Topic: Disable JAVA for safer browsing

[George]

Do you remember I mentioned that I generally use my Google Chrome browser with Java disabled?

I then enable Java just for sites I trust (well to a degree) such as Toolstation.com, which simply won't work without Java. Does anyone else here use Toolstation? I much prefer it over Screwfix.

Anyway, a US authority has now recommended that most people should disable Java because it's a distinct security risk.

See:
http://www.computerworld.com/s/article/9235615/US_CERT_tells_users_to_disable_Java_in_browsers_after_exploit

[RubyDoo]

Oh dear.

Apparently  a US authority once suggested that there was no threat caused by the war in Europe. Doh!
I would hope that anybody on this site would have the 'savvy' to at least have minimal protection.. In this day and age, if you do not then you deserve what you get. That may sound harsh but everybody gets bombarded even by default to the need for minimum requirements. Ignore at your own peril.

George . This post is patronising at best, insulting at worst.  I will leave it at that in the hope that YOUR own ignorance is driven by a genuine desire to do the right thing.

[Peripatetic Phil]

I disabled Java and had no difficulty navigating the Toolstation web site at all; with JavaScript disabled, on the other hand, the site is completely dysfunctional.  In fact, it tells you that if you visit it with JavaScript disabled : "You need JavaScript turned on to use Toolstation.com!  Please enable JavaScript in order to shop at Toolstation.com."  Is there any possibility that you are confusing the two, George ?

P.S. The Java vulnerability is quite significant : http://reviews.cnet.com/8301-13727_7-57563567-263/new-malware-exploiting-java-7-in-windows-and-unix-systems/

I have now disabled Java (not JavaScript) in all my VMs, as well as in the host system.  Thank you for drawing this to our attention.

** Phil.

[George]

Oh dear.
Apparently  a US authority once suggested that there was no threat caused by the war in Europe. Doh!
I would hope that anybody on this site would have the 'savvy' to at least have minimal protection.. In this day and age, if you do not then you deserve what you get. That may sound harsh but everybody gets bombarded even by default to the need for minimum requirements. Ignore at your own peril.
George . This post is patronising at best, insulting at worst.  I will leave it at that in the hope that YOUR own ignorance is driven by a genuine desire to do the right thing.

As incredible as it seems, perhaps we have the start of another argument here. How on earth could my post about Java prompt this type of response from Ruby, calling me ignorant? Looking for trouble, or what? I sincerely hoped the information about Java might interest some members. I didn't dream anyone would treat it so negatively.

For anyone interested in reading more, here it is direct from the source of the advice, in effect. It makes sense to me:

http://www.us-cert.gov/cas/techalerts/TA13-010A.html

[rallim]

I always keep my laptop updated with security updates. I have a few security programs for protection and I have java disabled and has been for quite a while. Good information George and thanks for highlighting this.

[Peripatetic Phil]

Many thanks for flagging up this distinction, which I didn't realise. It seems I disabled JavaScript, and probably still have Java running! So I might be ignorant, after all, but due to confusion over JavaScript vs Java rather than anything Ruby mentioned. Is it easy to diable Java? Perhaps I should look back to the article I referred to.

Easy, but the method varies with browser :

For Seamonkey : Tools / Add-ons Manager / Plugins / Disable anything specific to Java
IE9 : Tools / Internet options / Security / Custom level / Scripting of Java applets / Disable

And don't you think it's also a good idea to have JavaScript disabled, even if it's completely different?

Not really : I run with JavaScript enabled in all my VMs (Productions, Secure, Sandbox, VPN, ...) as well as in the physical host, and disable it only when I need (e.g.,) right-click functionality that JS is deliberately over-riding (e.g., "Sorry, images cannot be saved" !) or when I cannot be sure that a pop-up is not malicious and need to be able to (a) stop it replicating, and (b) kill it.

It may be worth explaining to those who regard IT solely as a tool that Java (from Sun, via Oracle) and JavaScript (from Netscape, via ECMA and your favourite browser vendor) are two totally different beasts : the only thing they have in common is the first four letters, which were deliberately picked by Netscape when they wanted to re-brand their "LiveScript" technology. They picked the letters "J a v a" because, by then, Java was a cross-platform reality and they wanted to jump on Java's bandwagon.

JavaScript is an interpreted language that runs natively in your browser, and also in Adobe Acrobat; Java is a compiled language that requires a plug-in in order to run within a browser.  Both run in so-called "Sandboxes", but JavaScript is inherently more secure.

** Phil.

[George]

I disabled Java and had no difficulty navigating the Toolstation web site at all..."You need JavaScript turned on to use Toolstation.com!  Please enable JavaScript in order to shop at Toolstation.com."  Is there any possibility that you are confusing the two, George ?

Many thanks for flagging up this distinction, which I didn't realise. It seems I disabled JavaScript, and probably still have Java running! So I might be ignorant, after all, but due to confusion over JavaScript vs Java rather than anything Ruby mentioned.


I've now removed Java (v9) completely, via Control Panel.

And don't you think it's also a good idea to have JavaScript disabled, even if it's completely different?

[Peripatetic Phil]

I've now removed Java (v9) completely, via Control Panel.  And don't you think it's also a good idea to have JavaScript disabled, even if it's completely different?

No, please see above George : I replied while you were composing this, so my reply precedes your message.

** Phil.

[ELW]

Most people keep javascript enabled George, a huge amount of web content relies on it & it's used in many different ways now.
I've never updated from Java 6. The threat from Java applets (remote Java code) is in short the Java languages capability to access your machine's file system, which is obviously not good

It's irrelevant to this post but javascript runs server side also 

Well spotted anyway

ELW

[Peripatetic Phil]

It's irrelevant to this post but javascript runs server side also 

Not sure what you mean by that last observation, ELW.  JavaScript /can/ be run server-side (within the context of, e.g., ASP.NET) but in general users will be unaware of which server-side technology is being run, and in any rate cannot disable it from their machine.  For normal users and normal situations, JavaScript is run client-side (i.e., within the browser) and can be disabled using (e.g.,) PrefBar, Tools/Options or Edit/Preferences.

** Phil.