5

Chrome 11 is now asking user permission to run both signed and unsigned Applets (yes, for signed applets the user is asked twice). Chromium team decided that this measure is needed even when the user is using an up-to-date JRE. Here's my bug report (which reflects solely my opinion: http://code.google.com/p/chromium/issues/detail?id=84001).

My question is, how do you guys see it? Is Java Sandbox dated and unsafe? Do browsers need to impose a second layer of protection by default?

Update:

I'm also curious about how many of you guys have a clean record experience with Java against how many every hit a piece of malicious software? As a Java Power User for more than 10 years, the only time my antivirus ever complained about something related to Java was a false positive (I was downloading some libraries from Maven Central repository).

Anthony Accioly
  • 199
  • 5

3 Answers3

5

I try not to be too much of a conspiracy theorist but I could see this as being retaliation for Oracle's copyright/patent infringement lawsuit against Google over Android. I doubt most regular users will even notice since Java applets are basically dead anyway on consumer web sites.

I prefer the approach of Firefox, which disables known vulnerable Java versions rather than trying to paint the whole approach as flawed.

Jeremy
  • 361
  • 1
  • 2
  • 1
    Fair thought since that's the first thing that crossed my mind too. It seems unfair to block new Java Versions, and a "Learn More" including bold **erros and crashes: Blocked Plug-ins** is not fair when comparing the database of Java vulnerabilities to that of XSS Attacks, Flash Crashes, etc. And blocking Java Plugin because it is not "wildely used" is just lame. justification. – Anthony Accioly May 26 '11 at 13:11
  • Just to be fair. Besides popular games, Internet Banks, File Unploaders and the general stuff that still use Applets, there is JavaFX that is a (even if not that popular) alternative to Flash and Silverlight. Besides some applets do background stuff, sometimes the users don't even need to be ware about them (no, I'm not talking about server side Java, I'm talking about client side background stuff). – Anthony Accioly May 26 '11 at 13:19
1

Here's my opinion on the matter:

There are a whole whack of people smarter than me developing both Chrome and Chromium. I leave it in their capable hands to determine what's secure and what's not.

Not super helpful, but there's my opinion :)

Demian Brecht
  • 17,555
  • 1
  • 47
  • 81
  • Fair, and I must say that Indeed they now a whole lotta more about security vulnerabilities than I do. Still, Firefox, IE and Safari teams are also highly skilled developers, and they didn't go down that road. – Anthony Accioly May 26 '11 at 13:13
  • @Anthony: someone has to make a start. You can't expect all browser vendors come with a solution out of nothing, unless it's something like comodogate. – Lekensteyn May 26 '11 at 14:33
  • @Lekensteyn I see what you mean. But my question here is if this is something that needed to be started at all. As a Java Developer and enthusiast I'm totally biased (if Firefox starts blocking applets I will jump to Opera, Konqueror or any other browser that doesn't). But religious matters apart, what I'm wondering is if it technically necessary? If other, less biased developers think this is a fair tradeoff. – Anthony Accioly May 26 '11 at 16:42
  • @Anthony: oh in that sense. It's a trade-off between security and usuability. Java can be helpful, but old versions are known to contains severe vulnerabilities. The same applies to Flash, but Flash is more used (take Youtube for example). In the past, I could see applets with a "cool clock" or "nice menu effects" on websites, but nowadays Flash is the technique being used. For the best safety, install NoScript in a browser. You can like it or not, but if visitors do trust your applet, they'll accept the warnings. Also known as social engineering for other uses. – Lekensteyn May 26 '11 at 17:09
0

If you are paranoid, then you should disable Java applets. (You should also disable Javascript if you are REALLY paranoid.)

There are vulnerabilities in the various sandboxes - a few google checks will reveal this. Some of these may be dated, and later (or leading edge) implementations may be better than it all was a few years back.

So, it depends what you are doing: If building an embedded brick and you don't ever want to get a support call for it, then turn off as much as you possibly can. If its for a desktop app, then question the use, the users, the circumstances, the level of security, how much other virus protection you have. Then make a decision based on an evaluation of your known knowns, your known unknowns, and your trade-offs. In this case, excessive paranoia may be... well... excessive.

quickly_now
  • 14,822
  • 1
  • 35
  • 48