Firefox devs ponder ditching Java
Amid a recent finding by researchers of a vulnerability that allows the decryption of sensitive web traffic, developers of Mozilla's Firefox are considering disabling the Java plugin in the browser. But the developers admitted such a move may break features on many popular websites when viewed in Firefox, the UK's The Register reported.

The developers considered such a drastic move after researchers Thai Duong and Juliano Rizzo needed mere minutes last week to exploit the vulnerability and recover an encrypted authentication cookie used to access a PayPal user account. Dubbed "Browser Exploit Against SSL/TLS (BEAST)," the attack injects JavaScript into an SSL session to recover secret information that is transmitted repeatedly at a predictable location in the data stream.

"I recommend that we blocklist all versions of the Java Plugin ... My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin," Firefox developer Brian Smith wrote in a discussion on Mozilla's online bug forum.

Fellow developer Justin Scott said he asked Jonathan Nightingale, Firefox's director of engineering, for help in assessing the "balance between the horrible user experience this would cause and the severity/prevalence of the security issue."

"Yeah - this is a hard call. Killing Java means disabling user functionality like facebook video chat, as well as various java-based corporate apps (I feel like Citrix uses Java, for instance?)," Nightingale agreed.

Presently, Firefox has a mechanism for "soft-blocking" Java, which allows users to re-enable the plugin from the browser's add-ons manager. "But I suspect that enough users will whitelist, e.g., Facebook that even with those mechanisms (which don't currently exist!) in place, we'd have a lot of users potentially exposed to java weaknesses," Nightingale said.

"Whatever decision we make here, I really hope Oracle gets an update of their own out. It's the only way to keep their users affirmatively safe," he added.

Contrast with Google

Developers of Google's Chrome browser have taken a different approach to thwarting the attack, The Register said. Last week, the Register reported, the developers updated the developer and beta versions of Chrome to split certain messages into fragments, reducing the attacker's control over the plaintext about to be encrypted. "By adding unexpected randomness to the encryption process, the new behavior in Chrome is intended to throw BEAST off the scent of the decryption process by feeding it confusing information," the Register report said. But the update created incompatibilities between Chrome and at least some websites, the Register said.

For its part, Microsoft recommended that users apply several workarounds while it develops a permanent patch, but it has yet to outline the approach it plans to take. — TJD, GMA News
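To make the Chrome change concrete, here is an added example, constructed for this page and not code from Mozilla, Google or The Register. It models the CBC behaviour of TLS 1.0 that BEAST relies on (the IV of each record is the last ciphertext block of the previous record, so it is already visible on the network before the next plaintext is chosen) and shows what splitting each application write into a 1-byte record plus the remainder (commonly called the 1/n-1 split) changes: the IV for the bulk of the data becomes the ciphertext of the 1-byte record, which does not exist until the plaintext has already been committed. The toy Feistel block cipher, the record layer without MACs or sequence numbers, and the sample key and request are all assumptions made for the demonstration; nothing here performs the attack, it only checks the precondition the attack needs.

```python
# Added, constructed model of why record splitting blunts a BEAST-style
# chosen-plaintext attack on TLS 1.0 CBC. The block cipher below is a teaching
# toy (4-round Feistel over SHA-256), NOT a real cipher, and the record layer
# omits MACs and sequence numbers; only the IV-chaining behaviour is modelled.
import hashlib

BLOCK = 8  # toy block size in bytes


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    """Keyed round function: 4 bytes derived from key, round index and one half."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Invertible 8-byte permutation (toy Feistel network, 4 rounds)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt (shows the toy really is a permutation)."""
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right


def pad(data: bytes) -> bytes:
    """PKCS-style padding up to a whole number of toy blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC: each block is XORed with the previous ciphertext block (or the IV)."""
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


class ChainedRecordLayer:
    """TLS 1.0 behaviour: the IV of each record is the last ciphertext block of
    the previous record, so it is on the wire before the next plaintext is chosen."""

    def __init__(self, key: bytes, first_iv: bytes):
        self.key, self.next_iv = key, first_iv
        self.wire = []  # ciphertext records, as a network observer sees them
        self.ivs = []   # IV actually used for each record (for the demonstration)

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.next_iv, pad(plaintext))
        self.ivs.append(self.next_iv)
        self.wire.append(ct)
        self.next_iv = ct[-BLOCK:]
        return ct


class SplittingRecordLayer(ChainedRecordLayer):
    """Same chaining, but each application write goes out as a 1-byte record
    followed by the remaining n-1 bytes (the 1/n-1 split mitigation)."""

    def send(self, plaintext: bytes) -> bytes:
        first = super().send(plaintext[:1])
        rest = super().send(plaintext[1:]) if len(plaintext) > 1 else b""
        return first + rest


def bulk_iv_visible_in_advance(layer_cls) -> bool:
    """The precondition a BEAST-style attack needs: is the IV that will whiten the
    bulk of the next chosen plaintext already visible before it is committed?"""
    key = b"constructed-demo-key"  # constructed, fixed so the result is repeatable
    layer = layer_cls(key, bytes(range(BLOCK)))
    # Traffic the browser already sent, carrying the secret at a fixed position.
    layer.send(b"GET /account HTTP/1.1\r\nCookie: session=[SECRET]\r\n")
    seen_before_choice = layer.wire[-1][-BLOCK:]
    # Plaintext that attacker-controlled script content asks the browser to send.
    layer.send(b"A" * 16)
    bulk_iv = layer.ivs[-1]  # IV used for the record carrying the bulk of it
    return bulk_iv == seen_before_choice


if __name__ == "__main__":
    print("chained IVs, next IV known in advance:", bulk_iv_visible_in_advance(ChainedRecordLayer))
    print("1/n-1 split, next IV known in advance:", bulk_iv_visible_in_advance(SplittingRecordLayer))
```

With `ChainedRecordLayer` the function returns `True`: the IV for the chosen plaintext is exactly the last ciphertext block already on the wire. With `SplittingRecordLayer` it returns `False`, because the bulk record's IV is the ciphertext of the 1-byte record, produced only after the write was committed; that is the "unexpected randomness" the Register quote refers to. The split costs one extra record per write, which is the source of the compatibility problems the article mentions with servers that mishandle 1-byte records.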