Is Java Insecure?


Hi Everyone

I am considering learning Java. There have been well-publicized Java security incidents recently that make me not want to learn it.

However, it’s in CentOS and I trust CentOS; are the concerns in the media blown out of proportion?

-Patrick

10 thoughts on - Is Java Insecure?

  • The security issues mostly relate to running programs with the browser plug-ins, and they seem to be mostly fixed. As far as using it as a server-side or standalone programming language goes, it is as good as anything else.

  • 1. In short: Yes, they were blown out of proportion with a high dose of FUD. Read the following analysis, especially the last few paragraphs.

    http://timboudreau.com/blog/The_Java_Security_Exploit_in_%28Mostly%29_Plain_English/read

    2. The most widely referred-to hole had to do with running applets in a browser.

    3. J7u40 and OpenJDK7U40 took care of the major issue: Java previously ran unsigned “applets” automatically. Now it no longer does.

    4. Most browsers now feature “click to run” on applets, effectively creating a dual barrier against running unsigned code (two clicks, one for the browser warning, another for the JRE warning about unsigned code). Drive-by exploits are thus impossible.

    4. Java now offers a “server JRE” without the browser plug-in, starting with J7u21

    http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html#serverjre

    5. Applets are on the way out, most of the action these days is on server-side Java, and on client-side Java, not browser java.

    6. Lots of apps are Java-based and have no intention of switching
    (Jitsi, Vuze, etc.)

    7. JVM languages are booming (JRuby, Jython, Scala, Clojure, RedHat’s Ceylon)
    http://www.drdobbs.com/jvm/a-long-look-at-jvm-languages/240007765

    8. Java is open source, with Twitter, SAP, RedHat, IBM, Oracle and even Google collaborating on the project. See:

    http://www.redhat.com/summit/2012/pdf/2012-DevDay-OpenJDK-Bhole.pdf

    9. Java8/OpenJDK 8 is coming, with Java9/OpenJDK9 next

    10. Java is more than a language. It’s also a runtime environment and a level-playing-field software ecosystem. You can create Java apps with any of the JVM languages without ever writing a single line of Java code.

    11. Raspberry Pi just announced that RasPis will ship with OpenJDK and JRE

    Those are my reasons; if you don’t like ’em, I have others…
    ;)
    FC


    During times of Universal Deceit, telling the truth becomes a revolutionary act
    – George Orwell

  • I suspect you meant to say…

    5. Applets are on the way out, most of the action these days is on server-side Java, and on client-side JavaSCRIPT, not browser java.

    Client-side JavaScript programming is sometimes called AJAX. Note that JavaSCRIPT is not Java; it only looks vaguely similar.

  • I’m fully aware that Java != Javascript. I was talking about the differences between client-side, desktop Java apps and browser-based applets.

    There are plenty of desktop Java-based apps, including Jitsi
    (www.jitsi.org), Vuze P2P (vuze.com), Art of Illusion (raytracer), Sweet Home 3D (CAD), muCommander (JWS-enabled NC clone), jEdit, the Netbeans IDE, FreeMind (mind mapper/productivity tool), Frinika (music workstation), JShot (taking screenshots and uploading them to social sites), PowerFolder (cloud storage/sync)

    Or others like the burp LAN scanner or the jHome home automation solution: http://portswigger.net/burp/
    http://www.eletronlivre.com.br/jhome/

    JavaFX 2.0 and its open source release OpenJFX is client-side desktop Java, and unrelated to applets or browsers.

    FC



  • Yes, browsers normally execute javascript internally, and there are some toolkits like GWT to write interactive applications where you write mostly server-side java and it generates the browser javascript code for you.

  • First, just in case you’re confused, Java and JavaScript are two totally different things. Only the names are similar, to confuse the innocent. Just like Visual Basic, VBScript, and Visual Basic for Applications (VBA) are three totally different things with similar names, just to confuse the innocent.

    JavaScript is as secure as any other reasonably applied scripting language. Java, which runs on a Java Virtual Machine (JVM), is known in the trade as (J)ust (A)nother (V)ulnerability (A)nnouncement. Java should never be enabled in a web browser.

    If your intention is to write Java applications then go for it.


    Mark LaPierre, Registered Linux user No #267004
    https://linuxcounter.net/
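    As an added example that is not part of this thread and not code from CentOS, OpenJDK or Oracle, the following POSIX shell script checks a Linux desktop for the two things the comments above (FC’s points 3 and 4, and the advice that Java should never be enabled in a browser) turn on: whether a Java NPAPI browser plug-in is installed at all, and whether a user’s Java deployment.properties lowers the applet security level so that unsigned applets may still run. The plug-in file names (IcedTeaPlugin.so for icedtea-web, libnpjp2.so for the Oracle JRE), the plug-in directories, and the deployment.security.level property with values LOW/MEDIUM/HIGH/VERY_HIGH are assumptions stated in the comments; the demo at the bottom runs against a constructed fixture in a temporary directory rather than the real machine.

```shell
#!/bin/sh
# Added example, not code from the thread, CentOS, OpenJDK or Oracle.
# Audits a Linux desktop for (a) a Java NPAPI browser plug-in and (b) a Java
# deployment.properties that lowers the applet/Web Start security level.
# Assumptions: plug-in file names IcedTeaPlugin.so (icedtea-web) and
# libnpjp2.so (Oracle JRE); the NPAPI plug-in directories listed below;
# the property deployment.security.level with values LOW/MEDIUM/HIGH/VERY_HIGH.

# Directories NPAPI plug-ins were loaded from (assumption; adjust per distro).
DEFAULT_PLUGIN_DIRS="/usr/lib64/mozilla/plugins /usr/lib/mozilla/plugins $HOME/.mozilla/plugins"

# find_java_plugins DIR...: print the path of each Java plug-in library found.
find_java_plugins() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/IcedTeaPlugin.so "$d"/libnpjp2.so "$d"/libjavaplugin*.so; do
            [ -e "$f" ] && echo "$f"
        done
    done
    return 0
}

# security_level FILE: print deployment.security.level from a Java
# deployment.properties file (last occurrence wins), or "unset" if absent.
security_level() {
    lvl=""
    [ -f "$1" ] && lvl=$(sed -n 's/^deployment\.security\.level=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$lvl" ]; then echo "$lvl"; else echo unset; fi
}

# audit PROPS_FILE DIR...: print findings and PASS/FAIL; exit status 0 for
# PASS, 1 for FAIL. An installed plug-in fails, as does a level of LOW or
# MEDIUM (both let unsigned applets run, with or without a warning).
audit() {
    props="$1"; shift
    status=0
    plugins=$(find_java_plugins "$@")
    if [ -n "$plugins" ]; then
        echo "FAIL: Java browser plug-in installed:"
        echo "$plugins" | sed 's/^/  /'
        status=1
    fi
    lvl=$(security_level "$props")
    case "$lvl" in
        LOW|MEDIUM)
            echo "FAIL: deployment.security.level=$lvl permits unsigned applets"
            status=1 ;;
        HIGH|VERY_HIGH|unset)
            echo "OK: deployment.security.level=$lvl" ;;
        *)
            echo "WARN: unrecognised deployment.security.level=$lvl" ;;
    esac
    [ "$status" -eq 0 ] && echo PASS
    return "$status"
}

# Demo on a constructed fixture (not the real system) so the script runs
# offline: one icedtea-web plug-in present and a MEDIUM security level.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/plugins"
    : > "$tmp/plugins/IcedTeaPlugin.so"
    printf 'deployment.security.level=MEDIUM\n' > "$tmp/deployment.properties"
    audit "$tmp/deployment.properties" "$tmp/plugins"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# To audit the real machine instead, call:
#   audit "$HOME/.java/deployment/deployment.properties" $DEFAULT_PLUGIN_DIRS
demo
echo "demo exit status: $?"
```

    The two checks are independent on purpose: removing the icedtea-web package (or the Oracle plug-in library) is what actually stops applets from loading, while the deployment.properties check catches a user who has reinstalled a plug-in and then turned the JRE’s own unsigned-code warning down to get some legacy applet working again.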

  • “I think this [removing the plug-in] is truly dreadful reasoning. Either we think that the plugin is safe enough for people to use, or we don’t ship it.”

    Anyway, enough said; I think that by now the original poster’s question has been thoroughly answered.

    FC
    * (Icedtea-web is the FOSS version of the Java plug-in for OpenJDK. Sun open-sourced Java in 2006 but never the browser plug-in; that need was filled by the FOSS community via Icedtea-web.)


