The Java Debacle

In case you weren’t aware, last week, on Friday October 18, all versions of Java were marked as unsafe in Firefox 24. You can see the details in bug 914690.

When Monday rolled around reports of problems started coming in. Companies unable to use their software. People unable to do their banking. Citizens unable to access government sites. Hundreds of millions of users affected.

It took three days for the decision to be made to remove the block, and since the blocklist is cached, even longer for users to see the results.

Looking back, I’m surprised at how lightly this change was taken. Marking Java as unsafe is a major change that affects millions of users; it should have been handled much better. Here are some of the things that were wrong with this decision:

  • The decision was made without involving the major stakeholder (Oracle). The change took them completely by surprise.
  • The decision was made out of band. There had just been an upgrade to Firefox 24 with no problems. Then all of a sudden Java stopped working.
  • The decision was made with no communication. There were some articles a few months ago (none official from Mozilla), but there was no discussion or notification of this specific change. (And please don’t call the platform newsgroup communication.)
  • The change was made without proper testing. After it was rolled out, it became pretty clear that there were quite a few cases where users were not being notified about the block. People were also having trouble navigating the UI when it appeared.
  • The saddest part about this entire change is that the latest version of Java IS click to play! Oracle already has warnings that are better than what Firefox displays.

I understand the need to protect users, but when major decisions like this are made, developers need to think about ALL of the implications. Otherwise, the fallout can be disastrous.


17 thoughts on “The Java Debacle”

  1. The debacle is all Oracle’s and Java’s, not Mozilla’s. AFAIK Mozilla is not the first browser vendor to make this decision. Java has no place in browsers. It’s about time developers started realizing that. We killed Flash, let’s kill Java in browsers as well.

    • I am sorry @pd, what I run on my machine is my responsibility. I have never granted Mozilla the power to be my cyber nanny. Mozilla likes to trash talk the closed platform stores so much for how they can control what can be run and what not, but they find it perfectly normal to dictate what I can run inside my browser. I have been very careful to implement the new Java ruleset.xml [1] file (that needs to be signed by my own private key) in order to grant access to our Java intranet application, but no, Mozilla people think they have the right to do everything they want with their updates.

    • pd, this kind of self-righteous grandstanding is very juvenile and unprofessional. Java has a very well-established place in browsers. If you don’t want to install it, then don’t. That would be fine. Don’t try to tell others what they may or may not install on their computers.

      • Brian, while I agree that this change was bad, you have to realize that the vast majority of people did *not* install Java, but got it pre-installed on their machines. These installations are completely unmaintained, often extremely outdated, and one of the main infection vectors for real users, according to a long line of statistics.

        Saying that using Java is a deliberate choice is simply not true for most users. Nor that it’s well-managed. (Still, I agree with Mike’s post entirely.)

    • Much as I’d like to see that happen, you can’t just switch it off without warning. There’s a lot of existing code out there – 10 to 12 years ago, applets were about the only reasonable option for doing rich UI in browsers, since HTML and Javascript certainly weren’t up to it at the time. And while developers might not be creating new applet UIs, the existing ones aren’t going away any time soon. For my part, I work on an enterprise system that contains somewhere in the hundreds of distinct applets – and while newer versions of that system have reduced that significantly, it’s still in the dozens, and in any case, many of our clients are still on older versions.

  2. I agree, these kinds of changes are a big problem for people who use Firefox in a corporate environment. My personal observation is that most of my colleagues now use IE at work again after years of using Firefox. When you take into account that IE is often the last thing corporate IT depts will upgrade, these changes can end up pushing the end user to less secure older versions of browsers that are most often not Firefox. So we also lose market share!

    Yes, the Java plugin is bad for the internet in the long term, but these changes must be made carefully. Just because it’s not Mozilla’s fault doesn’t mean it’s not Mozilla’s problem.

  3. I tend to agree with Mike. As a general rule I would love to see plugins decline and become obsolete. But I think that has to be a slow, gradual process whereby individuals and organisations gradually choose to cease to use plugins over months and years rather than days and weeks. And I think that approach is working already; people are seeing plugins as outdated and unfashionable, which is having a degrading effect on their use over time.

    I think Mozilla would do better to continue making small incremental steps at pushing plugins into the background; steps that go with the flow and progress of plugin decline. Much better than angering people and attracting negative attention.

  4. You can’t involve Oracle in these sorts of decisions because getting in touch with Oracle and getting them to discuss Java issues is effectively impossible. I remember a few security events where we couldn’t even get anyone from Oracle to return calls or tell us their plans when we finally did reach them.

    As far as Java already being click to play through Oracle, well, by the time you get that far, if you’re running a pwnable version, you’ve already been owned. The plugin shouldn’t even instantiate without user intervention, which is what Mozilla was trying to do.

  5. While I completely agree with all the points you’re making, I totally love Mozilla for being a company that will make some pretty radical choices and just plough on ahead with them.

    The more people and stakeholders you include the less innovative your choices are going to be. The other side of the coin is that you are risking making giant mistakes…

  6. While I want to see Java (and Flash) disappear from the web ASAP, it does sound like this was very poorly handled. Why didn’t this ride the release train starting at nightly like everything else? For that matter, one release prior should have been dedicated to warning users on pages that use Java that it would soon become opt-in/click-to-play (whatever you want to call it) and point to a doc that further explained the situation. ESR releases should also have been treated very differently, perhaps leaving it off the blocklist for another year or even 2.

  7. Exactly, which drives me away from Mozilla. The one end does not know what the other one is doing, creating a future browser as similar to Chromium as possible in look and customization restrictions, crippling click to play, rapid releases and so much more.

    This one was just the last pull which has made me switch over to Chromium. Sorry, this and the other points mentioned previously are just showing that Mozilla cannot be taken seriously anymore. I banned Firefox on all my 50 office machines and replaced it with Chromium.

    Nothing more to add, I am disappointed that Mozilla has lost its track since the beginning of Version 4! That drives us guys away. Not only power users, but also companies which previously have been using Firefox on their machines! Just a big point to think about for you, pal!

  8. Not many Firefox releases ago a similar “how it was handled” Mozilla sociology bug occurred that was release related, not later.

    Before this discussion gets lost in the “noise”, perhaps this bug needs to be filed in Bugzilla. Apparently, that was not done last time, so it did not get fixed, and so it happened again, of course…

    Thank you,
    Eddie Maddox

  9. Yeah, this has been an absolute fiasco, as far as communication and consultation are concerned. From the outside, it’s hard to see what kind of process led to this, but it *feels* like this just came from out of nowhere. I follow development on Planet Mozilla fairly closely, but I’ve seen almost nothing discussing this issue, either before or afterwards. Java simply stopped working on us, without any warning – first time I’ve ever been grateful that our clients use Internet Explorer rather than Firefox. 🙁

    And yeah, developer communication on that bugzilla is just awful. Initial responses mostly amount to “we’re doing it for your own good”, and “if you have a problem with this, here’s how you can work around it”, and even by the time they reverted the blacklist, there’s no apparent recognition as to why everyone was so upset at them. Sounds like the block will be returning, just with a changed UI. Which is an absolute pain for those of us who are already doing everything we can to try to make our applets satisfy Oracle’s own over-aggressive security rules and popup warnings…

    • In fact, Mike – I think you’re the only person on Planet Mozilla to have mentioned this debacle. Glancing back over my feed reader history, there’s this post and your previous one, and nothing else from anyone associated with Mozilla. What on earth is going on in Mozilla, that a screwup like this is being met with near total silence?

  10. Mozilla should realize that this effectively broke the ESR promise. There was no way these problems could have been foreseen by better testing on our side. They pulled a trigger, and the program unpredictably changed both its features and the user interface. On Friday it worked, on Monday it failed, although this time we really hadn’t changed anything.

    We know that even changes made with the best intentions can have catastrophic side effects; this is the reason why we use ESR. This should never happen in an ESR version, which is guaranteed to get only security fixes, no feature changes. I don’t care what happens in RR. People who use this, and have auto-update enabled, must expect surprises, positive and negative ones. But in cases where broken software can stop important work, we absolutely hate it when surprises pop up out of nowhere.

    It appears as if Mozilla has no central instance that is responsible for important decisions, instead every group seems to be free to fiddle around with its modules, and do with them whatever they like. Probably many even don’t know that version 24ESR is supposed to remain stable.

    Please next time give us *early* warning and test cases before activating this again. This would also have revealed that whitelisting was broken.

  11. Unfortunately it’s the same thing Apple did a while back with their OS using XProtect. It locked out the Cisco VPN clients too 🙁

    I’m glad that Mozilla changed their mind!