Oops. I thought “dua...@gmail.com” was ra4king. My apologies.
@Riven
It’s all good ;D
Btw, I’m ra4king everywhere on the internet
@Addictman
But Java is not Google’s to control. Google can’t take heat for security issues on behalf of Java so I really see no point to block autorun for all versions of Java. They should only block older versions because it is getting quite annoying allowing every single site I go to.
I understand what you mean, and as I said, I personally don’t like it. But Java’s installed on so many computers around the world, and so few of those computers actually use java actively. Let’s face it, the members of this forum aren’t exactly the average user when it comes to Java. So, if/when a new huge gaping security hole emerges in the current java version, what’s the safest thing to do? Ignore it, and wait for Oracle to fix it, and risk the vast majority of users around the world that have java installed but don’t know what it is, to go into a tantrum over Google because they erroneously think Chrome’s the culprit? Or, force those that actually use java services to “click once”.
In a perfect world; screw google. In the real world: screw applets.
Agh screw the real world >:(
But yes, that unfortunately makes sense
At the risk of having an unpopular opinion in this forum, I really don’t mind this. They’re essentially embedding functionality similar to (parts of) NoScript into the browser. Of course, I do see the concern as a Java developer about user perception.
Folks often say that users will usually click “Yes” to any dialog asking them anything, without even reading or understanding it, to try to get software working on their computers. Might that happen in this scenario as well - “Oh, I have to click OK here to use my banking site, whatever”?
Built in FlashBlock (the Firefox plugin) for Java. Cool.
It seems a bit overprotective, but on the other hand companies like Apple have been practising stuff like this for years…
I must also admit that after surfing sites that are filled with applets, I have at some point actually wanted a feature like this.
I have a plugin like that for delaying Flash loading called FlashBlock. However as with FlashBlock I as the user made the decision, not the author of the browser…
In regards to security, I’m not sure how much difference it will make.
People will still click the “Allow virus to install” button.
Only the 10% that doesn’t will be a tiny bit more protected (future Java patches should fix it anyways).
Hmm, I wonder how big the chances of a removal of this feature are, if Java security goes up…
- Scarzzurs
I do and always have had Java blocked by default. Same with JavaScript and Flash. I want to surf and read the web, not have the web intrude on me. I enable these “run client side” features only for specific pages or cases.
Quite frankly, not only do I understand where Google is coming from, I think it’s a good idea.
A problem is also that if the user is asked once (by Chrome), logically the user has been warned and then the Applet should be given full access without the need to be signed (stupid to ask twice); this completely makes the sandbox of Java Applets useless/obsolete.
If an Applet is considered unsafe it should not need to be signed anymore; continuing to ask for a secure certificate to gain full access will mean unsigned Applets are considered secure.
oh well, another nail in the JavaFX 2.0 coffin.
While this may give an additional layer of security against unpatched privilege escalation bugs, I believe that many of the Java attacks are using self-signed and relying on the user clicking through the warning without considering the risk. So now signed code will get two separate warnings (which will probably get clicked through) and unsigned code will get a single warning (even though the risk is fairly low provided the latest JRE is installed). Can’t say I’m impressed. It would be better to configure Java not to accept self-signing by default and have the browser insist that the latest JRE is installed.
I guess part of the problem is the length of time Oracle is taking to address security issues. If a new security escalation bug is discovered, there is too large a window of opportunity in which it can be exploited. The Oracle-Google lawsuit might also be resulting in a bit of tit-for-tat.
Yeah, google is looking out for google, not Java. Perfectly understandable.
It seems like Java is replacing Flash as the plugin to hate.
I still don’t see how CA-signed is more trustworthy than self-signed. The difference is that you have to pay for one. The checks these CAs perform are laughable. I once got a code-sign certificate for a company name the business I registered it for didn’t own.
Technically, that’s the browser / Java’s fault. They shouldn’t trust “laughable” CAs.
It is not fair. Flash is proprietary, even within a sandbox it can be dangerous. This change in Chrome is in favour of Flash. It is too much. I will go on advising people to switch to Mozilla Firefox 4. I spent some time in fixing another “bug” in Chrome but Google preferred using another fix because it wanted to keep the dangerous file warning. Google prefers driving Java more scary in its web browser, it is intentional both for applets and Java Web Start.
P.S: The answers of Google guys are quite silly. They underestimate the use of Java.
I have about 6-7 months left of my Applet-based project. I wonder if it will even run by the time I’m finished?
As long as plugins are up-to-date they should be allowed to run. Give a warning if not, suggest upgrade, or block if it’s too old. Java is just as established as Flash, and there’s no reason to discriminate because of security issues. Flash is just as riddled with security flaws as Java. Concerning signed applets, I think there’s ground for extra security warnings. The best thing would be for Oracle to do a major redesign of the warning system though.
yay, chrome 11 is now released to the masses, with the above change.
Google state the following as their official reason for the change:
[quote]Plug-ins help browsers process special types of web content, like Flash or Windows Media files. Some plug-ins, such as Flash, are used by many websites on the Internet. Other plug-ins are only used by a small number of sites. Since plug-ins can occasionally be a security risk, Google Chrome now blocks plug-ins that are not widely used. When this happens, you will see a message such as the following:
“The Java plug-in needs your permission to run.”
You should only run the plug-in if you trust the website you are visiting (for example, your banking website might legitimately use a Java applet).
To let the plug-in run on the site, follow these steps:
To run the plug-in just this once, click Run this time in the message. The plug-in will run, but if you re-visit the site, you’ll be asked for permission to run the plug-in again.
To always allow the current site to run the plug-in, click Always run on this site. Subsequent visits to the site will run the plug-in without asking again.
If you don’t want Google Chrome to ask your permission before running lesser-used plug-ins, use the command line flag --always-authorize-plugins.
[/quote]
Wonder if 2 million users for one game counts as “widely used” ?
Kev
2 million users paid out of 7 million accounts