Firefox devs attacked for Java block
Java now requires explicit permission to run in the latest version of Firefox, thanks to a patch that rolled out late last week.
Developers at Mozilla, the not-for-profit behind Firefox, are hoping that it will help protect end users from the notoriously unsafe browser plugin – but many have complained that the move has disrupted their businesses (and even the entire nation of Denmark).
Since January, the browser has already blocked out-of-date (and vulnerable) versions of Java. However, in the wake of a particularly nasty SSL-decrypting exploit, Firefox devs made the decision to prevent any version of Java from auto-running.
The blocks were implemented last week, displaying an ominous red dialog (or an easy-to-miss icon, shown below) when users land on a page with a Java applet.
Despite the move being made with the best possible intentions, by the end of the weekend the bug ticket began to fill up with complaints from irate users.
“Have you all suddenly gone insane?” asked one, a user named ‘ipatrol’, who compared the situation to a Dilbert comic in which a character proclaims: “Security is more important than usability.” Others were even less kind: one described the move as “ultra-irresponsible”.
“Our company and our users are legitimate users of Firefox,” wrote a software engineer at Ephox, which produces in-browser rich text editing software. “We have needs and requirements – one of those is for Java to work.”
Users of outdated government sites appeared to be particularly affected. “It affects all citizens of Denmark, as the national login is blocked,” noted one commenter. Another, claiming to work in Spanish local government, said that “just about ever [sic] ministerial applet is written in JAVA – and since yesterday we're screwed”.
And the comments kept coming. “Our business depends on using some java applications,” said one sysadmin. “Blocking java the way you did it, simply means: We can't use Firefox in our company anymore.”
Mozillans attempted to point out that Java was still a couple of clicks away, and that sysadmins can enable Java en masse with a Click-To-Play manager plugin. However, commenters emphasised the difficulty of educating users about the changes, and some even claimed that the click-to-play dialog did not appear for them.
Firefox’s developers are not the first to shield users from Java applets. The Chrome team implemented a similar – if less alarmist – permissions dialog over a year ago, and the latest version of Java already has a similar dialog by default across all browsers.
Still, Mozilla’s bold move appears to have a struck a nerve – even if it may be among a relative minority. For better or worse, Java applets are still crucial to a number of web users.
Source: Jaxenter