As we mentioned last year, well-known plugins such as JAVA will soon stop working in browsers. JAVA, ActiveX, embedded Flash, Silverlight and other plugin based technologies have been victims of some of the largest security threats on the internet in the last few years._⁽¹⁾ Some reports are even stating that JAVA is the biggest vulnerability for US computers. In our previous blog posting we have discussed Alternative JAVA solutions with mobile apps and explained why we used JAVA plugins in the beginning. This time we will discuss the fact that JAVA plugins will stop working and developers of web browsers will stop supporting them.

Legacy systems using JAVA and ActiveX

The loss of the JAVA and ActiveX technology is going to be a big problem as a lot of software has been written with that technology. Governmental organisations, financial institutes or large enterprises found the ability to use Java on their backend servers. Large organizations often have many applications deployed across their environment and may not know which ones are using browser plugins for security and identity purposes. Business applications sometimes require JAVA plugins or ActiveX components to execute the identification and authentication of users or to place digital signatures.

Security risks

There are also lots of sophisticated security based programs that rely on Java Applets and these are just going to become unusable. The argument is that JAVA plugins have to connect deeply to the browser’s architecture and this makes it too difficult to keep everything up-to-date and secure.

When will support of JAVA plugins will stop?

This discontinuation of the JAVA plug-in is caused by the major browser developers, namely Microsoft, Google and Mozilla, which have announced plans to remove or restrict support for plug-ins in their respective products, or have done so already. Only Internet Explorer 11, itself a legacy browser that’s receiving only security fixes, is set to offer any continued plugin support. Here is the complete overview:

*overview as of October 2016

Transition necessary for security

Although application vendors are working hard to move to alternate technologies, a small number of organisations still rely on plugins that haven’t completed the transition yet. Oracle’s message to Security Officers whose applications currently rely on the Java browser plug-in is that they need to consider alternatives, such as using alternative security solutions with mobile apps. If you’re a Security Officer, you should be aware of how this change will affect your users experiences if parts of your security (process) rely on legacy plug-ins. _⁽²⁾

Our advice: new ways of identification and authentication

It is possible to use other alternative technologies to replace the use of JAVA plugins to continue to use SafeSign IC. However, this is often a large investment and does not have many apparent advantages, such as decreasing the number of helpdesk calls of the end-user. Although the use of middleware in combination with smart cards or USB tokens will remain necessary within the near future. We advise organizations to implement a new form of identification and authentication of users. AET Europe developed ConsentID Identity Provider, where the end-user will authenticate himself through an App on his mobile device. With this App it is also possible to digital sign documents or transactions.

Furthermore, integration of this solution will no longer take place at the front-end (web browser), but at the back-end of the business web application through an interface for authentication and digitally signing documents. This is much easier to maintain than when JAVA scripts are used.

Sources
_{1 Snowbound, 2 Webkit}