In case you weren’t aware, last week, on Friday October 18, all versions of Java were marked as unsafe in Firefox 24. You can see the details in bug 914690.
When Monday rolled around, reports of problems started coming in. Companies unable to use their software. People unable to do their banking. Citizens unable to access government sites. Hundreds of millions of users affected.
It took three days for the decision to be made to remove the block, and since the blocklist is cached, even more for users to see the results.
Looking back, I’m surprised at how lightly this change was taken. Marking Java as unsafe is a major change that affects millions of users; it should have been handled much better. Here are some of the things that were wrong with this decision:
- The decision was made without involving the major stakeholder (Oracle). The change took them completely by surprise.
- The decision was made out of band. There had just been an upgrade to Firefox 24 with no problems. Then all of a sudden Java stopped working.
- The decision was made with no communication. There were some articles a few months ago (none official from Mozilla), but there was no discussion or notification of this specific change. (And please don’t call the platform newsgroup communication.)
- The change was made without proper testing. After it was rolled out, it became pretty clear that there were quite a few cases where users were not being notified about the block. People were also having trouble navigating the UI when it appeared.
The saddest part about this entire change is that the latest version of Java IS click to play! Oracle already has warnings that are better than what Firefox displays.
I understand the need to protect users, but when major decisions like this are made, developers need to think about ALL of the implications. Otherwise, the fallout can be disastrous.