
What's new with Java

Michael Horowitz | Nov. 3, 2014
There are three latest versions of Java. Tweaking Java to disable SSL 3.0. Securing Java. Explaining the security messages when running Java applets. Expiring old versions of Java.

With Java 8 Update 25 installed, a review of Firefox 33 plug-ins shows a dire warning that the "Java Deployment Toolkit version 8.0.250.18 is known to be vulnerable. Use with caution." It is Firefox error messages that should be viewed with caution.

Chrome 38 plug-ins (type chrome://plugins in the address bar) report the Java version as 11.25.2.18. You need to go into the details view to see a reference to Java 8 Update 25.

This is just the sort of thing my JavaTester.org website was designed for.

RUNNING APPLETS
Even in the best case, when the installed version of Java is current and the applet is digitally signed, you still get a Java warning before the applet runs (assuming the default "high" security level). I guess Oracle is sick and tired of being the biggest security flaw on the planet.

To illustrate, the question below, "Do you want to run this application", is asked before running Oracle's own signed applet that detects the installed version of Java. This prompt is the same in Java 7 and 8.

Running a non-whitelisted unsigned applet at "high" security results in an "Application Blocked by Security Settings" error with Java 7 and the slightly more useful "Application Blocked by Java Security" error with Java 8. To get around this, the website with the unsigned applet needs to be added to the Java "Exception Site list". This is done from the Java Control Panel, on the Security tab (see below). Click on the "Edit site list..." button, then the "Add" button. Website names have to be preceded with http:// or https://. If you reference a site both as "something.com" and "www.something.com" then both need to be whitelisted.
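An added example (not from the original article or from Oracle): a small Python check of a planned Exception Site List, applying the two rules in the paragraph above (prefix required, exact host name) and flagging plain-HTTP entries. It assumes an entry matches on scheme and host only; the sample list and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: one entry per line, as typed into "Edit site list...".
SAMPLE_LIST = """\
https://something.com
www.something.com
http://intranet.example
https://WWW.Example.org/apps/
"""

def parse_entries(text):
    """Return (valid, problems); valid holds (scheme, host) pairs."""
    valid, problems = set(), []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append((entry, "missing http:// or https:// prefix"))
            continue
        if parts.scheme == "http":
            problems.append((entry, "plain HTTP, no transport protection"))
        valid.add((parts.scheme, parts.hostname))  # hostname is lower-cased
    return valid, problems

def is_listed(url, valid):
    """Assumption: an entry matches on scheme and exact host name only."""
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname) in valid

def sibling(url):
    """The same URL's origin with the www. prefix added or removed."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    other = host[4:] if host.startswith("www.") else "www." + host
    return f"{parts.scheme}://{other}"

if __name__ == "__main__":
    valid, problems = parse_entries(SAMPLE_LIST)
    for entry, reason in problems:
        print(f"FIX   {entry}: {reason}")
    for url in ("https://something.com/applet.html",
                "https://www.something.com/applet.html"):
        state = "listed" if is_listed(url, valid) else "NOT listed"
        alt = "listed" if is_listed(sibling(url), valid) else "NOT listed"
        print(f"{state:10} {url} (other form {sibling(url)}: {alt})")
```
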

Even after being white-listed, running an unsigned applet generates the question below (on "high" security), which is identical in Java 7 and 8.

For more on the assorted messages Java issues, see "What should I do when I see a security prompt from Java?"

And, all of this is only part of the story, as there will also be warnings from the browser.

At least from most browsers. In my testing, Opera v12.17 totally ignored Java both in Windows 7 and 8.1. Not only did it fail to run applets, it also produced no errors or warnings.

VERY HIGH SECURITY IS BROKEN
On the "very high" security level, no unsigned applets are allowed to run. Or rather, that's what Oracle says.

Specifically, as shown below for Java 8, they say "Only Java applications identified by a certificate from a trusted authority are allowed to run, and only if the certificate can be verified as not revoked".

 
