Java, Flash, and the Choice of Usability Over Security

Monday, September 10, 2012

Le Grecs


So I happened to be switching to a new computer two weekends ago. Going into it I was dead set on not installing Flash and Java.

And I was all good until @alexhutton posted a link to a video about the Beatles "Happy Birthday" song and I just had to check it out.

So I clicked on the link and headed over to YouTube. Unfortunately, the video didn't work and it displayed a message indicating that I needed a plugin. I thought perhaps I had to enable JavaScript for YouTube via NoScript, since I still hadn't configured that yet.

The page reloaded and the video still refused to play. I could have fiddled around on YouTube and somehow managed to navigate to the HTML5 version, but I was too lazy.

Over to I headed and in no time I was enjoying my Beatles song (followed by an unplanned hour of pointless YouTube surfing).

The next snag in my plan arose when I was unable to access one of the corporate networks I regularly use. They have the typical web portal interface that you log into, and with the simple press of a button the VPN starts.

Unfortunately, the button didn't work this time, as the VPN client is written in Java. The web portal kindly offered to install Java for me, but I declined as I'd rather install it myself so I know I have the most recent update.

So over to and a few minutes later I was ready to go again. To my dismay, after logging in I still received the same error message. This time I conceded and accepted their offer to install Java.

The odd thing was that the installer seemed to go through the entire setup process... yet again. Anyway, after they installed the "correct" version, the VPN finally worked.

As you can tell, my goal of not installing Flash and Java didn't last more than a few hours. And yet as infosec professionals, following the "disable unnecessary services" philosophy, we often advise people to avoid installing these types of applications for security reasons.

Of course, by taking the high road users lose the convenience of easily watching YouTube videos or logging into their corporate VPNs. I'd prefer to see websites not use Flash, and more and more this is happening (except for a few restaurant sites... hopefully, even they will abandon Flash soon).

Java, on the other hand, is a bit more complex. With the recent rise of clientless VPNs and conferencing software (e.g., GoToMeeting and WebEx), client-side Java use actually seems to be on the rise.

Still, I'd prefer to see these products and services offer native apps, even if just for performance reasons. I know creating separate applications for each OS is a pain, but it would be nice if these services at least provided native Windows and Mac versions and then only used Java as a backup.

I think Apple has taken a pretty good approach with Java. The latest version of Mac OS X automatically disables Java if it hasn't been used for a period of time. And when you need Java for that WebEx session, the OS will happily ask if you want to temporarily enable it.

How long have you been able to live without Flash and Java on your primary computer? Let us know in the comments below. Today's post pic is from See ya!

Cross-posted from
