Dumping Java might be the only solution if Oracle doesn't come up with something

Sep 29, 2011 07:36 GMT

Mozilla's Firefox developers are discussing the possibility of completely disabling Java content in their browser as a way of stopping the BEAST attack.

The proof-of-concept known as BEAST has caused waves of panic over the past few days, with every browser vendor scrambling for something that will stop the potential attacks. Firefox, as you might recall, was the last on the list, having had real problems implementing the newer versions of the TLS security protocol.

Now they are considering a radical solution: blocking Oracle's Java plug-in, which appears to sit at the root of the issue.

Mozilla's bug tracker, Bugzilla, reveals an interesting conversation between researchers who have discovered a “SOP bypass bug” in Java. They have alerted Oracle to the matter, but while waiting for a response the team could only note that “It may or may not be the same SOP bypass that Rizzo & Duong used in their demo.”

The first suggestion, from Brian Smith, was “I recommend that we blocklist all versions of the Java Plugin.”

After several more hours of deliberation no conclusion had been reached, but the team was still working on the problem.

“In the interest of keeping this bug updated with the latest status, this morning I asked Johnath for some help in understanding the balance between the horrible user experience this would cause and the severity/prevalence of the security issue and am waiting to hear back.

“We also discussed this in the Products team meeting today and definitely need better understanding of that before putting the block in place,” revealed Jonathan Scott.

Finally, Johnath, who is actually Johnathan Nightingale, Mozilla's Director of Firefox Engineering, wrote: “Yeah - this is a hard call. Killing Java means disabling user functionality like facebook video chat, as well as various java-based corporate apps (I feel like Citrix uses Java, for instance?)”

“We do have soft-blocking now, which disables but prompts with the option to re-enable, and also allows users to re-enable from the addons manager, but it still means it's dead for most people.”

We will have to wait for Oracle's response, as they may come up with an alternative solution to this issue.