Firefox Java update ready to stop BEAST attacks
The Hacker News
Firefox developers searching for a way to protect users against a new attack that decrypts sensitive web traffic are seriously considering an update that stops the open-source browser from working with Oracle's Java software framework.


Johnath, the alias for Firefox Director of Engineering Johnathan Nightingale, weighed in: "Yeah - this is a hard call. Killing Java means disabling user functionality like facebook video chat, as well as various java-based corporate apps (I feel like Citrix uses Java, for instance?)"

He went on to say that Firefox already has a mechanism for "soft-blocking" Java that allows users to re-enable the plugin from the browser's addons manager or in response to a dialogue box that appears in certain cases. "Click to play or domain-specific whitelisting will provide some measure of benefit, but I suspect that enough users will whitelist, e.g., facebook that even with those mechanisms (which don't currently exist!) in place, we'd have a lot of users potentially exposed to java weaknesses."


In order to protect users from an attack that decrypts sensitive web traffic, Firefox developers are looking at an update that stops the browser from working with Oracle's Java. The move would stop Firefox from working with a number of very popular websites. The team is only holding off because of how much such a ban would hurt user experience.The Browser Exploit Against SSL/TLS has earned its BEAST acronym. By injecting JavaScript into an SSL session, it can recover secret information that's transmitted to a predictable data-stream location. It took researchers Thai Duong and Juliano Rizzo were able to use BEAST to get an encrypted authentication cookie used to access a PayPal account in less than two minutes.

The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser.

The prospect of Firefox no longer working with Java could cause a variety of serious problems for users, particularly those in large corporations and government organizations that rely on the framework to make their browsers work with virtual private networks, intranet tools.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.