Java : what’s important to know

GameRoom’s core is written in Java. Surprised ? Many of you won’t notice the difference; others might not like it. If you are in the second group, please read this article.

Wait, isn’t Java the root of all evil on our modern computers ? Buggy, slow, insecure ? That may have been true if you installed Java the classical way, but GameRoom does not require you to do so. Before explaining our solution, some basic explanations and frequent misconceptions about Java :

 

  • Q : Java is insecure and my computer will be h4ck3d, what were you thinking!

A : This may be true of Java’s web plugin, which allows applets to execute code inside your web browser. Although the idea might have been good and enabled cool features in web pages, it is now recommended to deactivate it, as a large number of exploits have been found against it. Understand this : by activating the plugin, you allow every web page you browse to execute some code on your machine, and some pages will use known exploits against the plugin to break out of its sandbox.

GameRoom does not use Java’s web plugin (it does not run inside a web page at all), so you can deactivate the plugin as you wish. Java applets and Java desktop apps are two very different things!

 

  • Q : Yes, but Java and its JVM (Java Virtual Machine, needed to execute Java programs) are still insecure; I saw an exploit against it reported a month ago.

A : It would be a lie to deny it : new security flaws are regularly found in the JVM. But what are those security flaws ? And how do they differ from flaws in other, “classical” apps ?

To answer this, it is necessary to understand the aim of the JVM. This virtual machine was developed to execute Java code safely. Many safety checks are built in : for example, it is almost impossible to encounter a buffer overflow in Java code, because the JVM manages memory itself and checks every array access against the array’s bounds, so an out-of-bounds write is refused with an exception instead of silently overwriting neighbouring memory. In comparison, buffer overflows are the number one security issue in “classical” C or C++ apps (CERN source) that you surely use daily. One caveat : this guarantee covers code that runs on the JVM. The JVM itself and the native libraries it loads are written in C and C++, and they can still contain memory bugs.
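To make the bounds-checking point concrete, here is an added example (not code from GameRoom or from the article’s author) that ports the classic C bug “copy untrusted input into a fixed-size buffer without checking its length” to Java, and then shows the explicit check a careful developer adds anyway. The class and method names and the 64-byte input are made up for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example: the JVM refuses an out-of-bounds write instead of letting it
 * corrupt adjacent memory. The input below is constructed for the demo; the
 * class and method names are ours, not GameRoom's.
 */
public class BoundsCheckDemo {

    static final int BUFFER_SIZE = 16;

    /**
     * The careless pattern, as a straight port of "char buf[16]; strcpy(buf, input);".
     * In C this is CWE-120: every byte past the 16th lands on whatever follows
     * the buffer in memory (saved return address, other variables...).
     */
    static byte[] unsafeCopy(byte[] input) {
        byte[] buffer = new byte[BUFFER_SIZE];
        for (int i = 0; i < input.length; i++) {
            // The JVM checks i < buffer.length on every store. Index 16 throws
            // ArrayIndexOutOfBoundsException; nothing outside the array is written.
            buffer[i] = input[i];
        }
        return buffer;
    }

    /**
     * The corrected pattern: validate the length explicitly. The JVM exception
     * above turns a memory-corruption bug into a crash, which is much better,
     * but a crash on attacker-controlled input is still a bug to fix.
     */
    static byte[] safeCopy(byte[] input) {
        if (input.length > BUFFER_SIZE) {
            throw new IllegalArgumentException(
                    "input too long: " + input.length + " > " + BUFFER_SIZE);
        }
        byte[] buffer = new byte[BUFFER_SIZE];
        System.arraycopy(input, 0, buffer, 0, input.length);
        return buffer;
    }

    public static void main(String[] args) {
        // Constructed attacker input: 64 bytes of 'A', four times the buffer size.
        byte[] oversized = new byte[64];
        Arrays.fill(oversized, (byte) 'A');

        try {
            unsafeCopy(oversized);
            System.out.println("unreachable: the JVM would have thrown at index 16");
        } catch (ArrayIndexOutOfBoundsException e) {
            // In C this loop would have silently scribbled 48 bytes past the buffer.
            System.out.println("JVM stopped the overflow: " + e.getMessage());
        }

        try {
            safeCopy(oversized);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected by our own check: " + e.getMessage());
        }

        byte[] ok = safeCopy("hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("Short input copied into a " + ok.length + "-byte buffer: "
                + new String(ok, 0, 5, StandardCharsets.UTF_8));
    }
}
```

Compile and run with `javac BoundsCheckDemo.java && java BoundsCheckDemo`. The first call dies with an `ArrayIndexOutOfBoundsException` at index 16, the second is refused by the explicit check, and the third copies normally. The lesson is the one the article makes : the runtime turns a silent memory-corruption bug into a visible, catchable error, which is why the same bug is far less dangerous in Java than in C.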

Now it happens that, quite often, researchers find a way to reproduce one of those “prevented” security issues via an exploit against the JVM. Although this means the JVM failed, in that instance, to deliver the higher level of security it promises (in contrast to classical apps, which never promised it), it does not mean that a Java program is less secure than any C or C++ program you might have downloaded online. Quote, from Carnegie Mellon University :

“While Java has suffered a few high-profile exploits, the most notorious of these exploited vulnerabilities in the Java core libraries and only worked on applets.

[Author’s note : applets are those web programs executing with Java’s web plugin, as mentioned before]

Most exploits that involve Java are injection exploits, such as cross-site scripting (XSS), that are not specific to the language itself. In contrast, C has a long and sordid history of exploits going back to the late 1980s (and probably earlier). For these reasons, Java is often considered more secure.”

Just follow this rule of thumb : only download what you trust. The developer behind the program you are downloading may not be malicious at all, but if they did not follow correct security practices, their software can be an entry point for experienced attackers. As the Carnegie Mellon quote suggests, a Java desktop program is less likely to become such an entry point.

 

  • Q : I don’t want to install it, because it will run in the background / ask for updates / other apps would start using Java.

A : No problem. We know how much of a hassle Java can be for some. Hence, we do not require you to install Java; a JRE is bundled within GameRoom’s folder. This has the following consequences :

  1. The JVM only starts with GameRoom and closes with it. It will not run in the background unless GameRoom itself is running in the background.
  2. It will not ask for updates (as it does not run in the background). You don’t even need to think about updating it : JRE updates ship with GameRoom’s updates, so you always run GameRoom on the latest, most stable, secure and optimized JVM we have tested.
  3. It will not add the bundled JRE to your PATH, nor register it as the handler for .jar files. This means that even if you download a Java app (.jar) by mistake, double-clicking it will not execute it. Thus, from your perspective, it is as if Java were not installed.
  4. It will, of course, not install the previously mentioned Java web plugin.

Conclusion :

As we have seen, even though Java has always been harshly criticized from the security point of view, common misconceptions about it keep spreading. Java’s web plugin deserves the blame; Java desktop apps are, if anything, less likely to be a security issue than the C or C++ apps we use every day. I invite anybody who disagrees with this article to lay out their arguments and sources in the comments; I’ll gladly respond.

Thanks for reading, I hope this has cleared up some common misconceptions. Always inform yourself about such matters before reacting, or you will end up spreading false ideas !

If you’re still not convinced, I’ll let you read these articles :