Flash Next?
Oracle is seeing the error of their ways, now will Adobe?
Oracle has announced that it will kill off Java browser plugins once JDK 9 debuts. Big Red's post on the matter says it's sniffed the anti-plugin winds and agrees with the idea that plugins are so 90s and have no place in the modern browser, so “developers of applications that rely on the Java browser plugin need to consider …
Working in schools, the swansong of Flash is already being sung.
Flash doesn't work on iPads. Keeping multiple versions of Flash inside multiple browsers up to date is a pain. Most educational content suppliers are moving from Flash to HTML5.
And these are the people who are STILL selling disks they made in the 90's using Quicktime.
But with Flash not on most tablets (Android support stopped a long time ago, iPads have nothing in the way of Flash, etc.), they can't cater to a large sector of their market and get complaints all the time. Their solution universally appears to be HTML5 - and I can't say I disagree. As a coder, I was amazed at what's possible with emscripten, Node.js and even an unaccelerated browser on a cheap iPad, smartphone or Android tablet.
Java's "write once, run anywhere" has ironically been replaced with Javascript in a browser, where it's actually closer to being true. I wrote an SDL app in C99 the other day - a change of compiler name from "gcc" to "emcc" and it turns into Javascript that runs on iPad, smartphone, Android tablets, all major browsers (not IE, but Edge, so that's not a problem), and runs more than fast enough even with business-level unaccelerated graphics cards to play games. Add in SDL_Mixer and it plays sounds through the browser too. Wrap an ordinary service in websockify and it can talk plain sockets to your servers. Put in OpenGL and it becomes WebGL.
Even the kids have caught on. 3D games are available in-browser, no plugins required. Go look at the example games on the emscripten website, for instance.
Flash is dead in the face of this. And good riddance.
The issue is that OpenJDK would have eventually replaced their proprietary VM given time, had they not taken steps to improve their behavior. The monetization of Java was always on the enterprise end (support and app servers). Trying to monetize client installs was a bad approach, especially with capable alternatives.
"Big Red's post on the matter says it's sniffed the anti-plugin-free wind and agrees with their thinking..."
Wait, what is "anti-plugin-free"? Isn't that just 'pro-plugin?' Well, never mind that, what about the concept that Oracle "agrees" with eliminating their own plugin? Can we all agree that this is comedy gold?
Today, the best thing you can say about the Java plugin is that it’s gone.
Java should have been a good idea, providing a cross-browser platform delivered over the Web. The language itself was (is) good (if somewhat dated) and the whole byte-code mechanism promised flexibility and a vendor-neutral environment. Too bad it never really happened and the cost of relying on a buggy insecure plugin that didn’t quite do the job more than outweighed the benefit.
At least maybe now the Australian Government might get the hint and dump Java for its web security. Or maybe not …
The idea behind Java is indeed excellent, and the implementation has indeed been poor.
The pitiful outcome is that the world seems to have chosen the worst possible language (Javascript) to use instead. And thus once again the lowest and crummiest common denominator wins.
Of course there's not a lot to guarantee that Javascript is any more secure. The browsers are simply becoming a new OS in which (web) applications run. There's plenty of opportunities for cock ups in there, which will become apparent if Web apps become dominant.
Of course there's not a lot to guarantee that Javascript is any more secure. The browsers are simply becoming a new OS in which (web) applications run. There's plenty of opportunities for cock ups in there, which will become apparent if Web apps become dominant.
There is also the huge "ecosystem" that has quickly sprouted around Javascript. Have been looking at it lately more closely than I would like, for work reasons, and felt like an explorer on an alien planet. The Javascript way seems to be to layer library upon library, downloaded from all over the net, with little concern for security (or licenses - one I looked at had an interesting patent poison pill that should give fits to any corporate lawyer). The extremely dynamic nature of the language also invites obscure hacks (it's rather like LISP with a C-like syntax), and means most errors can only be detected at run-time. A simple-looking web page may be the result of hundreds of Kb of Javascript libraries, implementing the latest cool way to do the same old thing... The complexity pretty much guarantees there will be spectacular security holes.
The Javascript way seems to be to layer library upon library, downloaded from all over the net, with little concern for security (or licenses ...
...or efficiency, or speed of loading.
I have a feeling that Javascript will one day be seen to have been an even bigger security and usability problem than Java ever was. The design and implementation of the Java plugin environment in the browser has always been well short of ideal, but the language itself is far better than Javascript and given a well thought-out execution environment it could have been so much better than the ugly mess that we get with Javascript.
The Javascript way seems to be to layer library upon library, downloaded from all over the net, with little concern for security (or licenses - one I looked at had an interesting patent poison pill that should give fits to any corporate lawyer). The extremely dynamic nature of the language also invites obscure hacks (it's rather like LISP with a C-like syntax), and means most errors can only be detected at run-time. A simple-looking web page may be the result of hundreds of Kb of Javascript libraries, implementing the latest cool way to do the same old thing...
Sounds almost exactly like Perl then. So, that's two languages to avoid now... :D
Heartily disagree. If you look at the recent security issues in the Java plugin, many come from a large attack surface of APIs not intended at all for the browser. The attack surface of JavaScript is significantly lower. It's a much better language for Web development. If you consider the significance of REST in webdev, having the flexible object literal notation of JavaScript really makes it a good choice. Python perhaps, but it would have to be a significantly cut down version.
"JavaScript is far more insecure than Java. It's just that the web dudes haven't seen it yet."
And they probably never will. Most of them know next to nothing about good programming practice (those of them that can actually code and don't just build a page lego brick style by including someone else's scripts) or the world of coding outside their little niche. It's not entirely their fault, since it seems for a lot of schools and colleges, development begins and ends inside a browser, so if you only get taught HTML + JavaScript and you have little curiosity about anything else then HTML and JavaScript are your coding world and you'll try and use them for everything whether appropriate or not. Hence we have V8 and node.js.
Java was designed to build portable "desktop" applications, "write once, run anywhere!".
It didn't work as expected, and it became mostly a server side language (for its capability to sandbox the developer).
When it was born, the web was still in its infancy and not yet dominant as today. When the web got traction, it was attempted to bolt it into the browser so a Java app could be run within. Again, an approach that didn't work.
From some perspectives, the Java approach could be better than the pile of s**t web applications are, including the need to run within something still called a "browser", and their over-reliance on a protocol like HTTP not designed for full duplex communication. But Java did its best to become overly complex, and its runtime never became a standard like the actual JavaScript runtime, the thing called "the browser".
It's deprecated because of the need to provide backwards compatibility for previous versions of the JDK. They have got a better and newer version of data APIs ripped seemingly directly from jodatime. In Java 9 modules should be making an appearance, which means the ridiculous memory footprint should be being resolved, and the old data API will never get loaded.
Java has served me well over the last 15 years so I've got a bit of love for it, but the browser plugin should have been abandoned at birth. Even back in the day when people thought running applications in browsers via a plugin was a good idea, the Java plugin was bad. The fact it's still around in Java 8 is, well, words fail me.
The thing that really saddens me is that if Sun had got its act together Java could maybe have become the language used in browsers. Instead we've ended up writing the web in JavaScript - an absolute abomination of a language which is no more or less intrinsically safe than Java.
The only issue with it is just how long it will take organisations to migrate their systems away from Java plugins. Where I work, I hate Java simply because we have numerous different systems running it, some need later versions of Java plugins, some run into issues with Java 8, meaning it's often a bit of a minefield trying to either configure later versions of Java to run these applications (usually successful with enough tweaks to security and the likes), or sometimes finding a middle-of-the-road version of Java which does work with everything (not ideal from a security point of view for obvious reasons).
I do worry that some organisations will cling to outdated versions of Java, rather than investing the necessary resources to upgrade these apps to dump their requirement for the Java plugin. If it can be done though, I'll be one of the first to rejoice!
I don't understand the link between Java plugins and the Ask Toolbar. The latter is a crappy piece of software designed to work as a browser toolbar, and AFAIK is not even written in Java.
The Java plugin is a browser plugin that allows specific Java applications to be run from and displayed inside a browser.
A number of scummy freeware developers have discovered that they can make some money off their work by including someone else's malware with their installer. Apparently Java did this for a while: installing the Ask toolbar while installing Java if the user missed the opt-out button. The claim is that they've now wised up and try to trick users into installing Yahoo's malware with Java instead of Ask's.
I can't comment on the veracity of those claims as I'm too jaded by these and just make an overwhelming effort to check every last install setting for Java and HP drivers to make sure they don't install their malware du jour on my machine.
Gentoo Linux Java lead here! I predicted this would happen given that Chrome has already dropped NPAPI and Firefox probably will. If for some god awful reason you still need the plugin (and you can find a browser that still supports it, maybe SeaMonkey?), the IcedTea-Web project maintains a perfectly good alternative, as well as its own Web Start implementation. I don't think it supports Windows but it has been looked into.
...won't be upgrading any time soon. Currently we need to have Java 6, 7, or 8 and Firefox or IE11 running in "Enterprise Mode" to support the multitude of internal sites, vendor sites, and various ERP systems we use. I expect that we will be fully migrated off needing the Java plugin sometime around 2025.
Sadly, that is wrong. One of the key pieces of software used at the government agency where I work depends on precisely that plug-in. And when I say key pieces of software what I mean is pretty much the entire accounting system for our multi-billion dollar agency. Given what a piece of crap it is, I suspect this abomination has been mandated from an even higher level in our government. When I first started working here Oracle had recently purchased Sun. And when I went searching on the internet for a fresh copy of the mandated version of Java we had to use, Sun had discontinued support for it more than a year before I made the search. I'll grant they've improved since then. They're actually almost keeping up with the most currently released version of Java. But I still can't see them writing that sort of code conversion before Oracle kills the plug-in.
Mind you, this isn't to say I wouldn't like to not miss it. No part of my job is more annoying than dealing with this particular crapware, not even dealing with the dweeb who lives 10 minutes from work but can't get it through his thick skull that the cybersecurity Drow won't let us use remote access tools to fix his laptop while he is teleworking.