I apologize in advance for being long winded.
I don’t know how many of you have heard about the KoobFace that was recently created for Macintosh (October 2010). It uses Java to do the install. I have news for you: that Java code also runs on Linux and Windows as long as Java is installed and plugged into your browser. I assumed I did not have Java on OpenSuse 11.3 because it never showed up as an option to turn off in Firefox prefs. I said nothing to get Java with the 11.3 install. OTOH, I had to install whois. If Firefox had a preferences control for Java I would have turned it off until it is needed.

Imagine my surprise, once I turned off ABP and my PAC filter (because the rule I was testing, “advertising.”, blocked multiup.org), to be staring at a request from multiup.org to install and run a Java app! It is the first one I have observed since installing OpenSuse 11.3 over six months ago. In fairness, the JRE did request my permission to run it, and when I asked for more information it told me the app was signed by a dubious and untrusted source. RUN DISALLOWED! Would some normal computer user know to do that and continue to disallow it until they knew more? I have more news for you - some Macintosh owners said yes to both the JRE query and then to the OS sudo query for the Java KoobFace and were successfully infected.

Java has more risk than people believe. Once hackers start to use Java you have a dandy multi-platform infection agent. Fortunately, I can’t even get the binaries for my utility programs compiled on OpenSuse 11.3 to work on Ubuntu 10.04; I had to recompile the programs on Ubuntu 10.04. Until the hackers figure out that one size doesn’t fit all for Linux, you have an extra edge of protection if you are a Linux user.
Despite all of the whines I read in the forum about Java not working, I do NOT want Java installed by default unless I have more control over it than just an interactive query. I consider the risk of whois much less than the risk of Java. Unless there is more control for Java in the browsers you may be better off without Java. Generally speaking, from a security standpoint the JRE should never be enabled until you need it. Here is what I have, using rpm (I tried the software control panel first, only to be staring at nothing familiar, which is why I used rpm):
$ rpm -qa | grep -i java
java-1_6_0-openjdk-1.6.0.0_b20.1.9.1-0.2.2.i586
timezone-java-2010l-0.2.1.noarch
java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.1-0.2.2.i586
Question 1:
Will control over when to be able to use Java ever be put back into Firefox? If not, then I really don’t want Java at all. I don’t have the JRE plugged into any of the browsers on Ubuntu or the two versions of Windows that I have, and I have never missed it. There is another factor at play here. I produce filters to filter out bad stuff and I REALLY do not want Java enabled most or all of the time. I put up with Flash because you always need it. In fact, when I am informed I have X viruses in my “Documents and Settings” folder on Linux you KNOW what you are looking at - a Flash run. The host that did it is black-listed instantly. Whatever it is leading to, no Windows user wants it.
Question 2:
If number one cannot be done, would removing the openjdk-plugin package severely damage things or break something? Is that all that needs to be removed, or do all three or even more things need to be removed? Unless I can control when I am seeing that JRE prompt I would rather not even see it. I might be tired or sick on the next one I see 6+ months from now and stupidly click on “yes, run it!” Novice users would be perplexed by those pop-up requests to run because it did not say it was a Java app. I am concerned about removing Java though. All of the stuff showing up in OpenSuse’s Software panel leads me to believe that if I remove Java I may break something.
The main use I see for Java is companies’ internal in-house apps. On the Internet, my advice is not to let any distrusted Java app run until you do some VERY THOROUGH checking. Has anybody actually observed a trusted (legitimately signed) Java app at all? I haven’t.
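Added example, not from the original post: a small POSIX shell script that does the three checks behind the two questions above. It sorts the `rpm -qa` output into the runtime, the browser plugin and the timezone data (only the plugin package exposes Java to web pages), looks for the plugin shared object in the browser plugin directories, and parks that file out of the plugin path so the JRE stays usable for local apps while no web page can start it. The plugin file names (IcedTeaPlugin.so for the OpenJDK/IcedTea plugin, libnpjp2.so for the Sun JRE) and the directories /usr/lib/browser-plugins, /usr/lib64/browser-plugins and ~/.mozilla/plugins are assumptions based on typical openSUSE and Firefox layouts; the sample package list is the one from the post plus a made-up whois line. The `rpm -e --test` dry run in the comments is the zero-risk way to see what depends on the plugin package before removing it.

```shell
#!/bin/sh
# Added example (not from the post). Plugin file names and directories below
# are assumptions based on typical openSUSE / Firefox layouts.

# classify_java_pkgs: read `rpm -qa`-style package names on stdin and print
# "<role> <package>" for each Java-related one. The browser plugin is the only
# piece that lets a web page invoke the JRE; the runtime itself is harmless
# until something feeds it a class.
classify_java_pkgs() {
    while IFS= read -r pkg; do
        case "$pkg" in
            *openjdk-plugin*|*icedtea*plugin*|*java*plugin*) echo "browser-plugin $pkg" ;;
            timezone-java*)                                  echo "tzdata $pkg" ;;
            java-*-openjdk*|java-*-sun*|jre*)                echo "runtime $pkg" ;;
            *[Jj]ava*)                                       echo "other $pkg" ;;
        esac
    done
}

# find_java_plugins DIR...: list NPAPI shared objects that are Java plugins in
# the given plugin directories. Symlinks are printed with their target so a
# dangling link (package removed, link left behind) is visible too.
find_java_plugins() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/IcedTeaPlugin.so "$d"/IcedTeaNPPlugin.so "$d"/libnpjp2.so "$d"/libjavaplugin*.so; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            if [ -L "$f" ]; then
                printf '%s -> %s\n' "$f" "$(readlink "$f")"
            else
                printf '%s\n' "$f"
            fi
        done
    done
}

# park_plugin FILE PARKDIR: move one plugin out of the browser's plugin path.
# The JRE stays installed for local apps; the browser simply no longer loads
# the plugin. Reversible by moving the file back. For a system directory this
# needs root and a package update may put the file back, so for a durable
# result remove the plugin package instead (see the rpm -e --test line below).
park_plugin() {
    file=$1; park=$2
    [ -e "$file" ] || [ -L "$file" ] || { echo "no such plugin: $file" >&2; return 1; }
    mkdir -p "$park" && mv "$file" "$park/" && echo "parked: $file -> $park/$(basename "$file")"
}

# Constructed sample: the package list from the post plus a made-up whois line
# as a non-Java control. On a real box the live checks would be:
#   rpm -qa | classify_java_pkgs
#   find_java_plugins /usr/lib/browser-plugins /usr/lib64/browser-plugins "$HOME/.mozilla/plugins"
#   rpm -e --test java-1_6_0-openjdk-plugin   # dry run: reports what depends on it
sample_pkgs='java-1_6_0-openjdk-1.6.0.0_b20.1.9.1-0.2.2.i586
timezone-java-2010l-0.2.1.noarch
java-1_6_0-openjdk-plugin-1.6.0.0_b20.1.9.1-0.2.2.i586
whois-0.0-0.0.i586'

printf '%s\n' "$sample_pkgs" | classify_java_pkgs
```

Run it as-is to see the classification of the sample list; point `find_java_plugins` at your real plugin directories to learn whether the plugin is actually wired into the browser, and use `rpm -e --test` before any `zypper rm` to find out whether anything else on the system requires the plugin package (on a desktop install it is normally a leaf package, but the dry run is what proves it).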