) | about 3 years ago | (#37552976)

...and will further put a stake into the heart of Java in the web.

Re:That is a monstrous solution (1)

Anonymous Coward | about 3 years ago | (#37553022)

quick, someone find a way to exploit it with flash and silverlight!

Re:That is a monstrous solution (0)

Anonymous Coward | about 3 years ago | (#37553098)

javascript and html too - then we shall have victory over the web!

Re:That is a monstrous solution (1)

roman_mir (125474) | about 3 years ago | (#37553350)

Actually I think it would put a stake into Mozilla based browsers, because if they block Java plug in today, how do you know what they will do to the browser tomorrow?

AFAIC if they go this road, they are dead as a browser.

Stop trying to make the browser more than it is. (2, Interesting)

Anonymous Coward | about 3 years ago | (#37553010)

Web browsers are good for viewing static documents, especially ones that link to other static documents.

Time and time and time again, however, they have been shown to be horrible at hosting more complex applications and interactive functionality.

It doesn't matter which embeddable application technology we consider, they are all rife with security flaws. Java applets, ActiveX controls, JavaScript, Flash, and browser plugins (like PDF viewers) have all suffered from numerous security problems.

If you need to provide your users with application-like behavior, then just write a native application!

Browsers are not operating systems. They are not good at hosting applications in a secure manner. Even after two decades of trying, they still aren't suitable environments for hosting applications. It's looking like they never will be, either.

Re:Stop trying to make the browser more than it is (1)

Anonymous Coward | about 3 years ago | (#37553074)

You seem to think that OSes have fared any better. The only reason that exploits come primarily through the browser is because it is far simpler to get a user to run a website/webapp than to download and run a native application. Remove the capability of the browser and force the user's hand into running native applications (and attackers into exploiting them) to do the things he/she wants and your idea of the mighty, secure OS will quickly evaporate.

Re:Stop trying to make the browser more than it is (0)

Anonymous Coward | about 3 years ago | (#37553194)

I said the same shit back in 1995; letting someone else run arbitrary code on your system sounds like a bad idea.

Of course the geniuses in CS disagreed with me.

Re:Stop trying to make the browser more than it is (1)

ceoyoyo (59147) | about 3 years ago | (#37553258)

That IS the problem with browsers. It's like allowing executable code in a data document - it's something that SHOULD be safe but isn't.

Spyware, too (1)

bigtrike (904535) | about 3 years ago | (#37553314)

Spyware/malware used to be much more of a pain because you had to download and trust a large number of applications to do much with your computer. Many users' needs are sandboxed into webapps these days, preventing a lot of issues.

Re:Stop trying to make the browser more than it is (0)

Anonymous Coward | about 3 years ago | (#37553082)

Agreed 100%. Unfortunately that's not the way the world is going.

Re:Stop trying to make the browser more than it is (2)

Lisandro (799651) | about 3 years ago | (#37553102)

You know, the issue here is not the browser. It's the HTTP protocol - it was simply designed for nothing else but static content. The number of kludges and patches you need to implement basic session handling and interactivity is getting ridiculous. Do we even have an RFC for cookies, for example?

Re:Stop trying to make the browser more than it is (1)

Pieroxy (222434) | about 3 years ago | (#37553210)

You know, the issue here is not the browser. It's the HTTP protocol - it was simply designed for nothing else but static content. The number of kludges and patches you need to implement basic session handling and interactivity is getting ridiculous. Do we even have an RFC for cookies, for example?

The only flaw with HTTP is that it is stateless. It is also its greatest strength.

I'd hardly call cookies 'number of kludges and patches' though. Ah, here is the RFC: http://www.ietf.org/rfc/rfc2109.txt [ietf.org]

Re:Stop trying to make the browser more than it is (1)

Lisandro (799651) | about 3 years ago | (#37553246)

Thanks for the RFC reference. Cookies are perhaps the most painless aspect of "modern" HTTP dev work; I was aiming more at atrocities like AJAX.

Re:Stop trying to make the browser more than it is (1)

Pieroxy (222434) | about 3 years ago | (#37553478)

Ajax conforms to the HTTP protocol pretty much like everything else. It is an http request sent by the browser basically indistinguishable from another regular http request to get an image or an html file. Nothing was done in the HTTP protocol for AJAX. What are you talking about exactly?

Re:Stop trying to make the browser more than it is (1)

w_dragon (1802458) | about 3 years ago | (#37553550)

He's probably talking about things like how the browser/web server create a new TCP session for each and every AJAX request, even if they're going to happen every few seconds for as long as you're on a page. Google gets around this by setting some silly-long keep-alive on the TCP connection for the original page request on pages like gmail so the first few AJAX requests at least don't take the extra overhead.

Re:Stop trying to make the browser more than it is (1)

Pieroxy (222434) | about 3 years ago | (#37553660)

But this is just a lack of optimization on the part of the browsers... It'll come in time. But it is not an "atrocity" like the GP was saying...

Re:Stop trying to make the browser more than it is (1)

Lisandro (799651) | about 3 years ago | (#37553724)

No. The parent poster raises a nice point regarding TCP sockets and how they're handled to provide "instant" UI response. Google does it beautifully but it requires a crapload of work and testing in order to get it right, not to mention it basically (again!) abuses a TCP feature intended for a completely different thing.

If it's about mistuned servers (1)

tepples (727027) | about 3 years ago | (#37553662)

So it appears someone's core complaint about AJAX is that a lot of AJAX sites are run on mistuned servers whose default keep-alive time is too short for AJAX. If the problem is with the TCP keep-alive mechanism, wouldn't a connection-oriented protocol have exactly the same problem?

Re:Stop trying to make the browser more than it is (1)

Lisandro (799651) | about 3 years ago | (#37553636)

I'm talking about the fact that you need to execute an HTML call in a scripting language inside the same browser to retrieve HTML content, which most of the time requires a framework tool in order to be reprocessed and inserted into the main page's DOM. It's a (very ugly) workaround for the fact that HTML was designed as a one-way method of communication - static content.

Re:Stop trying to make the browser more than it is (1)

dingen (958134) | about 3 years ago | (#37553484)

WebSocket [wikipedia.org] is developed to shine where HTTP fails. It's not yet ready for the masses, but Firefox 4, Opera, Chrome and Safari already have some support. WebSocket will make Ajax and polling in general a thing of the past, enabling even more application-like behaviour in your browser.

Re:Stop trying to make the browser more than it is (2)

dingen (958134) | about 3 years ago | (#37553148)

If you need to provide your users with application-like behavior, then just write a native application!

When there was just one popular platform to run these native applications on, this was a fine solution. I mean back when everybody did everything in Windows. But nowadays, people are using all sorts of systems. Not just Mac OS X and Linux on the desktop, but iOS, Android, Windows Phone, BlackberryOS and Symbian on mobile devices as well. So "just write a native application" actually becomes "write a native application and then port it to 7 other platforms". That's when a web application suddenly starts to look like a viable alternative.

Re:Stop trying to make the browser more than it is (1)

Lisandro (799651) | about 3 years ago | (#37553174)

Nowadays you have a lot of options to ease code porting - including the almighty "write once, run everywhere" Java. Lately I've been working a lot with Python and I'm amazed at how painless it was to port apps between Windows and *nix (i.e., no pain at all).

Re:Stop trying to make the browser more than it is (1)

Chibi Merrow (226057) | about 3 years ago | (#37553216)

Okay. Now try porting it to iOS. Or ChromeOS. Or WebOS. Or Blackberry.

I'm gonna bet WP7 and Android wouldn't be painless, either. And good luck getting people to install Python on their Windows box before they can even try your app.

Re:Stop trying to make the browser more than it is (1)

Lisandro (799651) | about 3 years ago | (#37553394)

PyObjC [sourceforge.net] . It's completely doable.

And even then, it is not the desired target. If you use the right tools for each platform it gets way easier; Java paves an easy road for porting between desktops, Android, iOS, Chrome and Blackberry, for example.

Re:Stop trying to make the browser more than it is (1)

maxume (22995) | about 3 years ago | (#37553490)

You can bundle a python interpreter and app up so that installation and execution are the same as any other app.

Makes for a larger install package, but that's about it.

Different implementations for different platforms. (0)

Anonymous Coward | about 3 years ago | (#37553496)

Look, if you're trying to get the exact same app to run on Windows, Mac OS X, desktop Linux, iOS, Android, WebOS, ChromeOS, and BlackBerry OS, you're doing something very wrong. They are very different environments, running on devices with very different capabilities. One single application targeting all those platforms never works well.

So do the sensible thing and have several native implementations. Yes, it means you'll have to work slightly harder, but the experience for your users will be much better. That way they won't get stuck running some shitty mobile-compatible app on their desktop Windows system, or vice versa.

Application logic in which language? (1)

tepples (727027) | about 3 years ago | (#37553706)

So do the sensible thing and have several native implementations.

Ideally, these native implementations should be able to share the same application logic, just with a different front-end per platform. This way, if I fix a defect in the application logic, it's fixed across all ports. This is one advantage of separating model and view layers [pineight.com]. But apart from JavaScript in a web browser, is there a single programming language that can be used on Windows, Mac OS X, desktop Linux, iOS, Android, WebOS, ChromeOS, BlackBerry OS, and Windows Phone 7, in which to write this application logic?

Microsoft has ended support for J# (1)

tepples (727027) | about 3 years ago | (#37553420)

A Java application does not run on Windows Phone 7. Only web applications and applications written in verifiably type-safe .NET languages work on Windows Phone 7, and Microsoft has ended support for J# as far as I know. Python doesn't work on a lot of these more locked-down platforms either: it and other DLR languages require Reflection.Emit, which isn't present on a lot of the minimal CLRs. Nor will Java or Python help you get Sony or Nintendo to approve your application for execution on a PSP, PS3, PSVita, DSi, Wii, or 3DS, all of which come with a web browser or have one available for download at no charge.

Re:Microsoft has ended support for J# (1)

Lisandro (799651) | about 3 years ago | (#37553474)

Agreed, but then again, there's no magical solution for porting. There are great tools that ease the process though, in pretty much any platform and technology you'd like.

The fact that porting requires work shouldn't be an excuse to turn web browsers into fancy VMs.

Re:Microsoft has ended support for J# (1)

dingen (958134) | about 3 years ago | (#37553716)

The fact that porting requires work shouldn't be an excuse to turn web browsers into fancy VMs.

Why not? Isn't it about getting your application to as many people as possible, with the least amount of effort?

Re:Stop trying to make the browser more than it is (1)

ceoyoyo (59147) | about 3 years ago | (#37553332)

Meh. If your application is primarily presenting a UI then a web app isn't such a bad solution. For applications that actually do something, most of the work is behind the scenes. If it's Desktop only write it in Python or the like and you've suddenly got the entire desktop/notebook market finished. If you want it to run on a phone or tablet (and it SHOULDN'T run on both a phone and a desktop) then write it in C and slap Android and iOS UIs on it.

Re:Stop trying to make the browser more than it is (1)

thegarbz (1787294) | about 3 years ago | (#37553244)

Web browsers are good for viewing static documents, especially ones that link to other static documents.

Yep, but in the past 10 years they've gotten damn good at other things too besides hosting a page with the blink tag. Frankly I don't miss the days of a static web page.

It doesn't matter which embeddable application technology we consider, they are all rife with security flaws. Java applets, ActiveX controls, JavaScript, Flash, and browser plugins (like PDF viewers) have all suffered from numerous security problems.

The same could be said for nearly every application written in any other language. Security is something that needs to be applied from the ground up whether you're designing a database front end designed to run in a web browser or writing a simple native program in C.

Even after two decades of trying, they still aren't suitable environments for hosting applications. It's looking like they never will be, either.

Two decades of trying? Just when do you think Web2.0 actually took off? The proliferation of the browser as an end user environment has really only been popular for less than a decade unless you count the HTML tag that found its way onto every site during the dotcom bubble an application.

You said the environment isn't suitable, I say I'd rather take it with its standard OS type model of find flaw, fix flaw, rinse, repeat, than go back to a world of having to find a different bloody native application on every different operating system to do essentially the same function often over a lovely proprietary protocol.

Re:Stop trying to make the browser more than it is (1)

cavreader (1903280) | about 3 years ago | (#37553722)

Today's computing ecosystem is still too volatile to guarantee perfect security whether you build from the ground up or apply endless patches and updates. Look at the number of permutations of Operating Systems, OS Versions, OS Security Patch Levels, OS Bug Patch Levels, Hardware platforms, and custom Applications. It's amazing anything works or is even halfway secure especially when you introduce user actions into the mix.

Re:Stop trying to make the browser more than it is (1)

tepples (727027) | about 3 years ago | (#37553434)

If you need to provide your users with application-like behavior, then just write a native application!

Give me a solid workaround for each of these problems and I'll agree with you:

  • Unlike native applications made for Windows, web applications work on Macintosh computers and PCs running Linux. (Workaround: Qt)
  • Unlike native applications made for PCs, web applications work on video game consoles and smartphones. (Workaround: ?)
  • Unlike native applications, web applications can be used by limited users who have no privileges to install applications on a machine. (Workaround: ?)

Stop trying to make metal into more than it is! (0)

roman_mir (125474) | about 3 years ago | (#37553554)

Metal is good for making big knives and hammers for killing, it's especially good when the other side doesn't have metal.

Time and time and time again, however, it has been shown to be horrible as a food or as a pet. It just doesn't have the same functionality as a tomato.

It doesn't matter what kind of a very hard material we consider, they are all rife with the same problems: they are too hard to chew, they don't taste good, the teeth break all the time. Metal, rock, hard wood, sea shells, diamonds and quartz have all suffered from numerous problems when used as part of meals.

If you need to cook something, just kill a chicken!

Metals are not food sources. They are good at being used to make killing tools in a very specific manner. They can be used as heavy hard objects to hit with or as sharp objects to cut with. Even after THOUSANDS of years of trying, they still aren't as suitable to be eaten as a simple banana. It's looking like they never will be, either.

Less radical solution = better (1)

clorkster (1996844) | about 3 years ago | (#37553166)

I have convinced several non-technical people to stop using IE altogether when I could conclusively show them that there was no practical way to disable the Java plugin... Choir preaching over.

While Firefox and Chrome allow practical and real disabling of the Java functionality in their browsers, only Chrome offers really practical functionality for plugins (yes, I'm aware there are several other browsers out there that people deeply love, however testing in the above three tends to give proper rendering on all for web elements, so I don't plan on expanding my repertoire).

In Chrome, if the Java (or Windows Media Player, etc.) plugin is requested by a page, users are prompted to give domain specific permanent access to the plugin or allow it for one-time use. As ridiculously problematic as Java is from a security perspective, it is also extremely useful for enterprise-level products that use it exclusively for powerful web-based back ends (Cisco firewalls for one).

Re:Less radical solution = better (0)

Anonymous Coward | about 3 years ago | (#37553454)

Chrome white-listing is a PITA. I always enable onclick invoking.

chrome://flags/ [chrome]:

Click to play
Enables a "click to play" option in the plug-in content settings.

Re:Less radical solution = better (1)

clorkster (1996844) | about 3 years ago | (#37553522)

... or pre-install/integrate NoScript.

Re:Less radical solution = better (1)

Stormy Dragon (800799) | about 3 years ago | (#37553530)

Disabling Java in IE9:

Tools->Manage Addons->Click Java Plugin->Select Disable from Menu

Mozilla Craziness (5, Insightful)

Anonymous Coward | about 3 years ago | (#37553222)

What is with all of the over-the-top craziness coming out of Mozilla recently? Oracle needs to address the bug, but maybe Firefox could handle it in a more graceful manner than disabling the plugin entirely.

Mozilla, you used to be one of the darlings of open source, now you're turning into a crazy cat lady.

- remove version numbers.
- rapid release schedule breaks add-ons.
- gave the middle finger to enterprise users.
- removed the URL bar.

Further decrease market share (3)

Fujisawa Sensei (207127) | about 3 years ago | (#37553262)

Way to further decrease market share. First start fucking with the version numbering. Now blacklist Java.

Keep taking the express elevator to the bottom, just like Netscape did.

Umm... Flash? (4, Insightful)

Tridus (79566) | about 3 years ago | (#37553288)

So they want to block Java over what is a difficult to execute attack that has some serious requirements to even use... but they continue to allow Flash with its critical flaw of the week that's being actively exploited?

Is this a joke? Flash is the single largest attack vector on the entire fucking Internet.

Re:Umm... Flash? (1)

supersloshy (1273442) | about 3 years ago | (#37553712)

Java isn't far behind, though, and it's rarely used for anything besides Runescape and the occasional application that was made before Flash was big. The danger here is that people have Java installed as a web plugin when it really, really doesn't need to be in most circumstances.

Not blocked, but click to play (5, Insightful)

kangsterizer (1698322) | about 3 years ago | (#37553452)

Quoting decoder from the security team:

"It should be "click to play" by default, which means you have to click on the applet for it to be activated and loaded. "Disabled" might have been the wrong term here, but until you click the applet, nothing can happen."

That's what Chrome does also. Then again in theory, Flash should also be click to play. Except Flash is used everywhere and it's going to piss people off, so it's not click to play in Chrome either. In fact, all plugins should be click to play with a white list of auto play sites that the user can configure. Yeah, NoScript.

Still, I'd prefer default click to play in java.
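What kangsterizer describes above (click to play for every plugin, with a user-configurable list of sites that may auto-play) and the per-domain allowance clorkster wants earlier in the thread for things like Java-based firewall admin consoles can both be expressed as a managed Chrome policy file. The file below is an added example, not code from the original thread and not something Mozilla or Google published; it uses the Chrome enterprise policies of that era as I remember them (`DefaultPluginsSetting`, where 1 allows plugins everywhere, 2 blocks them and 3 is click to play, plus `PluginsAllowedForUrls` and `PluginsBlockedForUrls` with Chrome's content-settings URL patterns), dropped into `/etc/opt/chrome/policies/managed/` on Linux. The policy names, values and path should be checked against the policy list for the Chrome version actually deployed, and the hostnames are made up.

```json
{
  "DefaultPluginsSetting": 3,
  "PluginsAllowedForUrls": [
    "https://fw-admin.corp.example",
    "https://[*.]intranet.corp.example"
  ],
  "PluginsBlockedForUrls": [
    "https://[*.]ads.example"
  ]
}
```

The weak configuration is the default of the time, `"DefaultPluginsSetting": 1`, which lets any origin instantiate the Java plugin silently, exactly what the applet-based SOP bypass needs. With 3, a drive-by page gets a placeholder and nothing runs until the user clicks it; the allow list keeps the internal admin consoles working without a prompt, and the block list forces plugins off even if a user clicks. Note that NPAPI plugins, and with them these plugin policies, were later removed from Chrome entirely, so this only applies to browser versions that still load Java at all.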

No ETA for a fix (1)

tgeek (941867) | about 3 years ago | (#37553574)

I guess that means they haven't decided if it should go in the version 8 due after lunch, version 9 tomorrow morning, or version X next Tuesday . . .

Say what! (0)

Anonymous Coward | about 3 years ago | (#37553646)

Instead of fixing the underlying problem they're just going to block the Java applet that exploits it? Am I the only one who sees this as totally wrong-headed? The problem will still be there and someone will just find another way to exploit it without using Java.

Steven
