Results 1 to 10 of 10

Thread: Java RE to be deprecated

  1. #1
    Member
    Join Date
    May 2006
    Location
    Melksham, Wiltshire
    Posts
    147
    Thanks
    3
    Thanked
    8 times in 7 posts
    • mark_a_scott's system
      • Motherboard:
      • Asus RoG Rampage V Edition 10
      • CPU:
      • Intel Core i7 6950X
      • Memory:
      • Corsair Dominator DDR4-2400 128GB
      • Storage:
      • 512GB Samsung 950 Pro M2, 2TB Samsung 850 Evo, 2x 6TB WD Green, Blu-Ray Writer, DVD Writer
      • Graphics card(s):
      • 2x eVGA GTX980Ti 6GB in SLI
      • PSU:
      • Corsair 850w
      • Case:
      • Corsair Obsidian 800D
      • Operating System:
      • Windows 10 x64
      • Monitor(s):
      • Philips BDM4065UC 40" 4K
      • Internet:
      • Virgin Media Vivid 200Mb/s

    Java RE to be deprecated

    A good year so far for security, not only has Internet Explorer versions pre v11 and Adobe Flash been withdrawn, now Oracle have withdrawn Java Runtime for Java v9 due out later in the year: https://blogs.oracle.com/java-platfo..._a_plugin_free

    Will be interresting to see whether this is just the Web plug in or whether the entire runtime is due to be killed.

  2. #2
    bored out of my tiny mind malfunction's Avatar
    Join Date
    Jul 2003
    Location
    Lurking
    Posts
    3,923
    Thanks
    191
    Thanked
    187 times in 163 posts
    • malfunction's system
      • Motherboard:
      • Gigabyte G1.Sniper (with daft heatsinks and annoying Killer NIC)
      • CPU:
      • Xeon X5670 (6 core LGA 1366) @ 4.4GHz
      • Memory:
      • 48GB DDR3 1600 (6 * 8GB)
      • Storage:
      • 1TB 840 Evo + 1TB 850 Evo
      • Graphics card(s):
      • 290X
      • PSU:
      • Antec True Power New 750W
      • Case:
      • Cooltek W2
      • Operating System:
      • Windows 10
      • Monitor(s):
      • Dell U2715H

    Re: Java RE to be deprecated

    It's just the plug in - the post quite clearly states that java web start is staying around (which requires / launches the JRE). I haven't seen anything use the java plug in for ages.

  3. #3
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    12,978
    Thanks
    778
    Thanked
    1,586 times in 1,341 posts
    • DanceswithUnix's system
      • Motherboard:
      • Asus X470-PRO
      • CPU:
      • 5900X
      • Memory:
      • 32GB 3200MHz ECC
      • Storage:
      • 2TB Linux, 2TB Games (Win 10)
      • Graphics card(s):
      • Asus Strix RX Vega 56
      • PSU:
      • 650W Corsair TX
      • Case:
      • Antec 300
      • Operating System:
      • Fedora 39 + Win 10 Pro 64 (yuk)
      • Monitor(s):
      • Benq XL2730Z 1440p + Iiyama 27" 1440p
      • Internet:
      • Zen 900Mb/900Mb (CityFibre FttP)

    Re: Java RE to be deprecated

    Quote Originally Posted by malfunction View Post
    It's just the plug in - the post quite clearly states that java web start is staying around (which requires / launches the JRE). I haven't seen anything use the java plug in for ages.
    Interesting, is web start in any way more secure than the old java plugin which has been the cause of so many drive-by infections over the years?

  4. #4
    bored out of my tiny mind malfunction's Avatar
    Join Date
    Jul 2003
    Location
    Lurking
    Posts
    3,923
    Thanks
    191
    Thanked
    187 times in 163 posts
    • malfunction's system
      • Motherboard:
      • Gigabyte G1.Sniper (with daft heatsinks and annoying Killer NIC)
      • CPU:
      • Xeon X5670 (6 core LGA 1366) @ 4.4GHz
      • Memory:
      • 48GB DDR3 1600 (6 * 8GB)
      • Storage:
      • 1TB 840 Evo + 1TB 850 Evo
      • Graphics card(s):
      • 290X
      • PSU:
      • Antec True Power New 750W
      • Case:
      • Cooltek W2
      • Operating System:
      • Windows 10
      • Monitor(s):
      • Dell U2715H

    Re: Java RE to be deprecated

    Web start is what it sounds like - you download a descriptor file ("myapp.jnlp") that is associated with java web start which launches the code directly - there's nothing 'hosted' in the browser itself and if you wanted to you could just save the webstart file and invoke it directly without even launching a web browser (and I often do for some of the products / systems I work with).

    To be honest it's not something that's used in the consumer space as far as I'm aware - the only time I see it is to launch some kind of UI for an enterprise product, e.g. an admin or design UI, though a lot of that is going away and being replaced with 'normal' web based stuff too. Java based admin and design type UIs aren't going away (entirely) any time soon as far as I can see (not in the enterprise space) but a lot are either installed locally or use web start to download from a server. Locally installed UIs basically can have 'full permissions' (depending upon how the app was bundled / set up) and web start apps are sandboxed (by default). Probably more detail than you want:

    https://docs.oracle.com/javase/7/doc...guides/javaws/
    Last edited by malfunction; 29-01-2016 at 01:34 PM.

  5. #5
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    12,978
    Thanks
    778
    Thanked
    1,586 times in 1,341 posts
    • DanceswithUnix's system
      • Motherboard:
      • Asus X470-PRO
      • CPU:
      • 5900X
      • Memory:
      • 32GB 3200MHz ECC
      • Storage:
      • 2TB Linux, 2TB Games (Win 10)
      • Graphics card(s):
      • Asus Strix RX Vega 56
      • PSU:
      • 650W Corsair TX
      • Case:
      • Antec 300
      • Operating System:
      • Fedora 39 + Win 10 Pro 64 (yuk)
      • Monitor(s):
      • Benq XL2730Z 1440p + Iiyama 27" 1440p
      • Internet:
      • Zen 900Mb/900Mb (CityFibre FttP)

    Re: Java RE to be deprecated

    Thanks, I will try and read that later.

    But fundamentally, if visiting a web site can trigger the download and execution of a jar file, then that gives the same sandbox escape chances that made me turn off the java plugin

  6. #6
    bored out of my tiny mind malfunction's Avatar
    Join Date
    Jul 2003
    Location
    Lurking
    Posts
    3,923
    Thanks
    191
    Thanked
    187 times in 163 posts
    • malfunction's system
      • Motherboard:
      • Gigabyte G1.Sniper (with daft heatsinks and annoying Killer NIC)
      • CPU:
      • Xeon X5670 (6 core LGA 1366) @ 4.4GHz
      • Memory:
      • 48GB DDR3 1600 (6 * 8GB)
      • Storage:
      • 1TB 840 Evo + 1TB 850 Evo
      • Graphics card(s):
      • 290X
      • PSU:
      • Antec True Power New 750W
      • Case:
      • Cooltek W2
      • Operating System:
      • Windows 10
      • Monitor(s):
      • Dell U2715H

    Re: Java RE to be deprecated

    It's the same concern as any code you download and run from the web to be honest - regardless of whether or not it's run via a plugin or is Java based. The difference is how secure you think things are and how ubiquitous and automated things are - e.g. a plug-in that auto runs means you have very little chance to prevent being exposed to malicious attacks on the web. With Java web start (in its current incarnation at least):

    - You will be asked if you want to run the code the first time you launch it (and will also be prompted to upgrade Java if you aren't on the latest version)

    - The code will be signed (if not it will refuse to run it unless you explicitly configure it to run - and even that option is going away / has gone away with Java 8+ if memory serves), and you get a chance to inspect the signing cert(s) (though the value of this to a non-techy user is questionable).

    - The code will very likely be sand boxed in some way or form that's supposed to block access to local files, network, etc (if Java web start launched code wants that level of access it will generate a separate pop up box asking you to approve the open permissions).

    Compare that to downloading a pre-compiled windows executable from somewhere on the net on current versions of windows - it's roughly the same thing. The only real improvement on that is store and / or run time permissions / roles similar to the way Android, etc does things (not just "do you trust it" but "this code wants access to X, Y and Z - do you trust it").

  7. Received thanks from:

    DanceswithUnix (29-01-2016)

  8. #7
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    12,978
    Thanks
    778
    Thanked
    1,586 times in 1,341 posts
    • DanceswithUnix's system
      • Motherboard:
      • Asus X470-PRO
      • CPU:
      • 5900X
      • Memory:
      • 32GB 3200MHz ECC
      • Storage:
      • 2TB Linux, 2TB Games (Win 10)
      • Graphics card(s):
      • Asus Strix RX Vega 56
      • PSU:
      • 650W Corsair TX
      • Case:
      • Antec 300
      • Operating System:
      • Fedora 39 + Win 10 Pro 64 (yuk)
      • Monitor(s):
      • Benq XL2730Z 1440p + Iiyama 27" 1440p
      • Internet:
      • Zen 900Mb/900Mb (CityFibre FttP)

    Re: Java RE to be deprecated

    OK that sounds much better. The scary part with the old plugin was the total reliance on the sandboxing being enough which time and time again it was shown not to be. If you get a "no I don't want to run this" option when you didn't expect something on the page to be executing, that sounds good enough. Possibly still something I would want to turn off though so nothing on the page ever gets even a chance to execute

  9. #8
    bored out of my tiny mind malfunction's Avatar
    Join Date
    Jul 2003
    Location
    Lurking
    Posts
    3,923
    Thanks
    191
    Thanked
    187 times in 163 posts
    • malfunction's system
      • Motherboard:
      • Gigabyte G1.Sniper (with daft heatsinks and annoying Killer NIC)
      • CPU:
      • Xeon X5670 (6 core LGA 1366) @ 4.4GHz
      • Memory:
      • 48GB DDR3 1600 (6 * 8GB)
      • Storage:
      • 1TB 840 Evo + 1TB 850 Evo
      • Graphics card(s):
      • 290X
      • PSU:
      • Antec True Power New 750W
      • Case:
      • Cooltek W2
      • Operating System:
      • Windows 10
      • Monitor(s):
      • Dell U2715H

    Re: Java RE to be deprecated

    If you want to check it out try the link here ("Try it now: Run Notepad"):

    http://docs.oracle.com/javase/tutori...t/running.html

    The first time you run it you'll get a pop up asking if you want to run the code or not:



    "More Information" takes you here:



    And "View Certificate Details" takes you here:



    ...though as before, I'm not sure how useful this is unless you really know what you're looking at.

    After the first time it will run without the pop-up (just for that app, not all java web start apps). If you want to delete the app you have to go via the control panel java applet (something I'm not particularly keen on), view the local cache and delete the java app from there (you can also launch it from there too).
    Last edited by malfunction; 29-01-2016 at 05:07 PM.

  10. Received thanks from:

    DanceswithUnix (29-01-2016)

  11. #9
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    12,978
    Thanks
    778
    Thanked
    1,586 times in 1,341 posts
    • DanceswithUnix's system
      • Motherboard:
      • Asus X470-PRO
      • CPU:
      • 5900X
      • Memory:
      • 32GB 3200MHz ECC
      • Storage:
      • 2TB Linux, 2TB Games (Win 10)
      • Graphics card(s):
      • Asus Strix RX Vega 56
      • PSU:
      • 650W Corsair TX
      • Case:
      • Antec 300
      • Operating System:
      • Fedora 39 + Win 10 Pro 64 (yuk)
      • Monitor(s):
      • Benq XL2730Z 1440p + Iiyama 27" 1440p
      • Internet:
      • Zen 900Mb/900Mb (CityFibre FttP)

    Re: Java RE to be deprecated

    Fascinating, my Firefox browser has no idea what to do with that Notepad file and feeding it to Java isn't listed as an option. I guess turning off the Java plugin disables this too. Well, I haven't missed it before, but if I ever see one of those files I will know what to do

  12. #10
    Registered+
    Join Date
    Feb 2016
    Posts
    5
    Thanks
    0
    Thanked
    0 times in 0 posts

    Re: Java RE to be deprecated

    Yeah, already uninstalled this garbage. I'm glad they also deprecated the flash plug in. HTML5 FTW!

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •