0

I've just encountered a Java applet on a random website and I'd like to start it.

Given Chrome's relentless incompatibility with plugins since time immemorial, I went and asked on irc.mozilla.org what the best older Firefox version to use might be, as I know that the very latest versions have removed NPAPI plugin support just like Chrome did in 2015.

I was promptly told in IRC to go try Java Web Start instead - which I later discovered backs up Oracle's own recommendations. (TIL that applets are now deprecated as of Java 9.)

Here's the thing though. Java Web Start has required applets to be signed since Java 7u21; the "prompt to run unsigned applets anyway" option that used to be buried in the settings is long gone.

So using Java Web Start means installing an older copy of Java. Ouch.

But... if I have to downgrade, I might as well install an older Web browser (alongside my existing browser) as well, and benefit from seamless applet launch! (I recognize the risks of using the older Web browser for anything else, of course.)

So: what would be the recommend Web browser / Java version combination to pursue to run random applets?

Should I go with Firefox 51? Should I use one of the Firefox forks? Should I fish Chromium 44 out of Launchpad? (I'm not on Ubuntu, but have never had shared-object issues with launchpad packages.) Should I maybe even go use Opera 12? (Do I have to use a VM? I don't have any set up, and don't really have the RAM for it either at this point.)

Again, I recognize the security risks in using an older browser. My argument is that if downgrading is my only option, it's not that much worse to get an older browser running alongside my main one as well, and then I don't have to fiddle with .jnlp files, I can just go straight to the URL of the page with the applet in it. Of course this also handles the problem of Java/JavaScript interop if that ever comes up as well.

I'm asking this question on serverfault rather than superuser because I'd like this question to be associated with answers that would work well in business environments that need to pay some attention to security best practice.

In my case I just want the applets on old webpages I come across to work with little effort. (The applet that prompted me to ask this question is not on an intranet as part of a legacy system.)

I can live with fussing around with JWS, but starting an old browser for the task is much nicer.

i336_
  • 184
  • 8

1 Answers1

2

The best practise is to get your application signed properly.

Any other method makes your application insecure against many attacks, and therefore is not suitable for professional use.

Tero Kilkanen
  • 36,796
  • 3
  • 41
  • 63
  • I can't argue with that. Downgrading anything isn't wise. I'll see about possibly asking elsewhere, then. Thanks. – i336_ Dec 17 '17 at 23:38
  • This answer might help you: https://stackoverflow.com/questions/21157450/how-to-make-a-machine-trust-a-self-signed-java-application – Tero Kilkanen Dec 18 '17 at 05:42