Thursday, September 29, 2011

Mozilla is considering switching off Java in Firefox

As a possible interim solution for the reported SSL/TLS vulnerabilities, the Firefox developers are discussing disabling Oracle's Java plug-in in the browser. The Java plug-in is what makes it possible to exploit the weaknesses that Duong and Rizzo demonstrated in the past weeks. They showed how cookies from any website could be reconstructed despite an encrypted connection.

For their chosen-plaintext attack on the cipher-block chaining (CBC) mode that TLS mostly uses, Rizzo and Duong have to bypass the browser's Same Origin Policy (SOP) so that they can also communicate with servers outside the domain that, for example, the Java applet comes from.

The SOP is designed to prevent precisely this, but apparently there is a previously unknown bug in Java that makes it possible. In the view of the Firefox developers, it is now actually up to Oracle to solve the problem in Java first. Oracle has not responded so far, however, so the developers are considering switching off all Java plug-ins with a Firefox update for security reasons. That would cause malfunctions for some users. Firefox chief Johnathan Nightingale names Facebook video chat as well as various corporate applications.

Google has implemented a different solution in the Chrome developer version: to impede the attacker's control over the injected plaintext, packets are split, each preceded by an empty packet. According to reports so far, this has led to problems with only a few sites. It is not known, however, when Google will incorporate the workaround into the stable version.
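The effect of the empty-packet workaround described above can be modelled in a few lines of Python. This is an added example, not code from Chrome or from the original post: it relies on the TLS 1.0 rule that each record's CBC IV is the last ciphertext block of the previous record, and it checks whether that IV was already visible on the wire when the plaintext was chosen. The class and function names are hypothetical, a truncated HMAC-SHA256 stands in for the block cipher, and padding is not modelled.

```python
import hashlib
import hmac
import os

BLOCK = 16

def _encrypt_block(key, block):
    # Assumption: truncated HMAC-SHA256 stands in for the block cipher (encrypt-only toy).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

class Tls10CbcWriter:
    """Hypothetical model of a TLS 1.0 CBC sender; padding is not modelled."""

    def __init__(self, empty_record_first=False):
        self.key, self.mac_key = os.urandom(32), os.urandom(32)
        self.seq = 0
        self.chain = os.urandom(BLOCK)   # initial IV from the handshake, never sent
        self.wire = []                   # ciphertext blocks an observer has seen
        self.empty_record_first = empty_record_first

    def _send_record(self, payload):
        assert len(payload) % BLOCK == 0, "whole blocks only in this model"
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + payload,
                       hashlib.sha256).digest()[:BLOCK]
        self.seq += 1
        iv_used = self.chain
        data = payload + mac             # an empty payload still yields one MAC block
        for i in range(0, len(data), BLOCK):
            mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], self.chain))
            self.chain = _encrypt_block(self.key, mixed)
            self.wire.append(self.chain)
        return iv_used

    def write(self, plaintext):
        """Send application data; return the IV applied to its first block."""
        if self.empty_record_first:
            self._send_record(b"")       # its last block becomes the next IV
        return self._send_record(plaintext)

def iv_visible_before_write(writer, plaintext):
    """True if the IV for `plaintext` was already on the wire when it was chosen."""
    seen = writer.wire[-1] if writer.wire else None
    return writer.write(plaintext) == seen

def demo(empty_record_first):
    writer = Tls10CbcWriter(empty_record_first)
    writer.write(b"A" * BLOCK)           # constructed sample traffic
    return iv_visible_before_write(writer, b"B" * BLOCK)
```

`demo(False)` reports that the IV was visible in advance, while `demo(True)` reports that it was not, because the empty record's MAC block is encrypted first and its ciphertext becomes the IV for the data that follows.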

As a solution, Microsoft recommends switching from TLS 1.0 to TLS 1.1; however, the server must support that, and so far few do. Moreover, according to some Firefox developers, this does not really solve the problem, because Java uses its own TLS stack, which supports only the vulnerable TLS version 1.0.
