
Firefox devs mull dumping Java to stop BEAST attacks

Firefox developers searching for a way to protect users against a new attack that decrypts sensitive web traffic are seriously considering an update that stops the open-source browser from working with Oracle's Java software framework. The move, which would prevent Firefox from working with scores of popular websites and …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Baby? bathwater?

see title

8
0
Paris Hilton

Re: Baby? bathwater?

I guess we are forgetting who pays for the electricity that powers Mozilla's computers.

0
0
Silver badge

"I really hope Oracle gets an update of their own out..."

Sure, but if BEAST isn't going to cost Oracle any money, does Oracle really care?

4
0
Silver badge
Joke

It's not a bug!

It's a feature!

I guess there are more people out there who dislike Oracle and its products.

2
1
Mushroom

Fascinating

http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue

Turns out that Opera supposedly also has only Java to be concerned with. And you can change plugin policy SO easily....in fact I just did. Right now. Hole==CLOSED.

1
3
Flame

"Horrible user experience"

That's a good one! It's difficult to conceive of a more "horrible user experience" than the buggy, sloth-like, pig-ugly dinosaur that is client-side Java. Put it out of its misery, please.

13
15
Silver badge

What?

Client side java can be as attractive or ugly as the developers / designers make it. I can think of apps which look very attractive, others which look like any other Windows native app, and others which look pig ugly.

6
0
Bronze badge
WTF?

Re: Horrible user experience

Why does everyone assume it is the language that is responsible for crap software. Ever thought it might be the ability of the developers and or time scales that are the cause.

4
0
Flame

There are excellent Java apps

Eclipse being one of the major ones I use. Unfortunately it fits right in there under "sloth". I have yet to see a major Java client app that is all of nimble, usable and attractive. And as for in-browser applets, and corporate in-house monstrosities - they are just invariably shit.

Blame the developers? If a platform can't deliver the facilities to enable developers to deliver responsive, attractive apps on schedule - that's a problem with the platform much more than the developers. Unless one thinks the very act of learning java puts one in a creative straitjacket ;-)

3
1
Thumb Down

Huh?

First, for any confused folks out there: Java and Javascript are completely different things. Java is a statically-typed compiled programming language also used in places other than inside web browsers. Javascript (very similar to the scripting inside Flash) is a run-time typed scripting language used mostly inside web browsers.

"The researchers settled on a Java applet as their means to bypass SOP". Ok, so the guys that showed the exploit chose to use Java to do so. That does not mean that there aren't other ways to do the bypass. What about Javascript? "BEAST injects JavaScript into an SSL session to recover secret information". Sounds like Javascript is more at fault than Java.

Not enough info in the article, but perhaps some of the interfaces available to Java applets make the bypass job easier than other methods. I fail to see why removing Java is a fix for the basic problem. Perhaps removing some specific interface is a better answer. But, if that is done, then make sure that interface is removed from *all* browser API's, especially those available to Javascript. Also anything that can be triggered by the new HTML5/CSS features.

Sounds like the Firefox guys want to be seen to be doing something, and just marking Java as "bad" is the easiest thing they could think of. It certainly doesn't seem like a "right" answer to me.

Javascript may be the real culprit here, but they can't remove that because many many websites would be completely broken without it. Even many of El Reg's pages won't properly display Flash files unless Javascript is enabled (it seems to depend on the author - Lewis's pages require Javascript).

10
5
Silver badge

'"The researchers settled on a Java applet as their means to bypass SOP". Ok, so the guys that showed the exploit chose to use Java to do so. That does not mean that there aren't other ways to do the bypass. What about Javascript?'

JavaScript is subject to SOP BEFORE it's run, so crafting JS to bypass SOP is much more difficult to do -- kind of a chicken and the egg problem. Also, since every browser's implementation of JavaScript is different (often even between major versions of the same browser) any discovered exploits of this would likely affect only one or two major versions of one browser.

There are TWO exploits here. The first (the vector) is the exploit of an unpatched Java flaw that allows bypassing of SOP. That requires a fix by Oracle, and they have not been forthcoming about whether/when they will do so. The second (the payload) is the JS injection into the SSL stream.

Even if the BEAST payload didn't exist, the fact that Java allows a means to bypass SOP at all means it can be used to deliver all sorts of nasty exploits. So even though Java is not responsible for BEAST per se, it is currently a weak platform. It is also the only known vector for BEAST at this point, making disabling of it a plausible candidate for a short-term workaround.

Nobody (that I know of) is claiming that disabling Java will resolve the underlying issue with SSL. However, from what I know, that appears to be a weakness with the specification, meaning a complete fix is likely to take some time and effort to implement. So it would be folly not to at least consider ways of minimizing the attack surface in the meantime.

15
0
WTF?

Well written.

Java is NOT Javascript. Funny that even developers mix them up. lol

2
2
Bronze badge
Happy

Java is to Javascript as a Clown is to a Clown Fish.

3
0
Unhappy

Your point?

They're both fucking scary. So they're different types of the same thing.

1
1
Anonymous Coward

F*** me dead!

Wow!

1: An intelligent, reasoned assessment from a poster

2: No mention of Apple as the root of all evil anywhere to be seen.

Maybe Scotty was wrong?

Dweeb

0
0
Megaphone

Fact

None of my customers is using firefox for business (in the last 5 years), only internet explorer. This idea of corporate using firefox is quite far fetched. Unless they are some weird hippy corporation that hasn't yet learned better (not because firefox has a problem per se, just because a lot of business software still doesn't work 100% properly in it).

As long as Microsoft doesn't block it, it will be fine.

Now for the personal preference: I never felt good about having programming capabilities in a web page. Maybe it's time to let web be as pure html and more advanced stuff be done with flash or silverlight, or as apps.

2
33
Anonymous Coward

Irony

Funnily enough, Firefox is one of the supported corporate browsers where I work... at Oracle.

Anon for obvious reasons.

13
0
Silver badge

Different Fact

"This idea of corporate using firefox is quite far fetched"

Not on planet Earth, where there's plenty of companies (including some I do work for) that ban IE and using it to access the web can get you a written warning.

Personally, I rarely switch Java on in any browser I use so this aspect of the BEAST story isn't a big deal.

10
0
Unhappy

Not on Windows

We use Firefox for our users, or will, to access internal sites that will use Java. Users are not always on Windows platforms and Firefox is supported (Opera and Chrome aren't) by the vendor code on the site.

1
0
Stop

Is Defense Industry Enterprise enough?

"Unless they are some weird hippy corporation that hasn't yet learned better (not because firefox has a problem per se, just because a lot of business software still doesn't work 100% properly in it)."

Do you consider Defense (like government) hippy? So speak for yourself and not for what other organisations are running!

5
0
JC_
WTF?

"Not on planet Earth, where there's plenty of companies (including some I do work for) that ban IE and using it to access the web can get you a written warning."

Really? That's just bizarre, since Firefox doesn't play well with AD & group policy. Surely it's better for users to have up-to-date IE than any old version of Firefox?

If it's such a big issue to prevent use of IE, then the written warnings should go to the network administrator for being too incompetent to stop it...

1
5

Fact!

None of my customers is using IE for business (in the last 5 years), only Firefox. This idea of corporate using IE is quite far fetched. Unless they are some weird hippy corporation that hasn't yet learned better (not because IE has a problem per se, just because a lot of business software still doesn't work 100% properly in it).

7
0
Silver badge

Firefox by stealth

"Officially" lots of companies are stuck on IE. Usually this is because of some really stupid past mistakes such as writing / buying tools which use IE controls, or IE JS idioms / HTML quirks which don't work properly on other browsers.

But I bet if you look beyond the surface that many workers would use Chrome or Firefox as their day to day browser and IE for the shitty timekeeping system or whatever. It's also likely that as this internal pressure continues that eventually IT will fix the broken apps or they'll be sure to get a browser neutral replacement the next time around.

The funny part about all these broken internal apps is it probably seemed like such a great idea at the time to develop against one browser but the expense going down the line including replacing this brokenness is probably 10x as much as it would have cost to make the app cross browser compliant in the first place.

3
0

you what?

My company delivers FF as standard on all PCs. Why? Because we have IE6 for some stupid biz app, but we need a real browser for internet access. You may not have heard about this, but a lot of business apps run on t'interweb these days. Nice idea about a static web, though; someone go tell everyone that HTML5 is dead, all you really need is Word "save as HTML". So will my Flash/Silverlight app run on an iPhone?

1
0

Kind of agree

To be honest I do exactly that, use IE for work apps and Chromium or Firefox for personal use.

I don't curse the use of IE though, if only because I've been involved in testing, and only having to do regression and UAT testing (internal company apps) against one browser on one particular version is infinitely preferable to trying to do it against an ever-changing background.

WSUS and IE make it a doddle to ensure you are consistent across your environment.

'Maybe' IE is not the best browser but its not about 'bad decisions' its about your TCO and aggravation levels...

0
0

Firefox is not only supported at work, but embraced. I have one app that will only work under Firefox. The ONLY time I launch Firefox is for that one app.

We have hundreds of users with Firefox installed.

Everything else is IE, which is the default browser.

I use Chrome Portable for browsing at work.

0
0
Anonymous Coward

what?

You have either never had a job or are totally ignorant.

0
0
Windows

I knew I was going to get a lot of flak for this, but someone had to say it.

So logically I take it there are 26 corporations (thumbs down) possibly who are represented at the Register and use Firefox? I need not comment more than this.

I wrote my venting post because I've had enough of people promoting Firefox and I've had enough of testing it in a productive environment, always confirming that it still has a quirk here and there. The difference between business and hippy is that business rarely accepts compromise and expects reliability and stability, besides strict integration of a browser in the network policy. I don't mean any public sector or public sector related business. That's a whole different species. And I would also expect that Microsoft competitors do not use IE either, duh!

1
0
Anonymous Coward

Um, the NHS mandates only IE for use in a lot of their systems... scary, huh?

0
0
Paris Hilton

Just installed no script again, after leaving it for some arbitrary reason I've long forgotten. Firefox literally flies. (and useless exposition is a joy)

2
0
Anonymous Coward

As far as i am aware...

Any place using Citrix probably won't be using Firefox.

1
2
Bronze badge

"Any place using Citrix probably won't be using Firefox."

Since citrix would use java to connect for home users from their own machine, 25% of them are likely to be using firefox.

In machines controlled by the IT department, they would be using the citrix client (whether via PNA or a web interface) so java would be immaterial.

(Posted from a site that uses citrix and has lots of firefox installs)

0
0
Bronze badge
Boffin

Would lose at least one bank site I know of

Losing Java would instantly make Firefox incompatible with the online banking site of a major bank in the Nordic region (Danske bank, and its affiliates, fortunately that is not the one my money is in). Probably similar cases exist elsewhere as well.

One could argue they would get what they deserve: there is no real need for such complications, as the bank I use nicely demonstrates: works on almost any browser and OS, JavaScript is optional, and has single-use passwords.

2
0
Silver badge
Devil

A lot of banks which use "virtual keyboard" to try to fool keyloggers rely on Java to do so.

0
0
FAIL

Bye bye Firefox

I was just going to say the same thing. Danske Bank took over one of the main Finnish banks (Sampo) and promptly reverted their webbank to something from the 90's. And it now relies entirely on Java for authentication. There was absolutely no need for that and Sampo's previous site worked across all devices. But it is what it is now.

So if they ever did block Java I'm sure many customers across the Nordic countries would have to give up on Firefox. Never mind all the support calls from extremely confused customers.

3
2
Bronze badge
Big Brother

Og alle de andre

Nykredit and a whole host of other banks as well.

Basically, "no Java" pretty much eliminates banking in Danmark.

IIRC, the new National Digital Identity system is Java based (and yes widely criticised for being that - but I digress). So when use of this identity becomes mandated (and it will become so), then there will be no access to any government site, or any vbank, or any insurance company or any ...

Welcome to Danmark.

And on a side note, the former head of the Danish Communist Party, Ole Sohn, a Soviet boot licker and apologist of the worst kind during the 80s and beyond, has just been appointed as the "Minister of Economic and Business Affairs" in a new Left wing coalition Government.

0
0
Thumb Down

How to lose your users......

In one easy hit!

Life was easier when the world was IE I suppose....

0
3
Anonymous Coward

Should browser and httpd makers not simply be focusing on implementing TLS 1.1/1.2? If I recall, a previous article mentioned that these were not vulnerable to the exploit. If providers on both sides were to implement this then surely the whole problem goes away (except for people who don't bother to update, and they're probably already exposed to countless other exploits anyway for not keeping their software up to date).

8
0
Silver badge
Thumb Up

I agree with AC

From previous reports, there are far less dramatic methods of dealing with this problem, and implementing TLS 1.1/1.2 appear to be right at the top of the list. Disabling something that, rightly or wrongly, forms a major part of the internet experience for most people seems overly cautious, and Mozilla really need to look hard at other options.

4
0
Meh

TLS 1.1/1.2 support needed at both ends

The problem here is that the server side also needs to support TLS 1.1/1.2, which OpenSSL - probably used in the majority of Apache HTTPS servers - doesn't. If the server only supports up to TLS 1.0, then whatever the client advertises support for, the version will end up downgraded to 1.0 as part of the initial negotiation.

However, since the attack only works with block ciphers in CBC mode, there's a second work-around that could easily be implemented: if the server responds that it only supports TLS 1.0, abort the handshake and start again, prioritising a stream cipher (of which RC4-128 is the only viable option in TLS 1.0, AFAIK). Unfortunately it would have to involve disconnecting & reconnecting, since the client outlines its supported ciphers & their priorities in its opening message (i.e. before it is known which TLS version the server wishes to use) and I think only servers can initiate a renegotiation in-session, but it could be done.

2
0
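The point made in the post above, that BEAST only bites block ciphers in CBC mode and only under TLS 1.0, comes down to how the IV is chosen: TLS 1.0 uses the last ciphertext block of the previous record as the IV of the next one, so an attacker who can both sniff the connection and inject chosen plaintext can test guesses for the unknown bytes one block at a time; TLS 1.1 and 1.2 send a fresh random IV with every record. The following is an added example, not code from the article or from any commenter, that models this chosen-boundary attack. A toy Feistel cipher built on SHA-256 stands in for AES so that it runs with the Python standard library only; Tls10Sender, Tls11Sender, beast_recover and the cookie value are constructed for the demonstration and are not anyone's real implementation.

```python
"""Added example: why TLS 1.0 CBC is exploitable by BEAST and TLS 1.1 CBC is not.
The cipher, the victim classes and the secret are all constructed for this demo."""
import hashlib
import os

BLOCK = 8  # toy block size in bytes; AES uses 16, the attack logic is identical


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 8-round Feistel cipher standing in for AES (assumption: any secure
    block cipher behaves the same way once wrapped in chained-IV CBC)."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, left, rnd)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def pad(data: bytes) -> bytes:
    """Zero-pad to a block boundary (a simplification of TLS padding; the attack
    does not depend on the padding scheme)."""
    return data + b"\x00" * (-len(data) % BLOCK)


class Tls10Sender:
    """Victim, TLS 1.0 style: the IV of each record is the last ciphertext block
    of the previous record, so anyone sniffing the wire knows the next IV."""

    def __init__(self, key: bytes, secret: bytes):
        self.key, self.secret, self.chain = key, secret, os.urandom(BLOCK)

    def send(self, attacker_data: bytes) -> bytes:
        # BEAST setting: the attacker's injected script chooses the bytes that
        # precede the cookie in the request but cannot read the cookie itself.
        ct = cbc_encrypt(self.key, self.chain, pad(attacker_data + self.secret))
        self.chain = ct[-BLOCK:]
        return ct


class Tls11Sender(Tls10Sender):
    """Victim, TLS 1.1/1.2 style: a fresh random IV per record, sent in front of
    the ciphertext. The attacker sees it, but only after committing the plaintext."""

    def send(self, attacker_data: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(attacker_data + self.secret))


def beast_recover(victim, secret_len: int):
    """Byte-at-a-time recovery assuming TLS 1.0 IV chaining. Returns the secret,
    or None if no guess ever matches (what happens against a random IV)."""
    last = victim.send(b"A" * BLOCK)[-BLOCK:]  # warm-up so the next IV is known
    known = b""
    for k in range(secret_len):
        # Choose the boundary so secret[k] is the LAST byte of block j and every
        # other byte of that block is already known to the attacker.
        prefix = b"A" * (BLOCK - 1 - k % BLOCK)
        j = k // BLOCK
        ct = victim.send(prefix)
        blocks = [last] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        c_before, c_target = blocks[j], blocks[j + 1]
        last = ct[-BLOCK:]
        head = (prefix + known)[j * BLOCK: j * BLOCK + BLOCK - 1]
        found = None
        for g in range(256):
            # E(probe XOR next_iv) == E(head||g XOR c_before) == c_target iff g is right
            probe = xor(head + bytes([g]), xor(c_before, last))
            ct = victim.send(probe)
            last = ct[-BLOCK:]
            if ct[:BLOCK] == c_target:
                found = g
                break
        if found is None:
            return None
        known += bytes([found])
    return known


KEY = os.urandom(16)
SECRET = b"session=s3cr3t"  # constructed stand-in for the cookie BEAST targets


def demo():
    """Run the same attacker against a TLS 1.0-style and a TLS 1.1-style sender."""
    v10 = beast_recover(Tls10Sender(KEY, SECRET), len(SECRET))
    v11 = beast_recover(Tls11Sender(KEY, SECRET), len(SECRET))
    return v10, v11


if __name__ == "__main__":
    v10, v11 = demo()
    print("TLS 1.0 chained IV  :", v10)
    print("TLS 1.1 explicit IV :", v11)
```

The attacker never touches the key; it only needs the two capabilities the commenter above describes, a sniffer on the wire and a way to make the victim encrypt chosen bytes in front of the secret, which is exactly what the injected JavaScript provides once same-origin policy has been bypassed. Against the TLS 1.1-style sender the probe is computed with a stale IV and no guess ever matches, which is why moving both ends to TLS 1.1/1.2 (or, on TLS 1.0, preferring a stream cipher) removes the attack without giving up CBC everywhere.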
Silver badge

@mangobrain: Chicken and Egg

>>>>>>>>>>>>

The problem here is that the server side also needs to support TLS 1.1/1.2, which OpenSSL - probably used in the majority of Apache HTTPS servers - doesn't. If the server only supports up to TLS 1.0, then whatever the client advertises support for, the version will end up downgraded to 1.0 as part of the initial negotiation.

<<<<<<<<<<<<

Yes indeed, but that doesn't excuse Mozilla from implementing TLS1.2. Even MS have that in IE9, it's just that it's not switched on by default. I gather that Opera supports it too.

The sensible solution is to implement TLS1.2 in all browsers. That would allow website operators to upgrade and start mandating it for secure connections without losing their users. A sensible solution has a feeling of inevitability to it, especially if some market-viable browsers already support it. For example, it would be viable right now for online banking sites to say that you have to switch on TLS1.2 in IE9 or use Opera, and bar Mozilla and Chrome. It would cause a lot of phone calls, but they could do that right now.

If Mozilla are going to be lazy buggers and say 'not our problem' then Firefox risks getting labelled as being insecure by design. These musings from the Mozilla dev team might be indications that they're not taking the issue seriously, but this is not the first time that's happened.

But if I may get back to your good point about OpenSSL: what is the OpenSSL community doing in not supporting TLS1.1/1.2? It's like they've heard of it, agree that it offers better security, but frankly can't be bothered to incorporate it because they've not got the time or inclination. TLS1.2 was defined by RFC5246 in August 2008 (outrageous quoting from Wikipedia). That's more than three years ago. I don't think that counts as a hearty demonstration of proactive steps to maintain the worth and reputation of their software. They're essentially conceding that they're quite happy to be outdone by Microsoft...

1
0
Stop

Citrix and Firefox

Our IT department will install Firefox on request. And you can make it work with Citrix - sadly you have to log in using IE first, but after running an app through the Citrix client once, that seems to sort out the certificate on Firefox too. To my mind web stuff should run on any browser without faffing or ballache.

2
0
Anonymous Coward

Citrix and firefox

I've been at a company that used Citrix before. Getting Citrix to work in Firefox wasn't a particular problem, not to the extent mentioned by Dave Perry 2 even. It tries to claim the certificates are out of date when you attempt to log in, but it's just a simple matter of exporting your certs from FF and then re-importing them. This refreshes the date on them and suddenly Firefox no longer seems to care! This was FF 3.6 I think; it was a while ago.

0
0
Silver badge

Story needs clarification

If the BEAST attack can also be performed via the Java plugin then the same problem exists in all the other browsers as well, no?

2
0

Clearly it exists with all browsers

But only firefox is considering dumping java as a result (accepting we don't have access to the email threads internally at microsoft).

If it were me I wouldn't dump it, I'd just put up a bloody great warning every time a site tries to use it (which isn't many sites these days) warning that the plugin has a known security hole and they won't be responsible for the results if you use it.

4
0
Silver badge

Not exactly dumping it...

They're talking about a soft block, which means that it will be disabled, the user will be notified, and if the user wants to run the risk of running Java then they can turn it back on again.

More or less what you suggest.

0
0
Silver badge

Can't remember how many versions (and security problems) ago I disabled Java in FF but I've never missed it. In the event I ever do need it, NoScript gives finer control.

It's long past the time FF shipped with Noscript installed and enabled.

4
4
JC_
Thumb Down

NoScript + typical user = broken internet.

Yeye, I use NoScript, too, but most people can't be arsed to put up with Javascript not working by default.

4
1

Same here - I think I've had one occasion in the last 12 months that a site demanded Java (well it did in the big print but had a non-java version available too)

0
0
Silver badge
FAIL

Err... Java isn't Javascript.

NoScript blocks JavaSCRIPT.

1
1
