# Is Java now safe to install?



## Tabvla (Apr 10, 2006)

I have not used Java on my personal computers for several years due to security concerns.

I now need to install Java for a specific purpose and need to keep it installed for the duration of that purpose which will be at least 5 years.

Is Java now safe to install?

Thanks

T.


----------



## cybertech (Apr 16, 2002)

I would say it is safe as long as you keep it up to date.


----------



## TOGG (Apr 2, 2002)

If you scroll down this page, http://www.javatester.org/index.htm, to the item headed 'January 28, 2016', you will see the author's view regarding the next steps for Java.

There is also Oracle's own announcement of their intention to 'deprecate' their browser plugin: https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free

On balance, the answer to your question is, probably, 'No' but, if you don't have the choice, you could always ensure that the browser with the Java plugin runs inside something like Sandboxie.


----------



## zx10guy (Mar 30, 2008)

Java has always been plagued by security issues and concerns. What makes things maddening about this situation is if you do upgrade to resolve problems/security issues, you could end up breaking applications that were once working with the older Java version. It's a total mess that there continues to be a backwards compatibility issue with Java.

That's why there has been a push to move applications over to HTML 5.


----------



## flavallee (May 12, 2002)

I've been using Java for years and have never had a problem with it.
The most current version is 8 Update 102.



----------



## zx10guy (Mar 30, 2008)

I know it's anecdotal but I've had a number of issues with upgrading Java breaking an application which wasn't updated to work with the newer Java version: the ASDM software to manage the Cisco ASA firewall and the web interface for a Compellent SC4020 storage array where support stated a specific version of Java they recommended to run with it (which was not the most current version BTW). I've also had customers who have been stuck using older versions of Java due to the firmware version of the equipment they're using.

Also, in many Federal Agencies, there are rules prohibiting anything that operates on Java from being run on their networks.


----------



## Tabvla (Apr 10, 2006)

TOGG said:


> ...... On balance, the answer to your question is, probably, 'No' but, if you don't have the choice, you could always ensure that the browser with the Java plugin runs inside something like Sandboxie.....


The problem is that there does not seem to be a choice. The company is a large international corporation and in order to access and use their services the customer must have a User Account and, for reasons that are difficult to understand, the IT department decided that it would be a good idea to use Java for the purpose of creating and accessing a User Account. So when the customer goes to create or access their account the first thing that the process checks is whether Java is installed; if not, the process prompts the user to install Java... and that is where it all stops until Java is installed.

The idea of running in a Sandbox is interesting and would be a good solution providing one knew what applications were accessing Java. One could create and use the User Account in a Sandbox, so this particular process would be covered. But how would a user know if some other software was using Java for certain functionality, without the user being aware that the software was using Java?

On the subject of Sandbox, there are many choices out there. Is this one any good?

https://turbo.net/browsers

T.
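Tabvla's question above (how would a user know what else on the machine is using Java?) can be answered with an inventory script. The following is an added example written for this thread, not code from any post in it: it lists the JREs that Oracle's installer registers in the registry, the Add/Remove Programs entries you would remove if you follow the "install only when needed" approach, and every running JVM together with the process that launched it. It assumes a Windows machine with the standard Oracle JRE registry layout and should be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): inventory where Java lives on a Windows box
# and which processes are using it right now. Run from an elevated PowerShell prompt.
# Registry keys and process names below are Oracle's standard ones; a vendor that
# bundles its own private JRE will still show up in the running-process list.

function Get-InstalledJava {
    # Oracle's JRE registers each version under these keys with a JavaHome value.
    $keys = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment'  # 32-bit JRE on 64-bit Windows
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $javaHome = (Get-ItemProperty $sub.PSPath).JavaHome
            if ($javaHome) {
                [pscustomobject]@{
                    Version  = $sub.PSChildName
                    Arch     = if ($key -like '*WOW6432Node*') { 'x86' } else { 'x64' }
                    JavaHome = $javaHome
                    # a stale key with no binaries behind it is a leftover, not a risk
                    Present  = Test-Path (Join-Path $javaHome 'bin\java.exe')
                }
            }
        }
    }
}

function Get-JavaUninstallEntries {
    # Win32_Product is slow and triggers MSI reconfiguration; read the Uninstall keys instead.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -like 'Java*' } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }
}

function Get-JavaProcesses {
    # Anything that started a JVM shows up here: java.exe/javaw.exe for desktop apps,
    # javaws.exe for Web Start, jp2launcher.exe for the browser plugin.
    $jvmNames = 'java.exe', 'javaw.exe', 'javaws.exe', 'jp2launcher.exe'
    $all = Get-CimInstance Win32_Process
    foreach ($proc in $all | Where-Object { $jvmNames -contains $_.Name }) {
        $parentId = $proc.ParentProcessId
        $parent   = $all | Where-Object { $_.ProcessId -eq $parentId }
        [pscustomobject]@{
            Pid         = $proc.ProcessId
            Name        = $proc.Name
            # the parent is the application that pulled Java in, which is what the user wants to know
            LaunchedBy  = if ($parent) { $parent.Name } else { '(exited)' }
            CommandLine = $proc.CommandLine
        }
    }
}

Write-Host '== Installed JREs (registry) =='
Get-InstalledJava | Format-Table -AutoSize
Write-Host '== Add/Remove Programs entries =='
Get-JavaUninstallEntries | Format-Table -AutoSize -Wrap
Write-Host '== Running JVMs and the process that launched them =='
Get-JavaProcesses | Format-Table -AutoSize -Wrap
```

Leave the last section running while the user works through a normal day: a JVM launched by an application other than the browser (the `LaunchedBy` column) is exactly the "software using Java without the user being aware" that Tabvla asks about, and its command line usually names the vendor's jar.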


----------



## TOGG (Apr 2, 2002)

The point of the things I referred to in my reply seems to be that it is the browser plugins that present the risk to the user, not the Java language, and most browsers may soon be refusing to allow them to be installed.

I have been using Sandboxie for some time and haven't had too many problems, but I am only a 'hobby' user, so I don't know how it would be for a more intensive user. The free version of Sandboxie only allows for the creation of one sandbox while the registered version allows you to have multiple ones. I don't remember now how much registration costs but it wasn't much. I have no experience of any other sandboxing apps.


----------



## zx10guy (Mar 30, 2008)

Tabvla said:


> The problem is that there does not seem to be a choice. The company is a large international corporation and in order to access and use their services the customer must have a User Account and for reasons that are difficult to understand the IT department decided that it would be a good idea to use Java for the purpose of creating and accessing a User Account. So when the customer goes to create or access their account the first thing that the process checks is whether Java is installed, if not, the process prompts the user to install Java..... and that is where it all stops until Java is installed.
> 
> The idea of running in a Sandbox is interesting and would be a good solution providing one knew what applications were accessing Java. One could create and use the User Account in a Sandbox, so this particular process would be covered. But how would a user know if some other software was using Java for certain functionality, without the user being aware that the software was using Java?
> 
> ...


You need to find out what type of authentication system requires the use of Java. I've never heard of one ever using it. Are these users remote users going over some sort of VPN?

What exactly is your role with this company? I assume this is the same non-profit you've referenced in the networking section. Someone needs to define the criteria of what the IT systems provide and the level of security needed. Depending on what these requirements are can lead you down the path of terminal services, thin/zero clients, etc. You really need to focus on bringing in an IT firm to get this all sorted out.


----------



## zx10guy (Mar 30, 2008)

TOGG said:


> The point of the things I referred to in my reply seems to be that it is the browser plugins that present the risk to the user, not the Java language, and most browsers may soon be refusing to allow them to be installed.
> 
> I have been using Sandboxie for some time and haven't had too many problems, but I am only a 'hobby' user, so I don't know how it would be for a more intensive user. The free version of Sandboxie only allows for the creation of one sandbox while the registered version allows you to have multiple ones. I don't remember now how much registration costs but it wasn't much. I have no experience of any other sandboxing apps.


This is incorrect. The concerns are with Java itself. There are applications, just like the ones I've mentioned, which don't operate under a plug-in to the browser but launch the JRE, which presents a major security concern to many organizations, of which the US Federal Government is one. This is why there's so much emphasis on HTML 5 development and transitioning off of Java based software. Dell has poured considerable effort into launching HTML 5 support on their out-of-band iDRAC software used in their servers. Nutanix has been selling the notion that everything is managed through a web GUI that is based off of HTML 5 along with full STIG compliance. Emerson Liebert just released a software upgrade for one of their pivotal unified management appliances which introduces HTML 5 functionality.

Frankly with all the issues I've experienced along with the known history of security issues with Java in general, having HTML 5 replace all the Java based software out there couldn't happen fast enough.


----------



## Macboatmaster (Jan 15, 2010)

Perhaps it is one of these companies
https://en.wikipedia.org/wiki/List_of_acquisitions_by_Oracle

Oracle - Java

Install it, register, uninstall it, and then install it when you need it (presuming that will not be a daily exercise) and then uninstall it until you need it again.

Its weakness is that the updates are only issued AFTER the security hole has been found.
Although you would be unlucky, it may just be exploited on your computer before the update.


----------



## RT (Aug 20, 2000)

Macboatmaster said:


> Its weakness is that the updates are only issued AFTER the security hole has been found.
> Although you would be unlucky it may just be exploited on your computer = before the update.


I think that's hitting the nail on the head...you always assume an update is safe, until it's shown to be otherwise. Oracle, Microsoft, Adobe etc, update as problems are found. Sometimes by the folks that wrote the code, sometimes from other sources.
It's more than likely that Java (or the lack of) won't impact casual users, but who wants to be among the unlucky? I've only griped once to a website that requires Java for use, but it wasn't a big deal. Your mileage may vary.

I realize my two cents do nothing to further solve Tabvla's concerns, but if my work required or depended on it, I'd use it. Updated.


----------



## Tabvla (Apr 10, 2006)

zx10guy said:


> You need to find out what type of authentication system requires the use of Java. I've never heard of one ever using it. Are these users remote users going over some sort of VPN?
> 
> What exactly is your role with this company? I assume this is the same non-profit you've referenced in the networking section. Someone needs to define the criteria of what the IT systems provide and the level of security needed. Depending on what these requirements are can lead you down the path of terminal services, thin/zero clients, etc. You really need to focus on bringing in an IT firm to get this all sorted out.


No. Your assumption is incorrect. I explained carefully in the Networking Forum that the organisation referred to there was a _small privately funded Charity_. I also mentioned in my Post #7 in this Forum that this question refers to a "...._large international corporation_....".

I have no role in the corporation. Some of my customers use this corporation's products and some critical functionality of some of those products requires the customer to log into the corporation. In order to facilitate that the corporation requires the customer to setup a User Account which in turn requires product authentication and customer authentication to ensure that the user is who they say they are and that they (individual or business) are the registered legal owner of the product.

This entire User Account process is programmed in Java - setup and use thereof. So it is not only a matter of setting up the User Account and then uninstalling Java until you next need to access the account (which was a good suggestion made by Macboatmaster) the reality is that the user would be frequently accessing the account when the product is being used. And this applies not only to one niche-product but will in time apply to probably almost all the products manufactured by this corporation.

These products are expensive - typically in the price bracket from USD20k to USD40k, so one cannot simply dump the product and use something else. And there is absolutely no chance whatsoever that the IT department of this corporation will change the process unless they decide to do so and then they will do it in their own time.

For these customers, installing Java is not an option, it is essential. My job is to advise them what they need to do to stay safe once Java has been installed. That is really the question.

T.


----------



## Macboatmaster (Jan 15, 2010)

I would certainly ensure that your customers using Java set security levels, as with Java installed, not only will they of course use it on the site of the large international corp., but Java content will also run on any site or email they access.
https://java.com/en/download/help/jcp_security.xml
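Macboatmaster's point is that once Java is installed, its security settings govern every site the user visits, not just the corporation's. The Java Control Panel settings he links to are stored per user and can be lowered again with a few clicks; a system-wide deployment.config with locked properties cannot. The script below is an added example written for this thread, not code from any post or from Oracle: it writes a locked VERY_HIGH policy and an Exception Site List containing only the vendor's login host, so Java content from anywhere else is blocked. The property names are Oracle's documented deployment.properties keys; https://account.example.com is a placeholder for the corporation's real host and must be replaced.

```powershell
# Added example (not from the thread): push a locked, system-wide Java security
# policy so the user cannot lower it from the Java Control Panel. Run as Administrator.
# https://account.example.com is a placeholder for the corporation's login host.

$deployDir  = Join-Path $env:windir 'Sun\Java\Deployment'   # every JRE on the box reads this folder
$sysProps   = Join-Path $deployDir 'deployment.properties'
$sitesFile  = Join-Path $deployDir 'exception.sites'
$configFile = Join-Path $deployDir 'deployment.config'

# Java properties files want forward slashes and escaped colons in path values
$propDir = ($deployDir -replace '\\', '/') -replace ':', '\:'

New-Item -ItemType Directory -Path $deployDir -Force | Out-Null

# Only this host may run Java content that VERY_HIGH would otherwise block.
# An https:// entry covers that host on port 443 regardless of path.
@(
    'https://account.example.com'
) | Set-Content -Path $sitesFile -Encoding Ascii

# A trailing ".locked" key greys the setting out in the Java Control Panel.
@"
# Block unsigned and self-signed apps; prompt only for apps signed by a trusted CA
deployment.security.level=VERY_HIGH
deployment.security.level.locked
# Never offer to trust a certificate that does not chain to a trusted CA
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
# Check revocation for every certificate in the chain, via OCSP and CRLs
deployment.security.revocation.check=ALL_CERTIFICATES
deployment.security.revocation.check.locked
deployment.security.validation.ocsp=true
deployment.security.validation.crl=true
# Refuse apps that mix signed and unsigned code
deployment.security.mixcode=DISABLE
deployment.security.mixcode.locked
# Keep the out-of-date JRE warning on so an unpatched runtime is not used quietly
deployment.expiration.check.enabled=true
deployment.expiration.check.enabled.locked
# The Exception Site List lives here and the user may not edit it
deployment.user.security.exception.sites=$propDir/exception.sites
deployment.user.security.exception.sites.locked
"@ | Set-Content -Path $sysProps -Encoding Ascii

# deployment.config points every JRE at the file above and, with mandatory=true,
# makes Java refuse to start if that file cannot be read.
@"
deployment.system.config=file\:$propDir/deployment.properties
deployment.system.config.mandatory=true
"@ | Set-Content -Path $configFile -Encoding Ascii

Write-Host "Wrote $configFile, $sysProps and $sitesFile."
Write-Host 'Open the Java Control Panel: the Security tab should show Very High, greyed out.'
```

Two caveats before handing this to a customer. First, `deployment.system.config.mandatory=true` means that if the policy file is deleted or unreadable Java stops working entirely, which is the safe failure but will generate a support call. Second, the Exception Site List matches the location the applet or JNLP is loaded from, so if the corporation serves its jar from a different host than the login page, that host has to be added as well; test the full account flow once with the policy in place before rolling it out.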


----------



## Tabvla (Apr 10, 2006)

Thanks for the Link - brief read seems to include some really useful info. I will do some homework on this and Post again if I need more info.

T.


----------

