* Java Pros and Cons

The place to post news about genealogy products and services that might be of interest to other Family Historian users.
Post Reply
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Java Pros and Cons

Post by tatewise »

This thread picks up the discussion on Ancestris versus Family Historian (17033) regarding Java risks.

The Java Runtime Environment (JRE) is not the same as Java Script (JS).
JRE will not run in most current browsers as they they don't support the NPAPI protocol, and in the Java Control Panel the Enable Java content for browser and Web Start applications can be unticked, but Ancestris still runs.

A Google search suggests that JRE is not as risky as it used to be.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
User avatar
ColeValleyGirl
Megastar
Posts: 5464
Joined: 28 Dec 2005 22:02
Family Historian: V7
Location: Cirencester, Gloucestershire
Contact:

Re: Ancestris versus Family Historian

Post by ColeValleyGirl »

It's still Java, Mike, which I don't install either. And it's a very old version as well!
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Re: Ancestris versus Family Historian

Post by tatewise »

As far as I can tell Java Version 8 Update 221 Release date July 16, 2019 is the latest JRE, and is the one recommended for Ancestris and the one that I am using. It does not run in my browsers.
What version is later?
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
User avatar
mjashby
Megastar
Posts: 719
Joined: 23 Oct 2004 10:45
Family Historian: V7
Location: Yorkshire

Re: Ancestris versus Family Historian

Post by mjashby »

As I introduced 'Ancestris' into another discussion thread, albeit with a qualifying comment that anyone using it must not be averse to installing the Java JRE, I'm feeling rather guilty, although I admit to having similar reservations, because of past concerns about the impact on online security!

Java is, of course, much more secure than it used to be and, as Mike mentioned all modern browsers can be easily configured to 'block' unwanted Java actions. Java Version 8.0 LTS (1.8) might seem quite old, given the number of later versions released by Oracle, but was only released in 2014, will continue to receive updates until December 2020; and has planned Extended Support (security updates) through to 2025, which is somewhat better than current versions of both Windows 7 and Windows 10, MacOS and most if not all Linux OS versions.

Of course, I do hope that that those who insist they don't install/use Java also don't use Android Mobile Phones/Tablet devices, because the AndroidOS uses Java and the vast majority of Android Apps are primarily written in 'guess which computer language?'; as are many online server side applications (including Cloud backup services), Google Gmail and other Google services, Minecraft (for the Gamers), etc., etc.

But would I install Java on my PC/Laptop? I admit to still struggling with that one because I honestly haven't seen the need very often; and on the few occasions when I have had that need, I have managed with a Portable Version of Java (no installation required so no possibility of any unwanted interaction with installed browsers/other applications).

Mervyn
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Re: Ancestris versus Family Historian

Post by tatewise »

As I said before, all current popular browsers (Firefox, Chrome, Edge) CANNOT run Java even if enabled in the Java Control Panel because they do NOT support NPAPI that is essential to running Java.
I also only run Ancestris (with Java) in a User Account and not an Admin account.
Obviously it is up to each user to choose what level of risk they are prepared to accept.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
avatar
DonF
Diamond
Posts: 97
Joined: 07 Dec 2014 00:31
Family Historian: V7
Contact:

Re: Ancestris versus Family Historian

Post by DonF »

The latest Java release is Java 12 (Mar 2019) although Java 13, 14 are available in early access builds.
See https://en.wikipedia.org/wiki/Java_version_history
User avatar
ColeValleyGirl
Megastar
Posts: 5464
Joined: 28 Dec 2005 22:02
Family Historian: V7
Location: Cirencester, Gloucestershire
Contact:

Re: Ancestris versus Family Historian

Post by ColeValleyGirl »

I do hope that that those who insist they don't install/use Java also don't use Android Mobile Phones/Tablet devices, because the AndroidOS uses Java
I can't avoid it on my phone, so have to accept and manage the risk by being careful what I install and where I browse to from my phone.

I don't have to accept the risk on my PC so I don't.
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Re: Java Pros and Cons

Post by tatewise »

@DonF - Forgive my ignorance, but what is the difference between JRE and JDK? Are they compatible?
Version 8 is the latest JRE and all the later Java versions are only JDK.
I know JRE = Java Runtime Environment and JDK = Java Development Kit but is that significant?

If Java cannot run in any Web Browser or Web Start application, and care is taken not to install any 'baggage' that may be in the download (and that goes for any download), what exactly are the risks?
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
User avatar
mjashby
Megastar
Posts: 719
Joined: 23 Oct 2004 10:45
Family Historian: V7
Location: Yorkshire

Re: Java Pros and Cons

Post by mjashby »

Mike

Installing a Java JRE is similar to having to install a specific version of the VC++ Runtime for any software that needs it, i.e. The JRE is required simply to run Java Apps, but serves no other purpose except enabling software to function. Unfortunately, history tells us that security holes in the 'early' JRE software releases, along with the even worse problems with 'Flash' software, were both heavily exploited and therefore responsible for many internet browser security problems. Mostly these involved remotely launching invasive actions via the user's installed internet browser when the presence of Flash or Java extensions were detected.

The JDK provides a full Java software development and testing environment but also includes a JRE installation for running apps, i.e. it's really only needed by Java software developers or people wanting to learn how to program in Java, but does also enable Java apps to run.

Mervyn
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Re: Java Pros and Cons

Post by tatewise »

Mervyn, if Java can't run in a browser (as I've stated) there is no extension running, so there is no risk?
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
avatar
DonF
Diamond
Posts: 97
Joined: 07 Dec 2014 00:31
Family Historian: V7
Contact:

Re: Java Pros and Cons

Post by DonF »

Mervyn's JRE/JDK explanation is correct.
If you try to download the 'latest' Java run-time, Oracle will offer 1.8 u221 (as of now), but if you ask for the full JDK, you can choose one of the later versions (which include the same-level JRE).
And I'd agree with the other comments that the security concerns are totally over-blown. Do you also stop Microsoft installing their .NET component because there have been security bugs discovered in it?

Don
User avatar
ColeValleyGirl
Megastar
Posts: 5464
Joined: 28 Dec 2005 22:02
Family Historian: V7
Location: Cirencester, Gloucestershire
Contact:

Re: Java Pros and Cons

Post by ColeValleyGirl »

Don,

Microsoft upgrades are usually painless and happen in the background. Java updates happen very frequently (often because of security patches), and require active intervention every time - which is (a) a faff and (b) make Java very infrequently updated by many people, which means security problems are magnified. I'm savvy enough to do the upgrades -- except of course I don't need to run it, so it isn't installed -- but others are not.

Java is a favourite target for malicious exploits because it's so widely installed... and the damage can be done by opening an email with a dodgy attachment, or browsing to a dodgy website that installs something silently (the website doesn't have to invoke Java).

Advice from (chosen at random) the Australian Government on mitigating the risks.
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Re: Java Pros and Cons

Post by tatewise »

FYI: Microsoft .NET is required for Ancestral Sources. Although it updates automatically, it has had a chequered history of unreliable/faulty updates, so not always painless, and it was advisable to hold off its updates for a while.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
User avatar
ColeValleyGirl
Megastar
Posts: 5464
Joined: 28 Dec 2005 22:02
Family Historian: V7
Location: Cirencester, Gloucestershire
Contact:

Re: Java Pros and Cons

Post by ColeValleyGirl »

I'm not saying Microsoft .NET or other commonly installed stuff is perfectly safe -- I'm saying that the ubiquity of Java (how many people who don't need it have bothered to uninstall it?) together with the upgrade process being a pain in the neck (so that people don't upgrade, especially those who don't use it but still have it) means that it became a target of choice for malicious developers on the PC at least.

As an aside, in the past (don't know if this is true now) Java only checked for upgrades once a week or once a month and left old versions installed alongside the new one, so upgrading did not improve security.
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Re: Java Pros and Cons

Post by tatewise »

According to the Java Control Panel where its Update tab has Check for Updates Automatically ticked by default, it says: "Every Wednesday at 09:00, Java Update will check for updates. If an update is recommended, an icon will appear in the system taskbar notification area." There is also an Update Now button.

I too uninstalled Java long ago for security reasons, but before then it was already strongly recommending that old Java versions it detected be uninstalled, which it would do automatically.

I have only installed Java again recently (disabled in browsers to minimise risk) purely to experiment with Ancestris.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
User avatar
mjashby
Megastar
Posts: 719
Joined: 23 Oct 2004 10:45
Family Historian: V7
Location: Yorkshire

Re: Java Pros and Cons

Post by mjashby »

Mike,

Java can, and does, still run in many Internet Browsers, the main one being Internet Explorer, which is still installed on every Windows PC, and remains widely used, especially in the business and academic environments, however, Java security has been improved dramatically from both the developer and Browser side. See Oracle's current advice statement on browser security: https://www.java.com/en/download/help/b ... plugin.xml The potential risk with Internet Explorer would probably be in not occasionally launching an unused installation so that it can receive any necessary plug-in updates, although the self-update check performed by the Java installation itself should mitigate that risk as long as the user does accept the offered updates.

It seems that Java Web Start apps continue to work via any browser (even without a Java extension/plug-in) and these can download/install local apps/automatic updates via Websites visited, as well as run 'in browser' apps if a Java JRE is installed locally - https://www.java.com/en/download/faq/java_webstart.xml The likely risk there is probably similar to that of the unwary user clicking on links in spam e-mail or accepts a pop-up 'offer' to download/install/run a Web App from an untrusted source, or can't resist the temptation of clicking on random web links to unknown sites.

I take Helen's point that many computer users can be 'lazy' when it comes to internet security and software updates, but running older browser versions and/or failing to properly check browser extension settings is probably the main 'risk' and that is not limited to installing Java; and ranks alongside the potential issues of continuing to run an internet connected PC with a Windows XP or Vista (and soon Windows 7) operating system that no longer receives security updates and/or can't run updated software versions.

With my earlier aside about Android devices, what I haven't been able to ascertain is reliable opinion on the level of risk associated with running a 'remote Java device' that has free (wired or wireless) access to a PC/laptop. It's probably no better/worse than the risk of linking that PC/Laptop to a public Wi-Fi network with unknown security levels; and, as long as the Android device's operating system and software is up to date and only software from trusted sources (App Stores) is installed, it is probably equivalent to that of an up to date PC Java installation; i.e. the main risks to the user security still comes from unsafe e-mail handling, poor browsing behaviour, or downloading files/software from unknown sources. The curse of the random clicker!

Mervyn
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Re: Java Pros and Cons

Post by tatewise »

I say again that in the Java Control Panel the Enable Java content for browser and Web Start applications is unticked, and Ancestris still runs OK, so even IE and Web Start apps are inhibited from running Java in this scenario.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
User avatar
ColeValleyGirl
Megastar
Posts: 5464
Joined: 28 Dec 2005 22:02
Family Historian: V7
Location: Cirencester, Gloucestershire
Contact:

Re: Java Pros and Cons

Post by ColeValleyGirl »

Which is fine Mike, until a virus that exploits Java locally lands on your machine...
User avatar
tatewise
Megastar
Posts: 28333
Joined: 25 May 2010 11:00
Family Historian: V7
Location: Torbay, Devon, UK
Contact:

Re: Java Pros and Cons

Post by tatewise »

Yes, I understand that. I'm just countering all the comments about Web Browser and Web Start exploits.
In many scenarios those would be enabled, but NOT in the case of Ancestris.
We are in danger of going round in circles.
It seems that in this Ancestris scenario, the risks are primarily via virus exploits perhaps via Email, which is much the same as most other Windows related risks, and minimised by a good anti-virus tool.
Mike Tate ~ researching the Tate and Scott family history ~ tatewise ancestry
avatar
DonF
Diamond
Posts: 97
Joined: 07 Dec 2014 00:31
Family Historian: V7
Contact:

Re: Java Pros and Cons

Post by DonF »

It seems that in this Ancestris scenario, the risks are primarily via virus exploits perhaps via Email, which is much the same as most other Windows related risks, and minimised by a good anti-virus tool.
Absolutely agree Mike.
And that's pretty much the same conclusion in the Aussie Govt document Helen linked to - replace the word 'Java' in that document with, well, just about anything, and the list of mitigation strategies still hold true.

And just for the record, the Java updater DOES delete all old Java versions (OK, yes, it didn't use to, but it does now). It defaults to checking for new versions weekly, but you can change that to be daily, weekly, monthly (you pick the time of day) or 'do it now'. It can be set to notify you before downloading, or before installing. I don't see it as being any more or less intrusive than MS updates, with the added benefit that it seems to work correctly every time.

Not that I'm a Java fan (it's the most horrible language I've ever coded in) but, as I said before, I think the security concerns are over-blown.

Don
User avatar
ColeValleyGirl
Megastar
Posts: 5464
Joined: 28 Dec 2005 22:02
Family Historian: V7
Location: Cirencester, Gloucestershire
Contact:

Re: Java Pros and Cons

Post by ColeValleyGirl »

the risks are primarily via virus exploits perhaps via Email, which is much the same as most other Windows related risks, and minimised by a good anti-virus tool.
AND regular updates to the latest version.
Post Reply