Java in the browser is dead

So it's certificates now. It looks like Java applets don't care about certificate revocation lists at all. A signed applet that the user accepts runs outside the sandbox with full access to the system, so the validity of the signing certificate is the only thing standing between a web page and the machine; a revoked certificate should block that. Which makes the certificate revocation list kind of important. But no, let's just forget about that check. No need to hack the sandbox this time (which is easy anyway, see the last couple of Java updates).
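To make the missing check concrete, here is an added example that is not part of the original post and not Oracle's or the Java plugin's code. It is written in Python with the `cryptography` package (assumed installed) rather than Java so that it runs stand-alone: it builds a throwaway signing CA, issues two code-signing certificates, revokes one of them in a CRL, and compares a validator that only checks the chain signature and validity dates (the behaviour the post describes) with one that also consults the CRL and fails closed when the CRL is stale or not signed by the issuer. All names, serial numbers and dates are constructed in memory.

```python
"""Signed-code certificate check with and without CRL lookup (constructed example)."""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)


def _utc(obj, attr):
    """Prefer the tz-aware *_utc accessor (cryptography >= 42); fall back to the naive one."""
    dt = getattr(obj, attr + "_utc", None)
    if dt is None:
        dt = getattr(obj, attr).replace(tzinfo=datetime.timezone.utc)
    return dt


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_ca(cn="Example Applet Signing CA"):
    """Self-signed CA. Hypothetical name, generated fresh on every run."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_signer(ca_key, ca_cert, cn):
    """Leaf certificate of the kind that would sign an applet jar."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 90 * DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def build_crl(ca_key, ca_cert, revoked_serials, next_update=NOW + 7 * DAY):
    """CRL signed by the CA listing the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(NOW - 30 * DAY).next_update(next_update))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW - DAY).build())
    return builder.sign(ca_key, hashes.SHA256())


def check_without_revocation(cert, ca_cert, now=NOW):
    """What the post says the plugin did: issuer signature and validity dates only."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return "bad-signature"
    if cert.issuer != ca_cert.subject:
        return "wrong-issuer"
    if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
        return "expired"
    return "ok"


def check_with_crl(cert, ca_cert, crl, now=NOW):
    """The missing step: consult the issuer's CRL and fail closed if it is unusable."""
    result = check_without_revocation(cert, ca_cert, now)
    if result != "ok":
        return result
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted-crl"          # a CRL anyone could have produced proves nothing
    if _utc(crl, "next_update") < now:
        return "stale-crl"              # an outdated CRL may be missing recent revocations
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"


def demo():
    """Run both validators over a good signer, a revoked signer and a forged cert."""
    ca_key, ca_cert = make_ca()
    rogue_key, rogue_ca = make_ca("Rogue CA")
    _, good = issue_signer(ca_key, ca_cert, "Honest Applet Vendor")
    _, stolen = issue_signer(ca_key, ca_cert, "Vendor Whose Key Leaked")
    _, forged = issue_signer(rogue_key, rogue_ca, "Honest Applet Vendor")
    crl = build_crl(ca_key, ca_cert, [stolen.serial_number])
    stale = build_crl(ca_key, ca_cert, [], next_update=NOW - DAY)
    return {
        "good/no-crl": check_without_revocation(good, ca_cert),
        "stolen/no-crl": check_without_revocation(stolen, ca_cert),
        "forged/no-crl": check_without_revocation(forged, ca_cert),
        "good/crl": check_with_crl(good, ca_cert, crl),
        "stolen/crl": check_with_crl(stolen, ca_cert, crl),
        "good/stale-crl": check_with_crl(good, ca_cert, stale),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:16} -> {verdict}")
```

The point of the two validators is the `stolen` case: a certificate whose private key has leaked still has a valid signature and valid dates, so a checker without revocation lookup accepts it and grants the applet full access, while the CRL-aware checker rejects it. The stale-CRL and untrusted-CRL branches matter just as much; an implementation that silently treats "could not get a fresh CRL" as "not revoked" is no better than one that never looks.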

This is another huge security failure in Java applet 'security', one in a long line, and not the last one. In fact, there are still known vulnerabilities even in the latest Java version.

The latest series of security problems has caused a lot of damage to the whole Java platform and ecosystem. As a Java developer I can (and do) only advise everybody to uninstall Java, or at least to deactivate Java browser support, as a lot of people already do. But what is Oracle's reaction? Shipping one critical update after the other, faster than ever. That won't change much: the next critical security hole is just around the corner. Java in the browser is insecure and will remain so. Oracle just won't admit it.

The problem with that is: Java on the client will be dead next. Normal users cannot distinguish between Java browser applications and rich clients (which is kind of our fault, since we have told everybody for years to ignore that border). Server-side Java will not die that easily (good!), but the last couple of months have caused a lot of damage there too. It has become much harder to argue for a Java web application instead of, for example, .NET. Not that other frameworks don't have security issues too, but all people hear at the moment, at a certain (management) level, is that Java is insecure and needs security fixes every couple of days. How would you react?

This will become even harder in the future if Oracle continues like that. The only solution, in my eyes, is to remove Java browser support right now: get rid of this totally outdated and widely unused piece of technology and restore Java's good reputation before it is too late.

Published by Dominik

Java architect, developer, author, trainer, speaker, JCrypTool project lead and secure programming enthusiast.