A lot of the angry comments about this seem to be coming from uninformed people who haven't actually tried it - that or something about this change isn't actually rolled out. I just tried it in an up-to-date version of Firefox 24, along with Firefox Nightly.
In both, with my existing old build of Java, I got a placeholder image like this:
Clicking it took me to the update page. Exactly what you want. There was an option in the top-left corner to forcibly load it, which is fine - updating is the right move.
Once I updated and uninstalled the old JRE, in Firefox 24 the applet I was trying loaded silently without any confirmation. It was not blacklisted.
In Firefox Nightly, once Java is updated, I see this placeholder where the applet would have been:
Clicking the placeholder opens a prompt asking if I want to allow the plugin once or allow it always on this site. Very straightforward.
Other than the fact that modern Java 7 is not blocked by default in Firefox 24 for me (maybe they didn't roll that out yet?), everything works fine here, and I don't see any catastrophic UI mistakes, developer/enterprise-hostile design, or attempts at destroying the web.
The applet loading without user action after the Java update sounds like you had already allowed it for that site before (or maybe you haven't got the blocklist update yet for some reason?).
I went through this routine yesterday. Updated Java and restarted Firefox. I can 100% vouch for seeing a warning about Java being outdated. The warning was still there. I stand by it and I wont delete or edit my comment.
As a dedicated Firefox-user who dislikes the direction Chrome is taking, I still say Firefox has a problem here. This is something real users are experiencing.
I believe this as a whole will have a very negative impact on Firefox's perception in the java-heavier regions of the internet.
And damage done is hard to repair. Mozilla should think carefully and very quickly about what they just have done.
Edit: My bank's facebook page is already filling up with customers saying they can't log in. When the bank's reply is "Dont use Firefox. Firefox is broken" and the customer indeed can log in with other browsers, what chance do you think there is for the user going back to Firefox?
Mozilla needs to get 24.1 java-enabled-edition out there now, until it gets its UI/UX story straight.
Edit 2: Down-vote as you like. If you don't think this will affect Firefox's perception, you are a tad more optimistic than I am.
Weird.
It appears to be working as claimed in my Firefox build from yesterday (26.0a2 (2013-10-21)). Most likely a bug then, and should be treated as such, instead of assuming Mozilla is lying about updates being available, or not.
Is there a chance that you have more than one instance of Java installed? I've seen this on a few machines. An up to date copy of Java in "c:\Program Files" and an outdated version still sitting in "c:\Windows". Try about:plugins in the address bar, I think that should list all installed versions.
> You can still easily run Java applets in Firefox 24 and beyond, you just need to click the red lego block in the upper left corner and allow it. [1]
Allow me to disagree and to tell you what happened last weekend:
Last Sunday I had a call from my stepfather who "couldn't run the website to order agro food" anymore. This website runs a Java applet to manage agro food orders on-line and the code isn't signed (it's a small structure).
He tried to understand what was going on with the warning before clicking "ok/yes/run". He googled the warning and unfortunately ended up installing malwares from ads running on some PC help website/forums that promised to fix "2 just found vulnerabilities": he thought that was related since the warning actually preventing him from accessing his "working-fine-yesterday" website seemed to be about security and vulnerabilities in the plug-in.
He then tried to update Java but canceled it at the end of the process because the window with the Java propaganda ("it powers 3 billions of applications, your car, your website, etc.") looked too much like the one with malwares from before and those didn't fix the problem (not being able to access his website).
When I finally could go to his house to fix it I realized what had happened.
It is definitely not user-friendly. It was working before and in his eyes Mozilla made it not working anymore.
There was a bunch of other crap: a lollipop promotion app, a trojan and internet explorer settings changed.
Funny, but he didn't installed the Ask toolbar :). I did when uninstalling/reinstalling Java and clicking a little bit too fast :). Hopefully it's not as tedious to remove as a trojan.
The difference? Be sure to point out why tricking you into installing it isn't malicious, why it's not malicious that after that it changes your default search provider to send your searches to them (privacy much?), and why it's not malicious that it's abnormally hard to remove (a quick Google will demonstrate the normal 'remove toolbar' steps don't work, even Wikipedia has a note and several links on this: https://en.wikipedia.org/wiki/Ask.com ).
It tricks people to installing it, reports your search activity (maybe other data? I can't find details, not installing it myself), and takes major, unnecessary steps to make it hard to uninstall it. Sounds like malware to me.
After reviewing the facts by discussing them with nknighthb it appears the warning message that prompted me to blame Mozilla for a confusing warning message was due to Oracle and their Java warning pop-up. https://dl.dropboxusercontent.com/u/202857/java.png
My apologies :], I am a little bit ashamed for not spotting it sooner.
This is honestly what makes the Firefox warnings even more damaging than they already are.
If a brave user decides to click past the "DO NOT ENTER" sign on the Firefox warning, they are immediately presented with another worrying warning, popped up by the Java plugin. What kind of fool says "yes, please go ahead and do this dangerous thing" when two separate pieces of software have already told them not to? Not most, unfortunately.
At least I can make the Java plugin warning dialog be relatively calm by signing my JARs. The Firefox one is completely beyond my control.
I'd like to know if the Firefox developers have details on exploits that bypass the Java plugin dialogs. If they do, I'd like to know as well. If they don't, that means they're duplicating a security feature that's already in the plugin... what's the good of that? It just confuses and frightens the users of valid, secure Java applets.
This is clearly a person who would have wound up with malware regardless. It's as if you blamed telephones for allowing a scammer to call a gullible mark from the Official Credit Card Office.
He wouldn't have ended up on treacherous paths if that warning had been more explicit about what was going on.
I agree he's not computer savy but I am not blaming Mozilla for his installing malware. I am blaming Mozilla for a confusing message about security. See https://news.ycombinator.com/item?id=6590686
There are thousands of "confusing" messages to be found on a typical computer. The messages Firefox presents for Java[1][2][3] aren't even competitive.
You have a user who has not been trained to not install random software, is fooled by extremely common ads, and who does not have the basic judgement necessary to not flail about when presented with something they don't understand but to consult someone who will understand.
This is a recipe for the exact scenario you described, but is in no way dependent on Firefox's Java messages. Any message appearing on their screen that they don't understand can be the trigger, including scammy ads encountered by millions of people in routine daily browsing.
edit: here I should replace firefox and mozilla with oracle
That's quite a stretch.
I have a user who uses frequently one specific website and for no apparent reason Firefox decides to tell him it's now dangerous to use with fearful and technological terms (vulnerabilities, plug-in, risk, etc.).
If Mozilla decides its users are dumb and should not be trusted to allow Java applet to be run then they should not warn them with techno-cryptic messages they know their users can't understand (because if Mozilla thought they could then Mozilla would know users could make the difference between a good and a bad applet and that warning wouldn't be needed).
A shorter and less scarier note would have been a better message for everyone.
The warnings are 8-14 and 5-8 words respectively, and state the case concisely. The word "risk" appears nowhere, and is a common English word anyway, and "vulnerable" and its derivatives are also common English words.
How would you rephrase the warning in fewer than 8 words that would have helped your stepfather understand the problem and how to deal with it?
Congratulations, you've just lambasted Mozilla for a Java message. Java pops up that same message for applets in all browsers. Go talk to Oracle, it has absolutely nothing to do with Mozilla or Firefox.
While I agree with your opening sentiment, and I agree regarding OP's dad not having the appropriate training and judgement, I disagree with the conclusion that he should be the resolution to that problem.
The appropriate training is nothing less than years of experience working with computers or being in the IT business. Why do we believe that this ought to be standard knowledge for users? It seems to me that we're placing too much burden on the user to make good judgements in the face of insufficient application and operating system trustworthiness.
The appropriate training has been given by me to the various family members I have to support. They started out just like his stepfather. It did not require them to have years of experience before they stopped trusting random websites, installing whatever came across their screen. It required me explaining the relevant concepts a few times. That was it.
We absolutely place too much burden on end-users -- one reason the iPad is such a hit -- but "don't believe everything you read on the Internet" and "ask me before you try to fix something you don't really understand" is not a heavy burden. If it were, we'd have a lot more mechanics and a lot fewer operable cars on the road.
I had a look at the mozilla website and the english phrasing seems okay to me. I think the french is too verbose (and it adds nuances that are confusing like "some versions of the plugin is disabled", "trusted sites": does it mean sites that are guaranteed to be trusted because of a certificate or sthg or sites I trust because I know who coded it or it's so universally known (eg: google) that I should trust it anyway ?) even ignoring the fact french is de facto more verbose than english.
Unmovable window, can't close firefox without first actioning something in it, one checkbox+one butotn to allow "something scary" to run (something that wasn't scary yesterday). This is what prompted my user to google the warning.
You can still easily run Java applets in Firefox 24 and beyond, you just need to click the red lego block in the upper left corner and allow it.
I've had multiple calls in the past week from Java users who didn't know that and just thought the page in question had stopped working. Your idea of "easily" and theirs are very different.
It's much less strict than in Chrome, where Java doesn't run at all anymore.
I've spent much of this morning testing applets in Chrome. In fact, I've got one running right now, and I just confirmed that Chrome is up-to-date. Perhaps you've misunderstood something?
Yeah, it's true that lot of the sites still using Java hasn't been updated with the correct instructions about how to enable it in FF 24 yet - and they should fix that as soon as possible of course.
Still, it's a much easier thing for normal users to figure out than how to update Java (which they must do quite regularly to get Java to run at all).
I did a little Googling and it turns out that Java still runs in Chrome on Windows, it's just banned on OS X.
Yeah, it's true that lot of the sites still using Java hasn't been updated with the correct instructions about how to enable it in FF 24 yet - and they should fix that as soon as possible of course.
Unfortunately, the applets I work on at the moment run on embedded web servers in network-enabled devices. You can't just roll out a quick update to this software every time Mozilla or Oracle break things.
If you were deploying web servers on embedded devices without planning for easy and painless upgrades, joke's on you. That's terrible for your client's security.
Some of those clients' security involves (among other things) firewalled private networks, biometric access controls overseen by armed guards, and a requirement to provide complete systems free of charge for several months of testing and auditing before any new software roll-out is approved. There is no such thing as easy and painless upgrades in that kind of environment, and that is by design. You don't exactly want the patient records in your healthcare systems or the performance monitoring tools with access to all of the traffic on your telecoms infrastructure or the card processing systems at your bank to be accessible on the public WiFi, after all.
These are the exact opposite of the kinds of places you would expect an untested Firefox update to show up. You are being inconsistent. Is it a tightly-controlled environment or not?
The environment in which these devices exist and the environment in which the machines used to access them exist are not necessarily the same. Obviously they will be connected in some way, but it is perfectly rational to want to apply security updates to staff computers that might encounter software or data from external sources but which might also be used to access in-house systems that are tightly controlled.
Yep, banned on OS X, kind of frustrating since I need to use Java for work occasionally, and when I click on the link and it redirects after opening in Chrome I need to go back, copy and paste the link into Firefox.
They are actually users, and those users paid a very large amount of money for very expensive equipment that happens to use Java applets as part of its remote management interface.
Did any of that money go to Mozilla or any other organization seeking to advance and secure the internet for the vast majority of people who did not waste money on overpriced products from a company that doesn't want to take responsibility for its poor judgement and inflexibility?
Please take your obvious trolling somewhere else. Not all software that runs in web browsers was written in the last year or two, after HTML5 and CSS3 and all the related new technologies became viable options for doing heavily interactive graphics on web sites. For many years before that, tools like Flash and Java applets were the only games in town, and a lot of production software with many years of development behind it that is still widely useful was built using those tools.
We are supporting our users. The point is that in this case we shouldn't have to. The problem is an entirely artificial one of Mozilla's creation, and no support from anyone should ever have been necessary.
The problem is entirely of Oracle's and your own creation. Oracle is not adequately supporting their software, and you have failed to notice the signs over the past several years that browsers were headed in exactly this direction and adapt accordingly.
Mozilla is taking the only responsible course to protect the vast majority of their users. It's been a long time coming, and absolutely no one should be surprised that it finally arrived. If anything, I'm surprised it took this for the first major browser to do it.
An unfortunate comment, because some of the devices I had in mind when writing those last few posts are in fact medical equipment.
If Java-based UIs are no longer readily available to clinical staff the way they were last week, then effectively their instruments just got broken. Delays and increased suffering for patients are all but certain consequences until the IT staff have chance to fix things again.
Fortunately, the software running on equipment that could actually cause death as a direct result of failure is written to much higher standards and shouldn't depend on this kind of technology in the first place.
> Delays and increased suffering for patients are all but certain consequences
If the product you are building is not future proof it is your problem not Mozilla's.
Dont blame Mozilla for your poor technology choices. Applets will eventually stop working, and you'll be responsible if your product fails , not Mozilla.
Dont blame anybody else but you. You broke the medical staff instruments by choosing or maintaining a dead technology thus putting patient lives in danger. Do you think they'll sue you ? or Mozilla if there is an accident? You are responsible.
If the product you are building is not future proof it is your problem not Mozilla's.
Nothing is future-proof if the people controlling the platforms move the goalposts. We have standards and value backward compatibility for a reason: it's because violating those standards and breaking that compatibility hurts. And it's going to become Mozilla's problem if they continue down this path, because Firefox will cease to be a viable browser choice for a significant proportion of their potential market.
Dont blame Mozilla for your poor technology choices. Applets will eventually stop working
I don't know why you're writing as if I personally broke these medical devices. I've never personally worked on any of those projects, I'm just familiar with them and citing them as examples of why this sort of change is damaging.
In any case, people really should get off the "Java applets is a dead technology" bandwagon. Viable replacements using HTML/CSS/JS are very recent developments, and people have been developing web-based user interfaces for all kinds of devices for decades. Of course they're not all going to throw out all that work and rewrite everything from scratch. There's nothing wrong with it, and contrary to your claim, there is no reason those applets must eventually stop working. They'll work just fine as long as browsers run Java applets, which they've been doing just fine for many years.
Obviously applets will stop working if browser makers deliberately drop support for them even though it's been available for a very long time. However, that's like saying obviously CSS3 is no use for anything because it's not all W3C standardised in stone yet so you're stupid if you use it today because it might all be different at some arbitrary point in the future that no-one can predict. You can shoot down any technology, no matter how modern and trendy, with such a generic argument, but it doesn't demonstrate anything particularly helpful to do so.
You broke the medical staff instruments by choosing or maintaining a dead technology thus putting patient lives in danger.
No, I didn't, but if the serious software I work on were medical in nature, you could literally bet your life that I wouldn't be letting either Java or Firefox anywhere near it and would be using an entirely different level of engineering practice to build it, as I do for certain projects in other fields where reliability is essential.
However, while we build the literally life-or-death systems that way, chances are the word processor, KVM, and, yes, web browser that organisations doing vital work use for day-to-day activities are not developed to the same standards. Breaking them still hurts, if only in efficiency (which can obviously still be harmful in a medical context). Unless you're claiming that all software that runs in any medical facility must be developed to the same standards as control software for high-risk, safety-critical systems, again, your argument is so generic that it doesn't really prove anything interesting.
TLDR it's your problem , not Mozilla's. You can still tell your clients to uee another browser, heck they had to install java on their machines for your solution to work... they should not had too, but smart people always make poor technology choices.
You can still tell your clients to uee another browser
Actually, we've been doing that for quite some time on one of the major projects I work on that uses Java applets, for exactly this reason. We usually recommend a recent version of IE, and as a general policy we don't offer any sort of guaranteed support for Firefox or Chrome. Of course we still test on those other browsers routinely and we'll help customers who have problems if we can, but no-one is getting any money back if they break later because of the kinds of changes we're talking about.
The worrying thing for Mozilla should be how many businesses are essentially telling us that they agree and they're moving or already planning to move back to IE as their corporate standard. It's certainly not always because of Java, but choices like rapid update cycles, lack of long-term support, and willingness to drop useful functionality do seem to be generating an increasing amount of hostility from institutional users.
The sorry state of medical IT and medical device vendors is not Mozilla's fault. It is especially not Mozilla's fault if medical organizations and their vendors are rolling out updates they haven't tested themselves.
You're probably aware that in many, if not almost all commercial EULAs, you'll find an all-caps passage like this one I just pulled out of Apple's OS X license document:
> E. YOU FURTHER ACKNOWLEDGE THAT THE APPLE SOFTWARE AND SERVICES ARE NOT INTENDED OR SUITABLE FOR USE IN SITUATIONS OR ENVIRONMENTS WHERE THE FAILURE OR TIME DELAYS OF, OR ERRORS OR INACCURACIES IN THE CONTENT, DATA OR INFORMATION PROVIDED BY, THE APPLE SOFTWARE OR SERVICES COULD LEAD TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE, INCLUDING WITHOUT LIMITATION THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, LIFE SUPPORT OR WEAPONS SYSTEMS.
It's stated clearly and at length because absolutely no one writing general-purpose software wants to bear this responsibility. FOSS no less than commercial, but FOSS is generally a less-attractive lawsuit target.
Trying to foist this responsibility onto Mozilla is just evil. They didn't ask for it. They didn't offer their software as a solution to medical IT's woes. But you want to blame them for obvious misuse of their software causing harm to patients.
If I were to die of an aneurysm tomorrow, would it be your fault for not being a competent neurosurgeon and healing me? No. Nor should it be Mozilla's fault that it does not produce a medical device, but a piece of software someone has decided to misuse as one.
> If Java-based UIs are no longer readily available to clinical staff the way they were last week, then effectively their instruments just got broken.
Would that be a failure of Firefox (or other browser vendors) or a failure of hospital IT staff to manage the medical devices / desktops / network effectively?
That's a fair question. However, I don't think some people posting in this discussion would like the equally fair answer.
Logically, if Firefox is not going to support long term stability and compatibility -- and clearly it doesn't in the case we're discussing -- then the only possible conclusion is that Firefox can't be part of an effectively managed IT infrastructure for these kinds of organisations. That means the correct course of action for those responsible for that infrastructure is to plan to remove any dependencies on Firefox as quickly as possible and to replace it with something more stable, which presumably means IE in this context.
Yes, Mozilla has been pretty clear on this. If you want more stability, you need the ESR release, and if that's not enough, you're out of luck. Mainline Firefox is simply not intended for use within organizations that demand the kind of stability you want.
You need to evaluate the ESR release, and/or find a different browser entirely. IE may indeed be the best option if you only support Windows clients. Though Microsoft hasn't exactly been shy about forcing IE along more quickly of late, either.
Mainline Firefox is simply not intended for use within organizations that demand the kind of stability you want.
I'm not sure who mainline Firefox is intended for any more. That's part of the problem, I think.
It seems like Mozilla are chasing Google to the exclusion of almost anything else, and the main goal for both of them seems to be ticking boxes to say they have more bleeding edge features, even though hardly any real projects can actually use most of those features because they aren't stable and portable enough yet. Meanwhile, users get interfaces that subtly shift around every few days, developers are fighting a constant battle just to stand still, and as we've been discussing, organisations can't manage large-scale deployments robustly at all any more.
Your mistake is in conflating Java with the browser. The two are unrelated. Neither is really built with the other in mind, their development is not integrated or synchronized in any way, and the paradigms are just generally incompatible. And now, one poses a clear and present danger to the security of the other.
If you had a Java application, you would not have a problem. If you had a web application, you would not have a problem. If you had a C or C++ application built against either native Windows APIs or a mature cross-platform toolkit, you would not have a problem.
Instead, you rely on browsers continuing to put their users at risk by automatically running code in a constantly-leaking sandbox managed by a company that doesn't give a shit.
Understand this: Java is a hole in the defenses of modern web browsers. It is behind. Way behind. And it will remain so forever. It and its owner are not up to the task of dealing with the modern web.
So yes, you're going to be fighting a constant battle so long as you insist on relying on what everybody already knew was crap in the mid-90s.
Or you could just tell your users to click the magic button.
I really hope you aren't one of the same people who say IE6 and IE7 have to die, and so web developers are right to try to force their users to use modern browsers.
I work with the NHS in the UK; quite a few of the medical professionals are forced to use IE6 or IE7 because the hospital IT staff are managing their medical devices / desktops / network effectively, just as you say.
When Firefox makes a decision like this, what they apparently did not seem to consider is that they are drawing a cutoff line which has serious costs to some of their users. I didn't see any discussion of this whatsoever in the issue thread.
Imagine a relatively forward-thinking hospital that has been able to allow their staff to use fairly-recent versions of Firefox (once new versions have been vetted by IT). Changes like this may force them to stop deploying new versions completely, until some time possibly a decade from now when they're finally able to replace the Java-based UI.
My immediate point was that it's not as if Firefox is all of the sudden automatically updating itself on the hospital computers and people start dying because Java applets won't run. If that happened, I would blame the IT staff for allowing such a critical component to update itself without any sort of evaluation.
This will have a pretty bad effect on Firefox's market-share if it goes live.
That said, it's a solution for the current problem and should really be applied to all plugins - I'm not sure why java is singled out here, many of the other browser plugins are just as bad. Java has likely the most widely publicized security vulnerabilities, yet I can guarantee you that many many 0-days are traded daily for practically every single other browser plugin as well.
Will it? I've been browsing without Java for years, and I can only remember problems with one site (some hilarious throwback from the late 90s). For general browsing, I doubt anyone will notice a difference.
Maybe for corporate use, but isn't that mostly IE anyway?
Depends on where you are in the world. Java is required for online banking in Norway, while it's mostly unused in Sweden, the neighbouring country. Both use Java for online verification to government sites.
They will. It was announced earlier this year that the Norwegian banks will move over to a HTML5/js authentication. The government identification has been the same as the banks, so that too will disappear.
Governments and banks. They are not exactly known for hiring the best and implementing best practices, regardless of what you think of Java on the client side.
Seeing browser-developers ignore the real world and just go ahead with their agendas unconcerned about how it affects the actual users of their browser is also a sign of bad development.
Banks in some countries having their heads in the sand for 15 years is not a reason to continue endangering the global economy. It's time for Norway to pull itself out of the dark ages.
You have to stop and think for a moment, though - it's kind of cool that the Firefox development team can basically say "Norwegian authorities - you need to ditch your $100 million outdated software solution because it is unsafe, and we are going to announce this to all your users".
As a Norwegian taxpayer, I disagree :-) I don't know a single Norwegian who actually enjoys having to update Java again (and anyone who's turned on the news in the last 3 years here has heard of Java security holes).
(And if this really is just a click-to-play type inconvenience, well, that's a hell of a lot less than the hoops that users are used to going through in order to get into their BankID banks here.)
> Both use Java for online verification to government sites.
Do they? I thought Sweden used the online bank identity system for verification (bankid), which is either a standalone downloadable application, a smartcard image, or an mobile app. Not sure how an Firefox policy would effect this even if some parts of the bankid uses Java.
I believe apps like Google hangouts use Java/Need Java enabled.
I think the commenter shiloh.enriquez on that Mozilla thread had a decent point in that many users just want the thing to work, won't necessarily understand or have the patience to understand and will move from FF to Chrome or IE.
Confirmed. It broke my SO's ability to do online banking yesterday and I was (as usual) called in as tech support.
I just assumed Java was out of date (again) and was surprised to see it still blacklisted after updating to latest version.
There's no part of the UI saying "We've permanently blocked all of Java by default". Even if you agree with the developer's ideological stance here (which you very well may not), the UX part of the job is completely botched.
You know those big, yellow bars that browser and websites tends to come up with when they want to be 100% certain that the user notices something is up?
I've yet to see a single non-technical user even notice or react to its presence once. I see it instantly and can't understand why it doesn't alert or annoy them, but to them, it's just not there.
In light of that sort of behaviour, adding a subtle icon to the location bar is meaningless. Heck, adding anything to the location bar is meaningless if the intent is to communicate with the user; most users never look there.
So yeah. If that's Mozilla's stance, they will find out that nobody's going to notice. I certainly didn't see it. That is effectively dead code which they've written.
Oh interesting - hard to keep track of which version Firefox is up to these days. They should really swap to a system like Ubuntu's - using the date for the version number.
It was released over a month ago too. Has it had any effect on Firefox's market-share? Especially in enterprise? It's a pretty decent test bed for understanding how users react to these kinds of changes. If they just accept them and adapt when forced it shows that we can be more proactive in moving users to better yet incompatible software?
out of curiosity, who isn't on Gregorian calendar for everyday usage nowadays? The only thing I can think of is that for official documents Japan uses the emperor-year, but the months stay the same
a few countries use buddhist calendar variations[0], but I don't think there is anyone using the julian calendar left (well, mount athos republic is one but I wouldn't count it)
Still, many users [http://geeksbynature.dk/2013/03/28/plugins-usage-distributio...] have only Flash, Java and Windows Media plugins installed, maybe also Reader and Office. With Mozilla's efforts to replace Reader with pdf.js and Flash with Shumway (or HTML5), Java is a reasonable next target.
Their PDF replacement is far from good - buggy and unusable. We have to show PDF documents to our customers directly in browser, so we need good UX, and it was disappointing to see how it works in FF compared to other browsers with Reader and how much effort do we need to fix it.
I'm not surprised they screwed up with Java too.
It's disappointing that comments like the parent are getting downvoted here. Objective, factual observations should be encouraged, not censored.
The Reader "replacement" PDF viewer in Firefox is limited and buggy compared to the real thing. We also found it literally unusable for our purposes when it launched, and we routinely disable it on new installations where we still use Firefox at all (which is basically only test machines for web developers now anyway, because of exactly the recent attitude from Mozilla illustrated by this discussion).
It's an early version, and for many uses it's more stable and less intrusive than Reader.
I have avoided Reader for years by using Safari, and later Chrome, which each have their own built in PDF renderers. I'm glad that Firefox has caught up, it's one of the things that has kept me from using Firefox. I read a lot of PDFs, and loading the big, slow, clunky Reader plugin, or downloading the PDF, is a non-starter.
Since I replaced Adobe Reader with SumatraPDF on my Windows machine I found this to be a really good feature and it works for the most PDFs. In recent Firefox version I did not have any problems viewing PDFs. Although they need to make it more responsive, especially on larger documents. But Adobe Reader wasn't really fast to begin with, so it's not that big of a deal.
It works great for me, better than Chrome PDF Viewer. Chrome's viewer lacks even the most basic features like table of contents, and it's integrated pretty poorly -- it doesn't show the title of pdf (so PDFs are impossible to search by title in history), and it doesn't remember last reading position.
Works-for-me approach is good if you are choosing the solution for the systems you are administrating. If you have to deal with customer setups, things usually get much worse. The fact is that we've got degraded UX for our customers with one of the FF updates, because they are not IT professionals and they have chosen FF by someone's advice, not after competent analysis of different solutions.
The real world would be nicer if Oracle actually worked on fixing Java security issues. They have a bad history of pretending that security holes have been fixed and/or pretending that they do not exist, while exploits run rampant.
Most of Java is open-source now. I wonder why the dependence on Oracle is so high. If Apache or a similar foundation would fork(+) and adopt it, it will benefit the Java eco-system tremendously.
Mozilla working on the web platform has more impact. The sites that still rely on a Java plugin were expecting binary compatibility and a big vendor's security support because that sounds cheapest long term, now that it doesn't happen, heads in the sand or a web port are a lot more likely than forking Java.
Apache did try to fork it with Harmony ( http://harmony.apache.org/ ), but Sun pulled every trick in the book to keep people from contributing and/or adopting it. Then again, the code is still extant, could be time to pull it out of the attic.
Indeed, but the situation has changed now. Sun, just before it got acquired by Oracle, had open sourced the last remaining puzzle: the Java compatibility test suite. Which allows anyone to run the test suite, claim and validate that their software is conformant with Java.
Not quite. You have to have your code "substantially based" upon OpenJDK, and be GPLed, in order to use their validation suite. So Harmony still would not be able to use their validation suite.
Sure, and I haven't used Internet Explorer in years. That doesn't mean that suddenly disabling Internet Explorer is going to have no effect even if I (and probably most of us here on HN) would not even notice.
A lot of corporates and financial applications require Java.
I'd personally say the same about Flash and any other browser plugin - they should all be disabled. The amount of money traded on the black market for 0 days for all of these plugins is staggering.
That said, users of these plugins are not just going to stop using these services. They need these services to make bank payments or trade their shares. Getting hacked is a smaller worry than being unable to use those services. That just means they will swap to a different browser. The web becomes no safer, and only Firefox loses market share.
If you get hacked and someone steals from your bank account, the bank will reimburse you and the police will (try) track down the hackers. Same way as if someone broke into a bank vault and stole the money. Being unable to sell off your shares because Firefox blocked your trading app means you are forced to switch browsers.
Basically it's a pointless display. Just show a warning if a website tries to use a plugin (any plugin, including flash - there are numerous undisclosed 0-days) and move on.
This action by Mozilla raises awareness of the fact that Java security updates are too slow and too opaque and it's time to change to something else.
It also raises awareness of the fact that you can't trust some of the big names in the browser industry not to break stuff every few weeks just because they don't like it and then push the changes on you whether you want them or not.
Introducing restrictions so tight that you can't actually do your useful work any more isn't security, it's just broken.
That's a nice theory, but Mozilla's idea of "long term" support is still forcing an upgrade more than once a year just to maintain security patches, and with only a 12-week overlap between a new version starting testing and the complete end of support for the previous version.
That sounds like a long time if you're reading this in Firefox on your home PC, but if you're responsible for a large corporate network with thousands of users and a hundred critical intranet applications to keep working, many of which have a measurable dollar amount attached for every hour of downtime, different rules apply.
There is a reason so many large organisations stuck with IE6 for so long: having tried and tested, stable software is far more valuable in that kind of environment than having the latest shiny features that none of the in-house applications you're actually providing the computers/browsers to use need anyway.
If you're 20-something doing "the startup game" you probably don't see it on the next cool site demos.
If you support the company where most of the users just know to click and login, and one day they just can't, you aren't going to like it, to quote one of the post from the bugzilla:
"I haven't been able to get VPN-ed in for days, until I figured I could still use the Juniper SSL VPN from Internet Explorer. I find it amazing the casualness with which a small group of developers just shut off an entire set of functionality with no regard for its size, utility... You just broke millions of peoples software, and then you complain about this being a bug list, and you can simply do this, or simply do that."
It doesn't help that "advanced users" would know, ordinary users after the automatic update can't do what they were able to do.
This has to be balanced against the extreme risk of turning on java for every site out there.
A few users are inconvenienced. That few being the intersection of those who rely on java applets for something they care about (already a tiny fraction) and those who lack the knowledge to solve the problem on their own (an even smaller fraction). Even losing that fraction of users is unlikely to affect firefox's marketshare to any significant degree.
In the context of a company's IT department, they should be competent enough to know how to set default browser configurations and to provide walk-through documentation. If an IT department thinks that user convenience is a good enough excuse to expose the company's employees to some of the most serious and hard to prevent web-based exploits out there then I say fuck 'em. They have their priorities all wrong and if they want to continue to have their priorities all wrong then they are welcome to their own private hell.
Yes, but unfortunately when they do occur they tend to be rather important; Eurocontrol's air-traffic flow management site, for example. If you need to file or change a flight-plan...
I'm using Firefox in Ubuntu with Java to connect to a Juniper Networks VPN. When I upgraded to Ubuntu 13.10 a couple of days ago, the VPN launcher stopped working. I think Firefox 24 came along with the upgrade (that's the version running now).
I upgraded to the latest Java r45 and it still didn't work. Then I noticed a blinking red thing in the address bar where the security lock icon goes. I clicked that and it gave me an option to enable Java for the VPN connection site permanently.
Seemed easy enough to fix. I only had to click that icon once, and it's been working smoothly since.
I agree, msjnc looks much better than the Juniper launcher. But it doesn't seem to support two-factor authentication, which I need:
> A number of people have written me to ask about multi-key logins. I don't have any knowledge of or experience with these and my (very limited) investigation of the Network Connect service doesn't show how to do this from the command line. If someone can describe what the expected interface to the ncsvc program is for these situations I'll try to add support for it.
Does anyone want to write a user-friendly walk-through to help normal users get Java running? I may have the time to assist, though I'm doubtful I could do the whole thing.
The advice they give varies based on the detected browser and OS (as it must) but it's somewhat out of date, and isn't intended for a general audience.
The applets on my educational site are signed JARs (a wasted expense, it seems), and they are explicitly run within the sandbox, but every few months it gets harder and harder for students and their parents to get Java to run.
And now in Firefox my interactive components have just become scary-looking blocks of DO-NOT-ENTER signs and warnings that are totally unwarranted for my site. If you work up the courage to click through the browser's warnings, then of course you get round 2, the warnings that the plugin itself pops up.
I dearly wish to see some of the details on the evil that's being done with Java applets, and if all of these aggressive measures are actually doing anything to stop real risks, or if the main effect is to kill sites like mine.
These do not seem to be actions based on data anymore.
Last night I submitted comments on the Bugzilla bug, and joined the (small) conversation on the dev list. My message is still in moderation, though (it wasn't rude or anything, so I suspect it's just because of time differences).
I don't have much hope - the pile-on against applets has been unrelenting for months now - but I will give this a shot. It's not obvious to me which part of the site you mean yet, though.
This will be more great publicity for Norwegian government-owned consultancy Evry, which has built the BankID Java Applet which is used for authentication of each and every online consumer money transaction performed in the country.
However, it is about time - I've heard online banking developers talk crap both about BankID and the underlying online banking infrastructure in the country, and security holes due to Java exploits are rampant. The banks have paid the bill for this until now, but it causes massive inconvenience for...every Norwegian who uses an online banking service. (Every adult Norwegian, more or less).
Ive been ducking and diving to avoid my account being converted to BankId for years. My online bank prompts me to "upgrade" to it every month and wont let me say no. However if I abort the sign up wizard half way through it always defaults to the old 2 factor fob.
"government-owned" is misleading, it's not used for "every online consumer money transaction performed", and, if I understand it correctly, it's just one extra click ..
Evry, the consultancy which developed and runs BankID, is largely owned by the public (The Postal Service: 40%, Telenor: 30%, of which the latter is 53% state-owned: http://www.purehelp.no/company/owner_network/evryasa/9343824...). BankID is in fact used to sign all(#) internet banking transactions by regular, private end users of online banking services.
The problem isn't the extra click - two factor authentication with a one-time pad is an excellent extra security measure. The problem is that the implementation sucks and is riddled with security holes, prompting you to update Java every other time you log into your online bank account. This in addition to incredibly slow loading and also outright crashes if you are using a non-standard (i.e. not latest version of IE) browser. It is a giant, steaming pile of crappy software. We can't switch to a Javascript version fast enough.
(#) Except for those customers who have not yet been pushed into BankID, which is the selected standard for online banking. And obviously not for intra-bank and similar transactions.
I have reported this big issue forme in the developper forum last week.
All java version, even recent ones, ALL are considered, (not like flash...) as a "permanent unsecure virus" by Firefox.
- How can the Mozilla team can think they can get away with this ?
This behavior is all but neutral from firefox!
- So I have to drop my software that I programmed in 7 years ?
I went 4 days ago in the developper forum to discuss about this :
---------------------------------
Me: "A red no entry sign" is too radical for recent java player I think.
My users give me a phone call to tell me "No way I will accept to install your software with this red warning"... Even the people who know me, tell me they got so scared they have really hesitated to accept java. Now I do understand at a time when java had urgent security issue this scary red-message was necessary. But I really wish that Firefox checks the java version installed ... and give a less-scary-warning-sign or a "go !" if the user has a recent java version (like the latest on java 1.7 update 30).
Benjamin Smedberg (chef of this idiot change): "We fundamentally disagree about the risks of the Java plugin. We believe the Java plugin is unsafe, and we want to present that to our users".
-- Is there a boss at Mozilla ? someone who cares about developpers.
And yea Benjamin, you know, java is open source by the way.
Fuck you idiot !
Thierry
No, it's the same guy. I did tech support for him on my free time because, hey, that's what the Mozilla community does. I helped him track the rookie mistake he made when coding his professional website.
The sooner Java moves away from Oracle, the better for everyone. That being said, there is rarely a need to run Java from a browser, aside from the odd game.
But, given Flash's similar reputation (not to mention it being prone to crash), why not mark Flash as unsafe as well?
This sounds like a major move from Mozilla, but really it is not. In Chrome, you have to enable Java per site basis, and as long as the UI for enabling Java is good, it shouldn't be an issue. Java on client side is dying, anyway. And good riddance.
You were able to disable java in your browser with one click also before ...in my opinion, this move from FF is a very bad one.
Now what we should use if we need more then HTML5?
A) -> Silverlight ...FF promote a closed technology against the somehow open Java??
B) -> Flash ...which is on a downhill now?
C) -> Java ...users need to be IT experts to enable it
One thing I would like to see:
MS should ban FF because it is insecure :)
Change is to disable java by default. User can enable it for one page but can't enable it globally for every page. I like that because it close to things like flashblock.
No. Mozilla's plan for flash is to replace it with a javascript flash runtime, shumway.js, in the same way they discouraged adobe's acrobat plugin by bundling pdf.js. But shumway's not finished yet.
A few years ago, Flash used to be a security nightmare and Java was shiny and solid. These days, it's pretty much the opposite. Flash security holes are fixed very quickly, Java security holes, slowly-to-never.
So, for the moment, we have not taken the decision to disable Flash.
Does there exist a version of the Java plugin with PPAPI support? Because if not, all the commenters chiming in with "well we're switching our entire company to Chrome!" will be in for a rude awakening next year when Google removes NPAPI support from Chrome entirely.
Great, maybe then I can stop checking if the Java updates at work also sneakily re-enables the Firefox plug-in behind my back each time they're installed.
haha, reading through the bug comments is golden. All the Mozilla folks are super professional coordinating between teams then it's released to the testing channel and shit hits the fan :D
Wow, this is really irresponsible behavior, I would've expected something better from Mozilla.. Until now they've first offered an alternative (e.g. pdf.js) before trying to move away from a tech.
Marking a current version as unsafe, even when there are no known exploits is simply ridiculous. I'd love to see the reaction of Mozilla if Microsoft decided to mark all Firefox releases as unsafe, and give a big security warning whenever you installed FF.
Especially if the UI for unblocking it in FF is as obtuse as the discussion implies..
Well, when you download the .exe file in IE, you do get a warning that it might be unsafe from Windows. And you need to verify that you want to install it.
The way to verify that the installer is legit, verifying the checksum, is not done by Windows, and must be done manually. Users don't do that, and flagging everything as unsafe is a good way of notifying the user that they must be careful.
Either you are doing admin-y stuff, or the programs you rely on are broken.
When I write Windows-software, I only signal that the process requires UAC elevation for the things which actually does so. It's possible. In fact it's rather easy.
I almost never encounter software which requires UAC elevation, just like most things in Linux doesn't require me to go full sudo.
At the moment, as Oracle refuses to fix security bugs timely, Java is permanently unsafe. Please be pissed off at Oracle for not protecting their users, not at Mozilla for doing it for them.
That's a great decision. IT departements already acknowledge the fact that java applets are totally insecure and dangerous , and Java or Flash shouldnt run in the browser.
You want to program stuffs in the browser ? use javascript and html5 apis.
You want to do socket stuffs in the browser? use a proxy server.
But dont expose your users to exploits by making them install Java.
You want to build future proof solutions ? stop using applets because you cant learn javascript.
What if I need top performance? The only real alternatives are JavaFX or moving off the browser completely (native app). Despite many man-years put into optimisation, JavaScript is still nowhere near in performance. Yeah, I know in some lucky microbenchmarks from Google or Mozilla it can be only 2-4x slower than Java and it is pretty impressive but why do many real JavaScript games/programs struggle on modern hardware as if it was an old Pentium II (see: bombermine [1], quake JS demo [2], circuitlab [3]) or Java applet in year 1998? The only thing that make them look acceptable is that hardware is extremely fast these days.
[1] about 25 FPS with random hiccups on my Core i7 Quad @ 2.4-3.5 GHz and proprietary NVidia drivers and Google Chrome
[3] about 100x slower than old Berkeley Spice (early 90s technology), despite much less accurate models and using similar algorithms (sparse LU decomposition + Newton Raphson)
I'm all for this being blocked by default, and the same goes for all plugins. But it certainly bothers me when they make it impossible to override their security constraints. Put in an about:config setting to allow Java, and it's fine.
All the heavy-handedness is going to do is force Firefox out of corporate IT environments where many internal websites rely on Java.
They didn't block Java at all, they just stopped it from running the applets automatically. You can still run Java applets without any issues, you just have to allow it by clicking the red lego block.
I hope there will be an about:config override for this. It seems like any time one of these browser authors does something "for security", it ends up being a perpetual pain in my ass and the ass of the users I support.
What do you even mean with that? Marking all JVM languages as unsafe? Marking JavaScript as unsafe (because it has so much to do with Java, right?) The issues Mozilla has with Java are limited to browser applets and the lack of security updates from Oracle (which, coincidentally, mainly affect the browser applets)
I reported this big issue forme in the developper forum.
al java version, even recent ones, ALL are considered, (not like flash...) as a "permanent unsecure virus" by Firefox.
- How can the Mozilla team can think they can get away with this ?
This behavior is all but neutral from firefox ?
- So I have to drop my software that I programmed in 7 years ?
Benjamin Smedberg (the guy at mozilla who made this shit) is an extremist.
I went 4 days ago in the developper forum to discuss about this :
---------------------------------
Me: "A red no entry sign" is too radical for recent java player I think.
My users give me a phone call to tell me "No way I will accept to install your software with this red warning"... Even the people who know me, tell me they got so scared they have really hesitated to accept java. Now I do understand at a time when java had urgent security issue this scary red-message was necessary. But I really wish that Firefox checks the java version installed ... and give a less-scary-warning-sign or a "go !" if the user has a recent java version (like the latest on java 1.7 update 30).
Benjamin Smedberg: "We fundamentally disagree about the risks of the Java plugin. We believe the Java plugin is unsafe, and we want to present that to our users".
-- Is there a boss at Mozilla ? someone who cares about developpers.
And yea Benjamin, you know, java is open source by the way.
Fuck you idiot !
Thierry
In both, with my existing old build of Java, I got a placeholder image like this:
https://dl.dropboxusercontent.com/u/1643240/outdated_java.pn...
Clicking it took me to the update page. Exactly what you want. There was an option in the top-left corner to forcibly load it, which is fine - updating is the right move.
Once I updated and uninstalled the old JRE, in Firefox 24 the applet I was trying loaded silently without any confirmation. It was not blacklisted.
In Firefox Nightly, once Java is updated, I see this placeholder where the applet would have been:
https://dl.dropboxusercontent.com/u/1643240/activate_java.pn...
Clicking the placeholder opens a prompt asking if I want to allow the plugin once or allow it always on this site. Very straightforward.
Other than the fact that modern Java 7 is not blocked by default in Firefox 24 for me (maybe they didn't roll that out yet?), everything works fine here, and I don't see any catastrophic UI mistakes, developer/enterprise-hostile design, or attempts at destroying the web.