Closed Bug 850269 Opened 13 years ago Closed 13 years ago

blocked vulnerable plugin warning text is confusing

Categories

(Core Graveyard :: Plug-ins, defect)

19 Branch
x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: bryan, Unassigned)


User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.160 Safari/537.22
Steps to reproduce: Loaded a java applet
Actual results: Firefox displayed the text "This plugin has security vulnerabilities. Click here to active the Java(TM) plugin."
Expected results: Users of our site are confused thinking that our actual java applet is the vulnerable code. We are getting emails asking us to fix Java (we are not Oracle). It would be great if the text of the warning made it more explicit that it's their installed version of Java that's vulnerable along with links or methods of upgrading their version of Java.
Status: UNCONFIRMED → NEW
Component: Untriaged → Plug-ins
Ever confirmed: true
Product: Firefox → Core
We understand that most users have problems distinguishing between an insecure plugin and a site which uses it, but at this point we don't think we can make the wording more precise without losing effect. It is clear to Mozilla that Java is fundamentally insecure, and at this point in time even the most recent release of Java has active security holes which are being exploited in the wild. Therefore we expect to show these security warnings permanently for Java content, and we expect responsible website authors to stop using Java completely as soon as possible.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
In fact, it may be a wise idea to change the text. I propose to change the sentence "This plugin has security vulnerabilities." to "The plugin for this page has security vulnerabilities." A non-technical user reading the first sentence may legitimately think "this plugin" is the thing that the Web author has developed and placed on his page. And the Web author would not appreciate that. Even for a technical user, "this plugin" is not clear. What plugin? The user has requested a page, the user has not requested any plugin.
"and we expect responsible website authors to stop using Java completely as soon as possible." Java provides capabilities that aren't present in any browser, one example being multiple file download without using a zip file or multiple save prompts. We could use Flash, but that's another issue in itself. The help desk emails asking us to fix Java have gotten numerous to the point we now display a notice to Firefox users telling them their browser is unsupported. Please reconsider this ticket.
Bryan, Bugzilla is not really an appropriate place to argue security policy. You are welcome to post to the mozilla.dev.security forum/mailing list: https://lists.mozilla.org/listinfo/dev-security You're also welcome to propose that we implement multiple file download in raw HTML, if that's an important capability... we're always looking for ways to keep the web competitive. But that doesn't really change the terrible security situation of Java.
Product: Core → Core Graveyard