Java, Flash, and the Choice of Usability Over Security

So I happened to be switching to a new computer this past weekend. Going into it I was dead set on not installing Flash and Java. And I was all good until @alexhutton posted a link to a video about the Beatles “happy birthday” song and I just had to check it out. So I clicked on the link and headed over to YouTube. Unfortunately, the video didn’t work and it displayed a message indicating that I needed a plugin. I thought perhaps I had to enable JavaScript for YouTube via NoScript since I still hadn’t configured that yet. The page reloaded and the video still refused to play. I could have fiddled around on YouTube and somehow managed to navigate to the HTML 5 version but I was too lazy. Over to Adobe.com I headed and in no time I was enjoying my Beatles song (followed by an unplanned hour of pointless YouTube surfing).

The next snag in my plan arose when I was unable to access one of the corporate networks I regularly use. They have the typical web portal interface that you log into and with the simple press of a button the VPN starts. Unfortunately, the button didn’t work this time as the VPN client is written in Java. The web portal kindly offered to install Java for me but I declined as I’d rather install it myself so I know I have the most recent update. So over to Java.com I went, and a few minutes later I was ready to go again. To my dismay, after logging in I still received the same error message. This time I conceded and accepted their offer to install Java. The odd thing was that the installer seemed to go through the entire setup process … yet again. Anyway, after they installed the “correct” version the VPN finally worked.

As you can tell, my goal of not installing Flash and Java didn’t last more than a few hours. And yet as infosec professionals, following the “disable unnecessary services” philosophy, we often advise people to avoid installing these types of applications for security reasons. Of course, by taking the high road users lose the convenience of easily watching YouTube videos or logging into their corporate VPNs. I’d prefer to see websites not use Flash, and more and more this is happening (except for a few restaurant sites … hopefully, even they will abandon Flash soon). Java, on the other hand, is a bit more complex. With the recent rise of clientless VPNs and conferencing software (e.g., GoToMeeting and WebEx), client-side Java use actually seems to be on the rise. Still, I’d prefer to see these products and services offer native apps, even if just for performance reasons. I know creating separate applications for each OS is a pain, but it would be nice if these services at least provided native Windows and Mac versions and then offered a Java version as a backup. I think Apple has taken a pretty good approach with Java. The latest version of Mac OS X automatically disables Java if it hasn’t been used after a period of time. And when you need Java for that WebEx session, the OS will happily ask if you want to temporarily enable it.

#####

How long have you been able to live without Flash and Java on your primary computer? Let us know in the comments below. Today’s post pic is from JavaSimples.com.br. See ya!

4 comments for “Java, Flash, and the Choice of Usability Over Security”

  1. September 5, 2012 at 12:50 pm

    Java, Flash, and the Choice of Usability Over Security http://t.co/qESfE9fS

  2. September 5, 2012 at 3:08 pm

    Java, Flash, and the Choice of Usability Over Security http://t.co/0oH0MzeK security is hard. convenience is, well, convenient

  3. September 5, 2012 at 4:17 pm

    BLOGGED: Java, Flash, and the Choice of Usability Over Security http://t.co/fe2hNVZT //I couldn’t do it. 🙁

  4. September 25, 2012 at 12:03 pm

    Critical Java Flaw Affects 1 Billion Users http://t.co/l7JVV99A //Remove, rm, rm! Oh I forgot I was unable to do that. http://t.co/mLvpfZ4m
