
Will New Red-Text Warnings Kill Casual Use of Java?

timothy posted about 10 months ago | from the brew-more dept.

Java 282

New submitter ddyer writes "Java 1.7.0_40 [Note: released earlier this month] introduces a new 'red text' warning when running unsigned Java applets. 'Running unsigned applications like this will be blocked in a future release...' Or, for self-signed applets, 'Running applications by UNKNOWN publishers will be blocked in a future release...' I think I see the point — this will give the powers that be the capability to shut off any malware Java applet that is discovered by revoking its certificate. The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate."


282 comments


red spots (3, Funny)

Anonymous Coward | about 10 months ago | (#44962205)

red spot warnings have not killed off casual sex.

So-- probably not?

Re:red spots (1, Insightful)

TWX (665546) | about 10 months ago | (#44962323)

Yeah, but generally that kind of screwing has a strongly anticipated immediate short-term benefit, even with the long-term ramifications. I don't see such euphoria in the original case...

Will New Red-Text Warnings Kill Casual Use of Java (-1)

Anonymous Coward | about 10 months ago | (#44962251)

Does the Tin Man have a sheet metal cock?

Probably not, but if it does, good (2, Insightful)

Anonymous Coward | about 10 months ago | (#44962261)

While I would hope for the day that Java dies the pathetic death it is due, I doubt that will happen. Much more likely is that "unauthorized" Java VMs will start to crop up that let the user whitelist applets rather than relying on Oracle's certificate system.

Re:Probably not, but if it does, good (2)

Gerzel (240421) | about 10 months ago | (#44962967)

Or people will just move to the OSS version.

Re:Probably not, but if it does, good (2)

InvalidError (771317) | about 10 months ago | (#44963231)

I doubt Java as a programming language is going to die any time soon since Android, which has been the fastest-growing platform for a while now, is pretty much a JRE running on top of a Linux-based kernel.

Oracle's own walled-garden Java on the other hand might not fare so well.

Screw java, HTML5 + JavaScript (1, Troll)

m1ndcrash (2158084) | about 10 months ago | (#44962271)

It sometimes feels that in order to use a Java applet you need to hide behind 3 VMs, because as soon as you hit an exploit pack... well you know... HTML5 + JavaScript offer a great deal of flexibility and that is the way we should chive on.

Re:Screw java, HTML5 + JavaScript (5, Insightful)

Anonymous Coward | about 10 months ago | (#44962767)

please don't ever type "chive" again

Re:Screw java, HTML5 + JavaScript (0)

Anonymous Coward | about 10 months ago | (#44962983)

Upvote this please.

Applets only (0)

Anonymous Coward | about 10 months ago | (#44962297)

No one uses Java Applets anymore so it doesn't matter.

Re:Applets only (2, Insightful)

logjon (1411219) | about 10 months ago | (#44962333)

I wish this were true.

Re:Applets only (4, Insightful)

jasper160 (2642717) | about 10 months ago | (#44962435)

It would be a welcome gift. I admin for a bunch of engineers and a lot of the corporate and gov sites they access still use Java. And even worse, some are so crappy they are version-specific, which makes no sense other than they are lazy.

Re:Applets only (0)

TWX (665546) | about 10 months ago | (#44962343)

And Apple is dying...

Re:Applets only (0)

Anonymous Coward | about 10 months ago | (#44962831)

Apple is dying... I can't see Apple being Apple 10 years from now... what are they going to do?

Launch a new version of the same fucking thing + iterator number like "iPhone 13S plus"?
Yeah, like people will fall for it and keep on buying... haha

Re:Applets only (0)

Anonymous Coward | about 10 months ago | (#44962383)

IPMI

Re:Applets only (1)

dtfinch (661405) | about 10 months ago | (#44962779)

The ones I get stuck with always seem to require Java 1.4.2, so any new breaking changes are irrelevant.

Re:Applets only (0)

Anonymous Coward | about 10 months ago | (#44963081)

You are lucky there. Well, your machines are insecure as hell, but at least you are only having to deal with one old version. We've got some requiring 1.4.x, some need 1.5, some can't work without 1.6.0_35, others need 1.6.0_43 or higher, but not 1.6.0_45, some need 1.7. Every last time Oracle issues a new "patch" (they don't patch; they give you a whole install each time), something in one or more enterprise application breaks. People have got to stop using this terrible JVM. The language can be fine - the Oracle JRE implementation should be thrown out.

We can only hope... (3, Insightful)

DavidHumus (725117) | about 10 months ago | (#44962305)

But don't get your hopes too high.

Re:We can only hope... (-1)

Anonymous Coward | about 10 months ago | (#44962605)

Yeah, anything that can kill off bloated languages like Java is very welcome. Despite outcries to the contrary with ridiculously contrived microbenchmarks to "prove" Java is faster, it is still slow as shit and memory-hogging hungry. Let's fire the dipshits who can't write real code and instead need VM training wheels.

Apparently, applets only (5, Informative)

SirGarlon (845873) | about 10 months ago | (#44962331)

TFA says this is for "Rich Internet Applications," that is, Java applets embedded in Web pages. It doesn't seem this would affect Java programs that you execute locally, such as (for example) Eclipse.

Re:Apparently, applets only (5, Informative)

snookerdoodle (123851) | about 10 months ago | (#44962449)

Exactly.

OP doesn't seem to know anything about Java.

This will not affect standalone Java programs, only applets.

It could be argued that they should have done this a long time ago.

Mark

Re:Apparently, applets only (4, Informative)

i kan reed (749298) | about 10 months ago | (#44962511)

It could also be argued that java has no place in browsers given the modern flexibility of javascript. The UI features are worse, the performance differences are negligible, legit code is sandboxed either way. All you're left with as an advantage for true java is threading.

Re:Apparently, applets only (2)

Blaskowicz (634489) | about 10 months ago | (#44963031)

Performance differences negligible?
The most advanced thing I've run in javascript was Wolf3D. I remember javascript doom was not playable (it's not available anymore, because of unauthorized use of the game assets). Java has smooth Minecraft and whatever stuff, for example Text Express from Zylom, which is a little game that runs very smooth; you can barely run a Tetris in javascript and it will look like a Windows 3.1 freeware, use shit ton of CPU, make the whole web browser slow.

Re:Apparently, applets only (2, Insightful)

Anonymous Coward | about 10 months ago | (#44963331)

>the performance differences are negligible
In javascript you can run multi-threaded computation, you have access to native network buffers (for no copy transfers of large amount of data), ... I was told no.

>given the modern flexibility of javascript
So, you are saying: if there is a Java library to do it, there is _always_ a javascript library to do it. Access to any file format, implementation of any network communication protocol, ...

I am _really_ skeptical. Javascript may be great for accessing web servers and dishing out html, but that's not all that people would like to do in a web page...

Re:Apparently, applets only (0)

Anonymous Coward | about 10 months ago | (#44962485)

oracle's RIA != java applets embedded in web pages

Re:Apparently, applets only (4, Informative)

jonabbey (2498) | about 10 months ago | (#44962547)

This would not affect Eclipse, no, but it does affect locally produced applications that are distributed from an intranet web server with Java Web Start / Java Network Launch Protocol.

Previously, we could just self-sign our app and users could choose to accept the app once and for all and not be bothered so long as the signing cert didn't change. Now, all of our users running Java 1.7.0_40 are given the threatening dialog each and every time they run our internal app, and they can't get rid of it.

We're going to pony up for a code signing cert from a (Java-recognized) certificate authority to make the dialog go away. It's a hassle, but probably still the right thing for Oracle to do at this point.

Re:Apparently, applets only (2, Interesting)

Anonymous Coward | about 10 months ago | (#44963165)

Can't you make your own CA cert, shove that into the JRE/JVM keystore, and chug along "for free"? Or did you decide that it was worth $100/year to not deal with having to automate running keytool on all your desktops?

Re:Apparently, applets only (1)

ddyer (520106) | about 10 months ago | (#44963317)

The current warning promises that in the future, self-signed certs won't be accepted at all.
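
Added example, not part of any comment in this thread: a small Java check that sorts a JAR into the three cases the discussion keeps returning to (unsigned, self-signed, signed with a certificate issued by someone else). The class and method names are made up for illustration; `CA_ISSUED` only means the signer's certificate has a different issuer, not that the JRE trusts that issuer or that the certificate is unrevoked.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Illustrative only: classify a JAR as unsigned, self-signed, or CA-issued. */
public class JarSignerCheck {

    enum Status { UNSIGNED, SELF_SIGNED, CA_ISSUED }

    static Status classify(String jarPath) throws Exception {
        // verify=true makes JarFile check each entry against the signature files.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Status result = Status.CA_ISSUED;
            boolean sawEntry = false;
            byte[] buf = new byte[8192];

            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry entry = en.nextElement();
                // The manifest and signature files under META-INF/ are not signed
                // entries; skipping the whole directory is a simplification.
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                sawEntry = true;

                // Signer information is only available after the entry has been
                // read to the end. A modified entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }

                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // One unsigned class is enough to treat the JAR as unsigned.
                    return Status.UNSIGNED;
                }
                for (CodeSigner signer : signers) {
                    // First certificate in the path is the signer's own certificate.
                    X509Certificate leaf = (X509Certificate)
                            signer.getSignerCertPath().getCertificates().get(0);
                    if (isSelfSigned(leaf)) {
                        result = Status.SELF_SIGNED;
                    }
                }
            }
            return sawEntry ? result : Status.UNSIGNED;
        }
    }

    /** Self-signed: subject equals issuer and the signature verifies with its own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        for (String path : args) {
            System.out.println(path + ": " + classify(path));
        }
    }
}
```

Run it as `java JarSignerCheck app.jar` over the JARs an intranet Web Start deployment serves to see which ones would fall under the "unsigned" or "UNKNOWN publishers" wording quoted in the summary.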

Why should it cost to be trusted? (1)

EzInKy (115248) | about 10 months ago | (#44962341)

Businesses spend money to make money, and since profiting off others is the ultimate goal why should they be trusted?

Re:Why should it cost to be trusted? (0)

Anonymous Coward | about 10 months ago | (#44962399)

Don't be obtuse, you dumb ass. It creates a paper trail for scammers and nothing more.

Probably Not (2)

Ksevio (865461) | about 10 months ago | (#44962351)

"Casual" use of Java is fairly rare - if there's an applet on a website, I'm probably going there to find it and won't be worried about it being unsigned. Most sites use Flash or Javascript rather than fire up the JVM.

The typical user will just click "Run" no matter what it says anyways, that's why Google's malware blocking doesn't even give the option to proceed to the website on its warning page.

Re:Probably Not (0)

Toad-san (64810) | about 10 months ago | (#44962555)

Those unsigned applets on websites are EXACTLY the scripts you should be worried about!

I totally love my NoScript, but would appreciate the alerts for unsigned scripts more than a generic blocking.

Re:Probably Not (1, Informative)

Anonymous Coward | about 10 months ago | (#44962675)

Now if you only knew the difference between Java and JavaScript.

Re:Probably Not (1)

Ksevio (865461) | about 10 months ago | (#44963049)

To be more clear - unsigned applets such as a utility for a game made by a player I know or other cases where the point of visiting the page was to use the applet (where I'd also risk downloading a program). Not cases where I'm browsing the web and there just happens to be a mysterious Java applet.

Re:Probably Not (0)

Anonymous Coward | about 10 months ago | (#44962585)

As I read them, the current red box warnings promise that in the future, you won't be able to click on "run anyway".

Re:Probably Not (1)

Ksevio (865461) | about 10 months ago | (#44963065)

You still have the option, it just requires you to check a box first according to TFA.

Re:Probably Not (1)

Impy the Impiuos Imp (442658) | about 10 months ago | (#44962799)

> The typical user will just click "Run" no matter what it says anyways

I don't know what kind of web sites you visit, pal, but mine are much more perverted and I'll be glad to have a dynamic choice to not run stuff.

Re:Probably Not (1)

Urza9814 (883915) | about 10 months ago | (#44962829)

> "Casual" use of Java is fairly rare - if there's an applet on a website, I'm probably going there to find it and won't be worried about it being unsigned. Most sites use Flash or Javascript rather than fire up the JVM.
>
> The typical user will just click "Run" no matter what it says anyways, that's why Google's malware blocking doesn't even give the option to proceed to the website on its warning page.

That's exactly what this is, but worse. They're saying that in some future release there will be no 'just run it anyway' button. Google's malware page *does* give an option to continue, it just takes a couple extra clicks to get there. This will have no such option. Also, appealing Google's block is quick, easy, and free. There's no appeal here, just extortion.

Essentially what Oracle is doing here is saying to all the applet developers: "It'd be a real shame if something were to happen to that app of yours...how about we provide some protection, for a small fee of course..."

Re:Probably Not (1)

Ksevio (865461) | about 10 months ago | (#44963001)

> Google's malware page *does* give an option to continue

Last I saw, the only way was to copy the URL and paste it in the address bar, but it may have changed.

YES! (0)

Anonymous Coward | about 10 months ago | (#44962361)

I hope so.

As long as it doesn't affect non-in-browser code (0)

Anonymous Coward | about 10 months ago | (#44962363)

I don't care much if this is done for an in-browser program. I've already got java disabled for browsers because of endless security flaws. But Oracle should provide free certificates if the software itself is demonstrably free. If they're doing this for all java uses, including standalone programs (i.e. not in a browser), then this is awful and will kill my interest in java completely. $100 to enable people to run a program I want to supply for free? No thanks. I'll pick a different language.

ACK! (1)

TheCarp (96830) | about 10 months ago | (#44962367)

The notice is good, and in the general case this is good. I see some serious problems for system admins who have to use systems with older ILOs. Just about every ILO or remote console I have used in the past few years has been Java-based and used self-signed certs.

It would be nice if you could whitelist trusted networks. I would like this when going to random google pages, this will be a serious pain when it comes to administering systems.

Re:ACK! (1)

jbmartin6 (1232050) | about 10 months ago | (#44962553)

Time to start archiving versions of portable Java so they will be available for use with a standalone Firefox Portable to run all those legacy apps. Or something similar.

Re:ACK! (1)

ADRA (37398) | about 10 months ago | (#44962563)

You used to be able to install self-signed certs into a keychain, and I'd be surprised if they took away the ability to do so in the future.

Re:ACK! (1)

TheCarp (96830) | about 10 months ago | (#44962679)

I don't actually deal with ILOs in my current position (often anyway). However, the last environment I was in was utterly pathological. The ILO would generate its own self-signed cert, meaning you would literally need to install a new cert for every single ILO.

Maybe that is fine in a small environment, I have been working in ones where we are talking about something on the order of 2000 systems.

Re:ACK! (1)

ddyer (520106) | about 10 months ago | (#44962783)

That's exactly what's promised by the red warning seen today.

Re:ACK! (1)

TheCarp (96830) | about 10 months ago | (#44962953)

Well promises are worth what? :)

I worked at my first year for 5 years. 5 years before I started they first announced they were going to kill off the old VMS based email system. I was gone for 2 years before they finally actually killed it....because every time they tried, someone raised a stink.

Reds (-1, Offtopic)

rossdee (243626) | about 10 months ago | (#44962373)

In many countries, Red is the color of the political Left (Socialists, Communists, or the Labour Party).
In the USA, Red is the color of the political Right (Republicans).

Weird, eh.

As a matter of interest in navigational terms the Red light (on a ship or plane) is on the left. (Port side, remember port wine is red)

Casual use of Java (5, Funny)

Anonymous Coward | about 10 months ago | (#44962395)

> The unfortunate cost of this is that any casual use of Java is going to be killed.

You may think you're just a casual user of Java. You may think you just use Java for recreational purposes. Everybody knows Java is just a gateway language for other languages like C#. And we all know what happens to C# programmers.

Re:Casual use of Java (0, Troll)

Dracolytch (714699) | about 10 months ago | (#44963163)

They get paid well, and have a long happy career using an IDE that doesn't suck?

Casual use of Java..? (3, Interesting)

FryingLizard (512858) | about 10 months ago | (#44962419)

Java? Casual? That's like saying the US Tax code is good bed-time reading.
After realizing I was spending half my frickin' life compiling, reloading, and waiting... waiting... (I'm looking at _you_ Tomcat) I switched to Python and never looked back.

WHAT casual use of Java? (1)

Anonymous Coward | about 10 months ago | (#44962421)

Serious question. What 'casual' use of Java applets is there to kill?

Re:WHAT casual use of Java? (1)

ddyer (520106) | about 10 months ago | (#44962757)

There are lots of java applets that implement games, graphs, and other useful things that require a real program. Making sandboxed java applets harder to use will displace legitimate programs to more dangerous forms (such as downloaded java applications, or other directly executable programs), and in the process train users to ignore the danger.

Casual use of Java was dead 10 years ago. (4, Interesting)

stewsters (1406737) | about 10 months ago | (#44962433)

I really don't think that there is a casual use of Java applets anymore. Banks and large corporations use it, but when was the last time you ran someone's java app that wasn't your own or a major corporation's? Large players can pay $100 a year for their app without thinking about it. Personal projects you trust and can push continue on. You shouldn't be running java apps from random other sources if you value security.

Re:Casual use of Java was dead 10 years ago. (1)

Urza9814 (883915) | about 10 months ago | (#44962867)

> Personal projects you trust and can push continue on.

RTFS:

> Running applications by UNKNOWN publishers will be blocked in a future release...

There is a 'continue on' button right now, but this is stage one of phasing that out entirely.

Re:Casual use of Java was dead 10 years ago. (0)

Anonymous Coward | about 10 months ago | (#44962943)

> $100 a year for their app without thinking about it

Sounds like you've never worked for a large company. Obtaining our SSL cert for HTTPS took dozens of meetings over a period of eighteen months with four trips to our corporate headquarters. Between salary and travel expenses for our CIO, VP of Engineering, and myself, I know the cert cost us at least $25k to get approved. We're having another in-person meeting in January to discuss the renewal in March. I have never worked anywhere that just spends money "without thinking about it." The throw away money without thinking about it fantasy that you describe would quickly destroy a company. It just doesn't happen. Those companies are out of business because they run out of money. Here in the real world, spending $100 costs a lot more in oversight. For technical items, they can easily cost 10 to 100x times as much to purchase.

Are you still in school?

Re:Casual use of Java was dead 10 years ago. (1)

rahvin112 (446269) | about 10 months ago | (#44963285)

If you are spending $25k over a $100 item there is something seriously wrong with your company.

We aren't a big company and our office managers and VPs can sign for $250 and justify it later. There should be no reason to have 4 people in a meeting to discuss spending $100 on an IT asset. At the most you should have a 5 minute conference call between CTO and CEO.

Re:Casual use of Java was dead 10 years ago. (1)

joe_frisch (1366229) | about 10 months ago | (#44962969)

NOAA aviation weather tools are done in java - used extensively by pilots.

Re:Casual use of Java was dead 10 years ago. (1)

Anonymous Coward | about 10 months ago | (#44963175)

> Banks and large corporations use it, but when was the last time you ran someone's java app that wasn't your own or a major corporation's? Large players can pay $100 a year for their app without thinking about it.

> NOAA aviation weather tools are done in java - used extensively by pilots.

You might not realize this, but NOAA is part of the United States federal government, which is larger than most corporations. It can certainly afford $100 a year to sign apps so that pilots can be sure they're running the real application.

Re:Casual use of Java was dead 10 years ago. (1)

ultrasawblade (2105922) | about 10 months ago | (#44963057)

There's a really cool open source SSL VPN called Adito that allows you to do port forwarding over SSL via a browser-launched Java applet.

Re:Casual use of Java was dead 10 years ago. (1)

imess (805488) | about 10 months ago | (#44963247)

Do you consider MultiBit from a random source?

Re:Casual use of Java was dead 10 years ago. (1)

suutar (1860506) | about 10 months ago | (#44963325)

last week. GUI client for one of my favorite chat programs uses Java Web Start and is written/maintained by one guy in Denver.

Java applets? (3, Insightful)

bigtech (722116) | about 10 months ago | (#44962439)

Did I just step out of a time machine?

Bad for science education (4, Interesting)

l2718 (514756) | about 10 months ago | (#44962527)

Java applets are an essential tool for science education -- as simulators [colorado.edu], calculators [hws.edu] etc. Are all these research groups supposed to get some authority to digitally sign their applets?

Fundamentally, a major aspect of Java security is that, since it runs on a VM, an applet is inherently encapsulated. Yes, VM bugs can cause problems, but the value of all the free educational applets online far exceeds any possible security benefits of unpatched VM bugs.

Re:Bad for science education (1)

ADRA (37398) | about 10 months ago | (#44962595)

I agree in general, but I'd say any apps that want system access (legitimately breaks out of sandbox protections) should be disabled for self-signed apps that haven't been manually white-listed. The number of Java apps needing system access should be low in general.

Re:Bad for science education (2)

twocows (1216842) | about 10 months ago | (#44962615)

I imagine there will be an option in the deployment settings (which were also added with this release, I believe) to allow unsigned applets to run. As for Java running in a VM providing sufficient security, I'm going to have to disagree. Java security exploits have been responsible for a whole lot of malware over the years; in fact, it's one of the most common ways for malware to propagate. I think it's pretty clear by now that whatever security benefits the JVM might have once held are no longer a factor.

Re:Bad for science education (0, Troll)

Gibgezr (2025238) | about 10 months ago | (#44962739)

Stop using Java versions and switch to Python programs that do the same sort of thing; some educational institutions are doing that right now.

Re:Bad for science education (2, Interesting)

Anonymous Coward | about 10 months ago | (#44963143)

Except, you know, the whole being able to produce one package that reliably runs across any platform the VM does. PIP is not a replacement for a .JAR file, nor is it even a convenient alternative.

I mean I know what you're trying to do, "I'll shout out an OSS language and make some sweeping generalization about it taking over in some field...education maybe, yeah, that's a good one... Then the karma will just start rolling in." That's about as much thought as you've given the problem, which is probably why in any serious workplace you're still going to find Java being used, for better or worse. People like yourself haven't come up with a valid alternative -- worse still you mindlessly promote whatever platform you prefer, without any thought as to the logistics of entirely replacing every program you had written in one language with another entirely.

OSS proponents need to climb down off their soapboxes and do some actual coding for a change. We get it, the open alternative is the better one. If you want us to use an open alternative to Java, make one better than Java, make one that does what Java already does, then improves on it in some way. Matz did it with Perl and Ruby, now Ruby is practically a household name in the OSS community...what's stopping you? Lack of talent, perhaps?

It's much easier to blather out lines like "stop using Java and switch to Python programs that do the same thing," but as you already are obviously unaware, it isn't possible to wave one's hand and turn a Java program into a Python one overnight, not even a small one. Let alone something that's been running for a decade and has MILLIONS of lines of code to be replaced. The fact that you were modded as high as you were for this nonsense only serves to illustrate just how much of a ridiculous circlejerk this site has become.

Re:Bad for science education (0)

Anonymous Coward | about 10 months ago | (#44963037)

If an entire educational institution cannot afford ONE $100 yearly certificate renewal to share among all the apps produced by its faculty, I'd say they have bigger concerns, no?

Step in the right direction (1)

twocows (1216842) | about 10 months ago | (#44962537)

Roger Grimes over at InfoWorld has an excellent security column and Java security has been one of his biggest gripes for a long time (example [infoworld.com]). This will be great for anyone who doesn't stay on top of patching (and also good for those who do, to a lesser extent). The newest release of Java also allows for finer grain security control, something that's been missing for years. I think Oracle's finally starting to try and seriously tackle Java security. Besides, "casual Java" use (at least for in-browser applets, which this seems to be about) isn't really that common anymore anyway (most of it's Flash now) and it's a small sacrifice to make for greatly increased security.

Sandboxing (1)

Anonymous Coward | about 10 months ago | (#44962559)

Wasn't it the point of sandboxing to allow untrusted programs to run without risk of harm? Why do you need to know who published an applet that can do no harm?

I RTFA but I don't see it (1)

Khashishi (775369) | about 10 months ago | (#44962577)

Does it show the warning in any of the linked articles?

WAAAAT (3, Insightful)

GameboyRMH (1153867) | about 10 months ago | (#44962593)

Most of the Java apps I use are unsigned.

Here's what I see happening: Lots of people hanging onto old Java versions, creating an even bigger security disaster.

Re:WAAAAT (0)

mark_lybarger (199098) | about 10 months ago | (#44962749)

yep. we have an internal applet application that uses a self signed certificate. it's deployed to the local file system and launched from a remote page, thus we're stuck using java less than 1.6.24 due to a security change^^^bug oracle made.

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7020285 [sun.com]

Wouldn't this affect JavaFX? (0)

Anonymous Coward | about 10 months ago | (#44962619)

Not that there are many JavaFX applications out there, but wouldn't this affect those since a JavaFX application is similar to an applet? After all, it is code that is downloaded.

Re:Wouldn't this affect JavaFX? (0)

Anonymous Coward | about 10 months ago | (#44963135)

We can only hope.

Java applets? (0)

Anonymous Coward | about 10 months ago | (#44962631)

Are there any non-casual applets still in use?
The only Java applets I ever see are Game of Life simulators and such on pages that haven't been updated since roughly 2001.
This should kill off Java on the Web. Finally.

Re:Java applets? (1)

nylrym (1976750) | about 10 months ago | (#44962873)

Yes. Especially in IT, where lots of consoles for machines without conventional 'heads' run as a Java applet in a webpage hosted on the controller.

I thought the whole point of Java... (5, Insightful)

BitterOak (537666) | about 10 months ago | (#44962641)

I thought the whole point of Java is that it runs in a sandbox so applets don't NEED to be trusted. Are they admitting failure here?

Re:I thought the whole point of Java... (3, Insightful)

dbc (135354) | about 10 months ago | (#44962683)

Yes. Exactly. They just plead guilty to selling snake oil, as we knew they were doing all along.

And my mod points ran out yesterday :-/

Re:I thought the whole point of Java... (0)

Anonymous Coward | about 10 months ago | (#44963275)

Unfortunately, it's not that sandboxing Java is impossible (see: Javascript and NaCl), it's that Sun/Oracle's sandbox programmers are apparently incompetent. And probably the fact that Java has sandboxed and unsandboxed modes makes it more difficult.

Re:I thought the whole point of Java... (1)

rahvin112 (446269) | about 10 months ago | (#44963311)

They didn't need to "plead guilty", the department of homeland security issued a public press release a year ago telling everyone to uninstall Java. A year later Oracle has basically agreed.

Re:I thought the whole point of Java... (1)

DickBreath (207180) | about 10 months ago | (#44963083)

> I thought the whole point of Java is that it runs in a sandbox so applets don't NEED to be trusted.

Yes, and then later Applets are allowed to interact with JavaScript code in the surrounding browser, and vice versa JavaScript can interact with methods of the Applet. That would never open up such complex interactions that nobody could foresee the security problems. Nope, nosiree. (sarcasm)

Paper is cheap (1)

EzInKy (115248) | about 10 months ago | (#44962687)

So why the $100 cost if it isn't to profit off of those who depend on it?

A lot of our code and even our certificates are (2)

WillAffleckUW (858324) | about 10 months ago | (#44962691)

This will be unfortunate.

We've had problems with our university issuing certificates for domains and for code, which is not intended for public use.

Making it not run will mean we will have to dump Java and use one of our other OPEN SOURCE coding methods.

Buh bye!

Not that we're the fifth best world university or in the top ten list of US research universities or anything.

Minecraft (1)

Rational (1990) | about 10 months ago | (#44962755)

The last reason left to have Java installed?

Re:Minecraft (2)

twocows (1216842) | about 10 months ago | (#44962859)

Perhaps, but not an excuse to let Java applets run freely in your browser. TFS says that this only applies to applets; programs run out-of-browser will probably function normally. Even if that's not the case, I'm sure they'll have an option to allow unsigned code to run.

Retards (3, Insightful)

0123456 (636235) | about 10 months ago | (#44962769)

As others have mentioned, there are a ton of embedded systems which use Java as the control interface and load unsigned or self-signed applets to do so. Block them, and we'll be forced to stick with an old version of Java.

Re:Retards (0)

stewsters (1406737) | about 10 months ago | (#44962853)

Do those embedded systems run the latest 1.7.0.40 Oracle Java? Because if they don't, it shouldn't matter. If they do, add a self signed cert to your embedded system.

Re:Retards (1)

0123456 (636235) | about 10 months ago | (#44962917)

> Do those embedded systems run the latest 1.7.0.40 Oracle Java? Because if they don't, it shouldn't matter.

The browser will be running the latest version of Java, and that's where the decision will be made about whether it's allowed to run.

You've got it backwards (0)

Anonymous Coward | about 10 months ago | (#44962991)

The embedded systems may not even HAVE java, just the compiled applet and an itty bitty web server.

It's the version installed on the client machine.

Who uses java applets casually? (1)

Anonymous Coward | about 10 months ago | (#44962785)

Why can't these "casual" applets get a certificate, or ask users to click "OK"? If your app isn't worth $100 to you, and is not worth 30 seconds of education and one mouse click per run to your users, it is not really all that valuable to anyone.

A programming job in the US pays $20-$60 per hour. $100 is unlikely to be a significant barrier to anyone who has the skill set to create a program worth a user's time.

Given the security benefits of forcing scammers to prove who they are to a cert authority, I am disappointed that this was not done a decade ago.

Re:Who uses java applets casually? (1)

ddyer (520106) | about 10 months ago | (#44962919)

"Prove who you are" consists of cashing your check. The "trust" part of certificates is a bad joke. As I see it, it's the ability for the certificate authority to revoke a certificate (and browsers' willingness to enforce the revocation) that provides some damage control.

So if they Just Don't like That One? (0)

Anonymous Coward | about 10 months ago | (#44962819)

"will give the powers that be the capability to shut off any (malware) java applet that is discovered by revoking its certificate"

This gives the powers that be the capability to shut off any java applet they do not like for any reason whatsoever? Am I the only one who has a problem with this? Will this affect other Java programs too?

Re:So if they Just Don't like That One? (1)

0123456 (636235) | about 10 months ago | (#44962939)

This gives the powers that be the capability to shut off any java applet they do not like for any reason whatsoever?

What? Letting users decide what programs should run on their computers, rather than 'the powers that be'? That's such 20th century thinking.

Totally Blocked? (2)

nurb432 (527695) | about 10 months ago | (#44962835)

No, I didn't RTFA... Are they going to refuse to run self-signed at all, or can you opt out of the blockage as the end user?

I'm OK with a warning; "hey do you trust this?" and a choice to say yes, but complete blockage is uncool.

There goes the *real* API (1)

atari2600a (1892574) | about 10 months ago | (#44962845)

You think people will care enough to switch to openjdk or just....no?

That would be great - drive by malware protection (2)

Sarusa (104047) | about 10 months ago | (#44962935)

Nobody should be running Java in browser. It's a blinking, gaping 'zero day me here!' for any drive-by malware and Oracle can't keep up with the exploits (though they still keep trying to re-enable their plugin on install, along with trying to install junkware, the evil bastards).

I do use Java for standalone apps, this is not an anti-Java thing - it's the browser plugin that is the problem.

Big slow institutions that are stuck using Java can pay the $100 and still get the extra drive-by protection. Everyone wins. Of course the baddies could still get a cert... but then we're back to 'don't run it in browser.'

Re:That would be great - drive by malware protecti (1)

s122604 (1018036) | about 10 months ago | (#44963187)

Nobody should be running any fully functional, system aware, computer program in a browser...
A java applet is a java computer program written by "someone" coming from "somewhere" running in a browser on your computer.

Replace "java computer program" with "c++ computer program" (or any other "real" language) in the previous sentence, and it describes a situation no less dangerous, arguably more so.

It has nothing whatsoever to do with the language, it's the paradigm.

Fighting the impossible fight (2)

WaffleMonster (969671) | about 10 months ago | (#44963023)

Is it more difficult to give up on making the sandbox mechanism secure or to review all code for all applets to make sure they are "trustworthy"?

I would think, money making conspiracies aside, the first approach is a solvable problem while the second is a hopeless fool's errand... perhaps I'm wrong given there are just 3 remaining people in the world still using java applets on their websites.
