Monday, January 21, 2013

Is Java Safe?

Story first appeared on USA Today

Q: Why is Java on our browsers if it is so vulnerable? What does it even do? If it is "disabled," what will I no longer be able to do on my computer?

A: Once again, Oracle's Java software is in the news as a hazard to your Mac or PC. Six days after the discovery of a severe vulnerability led Oracle to rush out a patch, security writer Brian Krebs reported on Wednesday a different "zero-day exploit" that could be used to attack this widely deployed program.

This is not what people, myself included, hoped when Sun Microsystems released the first versions of Java in the mid-1990s. Back then, the idea was to make the Web more than a way to display words and pictures; you could instead embed a small Java program in a page, and anybody with Sun's Java virtual-machine software installed could run that "applet."

But three funny things happened along the way to that future.

Java's promise of cross-platform compatibility — "write once, run anywhere," as Sun's pitch went — didn't pan out, leading Web developers to joke about "write once, debug everywhere" and to shy away from the software.

Those same developers figured out how to make complex, interactive Web pages without using Java or any other plug-in software. You can edit a spreadsheet in Google Docs, crop a photo in Yahoo's Flickr, and manage your e-mail in Microsoft's Outlook.com using nothing more than a modern browser.

Malware authors, meanwhile, realized that Java's extensive deployment — Oracle, which bought Sun in 2009, estimates that it is on more than 850 million personal computers — made it a tempting target. That has led to attacks such as last spring's Flashback, which took advantage of Java's cross-platform compatibility to hijack Macs as well as Windows PCs.

That's why I advised turning off Java last year. Fortunately, it's now easier to do that: In Oracle's current release of Java, its Windows control panel and Mac System Preferences pane have an "Enable Java content in the browser" option under a "Security" heading. Click to clear that checkbox, and you're done worrying about hostile Java applets.

If you don't see that, you may need to update your Java first; check your version at java.com. Unfortunately, Oracle has continued Sun's abusive practice of bundling third-party junk in the Java installer. You'll need to opt out of it adding an Ask.com browser toolbar and changing your search default to that site.

(On a Mac, you may only have Apple's older Java software, which should already be disabled in Safari but may require some manual configuration in Mozilla Firefox and Google's Chrome.)

Uninstalling Java outright through the Windows control panel will make you even safer, but some desktop programs — for example, the Minecraft game, TiVo Desktop and the open-source Microsoft Office alternative LibreOffice — may require it for some features. I can see keeping Java around for those cases, but I can't justify anybody at home keeping it active in the browser, and I certainly can't endorse any Web developers continuing to use it on their sites.

Years after competitors rolled out this feature, Yahoo quietly added an option to its Yahoo Mail service that will encrypt your use against snooping attempts — not just while you send your username and password, but even as you read and write e-mail.

This encryption — called both HTTPS, short for "hypertext transfer protocol secure," and SSL, for "Secure Sockets Layer" — became an option at Gmail in 2008 and the default there in 2010. Microsoft's various mail services added this choice in 2010 as well. Yahoo, however, contented itself with encrypting only your login; a hostile network, such as a rogue Wi-Fi hot spot, could have still read your e-mail.

Yahoo hasn't made much of a fuss about this change, aside from a Twitter reply by CEO Marissa Mayer: no press release, no posts on its corporate or mail blogs. Currently, there is only one help file with an explanation of how to enable it: Log into your Yahoo Mail account, click the gear icon at the top right, select "Mail Options" and click the checkbox next to "Turn on SSL."