To Stop BEAST, Mozilla Developer Proposes Blocking Java Framework

rastos1 writes with this news from The Register: "In a demonstration last Friday, it took less than two minutes for researchers Thai Duong and Juliano Rizzo to wield the exploit to recover an encrypted authentication cookie used to access a PayPal user account. ... The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser. ... 'I recommend that we blocklist all versions of the Java Plugin,' Firefox developer Brian Smith wrote on Tuesday in a discussion on Mozilla's online bug forum. 'My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.'"

Stop trying to make the browser more than it is.

[Anonymous Coward]

Web browsers are good for viewing static documents, especially ones that link to other static documents.

Time and time and time again, however, they have been shown to be horrible at hosting more complex applications and interactive functionality.

It doesn't matter which embeddable application technology we consider, they are all rife with security flaws. Java applets, ActiveX controls, JavaScript, Flash, and browser plugins (like PDF viewers) have all suffered from numerous security problems.

If you need to provide your users with application-like behavior, then just write a native application!

Browsers are not operating systems. They are not good at hosting applications in a secure manner. Even after two decades of trying, they still aren't suitable environments for hosting applications. It's looking like they never will be, either.

Re:Java still there

[LWATCDR]

Why?
Java is a much nicer development system than say Flash.
Frankly Java applets got a bad rap because of Java abuse. I blame Microsoft for that. You see FrontPage had animated buttons as an option and they where freaking java applets.
No one should have to wait for java just for buttons.
It is a shame that applets have gotten such a bad rep. It is an even bigger shame that Apple and Google are not supporting Java on IOS, Android, and Chrome.

Re:Java still there

[Pieroxy]

Back in the days, I was impressed by HotJava. This was a full blown web browser developed in Java. No Javascript. It worked well and, as expected, ran Java Applets natively.

I still don't know why they dropped the development...

Re:Java still there

[Creepy]

Java plugin based internet apps for enterprise are very common, especially in the CAD/CAM/CAE space because they can run on multiple platforms and some of those spaces are heavily entrenched in UNIX (with a trend toward Linux UNIX-like), and many of those depend on Firefox for cross platform support.

Bug report says the problem is Java

[chrb]

According to the Mozilla bug report, this problem actually is Java - specifically, the Java implementation of TLS. NSS, the TLS library used by Firefox and Chrome, has already been patched by Google engineers. The question is whether Firefox should block Java applets to protect users, or continue allowing Java applets, in which case Firefox users can still be exploited until Oracle comes out with a fix for Java.