Alternative JAVA solutions with mobile apps

05-04-2016

As we mentioned last year, well-known plugins such as JAVA will soon stop working in browsers. JAVA, embedded Flash, Silverlight and other plugin-based technologies have been victims of some of the largest security threats on the internet in the last few years. (1) An example of an area in which JAVA plugins are often used is identification and digital signatures via a smart card or USB token that operates with the middleware SafeSign IC. Within Public Key Infrastructure (PKI), we usually talk about three applications that use plugins: authentication, non-repudiation and confidentiality.

But why did we use JAVA plugins?

JAVA allowed richer functionality through a browser at a time when browser capabilities were limited. Plugins provided centralized distribution of applications without requiring users to install or update applications locally. (2) As (cyber) attacks have become more sophisticated by taking advantage of the very capabilities that made these applications useful, it has become increasingly difficult to keep evolving these older technologies. In fact, there’s no longer any need for this technology, and the large browser companies such as Google, Mozilla, Microsoft and Oracle have stopped supporting them. The burden of keeping plugins secure has become uneconomical while the vulnerabilities keep increasing. (1)


Growth of mobile use

The rise of internet usage on mobile devices (typically without support for plugins) has caused the use of apps to grow steadily. The app store model emerged for reasons related to simplicity, security, and centralized availability. Given these evolutions in mobile, delivery, and capabilities, the set of browsers that continue to support standards-based plugins has shrunk over time. (2)

When will support for JAVA plugins stop?

Google Chrome stopped supporting the plugin standard on which the Java plugin depends last year, and Mozilla has announced it will do the same by the end of 2016. Microsoft Internet Explorer still supports the standard, but the newer Microsoft Edge browser does not. Oracle has finally admitted that the plugins are outdated and decided to discontinue them. (3)

Large organizations often have many applications deployed across their environment and may not know which ones are using browser plugins. This is especially true in business environments, where custom-built (web-based Java) applications are common and cannot be easily replaced or rewritten. Business applications sometimes require JAVA plugins to identify and authenticate users or to place digital signatures. Organizations that haven’t switched away from browser plugins have to realize that their systems (even in an enclosed, internet-free environment) are still vulnerable to an attack or data breach. It’s a threat that can endanger people’s private data and companies’ finances and assets. Those organizations will have until 2017 to migrate their systems to other platforms and frameworks.

Alternative solution for JAVA plugins

It is time to look around for alternative solutions that can be implemented by means of other technologies. For example, Java Web Start technology can serve as an alternative to the Java browser plugin and provides a great deployment solution for Java technology-based applications. It works with any web browser. (5) From a security perspective though, Java Web Start can be used as an attack vector for exploiting vulnerabilities in the Java runtime, just like Applets. (6) JavaScript could also be implemented as an alternative technology. Business application programmers should keep in mind that they need to develop with an alternative technology to keep using the SafeSign middleware. Only then can users continue to identify and authenticate themselves via multiple browsers and sign documents or transactions digitally.

Our advice

It is possible to use other technologies to replace JAVA plugins and continue to use SafeSign IC. However, this is often a large investment and does not bring many apparent advantages, such as a decrease in the number of helpdesk calls from end-users.

Although the use of middleware in combination with smart cards or USB tokens will remain necessary within the near future, we advise organizations to implement a new form of identification and authentication of users. AET Europe developed ConsentID Identity Provider, where the end-user authenticates himself through an app on his mobile device. With this app it is also possible to digitally sign documents or transactions. The ConsentID app can also support smart cards and can be easily installed from e.g. the Apple App Store or Google Play store.

ConsentID


For end-users it is convenient and easy to use. By integrating the ConsentID solution in the back-end of your business applications, a higher security level will be reached to defend against (cyber) attacks or data breaches. It is our sincere belief that informed organizations can make better choices, which lead to a more secure world for everybody. Relying on us, you secure your world in a user-friendly and innovative way. If you want to know how we can help you and your organization, contact us today. We can help you with IT security solutions for identification, authentication and digital signatures.


Sources
  1. http://www.snowbound.com/blog/3262/why-browser-plug-ins-are-being-phased-out-part-2
  2. https://blogs.oracle.com/java-platform-group/entry/npapi_plugin_perspectives_and_the
  3. http://www.wired.com/2016/01/goodbye-applets-another-cruddy-piece-of-web-tech-is-finally-going-away/
  4. http://www.oracle.com/technetwork/java/javase/migratingfromapplets-2872444.pdf
  5. http://news.thewindowsclub.com/oracle-to-discontinue-java-browser-plugin-81828/
  6. http://www.pcworld.com/article/3027473/security/oracle-is-planning-to-kill-an-attackers-favorite-the-java-browser-plug-in.html