Firefox 26 Blocks Java
Mozilla Firefox 26 now blocks all Java plug-ins by default due to security concerns but allows users to run such plug-ins if they want to.
Mozilla considered blacklisting Java in its browser for security concerns back in 2011, but no decision was made at that moment. All this year Mozilla has been developing and testing a Click-to-Play (CtP) feature that would allow users to select which plug-ins they want to be enabled. But the process has not run smoothly and has affected websites and users relying on Java.
In September, Mozilla decided to mark all Java versions as unsafe, feature implemented in Firefox 24, but many users did not understand what happened to their applications and websites that were no longer working, they did not figure out there was a CtP feature that would let them enable Java, then some of the plug-ins were invisible and CtP was not addressing them, and in some cases the CtP UI was not even visible. Many bank users seemed to be affected, at least in some countries:
Knud Berggreen: Java Plugin 7 update 45 should not be blocked! It affects all citizens of Denmark, as the national login is blocked.
etoxsg: In Norway only a few online banks let you use their services without a java plugin installed I would say that 90% of all households in Norway, Sweden and Denmark need a Java plug-in just for banking. So when you suddenly decided to block ALL Java without prior notice, I had to do 8 house calls and field 15 phone-calls from friends, neighbors and family.
A couple of other reactions from the community:
Tomasz: Sorry for an explicit message, but, as a user: who took such an ultra-irresponsible decision to block java on FF?!
It made me unable to log in to my online trading account because of this. The app used by my bank only displays 'required java version >1.5" in a message box, with no trace of any security issues. It simply doesn't work.
ipatrol: Have you all suddenly gone insane? Java is one of the three core technologies behind dynamic content! You start pulling out a sledgehammer to go smash a few bugs and you all talk calmly about it as if it were some minor UI tweak?
Roger, a Java SE Engineering Manager, commented on this issue:
We are seeing a significant number of people report on java.com that FF indicates that Java 7u45 is vulnerable. Many are saying that their solution is to use IE. Searches for related terms are though the roof. Not sure if this was the intended end user solution when the FF team implemented this. The confusion about the messaging and how to allow Java to run appears to be a usability issue. Are there any stats on how this new block is affecting FF users behavior?
Mozilla decided to revert the blocks at that time, but the measure was temporary until CtP would be fixed. At the end of October, Mozilla announced a beta version of Firefox that would block all plug-ins except Flash, citing again security concerns.
Finally, at the end of the year, Firefox 26 now is blocking all Java plug-ins on all websites by default. It remains to see if the CtP user interface is useful enough to let people know how to enable Java when they need to.
After Windows and Flash took the blame for security holes in users’ computers for years, now it is Java’s turn to feel some of the heat. Oracle did not seem to pay much attention to this issue in the past but that changed considering the 127 security fixes update released in October under the Critical Patch Update program which is supposed to provide security updates at least quarterly.
Flash vs. Java
Thomas Vestergaard Trolle
The one plugin not affected by this change is Flash, which will remain enabled by default. Flash content is so common on the Web, and many websites use “hidden” Flash instances that the user does not see and cannot click on: making Flash click-to-play would be confusing for most users.
How much of this does not apply to Java?
Oh, that's right - Flash gets preferential treatment due to a close relationship with Adobe:
Our security and plugin teams work closely with Adobe to make sure that Firefox users are protected from instability or security issues in the Flash plugin.
Apart from the hypocrisy, I think making plug-ins CtP is a good way to advance the standards-based Web, although this will might limit new adoption of FF from competing browsers.