
Firefox devs ponder ditching Java


Amid a recent finding by researchers about a vulnerability that allows the decryption of sensitive web traffic, developers of Mozilla’s Firefox are considering disabling Java software in the browser. But the developers admitted such a move may disable features on many popular websites when viewed using Firefox, the UK’s The Register reported.

The developers considered such a drastic move after researchers Thai Duong and Juliano Rizzo needed mere minutes to exploit a vulnerability to recover an encrypted authentication cookie used to access a PayPal user account last week. Dubbed “Browser Exploit Against SSL/TLS (BEAST),” the attack injects JavaScript into an SSL session to recover secret information that is transmitted repeatedly in a predictable location in the data stream.

“I recommend that we blocklist all versions of the Java Plugin ... My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin,” Firefox developer Brian Smith wrote in a discussion on Mozilla’s online bug forum.

Fellow developer Justin Scott said he asked Jonathan Nightingale, Firefox’s director of engineering, for help in assessing the “balance between the horrible user experience this would cause and the severity/prevalence of the security issue.”

“Yeah - this is a hard call. Killing Java means disabling user functionality like facebook video chat, as well as various java-based corporate apps (I feel like Citrix uses Java, for instance?)” Nightingale agreed.

Presently, Firefox has a mechanism for “soft-blocking” Java, allowing users to re-enable the plugin from the browser’s add-ons manager. “But I suspect that enough users will whitelist, e.g., Facebook that even with those mechanisms (which don’t currently exist!) in place, we’d have a lot of users potentially exposed to java weaknesses,” Nightingale said.

“Whatever decision we make here, I really hope Oracle gets an update of their own out. It’s the only way to keep their users affirmatively safe,” he added.

Contrast to Google

Developers of Google’s Chrome browser have taken a different approach to thwart such an attack, The Register said. Last week, according to the report, the developers updated the developer and beta versions of Chrome to split certain messages into fragments to reduce the attacker’s control over the plaintext about to be encrypted.

“By adding unexpected randomness to the encryption process, the new behavior in Chrome is intended to throw BEAST off the scent of the decryption process by feeding it confusing information,” the Register report said. But such an update created incompatibilities between Chrome and at least some websites, the Register said.

For its part, Microsoft recommended that users apply several workaround fixes while it develops a permanent patch. But Microsoft has yet to outline the approach it plans to take. — TJD, GMA News