I’m sure that’s an analogy about biting a nose off, something to do with a face…
Firefox makers, the Mozilla Foundation have said they are considering releasing an update that would make their browser incapable of handling Java, in an effort to prevent further bugs and security holes found in the platform. While this would make the browser unable to render millions of websites and their content, the security issues that have recently been revealed are quite devastating. Researchers Thai Duong and Juliano Rizzo were able, within 2 minutes, to utilise a java bug to decrypt SSL encrypted data to access a user’s Paypal password.
BEAST is the name of the issue, short for Browser Exploit Against SSL/TLS and it’s causing web based security experts quite a few headaches.
While you would hope that Mozilla would have some plans to fix this problem other than an outright blocking, you’d unfortunately be mistaken.
“I recommend that we blocklist all versions of the Java Plugin,” Firefox developer Brian Smith wrote on Mozilla’s online bug forum. “My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.”
Another developer has also weighed in, suggesting what a problem this would be for many people attempting to access java based websites and content.
“In the interest of keeping this bug updated with the latest status, this morning I asked Johnath for some help in understanding the balance between the horrible user experience this would cause and the severity/prevalence of the security issue and am waiting to hear back. We also discussed this in the Products team meeting today and definitely need better understanding of that before putting the block in place.”
One option being discussed is for people to whitelist certain websites that they’re ok with Java being displayed on. The problem with that, developers have said, is that sites like Facebook – which many would quickle validate – often contain many java applications that could be used with the BEAST injection system to steal user data.
While browser makers work to curb this issue and figure out a method of protecting their users, Oracle, the makers of Java, need to hurry out an update of their own to fix this security hole.