Making Java secure again

The recent total failure of Java security is neither the first one, nor will it be the last. Java in the browser (in the form of Java applets) is not secure and will never be secure. Oracle can ship all the security patches it wants; the next major vulnerability is just around the corner.

This is comparable to Microsoft Windows security a couple of years ago. Year after year they tried to fix it and ran from bugfix to bugfix before realising that this would not change much and that a complete redesign of the operating system was required. In the case of Java, the only solution (in my eyes) is to remove browser support with the next major release, Java 8. The feature is no longer widely used; applets are plain old technology. Oracle should announce the end of support right now. Telling people to deactivate the plugin is not a solution; don’t even ship it. Users who still require Java in the browser can keep using Java 7 during the transition period. That gives all companies and all products enough time to switch from insecure Java applets to much safer Java web applications, which run the code on the server instead of inside the user’s browser. And companies still shipping Java applets should ask themselves why they force their users to rely on an unsafe technology.

Oracle keeps telling us (e.g. in the JRE installation dialog) that 3 billion devices run Java. That number will drop rapidly with every new major security problem. The security problems of one small part of the platform have a negative influence on the rest of it. Word will spread that Java is insecure, and that makes using Java in any project harder than necessary. Server-side Java is safe, Java desktop applications are safe, and embedded Java is safe (within the usual limits). The difference is that an applet executes untrusted code downloaded from arbitrary websites and relies on the JVM sandbox to contain it, whereas the other deployments run code the operator chose to install. But it is hard to make the case for Java’s security while everybody is hearing about Java security failures in the mainstream news. Normal users do not and cannot distinguish between browser and desktop application security the way we developers do. For a normal user, Java is failing. This will be a huge problem in the future.

And finally, removing Java browser support would free up the time of all the great Oracle Java engineers to move the platform forward. The rest of the Java platform would surely benefit from that.

Published by Dominik

Java architect, developer, author, trainer, speaker, JCrypTool project lead and secure programming enthusiast.