I don't get it. How come the Java applet "sand box" is so full of holes compared to JavaScript? They are both essentially interpreted code running in my browser.
Why do I need Java to access my bank, can't all that be done in JS as well?
Our solution to the uneven support of HTML 5 on various platforms is just to skip the ones that don't support what we want. That is mostly to do with websockets and webgl on MicroSoft browsers. No loss there.
More seriously HTML 5 despite having canvas and webgl and CSS and whatever does not provide a simple way of doing graphics and especially animations as does FLASH does.
Silverlight: No idea about that. Might have made a nice FLASH replacement but if it is an MS only non open standard like JS then who cares about that?
Banks should just be using https, end of story. In fact they should have been insisting, right from the start, on clean unextended browsers, and that includes no javascript.
There is the thing. If I have a "secure" connection to my bank. and I trust my bank not to mess with me, then having JS should not be a problem. After all it should only be able to talk to my bank via that secure connection. They have all my valuable info anyway, JS or not.
If I can't trust my bank not to mess with me then it makes no difference if there is JS in use or not.
Same applies to any other web site.
Question is can you trust whoever is on the other end?
Why do I need Java to access my bank, can't all that be done in JS as well?
Our solution to the uneven support of HTML 5 on various platforms is just to skip the ones that don't support what we want. That is mostly to do with websockets and webgl on MicroSoft browsers. No loss there.
Business partners are the answer to both questions. In the first case they'll want something like video chat with a representative. In the second case they'll demand support for IE on XP. They're impervious to the argument that this is a bad idea.
If I can't trust my bank not to mess with me then it makes no difference if there is JS in use or not.
It's not the banks I don't trust, it's principal of it being okay to leave scripting enabled for all sites. If the banks can't set a good example then who will?
Living overseas forces me to rely on on-line banking. A major U.S. bank certainly wasn't a good option as they just want the most customers with the least amount of personal service.
I ended up going with a Federal chartered saving bank that was created for U.S. military, retired U.S. military, and their dependents. They seem very well committed to providing good service wherever I am on a 24/7 basis. But to keep the banking available, I try to have two computers working at all times. Having dual boot as well means that something is likely to work regardless of how directly a hostile tries to take over my computer. Redundancy is the the real solution... and a bank with a real commitment to their customers (very rare).
BTW, apparently having a dual boot might prevent quite a few rootkit schemes from working. Hackers just try to find the simplest and most open systems.
Use a plan vanilla virtual machine for these things. If it were me, and I don't bank online much for a lot of reasons preferring cash, I would build it with whatever OS you think makes sense, and make it work for the banks and other key online access points you find necessary.
Once it's done, and it works, snapshot it and now you are set.
Boot it to the point where the browser is running nicely and it can log on, maybe even store passwords, whatever. Then snapshot right there. Once you've done that, using it is very simple. Fire it up and it will enter that snapshot state. Refresh the browser and do your thing. Instead of a shut down, just return to that snapshot.
Once in a while, update that snapshot and continue.
The beauty of this is no history is maintained and infections cannot endure. You are still open to an attack that could happen at the time you are doing something, but it's a one off and something easily managed.
I do like the idea of virtual machines to save you when your Windows installation inevitably commits suicide.
But a virtual machine to run an OS, to run a browser, to run a Java VM, to run Java, with a sand box is starting to sound crazy to me.
The VM snap shot thing would drive be nuts as pretty much every time I access my bank it refuses to let me in before I have upgraded Java to the latest release yet again.
Anyway on Linux, or even Windows if they have the multi-user thing sorted out yet, why not just create another user name for yourself. Log in as that user, do banking, log out.
...
But a virtual machine to run an OS, to run a browser, to run a Java VM, to run Java, with a sand box is starting to sound crazy to me.....
Having read through all the replies to this thread, I'm getting worried and depressed. If people like y'all have to go through so many contortions and tricks in order to feel safe-ish using your computers, where does that leave slobs like me? Are we all living under the illusion that on-line banking, etc. is reasonably safe when, in fact, we're all just sitting ducks?
Having read through all the replies to this thread, I'm getting worried and depressed. If people like y'all have to go through so many contortions and tricks in order to feel safe-ish using your computers, where does that leave slobs like me? Are we all living under the illusion that on-line banking, etc. is reasonably safe when, in fact, we're all just sitting ducks?
I use Google Chrome and don't worry that much. Google maintains a blacklist of known malware distributing sites and pops up a interstitial warning page when you attempt to visit one. Frankly any RIA plug in technology will likely have security issues, but they can only be exploited if you visit a site that is distributing it.
Having read through all the replies to this thread, I'm getting worried and depressed. If people like y'all have to go through so many contortions and tricks in order to feel safe-ish using your computers, where does that leave slobs like me? Are we all living under the illusion that on-line banking, etc. is reasonably safe when, in fact, we're all just sitting ducks?
I use Linux and a mac and don't worry much about the Java problems. I'm also careful about where I go and use no script". I you need/want to enable Java in your browser you really should us no script. You'll be shocked at how many web pages use java or javascript coming from another site!!
Yes. The constant update breaks the VM deal, unless you bank a lot. It is a little crazy, but the state of things is kind of crazy. I don't think I go a day without something updating here and there, and I don't go a week without something breaking when updates are turned off.
So my answer has been to compartmentalize things where I can. It's a big, brutal hammer, but I remain reasonably productive. I've got a set of VM's for a lot of different things, with my real OS being fairly vanilla. (windows) I can use Linux for a fair number of things and just might start that this year. Interestingly, Linux queries have gone up since the Win 8 announcements. I'll put a great Linux environment together to show off. (been waiting for that to be attractive)
Re: Multi-user
Yeah, on a real OS, sure! Works great, if you are on a reasonable UNIX!
Happy days, and even happier with Java in userland where it can update all over the place too. For the vast majority of people, it's not so easy. On Windows, there is the switch user command, and there is "runas" which actually kind of works if you tinker with it some.
Frankly, once you get all that sorted out, the idea of a VM starts to make sense, which is what I did. If I were on a UNIX most of the time, I know I would have just setup a user for the purpose of dealing with things --a few of them actually. That was my mode to compartmentalize in the past, along with the odd chroot here and there...
Once I end up on mixed environments, VM's start to work because they are basically the same, and they are portable across whatever I'm stuck on too. To each their own, of course. Just posting up stuff I've done to deal and am always eager to see what others come up with.
I use Linux and a mac and don't worry much about the Java problems. I'm also careful about where I go and use no script". I you need/want to enable Java in your browser you really should us no script. You'll be shocked at how many web pages use java or javascript coming from another site!!
Linux seems to reduce a lot of the threat, and so does using a Mac. But having the right bank may really be the central issue. Wells Fargo, BofA, and Citybank pretty much take on problem en masse and have gotten to be less and less able to serve an individual customer. Last time I visited a Wells Fargo, I thought I was at their head office in downtown San Francisco, and that told me that they moved it to suburb in Southern California.
My previous personal visit talk to the officer in charge of the branch on behalf of my elderly mother was greeted by them having downsized the branch and all problems were dealt with by a red phone and an over-stuffed chair in a corner. Asking to talk to someone in person only seemed to solicit a bums rush from the security guard. It was odd to see that the branch now had a dry cleaner franchise and parcel wrapping service... and NO branch manager. I felt I was experiencing the twilight zone.
I banked with BofA when I first came to Taiwan and they claimed 24/7 service via telephone and/or the internet. The internet always was way behind. In fact, my credit cards were getting late fees because I never got the billings until after payment was due. When I called their 24/7 services, I would get a robotic message to call back on weekdays between office hours.
Face the reality, the banks made a lot of money by installing ATMS and getting rid of tellers. The modern banking system is a huge robot for the most part.
Besides who really wants a relationship with someone that lends you an umbrella and wants it returned whenever the weather is stormy?
It provides an environment for running cross platform code. If you request a service over the Internet that is written in Java, you won't see that request answered without Java.
Re: Banks
Yes, they can be painful. I like small ones and credit unions, both of which compete on not doing so many ugly things. I also use cash quite a bit, because it's robust and reliable. This limits banking to some well defined and regular transactions which are little trouble.
Java is useless for most people. I've never had it on any of my computers and in nearly 10 years I've never missed it. Remember that Java and JavaScript are two different things. JavaScript is everywhere (way over used in my opinion). Most common sites such as Google, YouTube, even Parallax, will not work without it. However, if you use Firefox and install the NoScript add-on, you can be very selective about exactly which scripts are allowed to run. Most of them are not actually necessary. You'd be very surprised at how pervasive Facebook has become. And just for the record, anyone that still uses Internet Explorer deserves what they get.
JavaScript is a strange beast. Seemed to be hacked together by Netscape in a hurry to provide a simple scripting language in WEB pages for the non-programmer.
Derided by "real programmers" for a long time it turns out to be quite a capable language with some very funky features.
As such we see in turn up on the server side running under Google's V8 engine and Node.js.
It has been used in WebOS. It is used in GUI apps made in Qt and so on.
Node.js has surprised me in that when throwing XML and JSON around over websockets it out performs Google's Go language by nearly a factor of 10 even though Go is a compiled language. Node.js also outperforms similar code in C++.
This proves java itself isn't the problem. The entire android os is written in java, (real java, using the virtual machine, not the Smile that runs javascript in yyour browser) and as stated, it doesn't have the problem.
So, that only solidifies the stance that java itself isn't bad.
On another note.
html5 *does* do animation, and *can* play video, play sound, and everything else that most sites use that piece of junk called flash to handle. I honestly can't figure out why adobe hasn't hired an assembly programmer, and optimized flash so it's not such a memory/cpu hog, but apparently, they have no interest in fixing the thing, they just want it used everywhere.
(go figure)
The whole pdf thing didn't work out as they expected, but what I'm completely surprised at is the resounding lack of adobe alternatives. Sure, there's some apps that will read pdf files, and even a few that will write them, but added together with all the other programs that are available, I'm astounded by the lack of actual programs to do so. Pdf is supposed to be an open standard, and it only uses lzw compression/encryption, which is freely available for anyone to use, yet the number of pdf manipulation programs are practically nil. And, still, this doesn't send any signals to the powers that be. Doesn't anyone at adobe get it? Pdf is widely available, but judging from the completely lack of enthusiasm among 3rd party developers, it's not greatly liked, and flash is only used so widely, because most windows users don't know there's anything else.
If you would like to see html5 doing some animation, take a look at apple's html5 demos located at: https://developer.apple.com/library/safari/#documentation/AudioVideo/Conceptual/Using_HTML5_Audio_Video/Introduction/Introduction.html
I've also gotten many many sites to play their videos just fine using html5, just by replacing their javascript code that calls a flash viewer with one that uses an html5 viewer, and after doing so, not only was I able to play the video just fine, but I was also able to use the video manipulation controls (play/pause, rewind/fast forward and so on) which is something that can't be done on osx using voiceover when flash is in use. Not to mention, my cpu usage doesn't go through the roof when replacing a flash player with an html5 one. I'd hope people were smart enough to realize flash is useless, but so far, it hasn't happened.
It provides an environment for running cross platform code. If you request a service over the Internet that is written in Java, you won't see that request answered without Java.
So what are some examples or things requested in java that I am not getting? Not having java installed, I don't know what services are not there. Except the security problems, and I leave these "services" to Microsoft, as they are already bundled in the OS.
Braino,
It matters not if you have Java installed in your browser or otherwise.
If you request a page that page may well be generated on the server by Java. It could as well be PHP or Python or Perl or whatever. Even C or Forth. You don't need to know or care.
Totally. On the client side you may experience a page that doesn't display everything or that fails to offer some service. The same may be true with applications that require a JVM to operate correctly. If you aren't experiencing these things, you've no worries.
I personally interact with a lot of JAVA apps on client and server side. This thing is kind of a PITA due to that.
Java itself is not a problem. By that I mean Java the language as defined by it's syntax and semantics. Why would it be more of a problem than JavaScript or Python or Perl or a billion other languages?
What may be a problem is the vast array of class libraries that come with it and the JVM or environment it runs in and the capabilities they give the language to do damage. Clearly these are very different between a JRE or browser plugin supplied by Oracle and the Android environment.
It's a similar difference to say C applications running on a multi-user machine with virtual/protected memory, like Linux, vs running on a shared memory machine like RiscOS or Amiga. Same language, different environment.
Sure HTML 5 can do animation, you mention video for example. And it has canvas and webgl. However making complex 2D animations is much harder and/or slower than using FLASH.
Imagine you have some complex 2D scene to be animated according to data streamed in over a websocket. You can do it in webgl but it is a lot harder than using the FLASH API. You can do it in canvas but it's damn slow.
I have only recently started to play with this but I have yet to find a satisfactory solution in HTML5. Perhaps you have some suggestions.
Whatever you think about JavaScript as a language I would not be so quick to say "...Smile that runs javascript in your browser" Googles V8 JS engine performs very well. It also performs very well when running JS on the server under node.js. I am totally amazed that it performs on a par with C++ when throwing XML around and out performs Google's, compiled to native code, Go when throwing JSON around. Java can't match it.
JavaScript is much maligned by "real programmers" but it is at least up there with Python, Perl etc. It has a lot going for it.
I should explain I guess why I made the comment about javascript.
Javascript by itself isn't a bad thing, in fact, when handled correctly, a site using javascript can be hugely successful, and can be even more user-friendly than one using plain html.
However, in 75% of cases, when folks use javascript to do something on a site, they use it to replace perfectly usable html code, either because they don't know the html code, or they think it's a cool thing to do, even if it makes the page less usable. Too many times, I've seen pages that should be perfectly usable, but aren't because some wiseguy decided it'd be cool to replace a perfectly servicable html structure with something coded in javascript, and the js equivalent is less than useless when it comes to doing what the html structure did. But, because it looks cool, or because the webmaster knows nothing else, or because they're trying to show off their skills, the page winds up being only marginally usable, and that's a damned shame, because in their ignorance, they ruin a perfectly good page.
But, on the other hand, I've seen pages where the javascript was handled very well, and it not only made the page more useful, but it did so with no impact on usability, in fact, it actually enhanced the page, offering capabilities that can't be done with html alone. Those are what I consider to be good uses of javascript, and there are definitely cases where pages couldn't do their job at all w/o javascript (or something like it) and in those cases, the use of js is perfectly acceptable. It's the folks that replace perfectly accessible html code with js garbage that doesn't do a fraction of the structure it's replacing. I.E. tables. How many times have you seen a perfectly good html table structure replaced with javascript code that simply indents the columns, making them appear table-like, but it's obvious that a table it isn't.
Real html tables are easy to build, easy to navigate (I.E. across rows, or down columns) while these js substitutes are really nothing more than straight text that looks nice, but lacks the actual structure of a real table, so screen readers can't tell it's supposed to be a table, and in those cases, navigating via rows or columns is impossible.
I find forms to be similar.
html allows for forms, and those forms are generally usable with no trouble by screen readers. When javascript is dropped in the mix, often times, the screen reader fails to note there's a button to be pressed, or worse, knows there's a button, but has no idea what the button is, so now I have to guess which one is the cancel, and which one is the submit button, something which isn't needed with real html forms.
Sure, partly this is due to the screen reader's knowing in advance the html structures, but partly, it's because when you build your own using js, there's no need to put text labels in places html requires it, so now there's nothing the screen reader can tie back to as a reference point, to let us know what the heck we're clicking on.
And, of course, there's always the text fields as buttons mentioned in the thread about Jeff's new store, those become a problem sometimes too, because there's no indication whatsoever that those fields are clickable, something an html button clearly identifies, but a javascript field doesn't make nearly as clear.
So, now that I've bored everyone with my rant, I'll shutup now, and go back to not liking webmasters tht use javascript when it's unnecessary.
I don't have java installed on any of my machines.
Aside form the security threat, what am I missing? What benefit does java provide?
The problem isn't with with Java per say. The problem is with Java in a web browser. I use a
number of Java apps and they pose no risk. I installed the "noscript" plugin. It blocks java, javascript,
etc in web pages. If you go to a webpage with java scripts ( java and javascript) it gets blocked and you're
presented information about every one and you can check where it's coming from and get information about
it. At that point you can decide if you want to allow it all the time, that once or never.
Braino,
It matters not if you have Java installed in your browser or otherwise.
If you request a page that page may well be generated on the server by Java. It could as well be PHP or Python or Perl or whatever. Even C or Forth. You don't need to know or care.
If its a page generated by something, then you mean whats generated is HTML, and whatever created it no longer in the picture. In this case, whatever it was is not running on my machine, and any risks are related to the html page that was generated. Is this correct?
In the context of this security issue, there is talk about removing and uninstalling java from the client side, my side. My question is about the benefits of having the java stuff installed on the client side.
So is the issue about java running on the server side? A client request can make the server execute code that gives control to any client?
Yes, quite so. In theory the server can be running Java which generates HTML which gets downloaded to your browser and displayed. There should be no risks in plain old HTML by now, if there ever were.
Complication comes of course when that page is not just HTML but requires a Java plugin to run some Java that gets downloaded to your browser.
I think the vulnerabilities under discussion are all to do with running Java in that plugin in your browser.
Next up is the fact that you can run Java just like any other program on your PC, no browser required. Well that should not have any more security implications than running anything else on your PC. Of course you aren't just running any old code you found on your machine are you?
Finally I guess there are client requests that can compromise servers running Java. Same as any language. Maybe you don't get control exactly but perhaps you can get to download stuff you should not or deface websites and databases etc ect etc.
So back to the article, if I don't have java installed on the box, I'm good, since I don't need it, and won't unless I actively choose to install it for some particular site.
For the scripts, if I am running Firefox, and have NoScript pluggin installed
Comments
I don't get it. How come the Java applet "sand box" is so full of holes compared to JavaScript? They are both essentially interpreted code running in my browser.
Why do I need Java to access my bank, can't all that be done in JS as well?
Our solution to the uneven support of HTML 5 on various platforms is just to skip the ones that don't support what we want. That is mostly to do with websockets and webgl on MicroSoft browsers. No loss there.
More seriously HTML 5 despite having canvas and webgl and CSS and whatever does not provide a simple way of doing graphics and especially animations as does FLASH does.
Silverlight: No idea about that. Might have made a nice FLASH replacement but if it is an MS only non open standard like JS then who cares about that?
These days it's more just spyware tracking what you are up to, pilfering through your histories and the likes.
If I can't trust my bank not to mess with me then it makes no difference if there is JS in use or not.
Same applies to any other web site.
Question is can you trust whoever is on the other end?
Business partners are the answer to both questions. In the first case they'll want something like video chat with a representative. In the second case they'll demand support for IE on XP. They're impervious to the argument that this is a bad idea.
It's not the banks I don't trust, it's principal of it being okay to leave scripting enabled for all sites. If the banks can't set a good example then who will?
I ended up going with a Federal chartered saving bank that was created for U.S. military, retired U.S. military, and their dependents. They seem very well committed to providing good service wherever I am on a 24/7 basis. But to keep the banking available, I try to have two computers working at all times. Having dual boot as well means that something is likely to work regardless of how directly a hostile tries to take over my computer. Redundancy is the the real solution... and a bank with a real commitment to their customers (very rare).
BTW, apparently having a dual boot might prevent quite a few rootkit schemes from working. Hackers just try to find the simplest and most open systems.
Once it's done, and it works, snapshot it and now you are set.
Boot it to the point where the browser is running nicely and it can log on, maybe even store passwords, whatever. Then snapshot right there. Once you've done that, using it is very simple. Fire it up and it will enter that snapshot state. Refresh the browser and do your thing. Instead of a shut down, just return to that snapshot.
Once in a while, update that snapshot and continue.
The beauty of this is no history is maintained and infections cannot endure. You are still open to an attack that could happen at the time you are doing something, but it's a one off and something easily managed.
But a virtual machine to run an OS, to run a browser, to run a Java VM, to run Java, with a sand box is starting to sound crazy to me.
The VM snap shot thing would drive be nuts as pretty much every time I access my bank it refuses to let me in before I have upgraded Java to the latest release yet again.
Anyway on Linux, or even Windows if they have the multi-user thing sorted out yet, why not just create another user name for yourself. Log in as that user, do banking, log out.
Having read through all the replies to this thread, I'm getting worried and depressed. If people like y'all have to go through so many contortions and tricks in order to feel safe-ish using your computers, where does that leave slobs like me? Are we all living under the illusion that on-line banking, etc. is reasonably safe when, in fact, we're all just sitting ducks?
I use Google Chrome and don't worry that much. Google maintains a blacklist of known malware distributing sites and pops up a interstitial warning page when you attempt to visit one. Frankly any RIA plug in technology will likely have security issues, but they can only be exploited if you visit a site that is distributing it.
I use Linux and a mac and don't worry much about the Java problems. I'm also careful about where I go and use no script". I you need/want to enable Java in your browser you really should us no script. You'll be shocked at how many web pages use java or javascript coming from another site!!
Yes. The constant update breaks the VM deal, unless you bank a lot. It is a little crazy, but the state of things is kind of crazy. I don't think I go a day without something updating here and there, and I don't go a week without something breaking when updates are turned off.
So my answer has been to compartmentalize things where I can. It's a big, brutal hammer, but I remain reasonably productive. I've got a set of VM's for a lot of different things, with my real OS being fairly vanilla. (windows) I can use Linux for a fair number of things and just might start that this year. Interestingly, Linux queries have gone up since the Win 8 announcements. I'll put a great Linux environment together to show off. (been waiting for that to be attractive)
Re: Multi-user
Yeah, on a real OS, sure! Works great, if you are on a reasonable UNIX!
bash
xhost +
sudo su bank
browser http://www.thatjavabank.com
Happy days, and even happier with Java in userland where it can update all over the place too. For the vast majority of people, it's not so easy. On Windows, there is the switch user command, and there is "runas" which actually kind of works if you tinker with it some.
Frankly, once you get all that sorted out, the idea of a VM starts to make sense, which is what I did. If I were on a UNIX most of the time, I know I would have just setup a user for the purpose of dealing with things --a few of them actually. That was my mode to compartmentalize in the past, along with the odd chroot here and there...
Once I end up on mixed environments, VM's start to work because they are basically the same, and they are portable across whatever I'm stuck on too. To each their own, of course. Just posting up stuff I've done to deal and am always eager to see what others come up with.
Linux seems to reduce a lot of the threat, and so does using a Mac. But having the right bank may really be the central issue. Wells Fargo, BofA, and Citybank pretty much take on problem en masse and have gotten to be less and less able to serve an individual customer. Last time I visited a Wells Fargo, I thought I was at their head office in downtown San Francisco, and that told me that they moved it to suburb in Southern California.
My previous personal visit talk to the officer in charge of the branch on behalf of my elderly mother was greeted by them having downsized the branch and all problems were dealt with by a red phone and an over-stuffed chair in a corner. Asking to talk to someone in person only seemed to solicit a bums rush from the security guard. It was odd to see that the branch now had a dry cleaner franchise and parcel wrapping service... and NO branch manager. I felt I was experiencing the twilight zone.
I banked with BofA when I first came to Taiwan and they claimed 24/7 service via telephone and/or the internet. The internet always was way behind. In fact, my credit cards were getting late fees because I never got the billings until after payment was due. When I called their 24/7 services, I would get a robotic message to call back on weekdays between office hours.
Face the reality, the banks made a lot of money by installing ATMS and getting rid of tellers. The modern banking system is a huge robot for the most part.
Besides who really wants a relationship with someone that lends you an umbrella and wants it returned whenever the weather is stormy?
Aside form the security threat, what am I missing? What benefit does java provide?
Re: Banks
Yes, they can be painful. I like small ones and credit unions, both of which compete on not doing so many ugly things. I also use cash quite a bit, because it's robust and reliable. This limits banking to some well defined and regular transactions which are little trouble.
Derided by "real programmers" for a long time it turns out to be quite a capable language with some very funky features.
As such we see in turn up on the server side running under Google's V8 engine and Node.js.
It has been used in WebOS. It is used in GUI apps made in Qt and so on.
Node.js has surprised me in that when throwing XML and JSON around over websockets it out performs Google's Go language by nearly a factor of 10 even though Go is a compiled language. Node.js also outperforms similar code in C++.
So, that only solidifies the stance that java itself isn't bad.
On another note.
html5 *does* do animation, and *can* play video, play sound, and everything else that most sites use that piece of junk called flash to handle. I honestly can't figure out why adobe hasn't hired an assembly programmer, and optimized flash so it's not such a memory/cpu hog, but apparently, they have no interest in fixing the thing, they just want it used everywhere.
(go figure)
The whole pdf thing didn't work out as they expected, but what I'm completely surprised at is the resounding lack of adobe alternatives. Sure, there's some apps that will read pdf files, and even a few that will write them, but added together with all the other programs that are available, I'm astounded by the lack of actual programs to do so. Pdf is supposed to be an open standard, and it only uses lzw compression/encryption, which is freely available for anyone to use, yet the number of pdf manipulation programs are practically nil. And, still, this doesn't send any signals to the powers that be. Doesn't anyone at adobe get it? Pdf is widely available, but judging from the completely lack of enthusiasm among 3rd party developers, it's not greatly liked, and flash is only used so widely, because most windows users don't know there's anything else.
If you would like to see html5 doing some animation, take a look at apple's html5 demos located at:
https://developer.apple.com/library/safari/#documentation/AudioVideo/Conceptual/Using_HTML5_Audio_Video/Introduction/Introduction.html
I've also gotten many many sites to play their videos just fine using html5, just by replacing their javascript code that calls a flash viewer with one that uses an html5 viewer, and after doing so, not only was I able to play the video just fine, but I was also able to use the video manipulation controls (play/pause, rewind/fast forward and so on) which is something that can't be done on osx using voiceover when flash is in use. Not to mention, my cpu usage doesn't go through the roof when replacing a flash player with an html5 one. I'd hope people were smart enough to realize flash is useless, but so far, it hasn't happened.
So what are some examples or things requested in java that I am not getting? Not having java installed, I don't know what services are not there. Except the security problems, and I leave these "services" to Microsoft, as they are already bundled in the OS.
It matters not if you have Java installed in your browser or otherwise.
If you request a page that page may well be generated on the server by Java. It could as well be PHP or Python or Perl or whatever. Even C or Forth. You don't need to know or care.
I personally interact with a lot of JAVA apps on client and server side. This thing is kind of a PITA due to that.
You have a lot of interesting points there.
Java itself is not a problem. By that I mean Java the language as defined by it's syntax and semantics. Why would it be more of a problem than JavaScript or Python or Perl or a billion other languages?
What may be a problem is the vast array of class libraries that come with it and the JVM or environment it runs in and the capabilities they give the language to do damage. Clearly these are very different between a JRE or browser plugin supplied by Oracle and the Android environment.
It's a similar difference to say C applications running on a multi-user machine with virtual/protected memory, like Linux, vs running on a shared memory machine like RiscOS or Amiga. Same language, different environment.
Sure HTML 5 can do animation, you mention video for example. And it has canvas and webgl. However making complex 2D animations is much harder and/or slower than using FLASH.
Imagine you have some complex 2D scene to be animated according to data streamed in over a websocket. You can do it in webgl but it is a lot harder than using the FLASH API. You can do it in canvas but it's damn slow.
I have only recently started to play with this but I have yet to find a satisfactory solution in HTML5. Perhaps you have some suggestions.
Whatever you think about JavaScript as a language I would not be so quick to say "...Smile that runs javascript in your browser" Googles V8 JS engine performs very well. It also performs very well when running JS on the server under node.js. I am totally amazed that it performs on a par with C++ when throwing XML around and out performs Google's, compiled to native code, Go when throwing JSON around. Java can't match it.
JavaScript is much maligned by "real programmers" but it is at least up there with Python, Perl etc. It has a lot going for it.
Javascript by itself isn't a bad thing, in fact, when handled correctly, a site using javascript can be hugely successful, and can be even more user-friendly than one using plain html.
However, in 75% of cases, when folks use javascript to do something on a site, they use it to replace perfectly usable html code, either because they don't know the html code, or they think it's a cool thing to do, even if it makes the page less usable. Too many times, I've seen pages that should be perfectly usable, but aren't because some wiseguy decided it'd be cool to replace a perfectly servicable html structure with something coded in javascript, and the js equivalent is less than useless when it comes to doing what the html structure did. But, because it looks cool, or because the webmaster knows nothing else, or because they're trying to show off their skills, the page winds up being only marginally usable, and that's a damned shame, because in their ignorance, they ruin a perfectly good page.
But, on the other hand, I've seen pages where the javascript was handled very well, and it not only made the page more useful, but it did so with no impact on usability, in fact, it actually enhanced the page, offering capabilities that can't be done with html alone. Those are what I consider to be good uses of javascript, and there are definitely cases where pages couldn't do their job at all w/o javascript (or something like it) and in those cases, the use of js is perfectly acceptable. It's the folks that replace perfectly accessible html code with js garbage that doesn't do a fraction of the structure it's replacing. I.E. tables. How many times have you seen a perfectly good html table structure replaced with javascript code that simply indents the columns, making them appear table-like, but it's obvious that a table it isn't.
Real html tables are easy to build, easy to navigate (I.E. across rows, or down columns) while these js substitutes are really nothing more than straight text that looks nice, but lacks the actual structure of a real table, so screen readers can't tell it's supposed to be a table, and in those cases, navigating via rows or columns is impossible.
I find forms to be similar.
html allows for forms, and those forms are generally usable with no trouble by screen readers. When javascript is dropped in the mix, often times, the screen reader fails to note there's a button to be pressed, or worse, knows there's a button, but has no idea what the button is, so now I have to guess which one is the cancel, and which one is the submit button, something which isn't needed with real html forms.
Sure, partly this is due to the screen reader's knowing in advance the html structures, but partly, it's because when you build your own using js, there's no need to put text labels in places html requires it, so now there's nothing the screen reader can tie back to as a reference point, to let us know what the heck we're clicking on.
And, of course, there's always the text fields as buttons mentioned in the thread about Jeff's new store, those become a problem sometimes too, because there's no indication whatsoever that those fields are clickable, something an html button clearly identifies, but a javascript field doesn't make nearly as clear.
So, now that I've bored everyone with my rant, I'll shutup now, and go back to not liking webmasters tht use javascript when it's unnecessary.
The problem isn't with with Java per say. The problem is with Java in a web browser. I use a
number of Java apps and they pose no risk. I installed the "noscript" plugin. It blocks java, javascript,
etc in web pages. If you go to a webpage with java scripts ( java and javascript) it gets blocked and you're
presented information about every one and you can check where it's coming from and get information about
it. At that point you can decide if you want to allow it all the time, that once or never.
As the article states, Java is ancient history.
By the way, not trying to be a jerk but it's "per se", just so you know.
If its a page generated by something, then you mean whats generated is HTML, and whatever created it no longer in the picture. In this case, whatever it was is not running on my machine, and any risks are related to the html page that was generated. Is this correct?
In the context of this security issue, there is talk about removing and uninstalling java from the client side, my side. My question is about the benefits of having the java stuff installed on the client side.
So is the issue about java running on the server side? A client request can make the server execute code that gives control to any client?
Yes, quite so. In theory the server can be running Java which generates HTML which gets downloaded to your browser and displayed. There should be no risks in plain old HTML by now, if there ever were.
Complication comes of course when that page is not just HTML but requires a Java plugin to run some Java that gets downloaded to your browser.
I think the vulnerabilities under discussion are all to do with running Java in that plugin in your browser.
Next up is the fact that you can run Java just like any other program on your PC, no browser required. Well that should not have any more security implications than running anything else on your PC. Of course you aren't just running any old code you found on your machine are you?
Finally I guess there are client requests that can compromise servers running Java. Same as any language. Maybe you don't get control exactly but perhaps you can get to download stuff you should not or deface websites and databases etc ect etc.
For the scripts, if I am running Firefox, and have NoScript pluggin installed
https://addons.mozilla.org/en-us/firefox/addon/noscript/
I can by default block all scripts, and only enable scripts for sites I know and can trust.
So the article basically says "don't leave your browser to freely run any old script". Which pretty much means don't use internet explorer.
Nothing new here, I guess.