Important info about the latest Java update and my CPC games website

[Devilmarkus]

The latest Java update is special.
By default it blocks now any applet, until you change some settings in your system control panel.



To enable applets like JavaCPC Applet, please change these settings:

Open the Java Control panel.

Jump to "Security" settings.

Change the slider from "High" to "Medium".



Now click "Edit Site List".



Here click "Add" and enter "http://cpc.devilmarkus.de"; (Without the quotes)
Then just click "Ok" in all dialogues.

That's it!

Enjoy my CPC games

[Gryzor]

F*****ck and I was wondering why the hell I couldn't use the applets on some sites! Thanks!!!

[redbox]

Is this the solution to Java being the massive security black hole it's become recently?

I'd rather they just made it safe

[Devilmarkus]

But why just Java?
Javascript, Flash, Silverlight, all these components have security risks...

[mr_lou]

Is this the solution to Java being the massive security black hole it's become recently?

I'd rather they just made it safe

Um.... that's what they did.
Safe = annoying to use. It's always been like that for any platform.

It is Java 7 update 51 that includes this security. But it is "only" unsigned and self-signed stuff that gets blocked.
If you sign your stuff with a certificate from e.g. Thawte or Verisign, then it'll run.

The problem of course is that these certificates cost about $299.... a year!
Obviously no sparetime hobby developer will pay this. (JavaME developers has always had this problem).

And so, Java has now become the last choice for many sparetime developers aiming for the web.
Sad.

As I've said before, Javascript will rule the world.
It's a matter of time. Sit back and watch.

[mr_lou]

But why just Java?
Javascript, Flash, Silverlight, all these components have security risks...

Silverlight was stillborn.
Flash is dead.
Javascript remains.

Take a look at Android. Google chose to not make life miserable for developers. No need to sign your app with an expensive certificate. Instead, the user must actively accept that the app accesses a bunch of things at install time.
Very nice for everyone - except no one reads or understands what it is each app wants access to. So just like any EULA, users just accepts whatever.
Next thing you know, articles pops up about virus on Android, and Android being unsafe, blah blah blah blah.

Personally I find the security model with JavaME better. Here, the user accepts nothing at install time. Instead, everytime the (unsigned) app wants to access a certain something, then the user must accept. Makes it much more easy to understand.

But the whole "must buy expensive certificate to be able to do whatever you want" just doesn't make any sense to me.
Scammers makes plenty of money on their criminal actions. They have plenty of money to buy such an expensive certificate. Providing a fake identity for the certificate is no problem for those people.

So the safest model, as I see it, is the unsigned JavaME stuff. Annoying, but safe.

The security model introduced in Java 7 update 51 is crap. It'll partly kill Java, and partly just have everyone else add a bunch of URLs to the exception.sites list - resulting in Java still being "unsafe" - and that'll kill Java even more.

Android is alive and well, because it's easy accessible.


How should the whole security model be in your opinion? Do you have the solution?     (asking anyone here)

[Carnivius]

Thanks Devilmarkus.  I was wondering what the hell was going on and why I couldn't play the games anymore.   A ridiculous situation from the Java peoples that makes it difficult for non-techy people like me to access harmless site features such as your online CPC emulation.

[MaV]

Silverlight was stillborn.
Flash is dead.
Javascript remains.

Microsoft and Adobe both offer proprietary software, one was first (Flash), the other one is late and has no chance. Adobe learns the hard way (as all companies do) that security is costly. In the end it will lose because it will not commit itself to fixing all the bugs (or rewrite the software ... or indeed open it to the community).

JavaScript is used in many browsers and updated continuously. All of the browser developers have interest in keeping it safe. (here's the winner).

But the whole "must buy expensive certificate to be able to do whatever you want" just doesn't make any sense to me.
Scammers makes plenty of money on their criminal actions. They have plenty of money to buy such an expensive certificate. Providing a fake identity for the certificate is no problem for those people.

Google are the most userfriendly with Android. Problem: The list of libraries to which you have to grant access is very general, and you ultimately have to trust the app not to spy on your personal data. Since you expressly have to allow it, Google is no longer responsible.

The JavaME model has its flaw exactly in that you have to accept access. The typical user will soon be annoyed by granting access to things he doesn't completely understand and just clicks to accept, and a few will always deny access and then blame the program for not working properly.

Ultimately having a trusted third party still is the best solution. The question is whom you can trust?

As to the certificates: Think like a corporation here, and it will start to make sense. 300$ is peanuts for a company to guarantee access, and the responsibility then lies with the certificate authority. The company that uses Java can excuse themselves and point fingers at Oracle, saying they fucked up.
The certificate authority OTOH trusts only companies or persons that can be made liable for damages done due to problems with their software. So in the end, the app developer or software company *will* be held liable (and has to pay for it).

So the safest model, as I see it, is the unsigned JavaME stuff. Annoying, but safe.

But you still don't know what the app does with whatever it has gained access to.

The security model introduced in Java 7 update 51 is crap. It'll partly kill Java, and partly just have everyone else add a bunch of URLs to the exception.sites list - resulting in Java still being "unsafe" - and that'll kill Java even more.

Java won't go away, just because Oracle decided to piss off a few hobby developers who have problems now with applet certificates. It is much too wide spread in the corporate world and there's no competitor language for business application anywhere close in acceptance that will succeed it. And once anything is established in the corporate world, it is there to last. I know companies that still use COBOL and PL/1 and systems programmed in OS/360 assembly in the 70s (i.e. banks, assurance companies, government et al.).

From that point of view, Oracle did the best they could do, because they are abominable in fixing bugs in Java. The time it takes them to fix some of their serious bugs is counted in months.


BTW, it's no secret to some here, but for the protocol: I hate Java.

[Carnivius]

JavaScript is used in many browsers and updated continuously. All of the browser developers have interest in keeping it safe. (here's the winner).

Though many people purposely disable it in their browsers for various reasons. I'm not one of them so don't ask me why.

[MaV]

True. Because it still can pose problems, and you can switch it off as a conscious decision. Then again, I was talking about the corporate world where the standard is to allow it (otherwise a lot of web applications would not run.)

[cpc4eva]

i did all those recommended changes to the security settings and the java cpc loads fine but still cannot use joystick when i tick the map joystick box

[Devilmarkus]

The "Map joystick" box just changes the joystick input to Q,A,O,P and SPACE.

You cannot use a real joystick in the web-applet.

Sorry.

[Executioner]

As to the certificates: Think like a corporation here, and it will start to make sense. 300$ is peanuts for a company to guarantee access, and the responsibility then lies with the certificate authority. The company that uses Java can excuse themselves and point fingers at Oracle, saying they fucked up.
The certificate authority OTOH trusts only companies or persons that can be made liable for damages done due to problems with their software. So in the end, the app developer or software company *will* be held liable (and has to pay for it).

I've had to pay for a Java code signing certificate for my business, and believe me, it's not the money that's the issue, it's the way the certificate authority in question validates that a company or person is real in Australia (apparently having a phone number listed with the Yellow Pages means you're for real, yet an ASIC ACN means fuck all)... But then, I did use some backyarders called Comodo who are based in Manchester and barely understand English, but a hell of a lot cheaper than Verisign.

But you still don't know what the app does with whatever it has gained access to.

I'm not sure most people care, they're more interested in whether they trust the company who wrote it.

Java won't go away, just because Oracle decided to piss off a few hobby developers who have problems now with applet certificates. It is much too wide spread in the corporate world and there's no competitor language for business application anywhere close in acceptance that will succeed it. And once anything is established in the corporate world, it is there to last. I know companies that still use COBOL and PL/1 and systems programmed in OS/360 assembly in the 70s (i.e. banks, assurance companies, government et al.).

It's most likely the anal retentive corporate world, especially the banks that insisted they put it there so their employees can't download malicious Java applets and webstart apps.

BTW, it's no secret to some here, but for the protocol: I hate Java.

I love Z80 assembly language but I also really like Java, except for some of the C-style bits.

[mr_lou]

Java won't go away, just because Oracle decided to piss off a few hobby developers who have problems now with applet certificates.

I didn't say it would go away. I said it would partly kill Java.
In time though, it will result it Java being gone.
Because, this security model will make Java less popular. Fewer developers will go with Java when choosing their platform. Simple logic.
When fewer developers choose Java, it will be a question of time before it gets replaced.
The platform is officially dead when only very few still use it. J2ME has been considered dead for years now - despite that a whole 45% of active phones (stats from the WhatsApp sale) are running it.

I've had to pay for a Java code signing certificate for my business, and believe me, it's not the money that's the issue, it's the way the certificate authority in question validates that a company or person is real in Australia (apparently having a phone number listed with the Yellow Pages means you're for real, yet an ASIC ACN means fuck all)... But then, I did use some backyarders called Comodo who are based in Manchester and barely understand English, but a hell of a lot cheaper than Verisign.

The money is an issue for newbie indie developers.
I don't know what kind of "security check" Thawte or Verisign does - but I'm sure someone who makes a living from scamming people can fool them.
The JavaME developers has no choice. They have to go with either Verisign or Thawte if they want their stuff to run everywhere.

Nokia woke up too late sadly. Finally they decided to offer signing of apps for developers. Brilliant, but partly way way too late, and partly not that helpful anyway because they had too many requirements themselves.

Oracle should offer somewhat the same thing. Make a "Java Applet Store", and offer to sign applets for developers. That won't happen of course.


As I've said before: Javascript will rule the world. Client-side, server-side. Even compiling into native executables. Just wait.

[Sykobee (Briggsy)]

I don't think I would be wrong in stating that 95% of Java development, possibly 99%, is never seen by a consumer, it's all back end stuff.


And that's why Java will never die.  It may never be a hip language/platform ever again, it may die for applets and end-user games, but it's been mostly dead there for a long time (Minecraft aside) anyway.


It's annoying when you know Java well, and want to do something in a browser or standalone executable, and you now need a code-signing certificate.  But Javascript in the browser now has good performance.  You may be best off refactoring the Java codebase to something that can make use of a Java to asm.js compiler (once these mature).

[mr_lou]

I don't think I would be wrong in stating that 95% of Java development, possibly 99%, is never seen by a consumer, it's all back end stuff.

Well, consumers see a lot of BD-J (Blu-Ray Java) every time they watch a Blu-Ray movie.
I'm looking forward to experimenting with that myself. Check out this demo:

Hey Marcus, how about porting your CPC emulator to Blu-Ray? 

[Executioner]

As I've said before: Javascript will rule the world. Client-side, server-side. Even compiling into native executables. Just wait.

It's unlikely that a lot of bigger corporations would allow their developers to replace a strongly typed, very structured language with Javascript. Personally, I like Javascript but wouldn't dream of writing an entire application using it.

[Phi2x]

.

[Executioner]

And if what you want is strong typing, there's also some clever stuff from Microsoft here: Welcome to TypeScript

Seriously? Clever and Microsoft in the same sentence?

[Phi2x]

.

[andycadley]

Oracle should offer somewhat the same thing. Make a "Java Applet Store", and offer to sign applets for developers. That won't happen of course.

Unlikely. All the browser makers have roadmaps that include the end of support for binary plugins, which will mean the end of applet support. Oracle themselves would rather Java became a server side only technology too. Flash is the only plugin that really has much traction left and that's why the likes of Google and Microsoft have just baked it in to their latest browsers, so it no longer has to count as a plugin.

[mr_lou]

All the browser makers have roadmaps that include the end of support for binary plugins, which will mean the end of applet support.

Wouldn't surprise me.
But I hope it'll stay the same way Flash has.

Oracle themselves would rather Java became a server side only technology too.

I doubt they'll drop their Java Embedded devices.

[Puresox]

I cannot get this alteration to work ? I have Win8 , I get to the Java security, move the slider to medium, then when I select edit site list .Where it asks to add sites, the box comes up to type in any site it has a Red Exclamation  mark to the left of it , I am unable to paste in a site , I can type in a site but as soon as I press enter it  does nothing? Any advice on what else I may need to do?

[Puresox]

Don't worry , it seems it is not necessary to go through the Add process .

[Executioner]

When security is set to medium you don't need exclusions. These are only used on the higher settings.