redwolfe_98
Premium
join:2001-06-11
kudos:1

3 recommendations

Never Trust Java

the latest version of "java" fails "security 101" test:

»nakedsecurity.sophos.com/2013/09···ve-ways/



HA Nut
Premium
join:2004-05-13
USA

I had read this somewhere else a while back. For sure, Java appears to be a complete mess.

We MUST use it at work because all of our key software is Java based. Thankfully, it's an offline environment.

Due to all this hassle, I have it turned off for browsing for most users. When use on the web is still required for a handful of users, it's turned on only for a specific browser (Chrome). Since Chrome is sandboxed, it seems the best option to run it in.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 edit

1 recommendation

reply to redwolfe_98

Oracle Java, easily the most attacked and successfully exploited browser plugin,

Note the words browser plugin. That is why it is insecure; not because it is 'Java'.

A browser plugin of that nature allows your browser to download programs from web sites and then run them, and usually with a minimum of human interference. That's why it's insecure: you're running programs you don't even know about. Not because of the choice of programming language.

I grant you that Java VMs pretend that they can offer a secure sandbox. Sure they can, just like ActiveX can.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

reply to redwolfe_98

One of the guy's complaints is

ISSUE: Oracle admits the Java 'sandbox' is a failure and unsafe:

That doesn't seem like a problem to me. The problem, to my mind, was pretending it was safe.

Though he does go on to say that, apparently, signed applets don't run in the sandbox. That seems like a mistake. All applets should be signed and all of them should run in the sandbox. If you want an unfettered program, you should deliberately download it and run it, like a program written in any other programming language.


goalieskates
Premium
join:2004-09-12
land of big

2 recommendations

reply to redwolfe_98

said by redwolfe_98:

Never Trust Java

A rule like that could apply to anything, not just Java. Windows, MacOS, Chrome, Office, Facebook, Flash ... and that's just some software, never mind other things entirely like cell phones and hammers.

Anything with the power to do good by definition has the power to do harm, especially when used by people who don't bother to learn proper use. Beating on one doesn't absolve the others.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
reply to redwolfe_98

I wonder why Sun/Oracle never redid its Java plug-in from scratch to fix all these issues.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

Because rewriting large software entities with known problems can result in you having large software entities with unknown problems.

(and Oracle doesn't really care about Java anyway)



dib22

join:2002-01-27
Kansas City, MO

1 recommendation

reply to antdude

said by antdude:

I wonder why Sun/Oracle never redid its Java plug-in from scratch to fix all these issues.

They should... but that would cost money.

The real problem with java is still all the little devices that run it that will *never* get patched.

Java everywhere is gonna end up being a curse instead of a trademark.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to redwolfe_98

I had to use Opera 12.15 to read that. My other browsers open a blank page to sophos blog.

The first reply is correct. Oracle needs to allow us to WHITELIST and Whitelist should NOT be held to only signed applets. Saying disable Java and then enable when necessary and then disable again is NOT as safe as allowing Whitelisting I think. I keep Java disabled and then enable when I want to do a speed test (gross ignorance in those replies as ONLY JAVA speed tests are accurate, useful and provide a ton more information about your connection compared to all the junk Flash tests out there). Once I have done my speed test, I might want to do another one in a few minutes if that one shows problems so I don't disable Java immediately. I then may forget to disable Java whenever I am finally through with the speed tests.

It would be far better, IMO, if we were allowed to whitelist as I would whitelist the handful of public NDT (Web 100) speed tests and the best speed test of all, Visualware's MySpeed, and that would be it for Java on my computers. For me, being able to white list these few sites would be safer than having to remember to disable Java after I finish the speed tests. Yes, I would be alerted to any attempt to run Java for something else while enabled and I could deny it. However, what if a security bug made it able for Java to run without notifying me first and asking permission? Seems to me that it would be safer to whitelist. Not too likely that the universities and scientific institutions that host NDT (Web 100) tests would be hacked and taken over and same for Visualware's servers.

Plus, what if I want to do speed tests daily for two weeks? What if I want to run MySpeed (not the public test sites from my browser) application for several weeks doing a speed test every twenty minutes? I have to have Java enabled all that time. So, I really like the suggestion that Oracle allow us to whitelist.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



justin
..needs sleep
Australian
join:1999-05-28
kudos:15
reply to redwolfe_98

What a mistake it was to take a shortcut to popularity and name ECMAScript "JavaScript": all the browser implementation security issues Java has (not Java alone, Flash and of course ActiveX as well) are a drag on ECMAScript.


HELLFIRE
Premium
join:2009-11-25
kudos:18

1 recommendation

reply to redwolfe_98

...there are not enough facepalms on this plane of existence to express the fsckup THIS one's been...

Regards


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to justin

Not to mention the utter confusion caused by naming a programming language after an entirely different unrelated programming language.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to antdude

said by antdude:

I wonder why Sun/Oracle never redid its Java plug-in from scratch to fix all these issues.

I should point out that both the Java language and the Java Virtual Machine are well-documented, and therefore anyone can implement their own Java system. Oracle doesn't have to do it.

Though given the sue-happiness of Oracle, maybe no-one wants the headache.