×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Firefox's Blocked-By-Default Java Isn't Going Down Well

Soulskill posted about 6 months ago | from the teaching-grandma-to-click-through-dialog-boxes dept.

Firefox 362

JG0LD writes "The Firefox web browser will, henceforth, require users to manually activate Java objects on sites that they visit, Mozilla has confirmed. This even affects up-to-date versions of Java, which you can see on the block list. The change is aimed at improving security and moving away from a dependence on proprietary plug-ins, but critics say it will cause untold headaches for developers, admins and less-technical end-users. "

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

362 comments

Didn't they learn from Microsoft? (5, Insightful)

Anonymous Coward | about 6 months ago | (#45209155)

Users hate authorizing things, and become trained drones blindly okaying everything anyway.

As security models go, it's a poor one.

Re:Didn't they learn from Microsoft? (0, Troll)

Darinbob (1142669) | about 6 months ago | (#45209285)

If they learn from Microsoft, then the lesson is to enable everything by default even if it's amazingly unsecure and let the users sort it out.

Re:Didn't they learn from Microsoft? (4, Insightful)

Doh! (86796) | about 6 months ago | (#45209441)

So... they should disable all plugins like Java and Flash and not let the user authorize anything? That would never work [apple.com].

Re:Didn't they learn from Microsoft? (-1, Troll)

Dahamma (304068) | about 6 months ago | (#45209473)

It certainly won't work when there are usable [microsoft.com] default [apple.com] or better [google.com] alternatives already available on PCs that allow it.

Re:Didn't they learn from Microsoft? (3, Insightful)

Microlith (54737) | about 6 months ago | (#45209609)

Fortunately it still works, it just won't give a security hole riddled platform automatic access to your PC.

Re:Didn't they learn from Microsoft? (2)

Dahamma (304068) | about 6 months ago | (#45209747)

But when the context of "work" is market share, it's TOTAL FAIL. General consumers really don't give a shit if it's the most secure platform on the planet if it's nigh useless in practice. Or are you one of the dozens of people using NetBSD?

Re:Didn't they learn from Microsoft? (4, Insightful)

sortius_nod (1080919) | about 6 months ago | (#45209777)

Indeed, never trust basic security to users. Better to keep a your workstations up-to-date & deal with the IT nightmare that is updating rogue workstations than to deal with the IT apocalypse of click monkeys.

Headaches for developers? (4, Insightful)

Anonymous Coward | about 6 months ago | (#45209163)

They should probably get their heads checked, why are they making Java apps for webpages still?

Re:Headaches for developers? (4, Informative)

characterZer0 (138196) | about 6 months ago | (#45209203)

In my case, applets for doing signatures with USB signature tablets. Can't do that in JavaScript.

Re:Headaches for developers? (0)

mwvdlee (775178) | about 6 months ago | (#45209429)

Why can you do that in Java but not in JavaScript?
In both cases you're effectively giving the sourcecode to the client, so there's no security.

Re:Headaches for developers? (5, Informative)

Dahamma (304068) | about 6 months ago | (#45209485)

Because Java allows native access to USB hardware. Haven't seen that in Javascript.

And no offense, but do you know what a digital signature is? Having the source code to the algorithm doesn't affect security. That would be like saying "I know how AES works, therefore I can decrypt all AES-encrypted data!" Doesn't work that way.

Re:Headaches for developers? (1, Interesting)

cheater512 (783349) | about 6 months ago | (#45209573)

Javascript not having USB access sounds like a good thing to me.....
I'm actually surprised you can do that with Java.

Actually a good work around would be to expose your USB token as a image device.
Use HTML5 (or god forbid Flash) to extract the encoded data from the image presented.
Little bit clunky but it would work everywhere without any setup.

Re:Headaches for developers? (3, Insightful)

Dahamma (304068) | about 6 months ago | (#45209799)

Why is it surprising you can access to hardware features with Java *if you approve it*? I can access hardware with Python after I approve it, and that proves very useful. It's all about granting lower level access from interpreted languages - they already ask when they need these permissions, what else do you want, a human sacrifice?

I mean, really - you can install a native plugin or you can run a Java applet - both require user intervention for this level of access. Maybe I am underestimating the human population, but when both explicitly tell you exactly what enabling them allows it really doesn't matter - you either allow it or you don't.

Re:Headaches for developers? (5, Interesting)

BitterOak (537666) | about 6 months ago | (#45209647)

Because Java allows native access to USB hardware.

Maybe that's a darn good reason for requiring people to authorize Java applets manually!

Re:Headaches for developers? (2)

Dahamma (304068) | about 6 months ago | (#45209775)

And another useful thing about Java is that is has a very mature set of security domains. If anything, it was basically the proving grounds for all of the current iOS and Android apps in that regard. OBVIOUSLY it will of course ask you before running an applet that tries to access devices like that. When the applet wants to access hardware, ask. When it doesn't, don't. Seriously, your /. ID isn't that high, have you really never seen this before or are you just trolling?

Re:Headaches for developers? (0)

Anonymous Coward | about 6 months ago | (#45209765)

Java is compiled to bytecode.

Re:Headaches for developers? (3, Informative)

GumphMaster (772693) | about 6 months ago | (#45209381)

I don't know... they built a substantial client-side Java app some years ago, it still works, and they don't feel the urge to reinvent a perfectly good wheel. E*Trade Australia still uses client-side Java.

Uses of Java applets (4, Informative)

Anonymous Brave Guy (457657) | about 6 months ago | (#45209709)

Must we have this troll comment every time someone mentions Java applets?

Java applets are commonly used, as they have been for many years. According to this Chromium blog post from September 2013 [chromium.org], 8.9% of Chrome users had launched something using the Java plugin in the past month.

Among the common uses that get mentioned every time this discussion comes up are: public access to banking and government systems in various countries, games, user interfaces for devices (scientific equipment, network infrastructure, all kinds of examples), access to local hardware devices that aren't yet available via newer technologies, some popular teleconferencing and VPN software, and little demo graphics written by academics to go on their web sites a decade ago that are still just as relevant today.

In other words, just because you don't use Java applets yourself or know when they're still useful, don't assume everyone else is in the same situation.

Ironic (1)

aaarrrgggh (9205) | about 6 months ago | (#45209167)

Having problems for the past hour with cursed Java on my Mac. Really pisses me off that my Insteon controller absolutely requires it to update the system!!!

Good (1, Offtopic)

Falconhell (1289630) | about 6 months ago | (#45209169)

The developers can suffer, why the hell does a web page need to run 50 scripts for goodness sake!

Re: Good (-1)

Anonymous Coward | about 6 months ago | (#45209205)

Something wicked is happening if a site is running fifty Java "scripts" at once.

Already considering uninstalling firefox (4, Insightful)

Puls4r (724907) | about 6 months ago | (#45209173)

I'm not a developer, but I'm pretty savvy with computers. So the first time I got that message, I went and updated Java. Fixed it, right? Nope. So I clicked around, and finally accidentally clicked on the little red icon up in the menu bar. Success! Now it gave me an option to run it. Which popped up another window asking for permission. Dear Firefox: You have a small portion of the browser market. Making yourself a nuisance by breaking big pieces of the web is not intelligent. It just drives people to chrome, or IE. Especially everyday users who don't want to screw around and just want things to work.

Re:Already considering uninstalling firefox (2, Insightful)

Anonymous Coward | about 6 months ago | (#45209239)

What in the world are you using that requires a Java applet?

Re:Already considering uninstalling firefox (5, Informative)

Kjella (173770) | about 6 months ago | (#45209333)

Well, if you're in Norway then 800-900,000 people use it daily and 2.9 million occasionally to access their bank and various other public services through BankID [bankid.no]. They are moving away from Java now after all the security issues, it was announced in April but hasn't happened yet so with this I expect Firefox usage here will drop like a rock.

Re:Already considering uninstalling firefox (1)

Anonymous Coward | about 6 months ago | (#45209671)

And what is the problem. If your banks are braindamaged and use an applet, you have to generally authorize them to use that piece of shit Java *once*.

My bank have BankID in sweden, but for me it's installed like a plugin in the browser (it took forever for them to make it even compatible with firefox >4). That plugin calls a standalone application, probably still java but the browser dont get to know that.

Anyway, generally warning people before loading any java applet: "This plugin is insecure" is great.

You may not like the GUI, but java is not secure, you can't say that, it just is not that.

Re:Already considering uninstalling firefox (3, Insightful)

Anonymous Brave Guy (457657) | about 6 months ago | (#45209727)

Anyway, generally warning people before loading any java applet: "This plugin is insecure" is great.

No, warning people before loading an insecure plugin that it is insecure is great. Warning people that a newly updated plugin with no known vulnerabilities is insecure confuses them and teaches them that your security messages are worthless and they should just click yes.

I don't think anyone is claiming that Java is some paragon of Internet virtue that should be trusted without question, or that blocking plugins from unknown sites until the user OKs them is necessarily a bad idea. However, crying wolf and creating obscure UIs and turning everyday software into nuisanceware isn't a good response.

Re:Already considering uninstalling firefox (2)

Splab (574204) | about 6 months ago | (#45209723)

Yeah, share your pain (from Denmark, NemID is the name of the game here, same vendor though).

Fun fact, the alternative they are working on is javascript clocking in at $20m for the Danish version alone, Nets claims they are not reusing the code between BankID and NemID, but one does wonder (By the way, did you guys also suffer a 3 day downtime this weekend because the tards forgot to read the release notes?)

Re:Already considering uninstalling firefox (4, Informative)

reve_etrange (2377702) | about 6 months ago | (#45209273)

It just drives people to chrome

Good luck, Chrome has the same behavior. Even with a signed applet and updated Java, Chrome users had to click twice to run.

For the /.ers astounding by the persistence of Java applets, I was working with JMol [sourceforge.net]. I bypassed the issue by switching to the HTML5-and-JavaScript version and using the applet as a fall-back.

Re:Already considering uninstalling firefox (0)

Anonymous Coward | about 6 months ago | (#45209601)

Nothing drives me to chrome or IE. I am being driven to Safari, which I don't care for at all.

Java script (0)

Anonymous Coward | about 6 months ago | (#45209177)

just implement all functionality in JS instead, (damn the performance) - they've already ensured that the 'less technical users' won't disable *that* sucker.

Most wont work in Firefox anyway (1, Insightful)

Billly Gates (198444) | about 6 months ago | (#45209181)

They are coded for IE 6 and maybe up to IE 8 if it is very cutting edge with new css 2.1 glory.

In other words banks and corporate apps. The rest have moved on to flash and ajax last decade.

Webapps in java were a way to makup the shortcumings in Netscaoe 3 to imitate html 5 and ajax today. Obsolete and done

Like? (4, Insightful)

The Cat (19816) | about 6 months ago | (#45209189)

moving away from a dependence on proprietary plug-ins

Like the browsers themselves?

Hey maybe we can get all the people at Adobe and Oracle laid off the same week. Wouldn't that be fun?

Isn't it great how the web is moving away from "proprietary plug-ins" and straight into proprietary mobile devices?

And look at the web users cheer. The people who built the web would recoil in horror at what you have allowed to happen to the Internet.

I give it five years, maybe six, and the Internet will be completely walled off by a McDonalds logo.

Re:Like? (0)

Anonymous Coward | about 6 months ago | (#45209531)

Given that Firefox OS phones exist and you can buy them today, you're already "completely" wrong.

Re:Like? (2, Interesting)

Anonymous Coward | about 6 months ago | (#45209619)

No, that's exactly his point. There's isn't a standardized way of doing things cross-platform. Before there were companies pushing their own products and providing run-times so assuming you installed their blob you'll get the desired behavior. It worked, but you need to install the blob. You normally had to do something undocumented or very odd to lose cross-platform support.

Now you have Google/Apple/Microsoft/Mozilla phones. Each does things their own way and they have no interest in cross-platform development. They all want things tied down to their phones only so they get market share and a cut from app stores. We're worse off, and the people who can't afford data plans even more so.

Flash seemed like the 'best' cross-platform blob, Java was (and still is) the most powerful, and JavaScript is still busy reinventing all the libraries and tool-kits that previously existed. I've written Java applets and JavaScript apps. Java is still more cross-platform (less platform specific code or bugs to deal with) than JavaScript and HTML5.

At this rate... (5, Funny)

JohnA (131062) | about 6 months ago | (#45209199)

Firefox will be exactly what Scott Adams predicted...

http://dilbert.com/strips/comic/1995-03-25/ [dilbert.com]

Applets may be "The Debil", but they also fill a need that can't be filled by Flash or HTML5.

Mozilla needs to get over themselves.

What need? (2, Interesting)

SmallFurryCreature (593017) | about 6 months ago | (#45209663)

I use firefox and haven't encountered a singled issue with java not working... that is because I can't even remember the last time I saw a site with an applet.

Really this is a non-issue that will go the same way as active-x support. Only people in Korea will care.

If you are still developing/depending on applets, 1995 called they want their stupid ideas back. What next, your mail link is an animated gif?

Re:What need? (3, Informative)

Splab (574204) | about 6 months ago | (#45209703)

Java is needed to do banking in many places, the FF change gave me 30 minutes of "wtf?"; trying to work out why it kept complaining about insecure applet, when running newest Java had me perplexed.

If I had an alternative to FF on Mac and Java, I'd ditch FF for this stunt in a heartbeat.

Re:What need? (5, Insightful)

Anonymous Brave Guy (457657) | about 6 months ago | (#45209751)

If you are still developing/depending on applets, 1995 called they want their stupid ideas back.

Hi 2013, this is 1995 calling. When your new shiny toys have the portability and performance and flexibility that we had nearly two decades ago, and developers can write software using them with a reasonable expectation that it will still be working in 5 or 10 years (or even 1 or 2 years) without needing constant maintenance, then you get a vote. Until then, we'll keep our "stupid" ideas, because they've been helping us get useful work done since before you were born. Kthxbye.

Re:What need? (0)

Anonymous Coward | about 6 months ago | (#45209789)

I use firefox and haven't encountered a singled issue with java not working... that is because I can't even remember the last time I saw a site with an applet.

I do. I used map24.com a lot, and it was running Java. I got rid of Java once they figured out a way to crash not just the applet, but the entire browser with it. That's what made me realise that Javas so-called sandbox will never be secure.

Shortly after, Google Maps was launched, and I had no more use for map24.com.

Re:What need? (1)

turbidostato (878842) | about 6 months ago | (#45209815)

"I can't even remember the last time I saw a site with an applet."

Do you have a better idea for, say, a software-based KVM or something that needs to deal with local hardware, like an authentication token?

Who cares? (4, Funny)

Hecatonchires (231908) | about 6 months ago | (#45209207)

Java is huge in the business back end, but front end Java just leaves a bad taste in the mouth of users. Slow, bloated, painful to use and kinda salty.

Java, not JavaScript (0, Redundant)

thegreatbob (693104) | about 6 months ago | (#45209211)

This is regarding Java applets embedded on pages as opposed to JavaScript. There appears to be at least some confusion on this. If I had anything more insightful to add, I would certainly have done so.

Summary describes Java plugins! (0)

Gothmolly (148874) | about 6 months ago | (#45209215)

"it will cause untold headaches for developers, admins and less-technical end-users"

Wait, we're talking about the endlessly incompatible point-oh-oh-one releases of the Java plugin, right?

Bye, Firefox (0)

Anonymous Coward | about 6 months ago | (#45209217)

It's been great knowing you over the years. So sorry that the shot you intended to put through your foot went the other direction and blew your brains out.

Seriously, what kind of bubble to the idiots making these decisions live in?

Re: Bye, Firefox (0)

Anonymous Coward | about 6 months ago | (#45209517)

Given that I had disabled Java plugins in the browser 4 years ago and not had problems with it, I can assure you Java is a special case and you can and should turn that mass of remote backdoors off.

and good riddance to you sir. (0)

Anonymous Coward | about 6 months ago | (#45209563)

Just remember to smile [github.io] as you leave.

Smart sites developed better crosslinking. (0)

Anonymous Coward | about 6 months ago | (#45209259)

Meaning you only have to authorize 2 or 3 domains once. And your good to go.

Noscript (which ive used since forever ago) works fine with sites like youtube or google.

They want our business so make it easy to whitelist. Same with hotmail.

Now, more shady sites or lesser known pages (blip tv) with amateurish developers or packages with shady ad hosts have 100+ objects to unblock. I basically don't bother with the web unless its plain text readable or mainstream anyway.

Captcha: capable

Meaning its capable to deal with java and not need a fucking crazy system of linking to multiple resources. Even /. can tell the future.

Untold headaches? (4, Insightful)

ichthus (72442) | about 6 months ago | (#45209265)

We'll see. I've been running the FlashBlock plugin for years (to manually enable flash elements) with VERY FEW adverse effects. I doubt having to manually activate Java elements will be any worse.

Re:Untold headaches? (0)

Anonymous Coward | about 6 months ago | (#45209383)

This is one of the reasons I like internet explorer. Add-ons can be made to run only from select domains. I wish it had a run once option and the dialog to add a domain actually told you what domain it would be adding. They could also make it so you could remove select items from the domain list instead of clearing the entire list.

Re:Untold headaches? (1)

Anonymous Coward | about 6 months ago | (#45209385)

I don't remember the last time I even ran some java in my browser.
I think it was one of those 4D rubiks cube simulations.

Re:Untold headaches? (2)

Max Threshold (540114) | about 6 months ago | (#45209425)

It's becoming increasingly annoying to use NoScript. Some sites have so many transitive JavaScript dependencies that you have to click "temporarily allow all this page" a dozen times before the site works.

Re:Untold headaches? (5, Insightful)

macraig (621737) | about 6 months ago | (#45209521)

You just succinctly explained why tools like NoScript are so desperately needed, not why they aren't. The real problem is Web design that serves an agenda contrary to the desires and rights of those who use the Web. Fix that problem and annoying tools like NoScript won't be necessary.

What that means, BTW, is that Web developers need to grow both a conscience and a spine and say NO when they're asked to code Bad Things. It also means that the pushovers and corporate plants over at the W3C need to stop adding crap to the standard that aids and abets these Bad Things.

Bad Things require Better Alternatives (3, Insightful)

Anonymous Brave Guy (457657) | about 6 months ago | (#45209769)

You do understand that without those Bad Things you so hate, there probably wouldn't be a Web worth saving, right? Someone has to pay the bills, and if you're not going to pay for content, you're not going to accept advertising, you want full privacy and security when using services you're not paying anything for... Who is going to write the cheque?

I hate DRM and spammy ads and privacy invasions as much as anyone -- more that most, probably, given that I really do give up on some things most people accept because I refuse to support the intrusions. But still, we live in the real world, and you can't just wish Bad Things away without proposing Better Alternatives. BTW, "everything I want should be free and unencumbered" is not a viable Better Alternative.

Re:Untold headaches? (0)

Anonymous Coward | about 6 months ago | (#45209535)

The site-breaking of NoScript is why I switched to AdBlockPlus with relevant auto-updating filters [adblockplus.org], which achieves the same thing with far fewer headaches... The rare times that it eliminates something I really want, I take a few minutes to set an exception filter (which will be as widespread as I need) and just go back to what I was doing. SO much less aggravating than NS was...

(anon due to mod points)

Re:Untold headaches? (1)

lister king of smeg (2481612) | about 6 months ago | (#45209785)

Oddly I have had the exact opposite reaction. I started using adblock plus to adblock plus + noscript, to where now I use; adblock plus (with multiply filter lists), no script, ghostery, https everywhere, and request policy. Yeah it takes longer to view a page for the first time but it is also much safer and much better content to crap ratio.

On a related note anyone else see slashdot has been adding more tracking scripts ever since DICE bought them out.

Re:Untold headaches? (2)

antdude (79039) | about 6 months ago | (#45209695)

Embedded videos, Google Maps' Street View, etc. don't work with FlashBlock. I had to whitelist them. However, I don't use FlashBlock anymore since the latest Mozilla's web browsers come with an plugin ask prompt feature. :)

Re:Untold headaches? (1)

Splab (574204) | about 6 months ago | (#45209711)

Click to play is fine and dandy, however, the warning FF has put in place is just wrong. Even someone working in tech for many a years had to go over everything to work out why the hell it was showing danger alerts when trying to run the banks applet...

Re:Untold headaches? (0)

Anonymous Coward | about 6 months ago | (#45209813)

Wait, you run Java with it's infinite supply of security holes on the SAME computer as you use to do your banking stuff? You don't even have that one two computers on separate networks?

Any bank that cares about security would tell you that any theft from an account accessed from a computer that has Java installed is your own damn fault.

Improve security?? (3, Insightful)

Kwyj1b0 (2757125) | about 6 months ago | (#45209275)

There are two ways to improve security - lock out the user, or educate them.

Locking out the user is great - but it only works on NEW products, and if you don't have competitors. The reason it works well on NEW products is that the user isn't conditioned on what to expect. Remember, trying to change how people use their computer is an uphill battle. It works well when the do not believe they have alternatives.

Educating the user is harder, but that is the real fix. You aren't improving security by saying 'As responsible devs, our software won't do what you want'. Instead, make a two minute video showing them how $technology is flawed, and make them watch it ONCE. Then, let the choose whether to block $technology or live with it. Because right now they get fed up with Firefox (NOT Java), and click the little blue e.

And yes, it isn't a great hassle to keep using FF when you allow users to "click to allow $applet". But the pain is that I need to look at the little red icon in the address bar to permanently enable something [mozilla.org]. You might say that if I can't handle this additional step, I shouldn't be making a choice on whether to run an applet or not (but that is a bad road to head down). You could have just made a popup when I run an applet that says "Do you want to remember this setting?" - it doesn't fix the security problem, but the current solution doesn't either. At least this way, I don't feel frustrated at my browser for someone else's (Oracle, in this case) screw ups.

Good idea (0)

Anonymous Coward | about 6 months ago | (#45209293)

Developers need to get used to the idea that they can't count on either flash or java being present on the client end. That's just the way it is.

Re:Good idea (1)

rudy_wayne (414635) | about 6 months ago | (#45209339)

Developers need to get used to the idea that they can't count on either flash or java being present on the client end. That's just the way it is.

That is correct.

Except for the fact that there are eleventy bazillion websites already in existence which rely on one or more of these programs and they aren't going to change and they aren't going to go away.

Good! (0)

Anonymous Coward | about 6 months ago | (#45209329)

As someone who quite likes Java for server side applications, I am happy to see more nails in the coffin for applets.

In fact, I just recently spent a couple of days writing some HTML+CSS+JS code to replace the functionality of the last couple of Java applets on our web site at work that were in place for at least 7 years. It was quite easy using modern standard features and libraries like jQuery.

And during this process, with two of my testers, I found that IE would give all kinds of warnings about the applets when the Java plugin was enabled, but then DISABLING it caused them to just RUN with no questions asked. WTF!?

Overblown (1)

Anonymous Coward | about 6 months ago | (#45209349)

I've got Java blocked by default, Javascript, cookies, flash, ads, and trackers blocked by default too.
Never causes me more than a few seconds bother.
This is overblown like crazy

This is not security!!! (-1)

Anonymous Coward | about 6 months ago | (#45209393)

I am constantly amazed at how everyone has jumped on the "Java is the devil" bandwagon and started banning it, or as Firefox is doing, making itself nuisance-ware in order to use it. Particularly since Oracle purchased Sun.

* Java is one of the primary programming languages for Flash, but they aren't locking down Flash.
* Javascript runs without a sandbox and can read/write files on your machine without you knowing it, but they aren't locking down JavaScript.
* HTML5 has the ability to access your hardware (cameras, audio, etc..) but they aren't locking down HTML5.

By itself, Java is not a security risk any larger than other technologies we use through our browsers every day, and by design it is actually more secure than many.

I seem to recall many of these same arguments against other, older, technologies and we didn't panic about them. Instead, we added security to our machines and educated our users about what they should and should not do.

We should be doing the same thing now.

Re:This is not security!!! (1, Informative)

Anonymous Coward | about 6 months ago | (#45209545)

8 out of 10 browser exploits in the wild get in through Java.

Re:This is not security!!! (2)

thebjorn (530874) | about 6 months ago | (#45209661)

You obviously know what you're talking about. I would like to subscribe to your newsletter...

This is a perfect example of why Bugzilla needs... (1)

cowwoc2001 (976892) | about 6 months ago | (#45209409)

an anti-vote button. I am willing to bet the vast majority of users would disagree with this move.

Firefox's handling of Bugzilla has been terrible for years. It is the primary reason I switched from Firefox to Chrome. I was tired of the one-way communication, especially coming from a so-called open-source project.

Is it time to fork Firefox yet? (0, Flamebait)

Max Threshold (540114) | about 6 months ago | (#45209417)

I've had about enough of Mozilla's arrogance and stupidity.

Re:Is it time to fork Firefox yet? (1)

Anonymous Coward | about 6 months ago | (#45209543)

I've had about enough of Mozilla's arrogance and stupidity.

There are forks. Try Palemoon.

Re:Is it time to fork Firefox yet? (1)

Microlith (54737) | about 6 months ago | (#45209553)

Yeah! How dare they act in defense of users against a technology notable for its repeated exploits! They should learn humility and how to act intelligently, like Oracle!

Re:Is it time to fork Firefox yet? (4, Insightful)

Anonymous Brave Guy (457657) | about 6 months ago | (#45209781)

The number of support e-mails in my inbox this week from those users suggests that they aren't too happy about being "defended" in this way.

My ebanking (0)

Anonymous Coward | about 6 months ago | (#45209427)

Ohh so that's why my ebanking stopped working on firefox. Thanks guys!

Doesn't affect me in the slightest. (0, Interesting)

Anonymous Coward | about 6 months ago | (#45209471)

If you're one of the select few that still uses applications coded in that piece of trash, well, complain to your vendor or find a new piece of software. I haven't used a java application in years. Like 10 years.

Re:Doesn't affect me in the slightest. (0)

Anonymous Coward | about 6 months ago | (#45209557)

That's probably true. Most of the porn sites that you visit use probably use Flash not Java.

There are still a substantial number of business sites that use Java. Remember the old slogan? Write once, run anywhere? Java was the supposed answer to browser wars, OS wars, DLL hell, etc. With Java you could create your own UI and be reasonably sure all users would have the same experience no matter what platform and OS they ran Java on.

.

This made me use Internet Explorer (2)

amigabill (146897) | about 6 months ago | (#45209477)

My laptop went bad about a week or so ago, and I wiped it and have been reinstalling. One item is a VPN connection client that allows me into my University network from home, so I can access software licenses and work on my labs. This is for an MS degree in Electrical/Computer Engineering. Firefox forbade that from installing on my recovering laptop (Win 7 Ultimate 64) and so I was forced to use MSIE just to get my link installed and configured. Sorry Mozilla, but you did prevent me from doing something tremendously important to me, and there was not a thing to click on to activate Java in this case.

And Java still isn't secure. (1, Insightful)

Animats (122034) | about 6 months ago | (#45209501)

The whole point of all that byte-code stuff and just-in-time compilation was to keep Java programs in a sandbox where they couldn't affect the rest of the system.

FAIL.

Re:And Java still isn't secure. (1)

viperidaenz (2515578) | about 6 months ago | (#45209581)

Wrong. You fail.

The byte code thing is the "write once, run anywhere"

The sand-boxing was tacked on the side.

Re:And Java still isn't secure. (0)

Anonymous Coward | about 6 months ago | (#45209653)

The point of "all that byte-code stuff and just-in-time compilation" was to make the language cross-platform and it did that well. In Java you never recompile your code for different hardware. It had nothing to do with security.

In terms of applets, that works fine too. The only problem was Sun forgot to build a frame for the sandbox (which is written in C++).

Why are you posting when you don't know what you're talking about? Why is /. modding you up?

Re:And Java still isn't secure. (0)

Anonymous Coward | about 6 months ago | (#45209803)

You raise a very good point, actually.

Implementing the sandbox model of Chrome in Firefox should be trivial, makes us wonder why it hasn't been done already.

Considering Java was pretty much built for that from the ground up. You can easily set a new process or thread with limited security tokens, then this process/thread only output would be the rendered screen, just like Chrome does.

Nice SNAFU by Mozilla (4, Informative)

SpaceLifeForm (228190) | about 6 months ago | (#45209505)

Here's the problem: Non-technical users are going to scream about the steps needed to allow the Java Applet to run.

How to enable Java if its been blocked [mozilla.org]

In order to protect you, Firefox has stopped outdated versions of the Java plugin from running automatically because of security issues.

So, now, the lastest version of Java (7.45) is considered outdated.

Absolutely brain-dead decision.

Re:Nice SNAFU by Mozilla (1)

Anonymous Coward | about 6 months ago | (#45209675)

Exactly. Didn't they learn anything from how hard the iPhone tanked because users couldn't view flash content? Apple nearly went bankrupt just because of that.

Re:Nice SNAFU by Mozilla (1)

Splab (574204) | about 6 months ago | (#45209735)

One does wonder, are they going to pop up a warning when opening firefox? Since it most likely also contains various security issues users should be warned when opening every web page (by their logic at least...)

What's the big deal? (5, Insightful)

Anonymous Coward | about 6 months ago | (#45209519)

Oracle Java has ALSO decided, due to the persistent security problems due at least in part to having concurrent (i.e., old) versions installed (and the fact that the largest exploit kits have used Java as one of their main vectors for some time now, alongside Adobe Reader of course) to disable Java plugins in the browser by default in recent updates.

So, what's the big deal? This is the correct decision from a security perspective. I can't remember the last time I saw someone on the World Wide Web actually USE a Java applet for good, rather than for evil. And I'd have noticed, because even after all these years, it still runs like an absolute dog. It's the kind of thing you might use on a local application (such as Minecraft, which is what I think probably most people who still have it installed use it for now, albeit they'd likely have the 64-bit version which wouldn't have a working browser plugin in a 32-bit browser anyway!) or an intranet site (which is your administrator's problem, to re-enable it for that site only, or to use a different browser for the web and the intranet, which you can totally do and is good practice).

I've got many other criticisms about Firefox recently from a security and performance perspective - let's face it, it's just not the zippy, efficient browser it used to be, even relatively-speaking, it's lost its mojo and the security team have a reputation for having a slow, and fairly arsey, response - but this seems to be the right decision and they should be lauded for it. IE has also done it, as has Chrome.

Re:What's the big deal? (0)

Anonymous Coward | about 6 months ago | (#45209559)

Some of the VPN clients I work with, along with WebEx, etc. insist in a working Java to work with Firefox. So I unfortunately end up using IE to work in these, as they install ActiveX controls instead. :( That, and I'm using Waterfox (64-bit Firefox).

I don't understant the hate (0)

Anonymous Coward | about 6 months ago | (#45209537)

I don't get it why people hate Java applets so much they want them to go altogether. It's true that they have been overused (in the 90s?) and HTML5 usually yields nicer results on a web site. But Java applets fill an empty niche: they are the only portable solution to actually do something on a client computer aside from doing UI, like accessing the file system and launching external applications.

For example, I have a Java applet which downloads, decompresses and processes data from a bug tracking system. How should I implement this in HTML5? Or in Flash, which is hardly better than Java? Or would Active-X have been better? Really?

Now being a Chrome user, I already know the behavior now implemented in Firefox and I hate it. I don't see any rationale in generally distrusting Java and generally trusting Flash, for example. By the way, Java asks for permissions to run an applet itself after it's launched, no need for the browser to do it, too! And unlike Chrome, Java will allow you to trust a signed applet forever, so that you don't have to pass through the procedure every single time the applet is launched.

Re:I don't understant the hate (4, Informative)

knorthern knight (513660) | about 6 months ago | (#45209665)

> I don't get it why people hate Java applets so much they want them to go altogether.

Because Java applets are a honking big security hole, and currently the most-often-used attack-vector to take over unsuspecting users' machines. See http://www.cvedetails.com/vulnerability-list.php?vendor_id=5&product_id=1526&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=6.99&year=0&month=0&cweid=0&order=1&trc=35&sha=d158a5520a2bc52f7443268daaab5851ced00564 [cvedetails.com] for a list of recent problems.

Re:I don't understant the hate (1)

putaro (235078) | about 6 months ago | (#45209729)

Well, Windows was the biggest security hole for the longest time but you didn't see FF refusing to run on it.

Backlash not news (1)

Anonymous Coward | about 6 months ago | (#45209589)

Virtually any bug in Firefox's Bugzilla that isn't purely technical ("frob the whizzlork") has some amount of complaining after it's been fixed, and maybe before it's been fixed, and while it's being fixed. This is pretty light in the grand scheme of things; you should see the pages and pages of griping about the status bar.

Whitelisting by site is exactly the correct behavior for an untrustworthy plugin. Give it a week or two for everyone to get used to this radical change in technology (push a button?!) and we'll all forget about it.

Oracle is now involved (3, Informative)

SpaceLifeForm (228190) | about 6 months ago | (#45209613)

They hopefully will convince Mozilla to back this out, and figure out a better UI for the user to deal with. A small red clickable icon that leads to more clicking is not going to fly with non-tech users.

From Link [mozilla.org]:

Donald Smith 2013-10-22 22:03:01 PDT

Disclaimer: I'm in the Java SE Product Management team at Oracle.

Just to add to my colleague in Engineering Joe McGlynn's comment #61 -- we're happy to help here however we can. We do frequently speak with mcoates, but are happy to plug into any other channels the mozilla team think would be worthy (as we seemed to somehow miss this one until it was too late I think we need more contact/channels). For example, I think we can help address questions related to the Java 6 (and Java 5, for that matter) updates as they are still supported and do receive updates along with the latest public baseline(s).

As comment #50 notes, bugzilla is not forum software - so I'll leave it at that and send @bsmedberg a quick note and continue to try to catch up wit @coates.

First I've heard that Java 5 and 6 are not considered dead yet.

Re:Oracle is now involved (1)

Cl1mh4224rd (265427) | about 6 months ago | (#45209821)

They hopefully will convince Mozilla to back this out, and
figure out a better UI for the user to deal with. A small red clickable icon
that leads to more clicking is not going to fly with non-tech users.

From Link [mozilla.org]:

Donald Smith 2013-10-22 22:03:01 PDT

Disclaimer: I'm in the Java SE Product Management team at Oracle.

Just to add to my colleague in Engineering Joe McGlynn's comment #61 -- we're happy to help here however we can. We do frequently speak with mcoates, but are happy to plug into any other channels the mozilla team think would be worthy (as we seemed to somehow miss this one until it was too late I think we need more contact/channels). For example, I think we can help address questions related to the Java 6 (and Java 5, for that matter) updates as they are still supported and do receive updates along with the latest public baseline(s).

As comment #50 notes, bugzilla is not forum software - so I'll leave it at that and send @bsmedberg a quick note and continue to try to catch up wit @coates.

First I've heard that Java 5 and 6 are not considered dead yet.

Yeah, I don't know what he thinks he's talking about. According to Oracle's own website [oracle.com], public updates to Java 5 ended in October 2009, and Java 6 in February 2013.

Enterprises can apparently pay to continue receiving critical bug fixes, but that hardly seems relevant to the discussion.

My Mother (75) got it. So why not other user ? (1, Interesting)

aepervius (535155) | about 6 months ago | (#45209667)

My mother learned in 10 minutes how to enable java script with noscript/flash. She is not technical savvy , but I explained it to her at her level. She got it. I expect a good slice of those using FF now "not getting it" are those not wanting to learn.

Comment 70 says it all (2)

SpaceLifeForm (228190) | about 6 months ago | (#45209669)

From link [mozilla.org]

"Quote" - The plug-in screen shows options for always activate, ask to activate and never activate.

It may in the English version but in FF24 Spanish all I get is ask to activate and never activate.

Chrome (in Spanish) blocks too but at least gives me the always activate option.

Due to the EXTREME IMPACT this has on the Public Sector here - and that we're somewhat forced to use M-Soft for other applications - We had to return to Explorer yesterday. Sorry - But moves like this could well kill off the use of Firefox. Java applets are continuously used in the piping of Digital signatures to secure ministerial sites. This includes PRIVATE citizens. IMO Java has to be "trusted" even if we don't. Otherwise the use of Firefox WILL DIMINISH. 90% of users have NO BLOODY IDEA.

I am a firm fan of Firefox at home - but at work it's causing me more hassle than it's worth.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...