40 Replies. Latest reply: Feb 14, 2013 12:16 PM by 801338

can java app programmer make secure app?

801338 Newbie
I am the author of the Interactive Color Wheel. It (in various versions) has been on the web since 1998, and has been very popular. With the recent hysteria about Java security, I have observed hits fall off dramatically. While it is not commercial and I'm not losing money, the drop-off still concerns me.

So the question is, until such time as Oracle fixes it, what can I as an app programmer do to alleviate the problem?

It seems quite ironic that the java app "sandbox", which was supposed to ensure security, seems to be the very source of the current problem. As far as I know, my app:

* uses the screen
* accesses the mouse and keyboard
* accesses resources within its own JAR

It does not:

* access the web
* write/read cookies (or do anything else on the file system)

With these limitations, is my app even dangerous?
  • 1. Re: can java app programmer make secure app?
    gimbal2 Guru
    The danger is basically in running the application in a browser, which usually boils down to it being an applet. The security holes are in the browser sandbox, not in the Java runtime directly. What your application does has little to do with it; it's what other people do to exploit the holes, and the way people manage their own software installation.

    And the worst of all: it's the way news websites seem to push this as some sort of uber threat. I'm sorry to say that is the thing impacting you the most. Not much that can be done about it, there will always be poor journalism I'm afraid.
  • 2. Re: can java app programmer make secure app?
    801338 Newbie
    Thanks, Gimbal. It just occurred to me that I may be misunderstanding the situation. Can someone else somehow break into my existing sandbox and cause harm to something else? Or is it that, if I were a jerk, I could intentionally write an app to circumvent the sandbox limitations and cause that harm myself?

    If it is the latter, the security warnings apply to any program one downloads from the web, not just Java apps. And I would be quite angry at the ignorant rabble rousers implicitly calling me a jerk. If the Interactive Color Wheel were a money-making venture, I would be very tempted to sue.

    -- Rich
  • 3. Re: can java app programmer make secure app?
    EJP Guru
    It's the second, the 'if I were a jerk' part.
  • 4. Re: can java app programmer make secure app?
    Kayaman Guru
    RichF wrote:
    If it is the latter, the security warnings apply to any program one downloads from the web, not just Java apps.
    An application is different from a browser plugin. Java Applets or Flash are run automatically; a harmful program such as a virus needs to be downloaded and executed intentionally.
    If the Interactive Color Wheel were a money-making venture, I would be very tempted to sue.
    You must be American. Who would you sue, and why on earth would you think you have a case?
  • 5. Re: can java app programmer make secure app?
    jwenting Journeyer
    Never mind that there's already a hotfix out (and I believe 7u11, which was recently released, is the permanent fix).
    Of course Americans are always looking for excuses to file lawsuits to defame others and get rich quick (tm)(r)(c) in the process, never realising the only people ever ending up rich as a result are their lawyers.
  • 6. Re: can java app programmer make secure app?
    801338 Newbie
    Thank you, FJP.

    Let's drop the lawsuit thing. I didn't mean to derail my own thread.

    The reason it makes me angry is, like a lot of authors, I've got many years of work into a project. People in general are being told, "Don't use it, disable Java". ... or "Remove Java". ... or, most ridiculously, "Remove Java forever".

    My site has over 200 pages of unique, ad-free content. It is absurd to assume that I would ruin my reputation and own sense of self-worth by writing a harmful app on a page that was once getting over 300 hits/day.

    The current hot-fix simply caused my browsers to not run Java apps directly. Instead, they display a security warning, and the user has to click it to run the app. For once, IE came out on top, asking me one time if I trusted the app. FF and Chrome, however, re-disable each time the page loads. I posted here to find out if there was anything I could do.
  • 7. Re: can java app programmer make secure app?
    801338 Newbie
    I have to ask the obvious question. If the Java 7 JRT is safe, and the Java 6 Plug-In is safe, why can't Oracle package them together as a quick fix? If something needed to be disabled in Java 7, at least pre-existing apps would run in the meantime, right?
  • 8. Re: can java app programmer make secure app?
    EJP Guru
    I don't understand the question. Why would Oracle want to package two releases of Java together? For any reason? It doesn't solve anything. People still have to install it, just as they have to install the Java 7 hot fix alone. I don't get why you think putting them together constitutes a solution.

    I don't understand your previous post either, unless it is just a rant against the world in general. Nobody here has suggested any such thing.
  • 9. Re: can java app programmer make secure app?
    801338 Newbie
    I'm ignorant concerning the plug-in magic that gives a Java applet a sandbox to run in which protects the rest of the computer (and the world!) from devious programmers. How I view it is the Java Run Time (JRT) does not need a browser plug-in, but the plug-in needs the JRT. That would make them two separate things. If the plug-in for Java 6 releases was safe, why can't it be packaged with the Java 7 JRT?

    - - - - - - - - - -
    Yes it was a rant -- not really at the whole world, but the journalists and supposed experts they interviewed. And certainly not directed at anyone here! I did not even know there was a problem until I allowed the JRT to upgrade last week, and my app would not run normally any more. At first I blew it off as "the installation screwed up". So I de-installed and re-installed the upgrade several times, and the security block did not go away.

    So I was frustrated but not yet angry. Then during the weekend I got serious about tracing down the problem, and discovered there really was a security issue. From my first question, you can see I still did not understand, thinking that devious internet Voodoo could make my app insecure. If that were the case, how would I block the Voodoo?

    Then I learned here that my applet was not in fact insecure. The press and "experts" were just telling people it (Java in general) was. I don't know what you have read, but there are some ridiculous claims being made. Not just disable Java for the time being (which the browsers are doing automatically now), but that it is inherently unsafe. Completely uninstall it and never re-install. Or the problem is so bad, it will take Oracle two years to fix. I know as a programmer those extreme claims are foolish, and I allowed that to affect me emotionally. I apologize.
  • 10. Re: can java app programmer make secure app?
    Kayaman Guru
    Applets are frankly a bit of a dead technology, so I understand why Oracle isn't running around in circles trying to fix the Java Plugin. It's quite a shame that Oracle bought Sun, but we can't help that, now can we?
    The majority of Java usage happens on the server side, and almost none of the security issues affect that.
    I can understand your frustration, but it won't do any good.
  • 11. Re: can java app programmer make secure app?
    jwenting Journeyer
    They in fact did run around and fix it with an unscheduled release of Java 7, which is 7u11, released out of sequence...
    Java 6 was never vulnerable to the problem at hand, so it needs no fix.

    The "don't use Java" screaming from DHS is political; if and when Oracle pays enough into the right politicians' campaign coffers they'll get an official endorsement...
  • 12. Re: can java app programmer make secure app?
    801338 Newbie
    jwenting, being fixed is good news. This weekend, though, Oracle's head of Java security held a phone conference (http://www.computerworld.com/s/article/9236230/Oracle_s_Java_security_head_We_will_fix_Java_communicate_better). He talked about how Oracle was taking security very seriously, and that current issues would be resolved quickly. It was future tense, so I did not see it as announcing a fix.

    Also, Firefox and Chrome still refuse to run Java applets directly. Every time a page with an applet is loaded, they show a security-block panel which must be clicked before the applet runs. Internet Explorer, though, does run applets normally, with no warning. It may have asked me one time if I wanted to run them, but I forget the details.

    My Java Console reports:

    * Using JRE version 1.7.0_11-b21 Java HotSpot(TM) Client VM

    Is that the same as "7u11"? I (re)downloaded and installed it two days ago. I just ran the "Do I have Java" thing at http://java.com and it reports I have the recommended version of Java. (Well, after allowing its applet to run, sigh...)
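The post above quotes a Java Console line, "Using JRE version 1.7.0_11-b21", and asks how that relates to the "7u11" name. The Python helper below is an added example, not code from the thread or from any Oracle tool: it parses the legacy "1.<major>.<minor>_<update>-b<build>" form used by Java 5 through 8, derives the marketing name (1.7.0_11 is Java 7 Update 11, i.e. "7u11"), and checks an installed version against a minimum update, which is the check an administrator scripts when confirming that machines are on the patched release. The console line in the block is the one quoted in the thread; the other version strings are constructed samples, and the newer dotted scheme introduced with Java 9 is deliberately out of scope.

```python
import re

# Legacy JRE version strings (Java 5 through 8) have the form
# "1.<major>.<minor>_<update>-b<build>", e.g. "1.7.0_11-b21".
# Oracle's marketing name drops the leading "1." and the minor:
# 1.7.0_11 is "Java 7 Update 11", written "7u11".
_LEGACY_RE = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?(?:-b(\d+))?$")
_MARKETING_RE = re.compile(r"^(\d+)u(\d+)$")

# Java Console line as quoted in the thread above.
CONSOLE_LINE = "Using JRE version 1.7.0_11-b21 Java HotSpot(TM) Client VM"


def parse_jre_version(text):
    """Return (major, update, build) for a legacy or marketing-style version.

    Accepts "1.7.0_11-b21", "1.7.0_11", "1.6.0_38" and "7u11" (build is 0
    when absent).  Raises ValueError for anything else, including the
    dotted "9.0.1"-style scheme introduced with Java 9, which this helper
    does not cover.
    """
    text = text.strip()
    m = _LEGACY_RE.match(text)
    if m:
        major, _minor, update, build = m.groups()
        return int(major), int(update or 0), int(build or 0)
    m = _MARKETING_RE.match(text)
    if m:
        return int(m.group(1)), int(m.group(2)), 0
    raise ValueError("unrecognised JRE version string: %r" % text)


def marketing_name(text):
    """Map a legacy string such as "1.7.0_11-b21" to its marketing name, "7u11"."""
    major, update, _build = parse_jre_version(text)
    return "%du%d" % (major, update)


def version_from_console_line(line):
    """Pull the version token out of a "Using JRE version ..." console line."""
    m = re.search(r"JRE version (\S+)", line)
    if not m:
        raise ValueError("no JRE version found in: %r" % line)
    return m.group(1)


def meets_minimum(installed, minimum):
    """True when `installed` is on the same release line as `minimum` and at
    the same or a later update.

    A different major release returns False: its patch status has to be
    judged against that line's own advisories (the thread notes Java 6 was
    not affected by the issue fixed in 7u11), not by comparing update
    numbers across lines.
    """
    inst_major, inst_update, _ = parse_jre_version(installed)
    min_major, min_update, _ = parse_jre_version(minimum)
    if inst_major != min_major:
        return False
    return inst_update >= min_update


if __name__ == "__main__":
    installed = version_from_console_line(CONSOLE_LINE)
    print(installed, "is", marketing_name(installed))
    print("at or above 7u11:", meets_minimum(installed, "7u11"))
```

Run as a script it reports the quoted console version as 7u11 and confirms it meets the 7u11 minimum; the same functions can be fed the output of `java -version` collected from other machines.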
  • 13. Re: can java app programmer make secure app?
    maheshguruswamy Journeyer
    RichF wrote:
    jwenting, being fixed is good news. This weekend, though, Oracle's head of Java security held a phone conference (http://www.computerworld.com/s/article/9236230/Oracle_s_Java_security_head_We_will_fix_Java_communicate_better). He talked about how Oracle was taking security very seriously, and that current issues would be resolved quickly. It was future tense, so I did not see it as announcing a fix.
    Also, Firefox and Chrome still refuse to run Java applets directly. Every time a page with an applet is loaded, they show a security-block panel which must be clicked before the applet runs. Internet Explorer, though, does run applets normally, with no warning. It may have asked me one time if I wanted to run them, but I forget the details.

    My Java Console reports:

    * Using JRE version 1.7.0_11-b21 Java HotSpot(TM) Client VM

    Is that the same as "7u11"? I (re)downloaded and installed it two days ago. I just ran the "Do I have Java" thing at http://java.com and it reports I have the recommended version of Java. (Well, after allowing its applet to run, sigh...)

    Don't take it the wrong way. I think applets (and browser plug-ins in general) are on their way out. Dump applets and redesign that page with plain HTML/JavaScript. Your application can now run pretty much everywhere without any plug-ins.
  • 14. Re: can java app programmer make secure app?
    801338 Newbie
    Mahesh, thank you for the reply. It seems strange advice to receive on an official Java programming forum, though. ;)

    I have not programmed with JavaScript, except to convert one script into a Java class. It did not strike me as a full programming language. Maybe I just misunderstand it or am behind the times. Specifically, would you want to convert the Interactive Color Wheel (http://r0k.us/graphics/SIHwheel.html) to a JavaScript equivalent? In addition to the color wheel pane itself, there is the menu, the scrolling color list which can be reloaded and have many thousands of entries, the handling of several different color lists themselves, sorting the selected one in multiple ways, etc. It sure sounds like something one would want a full language for...

    Oh, I can't forget Spot, the Magic Color Dog! :)

    That said, I am considering doing a stripped-down thingy in JavaScript. Differentiating it from pre-existing JavaScript color wheels might be problematic, though.