redwolfe_98
Premium Member
join:2001-06-11

3 recommendations

Never Trust Java

the latest version of "java" fails "security 101" test:

»nakedsecurity.sophos.com ··· ve-ways/

HA Nut
Premium Member
join:2004-05-13
USA

I had read this somewhere else a while back. For sure, Java appears to be a complete mess.

We MUST use it at work because all of our key software is Java based. Thankfully, it's an offline environment.

Due to all this hassle, I have it turned off for browsing for most users. When use on the web is still required for a handful of users, it's turned on only for a specific browser (Chrome). Since Chrome is sandboxed, it seems the best option to run it in.
dave
Premium Member
join:2000-05-04
not in ohio

1 edit

1 recommendation

dave to redwolfe_98
Oracle Java, easily the most attacked and successfully exploited browser plugin,

Note the words browser plugin. That is why it is insecure; not because it is 'Java'.

A browser plugin of that nature allows your browser to download programs from web sites and then run them, and usually with a minimum of human interference. That's why it's insecure: you're running programs you don't even know about. Not because of the choice of programming language.

I grant you that Java VMs pretend that they can offer a secure sandbox. Sure they can, just like ActiveX can.
dave to redwolfe_98

1 recommendation

One of the guy's complaints is

ISSUE: Oracle admits the Java 'sandbox' is a failure and unsafe:

That doesn't seem like a problem to me. The problem, to my mind, was pretending it was safe.

Though he does go on to say that, apparently, signed applets don't run in the sandbox. That seems like a mistake. All applets should be signed and all of them should run in the sandbox. If you want an unfettered program, you should deliberately download it and run it, like a program written in any other programming language.

goalieskates
Premium Member
join:2004-09-12
land of big

2 recommendations

goalieskates to redwolfe_98
said by redwolfe_98:

Never Trust Java

A rule like that could apply to anything, not just Java. Windows, MacOS, Chrome, Office, Facebook, Flash ... and that's just some software, never mind other things entirely like cell phones and hammers.

Anything with the power to do good by definition has the power to do harm, especially when used by people who don't bother to learn proper use. Beating on one doesn't absolve the others.

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

antdude to redwolfe_98
I wonder why Sun/Oracle never redid its Java plug-in from scratch to fix all these issues.
dave
Premium Member
join:2000-05-04
not in ohio

1 recommendation

Because rewriting large software entities with known problems can result in you having large software entities with unknown problems.

(and Oracle doesn't really care about Java anyway)

dib22
join:2002-01-27
Kansas City, MO

1 recommendation

dib22 to antdude

Member
said by antdude:

I wonder why Sun/Oracle never redid its Java plug-in from scratch to fix all these issues.
They should... but that would cost money.

The real problem with java is still all the little devices that run it that will *never* get patched.

Java everywhere is gonna end up being a curse instead of a trademark.
Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to redwolfe_98
I had to use Opera 12.15 to read that. My other browsers open a blank page for the Sophos blog.

The first reply is correct. Oracle needs to allow us to WHITELIST and Whitelist should NOT be held to only signed applets. Saying disable Java and then enable when necessary and then disable again is NOT as safe as allowing Whitelisting I think. I keep Java disabled and then enable when I want to do a speed test (gross ignorance in those replies as ONLY JAVA speed tests are accurate, useful and provide a ton more information about your connection compared to all the junk Flash tests out there). Once I have done my speed test, I might want to do another one in a few minutes if that one shows problems so I don't disable Java immediately. I then may forget to disable Java whenever I am finally through with the speed tests.

It would be far better, IMO, if we were allowed to whitelist, as I would whitelist the handful of public NDT (Web 100) speed tests and the best speed test of all, Visualware's MySpeed, and that would be it for Java on my computers. For me, being able to whitelist these few sites would be safer than having to remember to disable Java after I finish the speed tests. Yes, I would be alerted to any attempt to run Java for something else while enabled and I could deny it. However, what if a security bug made it possible for Java to run without notifying me first and asking permission? Seems to me that it would be safer to whitelist. Not too likely that the universities and scientific institutions that host NDT (Web 100) tests would be hacked and taken over, and same for Visualware's servers.

Plus, what if I want to do speed tests daily for two weeks? What if I want to run MySpeed (not the public test sites from my browser) application for several weeks doing a speed test every twenty minutes? I have to have Java enabled all that time. So, I really like the suggestion that Oracle allow us to whitelist.
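Java 7u40 and later do support the kind of site-based whitelist this post asks for, through Oracle's Deployment Rule Set mechanism; the rule set below is an added example (not part of the original post) that allows applets only from two placeholder speed-test hosts and blocks everything else. It assumes the file is named DeploymentRuleSet.xml, packaged into a signed DeploymentRuleSet.jar and installed in the system-wide deployment directory, which the post does not describe.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: DeploymentRuleSet.xml whitelisting two placeholder hosts.
     Rules are evaluated top to bottom; the first matching rule wins. -->
<ruleset version="1.0+">
  <!-- Allow applets from the placeholder NDT test host (hostname is a placeholder). -->
  <rule>
    <id location="https://ndt.example.edu" />
    <action permission="run" />
  </rule>
  <!-- Allow the placeholder MySpeed host, but only on a JRE that is not
       below the current security baseline (version="SECURE"). -->
  <rule>
    <id location="https://myspeed.example.net" />
    <action permission="run" version="SECURE" />
  </rule>
  <!-- Catch-all: an <id> with no attributes matches every other location.
       Keep it last, otherwise it shadows the allow rules above it. -->
  <rule>
    <id />
    <action permission="block">
      <message>Java applets are only permitted from the whitelisted speed-test sites.</message>
    </action>
  </rule>
</ruleset>
```

Matching is on the URL prefix of the location attribute, so listing an https host rather than a bare domain keeps a plain-http page on the same name from inheriting the allow rule.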

justin
..needs sleep
Mod
join:1999-05-28
2031

justin to redwolfe_98
What a mistake it was to take a shortcut to popularity and name ECMAScript "JavaScript": all the browser implementation security issues Java has (not Java alone, Flash and of course ActiveX as well) are a drag on ECMAScript.
HELLFIRE
MVM
join:2009-11-25

1 recommendation

HELLFIRE to redwolfe_98
...there are not enough facepalms on this plane of existence to express the fsckup THIS one's been...

Regards
dave
Premium Member
join:2000-05-04
not in ohio

dave to justin
Not to mention the utter confusion caused by naming a programming language after an entirely different unrelated programming language.
dave to antdude
said by antdude:

I wonder why Sun/Oracle never redid its Java plug-in from scratch to fix all these issues.

I should point out that both the Java language and the Java Virtual Machine are well-documented, and therefore anyone can implement their own Java system. Oracle doesn't have to do it.

Though given the sue-happiness of Oracle, maybe no-one wants the headache.