Java is problematic these days. In fact, my recommendation is that you disable, or even remove, Java from your computer. PC World reports that a new exploit is selling on the black market for $5000. And while Oracle says that Java is fixed, Homeland Security says it's still risky.
Personally, I don't think the benefits outweigh the possible risks. Only one of my websites uses Java, and we are working on a replacement for it right now. And I don't visit many (any, I think) sites that use Java in a primary fashion. So I have removed Java from my computers. I think it's the safest thing for me to do.
Do the websites you build use Java? What do you think about the security risks, do they worry you? Have you changed your websites because of them? Please leave your feedback in the comments.


Lucky you, my Internet banking system (or any other online ID service in Denmark) uses Java for the login function. In their case I am making sure that at least it warns me every time about the signed applet.
However, I wonder whether or not Java is okay to use in the case of pure server-side (like JSP/JSF). What do you think?
@Alexander I don’t know whether that would be better or not. If the JSP uses the most up-to-date version of Java it’s probably okay (according to Oracle it’s been patched).
For general websites it's fine. All languages and systems have some security risks.
Java is the language currently being attacked by the media and others, creating the current fear.
At the end of the day, Java will be patched as exploits are found.
The important thing with any system is to ensure all aspects are up to date and patched appropriately.
From the look of the results I think a lot of people are getting Java mixed up with JavaScript. Either that or every single person in the world who has ever used Java in web pages has responded to this quiz.
The percentage of web pages that use Java is so close to zero that most people would never notice if they didn’t have it installed.
Java on the server is a totally different situation – there it isn’t providing any security risk for those simply visiting a web page.
Java isn’t the only web technology suffering security issues. Why have a policy about one in particular?
@Ismet: At my company we have policies about the use of many specific web technologies. In fact, the policies are different for many of them. For example we’re allowed to use JavaScript on non-secure, non-https pages but not on https pages. But we aren’t allowed to use ASP at all. JSP is acceptable, but Java applets are not.
This question is not specific enough. Are we talking about using Java as a software developer would? Or simply allowing it to remain enabled in one’s browser? By now, for the latter group, hopefully most people who use the Internet have disabled Java in their web browsers.
NOTE: do not confuse Java with JavaScript. JavaScript was originally called “LiveScript” and was invented by the makers of Netscape. They later greatly muddied the waters by changing its name to JavaScript. The two languages have absolutely nothing to do with each other. JavaScript only runs in your browser and is necessary to properly render many web pages. If you disable it you will not be very happy while surfing the Internet. Java, OTOH, is not needed for most Internet usage.
Oracle Corp., which now owns the rights to Java, has been negligent with their security patches. They have become, like the language itself, big and bloated. They are making the same mistake that CompuServe made, which laughed at AOL in the early 1990s, which was then purchased by AOL. ^_^ AOL later on had its own era of hubris and now they are a former shell of what they once were. Oracle will soon follow suit as more and more robust database systems come into use.
As a developer I don’t use Java for the reasons stated above. Other programming languages now exist (as both scripting and desktop languages) that are easier to work with and more secure. Plus most of them are free to download, so you skip the high development cost of using Java.
And as far as being “cross-platform” (the original lure of Java) your web browser could care less what scripts are rendering all those web pages you are viewing. PHP, C#, Ruby on Rails, Python — they all do an adequate job of this. Again, web browsers have become agnostic. They simply don’t care what languages are being used on the servers out there to send you all those pages.