Montag, 14. Januar 2013

Java and Browser-Security

A lot of negative trouble around Java was going on during the past days - once again the issue "security" was the reason behind.

Oracle now delivered a security update on version Java 7 which on the one hand solves the problem itself (known: as zero-day-gap) and on the other hand by default increases the default security level of Java in the browser to level "high". This means the user explicitly gets asked before executing Java on his/her local machine within the context of the browser.

Not allowing the automatic execution of Java in the browser is a good move! - The user needs to be asked before any Java code for what purpose ever is executed in the browser context. There must not be any automatic execution of Java without the user explicitly agreeing!

Starting Java in the browser means that some powerful execution runtime is started - having the possibility to by intention or by error access the user's client infrastructure on a quite low level. So the user needs to be warned, and the user needs to check if he/she can build up the corresponding level of trust - or not.

When starting Java from the browser, then the same must happen, what today happens during App-installations e.g. on Android devices: before installing and starting the user sees who's behind the app, so he/she can check if this is someone to trust or not. This is the main information for building up trust! - Of course the user also sees a list of system resources the app needs to access, but this is already a quite too technical layer for most users...

The pattern "explicitly check and trust, then execute" will be something that will be very common in the future client environments - regardless if it's a Java program, an App ...or e.g. even a JavaScript program. JavaScript will have more and more access to local client resources, of course hidden by some sandbox mechanism. But: if the sandbox fails because of errors, then the same level of vulnerability is present than just is/was present with the Java environment.

From my expectations the usage of Java in the client will be more and more comparable to starting an app. Java in the front end is an "app environment", it's not a "page environment". So security always will be an issue when starting an app - but it's now the level of trust between the user and the app provider, and it's not the level of trust between the user and some anonymous platform anymore.

Luckily it seems that JavaFX with its creation of native installation bundles is exactly going this direction!

Keine Kommentare: