Will New Red-Text Warnings Kill Casual Use of Java?
New submitter ddyer writes "Java 1.7.0_40 [Note: released earlier this month] introduces a new 'red text' warning when running unsigned Java applets. 'Running unsigned applications like this will be blocked in a future release...' Or, for self-signed applets, 'Running applications by UNKNOWN publishers will be blocked in a future release...' I think I see the point — this will give the powers that be the capability to shut off any malware java applet that is discovered by revoking its certificate. The unfortunate cost of this is that any casual use of Java is going to be killed. It currently costs a minimum of $100/year and a lot of hoop-jumping to maintain a trusted certificate."
red spots (Score:3, Funny)
red spot warnings have not killed off casual sex.
So-- probably not?
Probably not, but if it does, good (Score:2, Insightful)
While I would hope for the day that Java dies the pathetic death it is due, I doubt that will happen. Much more likely is that "unauthorized" Java VMs will start to crop up that let the user whitelist applets rather than relying on Oracle's certificate system.
Re: (Score:3)
Or people will just move to the OSS version.
Re: (Score:3)
I doubt Java as a programming language is going to die any time soon since Android, which has been the fastest-growing platform for a while now, is pretty much a JRE running on top of a Linux-based kernel.
Oracle's own walled-garden Java on the other hand might not fare so well.
Re: (Score:3)
Technically a Linux based OS should be called GNU/Linux implying that it is a GNU OS running on top of a Linux kernel.
That's historically not accurate. Here's a cut/paste of a comment of mine from another forum on the matter of naming the system that is commonly called Linux:
Historically, naming rights for an OS go to whoever actually puts together and distributes the complete system. For instance, if a workstation company licensed Unix from AT&T and ported it to their workstation, they got to name that OS whatever they wanted. A couple examples of this were Uniplus+, which was UniSoft's Unix, and 386/ix, which was Int
Re: (Score:2)
Doesn't OpenJDK already do this? I haven't done Java in years so I'm a bit behind the times.
We can only hope... (Score:4, Insightful)
But don't get your hopes too high.
Apparently, applets only (Score:5, Informative)
Re:Apparently, applets only (Score:5, Informative)
Exactly.
OP doesn't seem to know anything about Java.
This will not affect standalone Java programs, only applets.
It could be argued that they should have done this a long time ago.
Mark
Re:Apparently, applets only (Score:5, Informative)
It could also be argued that java has no place in browsers given the modern flexibility of javascript. The UI features are worse, the performance differences are negligible, legit code is sandboxed either way. All you're left with as an advantage for true java is threading.
Re: (Score:3)
Performance differences negligible?
The most advanced thing I've run in javascript was Wolf3D. I remember javascript doom was not playable (it's not available anymore, because of unauthorized use of the game assets). Java has smooth Minecraft and whatever stuff, for example Text Express from Zylom which is a little game that runs very smooth; you can barely run a Tetris in javascript and it will look like a Windows 3.1 freeware, use a shit ton of CPU, make the whole web browser slow.
Re:Apparently, applets only (Score:5, Informative)
The most advanced you've played has no bearing on the most advanced you can play. WebGL is fine.
Re: (Score:2, Insightful)
>the performance differences are negligible ... I was told no.
In javascript you can run multi-threaded computation, you have access to native network buffers (for no copy transfers of large amount of data),
>given the modern flexibility of javascript ...
So, you are saying: if there is a Java library to do it, there is _always_ a javascript library to do it. Access to any file format, implementation of any network communication protocol,
I am _really_ skeptical. Javascript may be great for accessing web
Re: (Score:2)
Spoken like someone with very little knowledge of one or the other. Yeah, you'll get modded up on Slashdot, but any "java is slow" post is.
Re: (Score:2)
However applets could be what it means for "casual use of Java".
Re:Apparently, applets only (Score:5, Interesting)
It could be argued that they should have done this a long time ago.
But it wouldn't be argued by anyone who actually knew what they were talking about.
For one thing, signing a Java applet proves exactly nothing about how trustworthy it is. You can easily get a signing certificate by spending a small amount of money and waiting a small amount of time. The whole concept of granting increased permissions to untrusted software just because it's been signed is absurd.
Secondly, blocking unsigned applets will break numerous existing web-enabled devices, which has been one of the significant remaining use cases for applets in recent years. These are effectively running embedded web servers and serving up the applets from there, so you can't just go in and upgrade them later when your certificate expires (and the longest cert periods you can get from major CAs are only about 2-3 years, a fraction of the normal lifetime of some of these devices).
The craziest thing is that the kinds of device I'm thinking of are typically used by the IT guys in large organisations. Some of them are going to go through months of approval process before they get installed, and when they do it will be in server rooms or data centres, accessed electronically via a separate management network with no connection to the outside world, and accessed physically via biometric security that would make James Bond cry. But in order to keep those applets safe, now they need to be signed too, just in case? Seriously?
Not everyone using applets accesses them from a public web site. They can't necessarily upgrade or replace them on a whim. The kinds of environments still using them are more likely to be exactly the kind of long-running projects where whipping up a quick replacement in JavaScript isn't a sensible option and where backward compatibility really matters.
Also, to anyone who thinks alternative technologies like JavaScript and HTML5 canvas/SVG offer the same flexibility and speed as Java applets, I know a prince in Nigeria who'd like to sell you a classic car from his collection for a great price.
Re:Apparently, applets only (Score:5, Informative)
This would not affect Eclipse, no, but it does affect locally produced applications that are distributed from an intranet web server with Java Web Start / Java Network Launch Protocol.
Previously, we could just self-sign our app and users could choose to accept the app once and for all and not be bothered so long as the signing cert didn't change. Now, all of our users running Java 1.7.0_40 are given the threatening dialog each and every time they run our internal app, and they can't get rid of it.
We're going to pony up for a code signing cert from a (Java-recognized) certificate authority to make the dialog go away. It's a hassle, but probably still the right thing for Oracle to do at this point.
Re: (Score:2, Interesting)
Can't you make your own CA cert, shove that into the JRE/JVM keystore, and chug along "for free"? Or did you decide that it was worth $100/year to not deal with having to automate running keytool on all your desktops?
Re: (Score:2, Informative)
But if the cert is signed by a cert in the jvm's cacerts file it will be signed by a certificate authority. That's what that file, and only that file, does; it defines what certificates the jvm recognizes as belonging to a certificate authority.
Re: (Score:2)
Yes, you could do that, but then you'd have to distribute the updated cacerts to all desktops that need to run your app, and keep it updated whenever a new JVM comes out.
Oracle did implement a runtime configuration file that could be used to whitelist certain hosts, but the distribution problem remains.
Re: (Score:2)
A certificate signed by an internal CA is not the same thing as a self-signed certificate.
Re: (Score:2)
Also of note that it appears that the applet will accept any certificate that the browser recognizes from any trusted authority. So there are a variety of SSL certificate options at various yearly prices. Right now I see one offering certificates for $60 per year.
So, yes it will increase the cost of publishing a java applet on a website, but no this doesn't create a central authority out of Oracle for revoking certificates like the OP says. It just ensures that people can verify the identity of web sites
Re: (Score:2)
I doubt many businesses (well run ones anyway) are using self-signed certs. Most likely they are using certs signed by themselves as a CA, which is not the same thing. If they are signing as their own CA then all they need to do is add their signing info to the truststore.
I would think businesses would welcome this change. They can ensure that their own apps run while making sure some app on a webpage somewhere does not run.
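The distinction the last few comments draw (self-signed cert vs. a cert issued by your own internal CA that you push into the JRE trust store) is easy to get wrong in practice, so here is an added example that walks through it end to end. This is not code from the thread or from Oracle: it creates a hypothetical internal CA with keytool, issues a code-signing certificate chained to it, signs a throwaway JAR, and then shows with `jarsigner -verify -strict` that the JAR is untrusted against a copy of the JRE's cacerts until the CA is imported into it. It also builds and signs a Deployment Rule Set JAR (the 7u40 whitelist file mentioned above); the origin `https://intranet.example.com`, the organisation name and the password `changeit` are all placeholders. It needs a JDK on the PATH and exits quietly if none is found.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the setup the comments above
# describe: an internal CA, a code-signing certificate chained to it, a signed
# JAR, and the CA imported into a copy of the JRE's cacerts. All names, hosts
# and the password are hypothetical. Needs a JDK (keytool, jarsigner, jar, java).
set -eu

for t in keytool jarsigner jar java; do
  command -v "$t" >/dev/null 2>&1 || { echo "$t not on PATH; skipping" >&2; exit 0; }
done

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PW=changeit   # demo password only; keep real keystore passwords out of scripts

# 1. Internal CA: self-signed, but flagged as a CA and used only to sign others.
keytool -genkeypair -keystore ca.jks -storepass "$PW" -keypass "$PW" \
  -alias internal-ca -keyalg RSA -keysize 2048 -validity 3650 \
  -dname "CN=Example Internal Code Signing CA, O=Example Corp" \
  -ext bc:c -ext ku:c=keyCertSign,cRLSign
keytool -exportcert -keystore ca.jks -storepass "$PW" -alias internal-ca -rfc -file ca.pem

# 2. The application's key, with a certificate issued by the CA (EKU codeSigning).
keytool -genkeypair -keystore app.jks -storepass "$PW" -keypass "$PW" \
  -alias app -keyalg RSA -keysize 2048 -validity 730 \
  -dname "CN=Intranet Launcher, O=Example Corp"
keytool -certreq -keystore app.jks -storepass "$PW" -alias app -file app.csr
keytool -gencert -keystore ca.jks -storepass "$PW" -alias internal-ca \
  -infile app.csr -outfile app.cer -validity 730 \
  -ext ku:c=digitalSignature -ext eku=codeSigning -rfc
# Import the CA first so keytool can build the chain when the reply is imported.
keytool -importcert -keystore app.jks -storepass "$PW" -alias internal-ca -file ca.pem -noprompt
keytool -importcert -keystore app.jks -storepass "$PW" -keypass "$PW" -alias app -file app.cer -noprompt

# 3. A throwaway JAR (contents are irrelevant to the signature check), then sign it.
printf 'Main-Class: Hello\n' > MANIFEST.MF
printf 'hello\n' > payload.txt
jar cfm launcher.jar MANIFEST.MF payload.txt
jarsigner -keystore app.jks -storepass "$PW" -keypass "$PW" launcher.jar app

# 4. Deployment Rule Set (7u40) allowing one intranet origin. The JRE only honours
#    DeploymentRuleSet.jar if it is signed by a certificate it trusts.
cat > ruleset.xml <<'EOF'
<ruleset version="1.0+">
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="default" />
  </rule>
</ruleset>
EOF
jar cf DeploymentRuleSet.jar ruleset.xml
jarsigner -keystore app.jks -storepass "$PW" -keypass "$PW" DeploymentRuleSet.jar app

# 5. Trust store: work on a copy of the JRE's cacerts (JDK 9+ and JDK 8 layouts);
#    the live file should be distributed by config management, not edited here.
JAVA_HOME_DIR=$(java -XshowSettings:properties -version 2>&1 | sed -n 's/^ *java\.home = //p')
for c in "$JAVA_HOME_DIR/lib/security/cacerts" "$JAVA_HOME_DIR/jre/lib/security/cacerts"; do
  if [ -f "$c" ]; then cp "$c" trust.jks; break; fi
done
[ -f trust.jks ] || keytool -genkeypair -keystore trust.jks -storepass "$PW" -keypass "$PW" \
  -alias placeholder -keyalg RSA -keysize 2048 -dname "CN=placeholder"

# jarsigner -verify -strict exits non-zero when the signer chain does not reach
# a certificate in the given keystore, which is exactly the self-signed case.
jar_trust_status() {   # $1 truststore, $2 jar -> prints "trusted" or "untrusted"
  if jarsigner -verify -strict -keystore "$1" -storepass "$PW" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

BEFORE=$(jar_trust_status trust.jks launcher.jar)     # CA not yet in the trust store
keytool -importcert -keystore trust.jks -storepass "$PW" -alias example-internal-ca \
  -file ca.pem -noprompt
AFTER=$(jar_trust_status trust.jks launcher.jar)      # chain now validates
echo "launcher.jar before CA import: $BEFORE; after: $AFTER"
```

The point of the before/after check is the one made in the thread: to the JRE, "self-signed" means the chain ends at a certificate it does not have, so the same JAR flips from untrusted to trusted purely by what is in cacerts. Rolling the CA certificate out to every desktop's cacerts (and re-doing it after each JRE upgrade that ships a fresh cacerts) is the distribution problem the other replies mention; the rule set JAR has the same dependency, since its own signature must chain to something already trusted.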
Probably Not (Score:3)
The typical user will just click "Run" no matter what it says anyways, that's why Google's malware blocking doesn't even give the option to proceed to the website on its warning page.
Re: (Score:2)
"Casual" use of Java is fairly rare - if there's an applet on a website, I'm probably going there to find it and won't be worried about it being unsigned. Most sites use Flash or Javascript rather than fire up the JVM.
The typical user will just click "Run" no matter what it says anyways, that's why Google's malware blocking doesn't even give the option to proceed to the website on its warning page.
That's exactly what this is, but worse. They're saying that in some future release there will be no 'just run it anyway' button. Google's malware page *does* give an option to continue, it just takes a couple extra clicks to get there. This will have no such option. Also, appealing Google's block is quick, easy, and free. There's no appeal here, just extortion.
Essentially what Oracle is doing here is saying to all the applet developers: "It'd be a real shame if something were to happen to that app of yours.
Re: (Score:2)
Google's malware page *does* give an option to continue
Last I saw, the only way was to copy the URL and paste it in the address bar, but it may have changed.
Re: (Score:2)
Last time I encountered it (earlier this week) there was a 'take me back' button, and beside that was a small 'advanced options' link. Click the advanced options link and it'll give you a 'continue anyway' button. Been that way for quite a while.
ACK! (Score:2)
The notice is good, and in the general case this is good. I see some serious problems for system admins who have to use systems with older ILOs. Just about every ILO or remote console I have used in the past few years has been java based and used self-signed certs.
It would be nice if you could whitelist trusted networks. I would like this when going to random google pages, this will be a serious pain when it comes to administering systems.
Re: (Score:2)
You used to be able to install self-signed certs into a keychain, and I'd be surprised if they took away the ability to do so in the future.
Re: (Score:2)
I don't actually deal with ILOs in my current position (often anyway). However the last environment I was in was utterly pathological. The ILO would generate its own self-signed cert, meaning you would literally need to install a new cert for every single ILO.
Maybe that is fine in a small environment, I have been working in ones where we are talking about something on the order of 2000 systems.
Re: (Score:2)
Well promises are worth what? :)
I worked at my first year for 5 years. 5 years before I started they first announced they were going to kill off the old VMS based email system. I was gone for 2 years before they finally actually killed it....because every time they tried, someone raised a stink.
Re: (Score:2)
And here I was thinking this last year was long...
Re: (Score:2)
Does it do plugin or java web start? In the latter case, this doesn't factor in. Most things that I deal with that once were java plugin centric are now java webstart if they can't manage to pull it off in http/javascript/html
Casual use of Java (Score:5, Funny)
> The unfortunate cost of this is that any casual use of Java is going to be killed.
You may think you're just a casual user of Java. You may think you just use Java for recreational purposes. Everybody knows Java is just a gateway language for other languages like C#. And we all know what happens to C# programmers.
Re:Casual use of Java (Score:4, Interesting)
I was being a bit tongue-in-cheek (apparently that's viewed as more trolling than humorous here, but whatev).
I've been a developer, and I've been management... Most developers get paid as well as their immediate management, and very often better than the sales department. I actually left being a developer/manager to go back to being a developer. Pay raise, better work. Right now my day-to-day is PHP, Java, and C#, depending on the project.
ANY technology is prone to being obsolete before it reaches its full potential. If you jump on the bandwagon just because it's being released by company/group XYZ, you're crazy. Microsoft releases frameworks that don't last. Google kills apps. Blackberry does stupid stuff... It's all variations on a theme.
For every two or three poorly conceived things MS publishes, there is one that is actually really quite good and deserves attention. While C# and Java were once very similar, C# continued to grow as Java stagnated. Now Java's back in the game, but it's owned by Oracle, which scares the #$#( out of me. All that said, Visual Studio is still the best IDE out there.
Casual use of Java..? (Score:3, Interesting)
Java? Casual? That's like saying the US Tax code is good bed-time reading.
After realizing I was spending half my frickin' life compiling, reloading, and waiting... waiting... (I'm looking at _you_ Tomcat) I switched to Python and never looked back.
Casual use of Java was dead 10 years ago. (Score:5, Interesting)
Re: (Score:2)
Personal projects you trust and can push continue on.
RTFS:
Running applications by UNKNOWN publishers will be blocked in a future release...
There is a 'continue on' button right now, but this is stage one of phasing that out entirely.
Re: (Score:2)
Unknown means unknown by the system running the app, not unknown by the world in general. Make your own cert, put it in the truststore, and now you are known.
Re: (Score:2)
NOAA aviation weather tools are done in java - used extensively by pilots.
Re: (Score:2)
There's a really cool open source SSL VPN called Adito that allows you to do port forwarding over SSL via a browser-launched Java applet.
Re: (Score:2)
I really don't think that there is a casual use of Java applets anymore.
Minecraft is hugely popular and the only reason for many of us to temporarily enable browser applets.
You can choose to buy Minecraft without testing its browser demo... but if you want to preview whether your old machine can handle the 3D decently *before* plunking the ~20+ to license the full applet-less version, there's no alternative.
Re: (Score:2)
If you are spending $25k over a $100 item there is something seriously wrong with your company.
We aren't a big company and our office managers and VP's can sign for $250 and justify it later. There should be no reason to have 4 people in a meeting to discuss spending $100 on an IT asset. At the most you should have a 5 minute conference call between CTO and CEO.
Re: (Score:2)
I think (hope) that you made that up. I can think of two explanations. Your company is hopelessly screwed up, or the real concerns were about the SSL process, and not financial. If it really took $25K (including travel) just to approve a $100 expenditure, get out, quickly. On the other hand, it is entirely possible that management has real concerns about security, etc that they want addressed before letting someone obtain an SSL certificate in their name. That is reasonable. However, if your company h
Java applets? (Score:3, Insightful)
Bad for science education (Score:5, Interesting)
Java applets are an essential tool for science education -- as simulators [colorado.edu], calculators [hws.edu] etc. Are all these research groups supposed to get some authority to digitally sign their applets?
Fundamentally, a major aspect of Java security is that, since it runs on a VM, an applet is inherently encapsulated. Yes, VM bugs can cause problems, but the value of all the free educational applets online far exceeds any possible security benefits of unpatched VM bugs.
Re: (Score:2)
I agree in general, but I'd say any apps that want system access (legitimately breaks out of sandbox protections) should be disabled for self-signed apps that haven't been manually white-listed. The number of Java apps needing system access should be low in general.
Re: (Score:2)
I'm sure that's great software - but does it really need to run inside a browser? The first link you gave involves downloadable apps and/or Java Web Start - not an embedded JVM. The latter link I'm not sure about.
It's worse than Flash - the sandbox has access to your printer and a whole lot more. It can still be a nuisance even if it's not escalating access.
Re: (Score:2)
Running automatically inside the browser is better than manually downloading and choosing to run it? Unsandboxed is not such a big threat when you're deliberately choosing to run the file and unsandboxed is still restricted to the local user account.
I'm not sure I know of a java applet where context comes into it at all. And as for updates, plenty of native software has to deal with updates.
Re: (Score:2, Interesting)
Except, you know, the whole being able to produce one package that reliably runs across any platform the VM does. PIP is not a replacement for a .JAR file, nor is it even a convenient alternative.
I mean I know what you're trying to do, "I'll shout out an OSS language and make some sweeping generalization about it taking over in some field...education maybe, yeah, that's a good one... Then the karma will just start rolling in." That's about as much thought as you've given the problem, which is probably why i
I RTFA but I don't see it (Score:2)
Does it show the warning in any of the linked articles?
WAAAAT (Score:4, Insightful)
Most of the Java apps I use are unsigned.
Here's what I see happening: Lots of people hanging onto old Java versions, creating an even bigger security disaster.
Re: (Score:2)
If it's internal, why can't you add your signing CA to the java trust store across your organization?
Re: (Score:2)
Wait - you're talking about a different security change. One that essentially prevents XSS - a legitimate concern.
I thought the whole point of Java... (Score:5, Insightful)
Re: (Score:3, Insightful)
Yes. Exactly. They just plead guilt to selling snake oil, as we knew they were doing all along.
And my mod points ran out yesterday :-/
Re: (Score:2)
They didn't need to "plead guilty", the department of homeland security issued a public press release a year ago telling everyone to uninstall Java. A year later Oracle has basically agreed.
Re: (Score:2)
Yes, and then later Applets are allowed to interact with JavaScript code in the surrounding browser, and vice versa JavaScript can interact with methods of the Applet. That would never open up such complex interactions that nobody could foresee the security problems. Nope, nosiree. (sarcasm)
Re: (Score:2)
How is this post insightful? It posits an incorrect assumption. Java wasn't created for applets. Maybe that's what you've mostly seen. Second, there are unsigned applets that are sandboxed and signed applets that can have expanded access to your system. The whole point of the Java exploit scare was websites hosting an unsigned applet that behave like a signed applet.
A lot of our code and even our certificates are (Score:2)
This will be unfortunate.
We've had problems with our university issuing certificates for domains and for code, which is not intended for public use.
Making it not run will mean we will have to dump Java and use one of our other OPEN SOURCE coding methods.
Buh bye!
Not that we're the fifth best world university or in the top ten list of US research universities or anything.
Minecraft (Score:2)
Retards (Score:4, Insightful)
As others have mentioned, there are a ton of embedded systems which use Java as the control interface and load unsigned or self-signed applets to do so. Block them, and we'll be forced to stick with an old version of Java.
Re: (Score:2)
Do those embedded systems run the latest 1.7.0.40 Oracle Java? Because if they don't, it shouldn't matter.
The browser will be running the latest version of Java, and that's where the decision will be made about whether it's allowed to run.
Totally Blocked? (Score:3)
No, i didn't RTFA... Are they going to refuse to run self-signed at all, or can you opt out of the blockage as the end user?
I'm OK with a warning;"hey do you trust this?" and a choice to say yes, but complete blockage is uncool.
That would be great - drive by malware protection (Score:3)
Nobody should be running Java in browser. It's a blinking, gaping 'zero day me here!' for any drive-by malware and Oracle can't keep up with the exploits (though they still keep trying to re-enable their plugin on install, along with trying to install junkware, the evil bastards).
I do use Java for standalone apps, this is not an anti-Java thing - it's the browser plugin that is the problem.
Big slow institutions that are stuck using Java can pay the $100 and still get the extra drive-by protection. Everyone wins. Of course the baddies could still get a cert... but then we're back to 'don't run it in browser.'
Re: (Score:2)
A java applet is a java computer program written by "someone" coming from "somewhere" running in a browser on your computer.
Replace "java computer program" with "c++ computer program" (or any other "real" language) in the previous sentence, and it describes a situation no less dangerous, arguably more-so.
It has nothing whatsoever to do with the language, its the paradigm.
Fighting the impossible fight (Score:3)
Is it more difficult to give up on making the sandbox mechanism secure or to review all code for all applets to make sure they are "trustworthy"
I would think money making conspiracies aside the first approach is a solvable problem while the second is a hopeless fools errand... perhaps I'm wrong given there are just 3 remaining people in the world still using java applets on their websites.
Re: (Score:2)
Why isn't sandboxing applets the responsibility of the browser?
Re: (Score:2)
Why isn't sandboxing applets the responsibility of the browser?
I have not made or even hinted at the above claim. OS jailing of browser and browser jailing of extensions are important yet insufficient.
Java runtime is closer to the application space and therefore best positioned to make contextual access decisions regarding resources it controls or arbitrates in applet mode.
Consider the case where java is running in a sandbox and an application is able to escape the java applet runtime into the execution environment of java runtime. While this does not pose a threat t
Oh hay what? (Score:2)
It currently costs a minimum of $100/year
Wow, I'm a malicious java programmer and this is really going to stop me!
Scarlett: Rhett, Rhett... Rhett, if you go, where shall I go? What shall I do?
--
BMO
Legacy (Score:4, Insightful)
Does this mean the new Java will start bitching about legacy Java applications I've been running for years?
What will this do to companies that run their own Java applications? They can no longer apply security patches for Java in the near future without the massive cost of repackaging their self-made Java code?
This has "money grab" written all over it.
Same mistake the browsers made... (Score:2)
And honestly the problem IS NOT the hardware I'm accessing - its the stupid browsers.
They're only going to cause the same kinds of headaches for everyone.
P.S. I'm not in favor of Java or Java Applets, but it still
sandboxing = failure (Score:2)
So that pretty much means that they are admitting that they never managed to get sandboxing to work properly for Java.
Applets dying? (Score:3)
So Java applets will become less common on the internet? OMG, I can't believe this!
Re:Applets only (Score:5, Interesting)
Java as an idea was great....write a program that compiles once and the binary can run on anything.
<rant>
Java as an implementation has failed miserably for just the reason mentioned by the parent. I have encountered too many apps that won't run unless a specific version of the VM is available.
Then there is Tomcat, evil software container...I have lost too many hours of my life trying to keep that beast happy....just today I got an email from a colleague who wants to restart tomcat weekly because something is causing it to leak file descriptors. More than 1024 files open at the same time...I could probably figure it out, but that would again be more hours lost to java.
</rant>
Re:Applets only (Score:4, Funny)
Every week!?
I have a cron job that checks every 2 minutes to see if tomcat is still up. It starts it if it's not.
With Tomcat 5.5 there were days when it would restart 15 or 20 times a day. Tomcat 7 hasn't gone down yet, but it hasn't been used yet either. We'll see what happens the next time the Java class is scheduled.
Re: (Score:2)
The ones I get stuck with always seem to require Java 1.4.2, so any new breaking changes are irrelevant.
Re: (Score:2)
"Write once, run anywhere" just doesn't hold much appeal if a security update breaks functionality.
That makes no sense... (Score:2)
IPMI is a UDP protocol that has no direct relationship with a browser.
If you are instead implying that service processors frequently have web interfaces that employ java, at least with IBM the current state of affairs is java web start, which means no browser plugin even if it does use java. Even if they were, you don't have to worry about the vendors being too cheap to fork over the chump change.
Re: (Score:3)
Launch the same product with a new colored case and the Fanboi's will buy it up....
Re:Screw java, HTML5 + JavaScript (Score:5, Insightful)
please don't ever type "chive" again
Re: (Score:2)
This gives the powers that be the capability to shut off any java applet they do not like for any reason what so ever?
What? Letting users decide what programs should run on their computers, rather than 'the powers that be'? That's such 20th century thinking.
Re: (Score:2)
How many of those actually need to run in a web browser, rather than download-and-run?
Re: (Score:2)
Reputation and accountability. This kind of "feature" isn't about preventing Walmart from exploiting children in some foreign country, its about preventing malware and ONLY about preventing malware.
If a piece of malware gets written under this scheme, there are two possibilities:
1) Its not signed and the user clicked OK anyway. Its on the user's head if things go bad.
2) It is signed and Oracle can track down the original signer.
No (reputable) company would want to fall under #2 ever and they'd be loathe t
Re: (Score:2)
Obviously not a good living if you're not aware of that.
Re: (Score:2)
Pretty good one actually, but there is no practical use for a Java applet to run in a browser. It's a security nightmare.
Especially when that JVM runs at the privilege level of the user and the sandbox is based on a blacklist that has been broken in the past. (untrusted code is only blocked from accessing specific packages).
The only way to be safe is to not install the java plugin.