Marking All Java Versions as Insecure Could Backfire on Mozilla

This sounds like a war of wise old adages to me; it’s “better safe than sorry” vs. “don’t throw the baby out with the bathwater” …

With Firefox 24 came a change that affects all versions of the Java plugin installed on a system. Mozilla made the decision to mark all existing and future versions of Java as insecure due to the “history of security vulnerabilities in Java” and “poor response times” to fix those issues. It needs to be noted that the organization is not the only one that decided to change how plugins are handled. Google decided to block all NPAPI plugins — to which Java belongs — at the beginning of 2014.

Previously, only Java plugin versions with known security vulnerabilities were added to Mozilla’s blocklist, which prevented them from running directly in the Firefox web browser and other Mozilla products.

Along with this comes a change for users of Firefox who rely on Java. This not only affects gamers playing games designed in Java, but also people using Firefox in business environments.

The bug listing on Mozilla has received its fair share of comments by system administrators who report that their users are running into issues running the Java applications in Firefox because of the changes that Mozilla made.

The main points of criticism revolve around Mozilla’s premise that Java is inherently insecure, and the implementation of the warning and click to play system.

As far as the first point of criticism is concerned, the core argument is that other plugins and applications are as insecure as Java is. Flash in particular is mentioned several times.

The second argument criticizes the implementation of the notifications. When users connect to websites that require Java, a small red icon appears in the browser’s address bar next to the site address.

If Java elements are visible on the page, a click-to-play message is displayed as well. This is not always the case, however, so the red icon may be the only indicator that something was not loaded on the page. While it blinks a couple of times, it is easily overlooked, especially by inexperienced computer users.

While most experienced users may have no issues finding out about the change, most inexperienced users may not be able to figure out the solution on their own.

Some developers have proposed that the warning message should be less scary, especially if the latest version of Java is installed on the computer system.

Most administrators appeal to Mozilla to change the policy, for instance by making the process more visible to the user. Others seem to have jumped ship already and moved to another web browser that does not impose the restrictions — yet — on their user base.

What’s your take on this? Should Mozilla rethink the blocking of all Java versions, even those that have not been released yet?
