How to kill Java dead, dead, dead

Why client-side Java must be eliminated despite its widespread use

InfoWorld's Galen Gruman sides with the anti-Java brigade, saying client-side Java is an outdated technology that now does more harm than good, and must be eliminated despite its widespread use. 

Once again, flaws in Java are creating big holes that hackers exploit to victimize users and, even worse, sabotage or spy on many of the computers that run key business processes at utilities, banks, hospitals, and government agencies. Enough already. Wake up and smell the coffee: Client-side Java needs to go, and fast. Even if the current bugs can be fixed, there will be more.

The problem is that Java is widely used and embedded in the apps that we use every day at work and at home. It just can't be turned off, though the federal government's Homeland Security Department team has recommended we all do so even with Oracle's Monday patch installed. Sure, you can disable Java in your browser, which Apple did via remote control for OS X Lion and Mountain Lion users. And you can uninstall Java on your PC or Mac. But you'll end up turning it back on again because you have little choice.

Java on the client side has turned into a malicious hacker's best friend, and developers really don't need it anymore. In fact, it's causing them more problems than it's worth. Although using Java lets a developer avoid writing custom code for the various versions of Windows and OS X, whether for native apps or browser client functions, the fact is that apps get tied to a specific Java version. Developers have a version-management problem anyway.

You'd think that IT organizations would have stomped out client-side Java long ago. I regularly hear IT folks moan about how they can't upgrade some users to Internet Explorer 8 because some specialty app they're running only works with the Java supported by IE6. I even know some who've had to give users two PCs because one app uses a Java version supported only by IE7 and another app uses Java supported only by IE8, which both can't be installed on the same PC. Java is the problem.

Of course, I also hear developers say things like the current Java 7 vulnerability is no big deal because their app uses an older version -- so the madness continues.

The feds recommended that users disable Java in the browser, and they should. But that still leaves Java on the desktop where it can be exploited, as Mac users found out a couple of years ago to Apple's chagrin. Apple's response was to deprecate Java in OS X Lion so that it was no longer installed as part of the operating system.

But when an app needs Java, users get a prompt to download and install it. Many popular apps do, such as Adobe's Creative Suite and even Symantec Anti-Virus. Oh, the irony that an antimalware app requires the use of one of the biggest malware conduits to function!

Apple had the right idea but didn't go far enough. It should prevent Java from ever running in OS X. Microsoft should do the same in Windows. Apple did that from the get-go in iOS, and few people noticed. The Metro (aka Modern) part of Windows 8 also doesn't support Java, which is a partial step in the right direction. Even the Java-based Android OS won't run Java apps or Web plug-ins.

Websites that still use Java, such as some banks, telcos, and airlines, will quickly adjust once more operating systems block it, just as websites have largely done after Apple blocked Flash in iOS. Today, only BlackBerry 7 OS runs unrestricted Flash on the mobile side, and the world is none the worse off.

Of course, despite Adobe's attempt to make Flash the common front-end UI technology for mission-critical apps such as ERP and CRM, Flash essentially was used only for video playback. The various codecs such as H.264 in HTML5 easily replaced Flash for that decidedly nonmission-critical purpose.

Java is still widely used for the front end of mission-critical apps and Web services -- thousands if not hundreds of thousands of them. That's why getting rid of Java on the client side will be tough. If Java went away tomorrow, many banking and e-commerce websites would cease to function, as would many electronic medical records systems and tons of specialty Web apps, from building inspector reporting tools to online voting.

Yes, online voting: France's online voting system requires Java to function. Without Java, rural and overseas voters are stuck, as there is no concept of a mail-in ballot there. (France's online voting systems also depend on specific versions of Java, so Mac users couldn't vote online in that country in last year's election.)

Those "unscheduled outages" would be devastating if OS X and Windows suddenly blocked Java, as the feds essentially asked us to do this week. If Apple couldn't make OS X Lion users suck it up and live without Java, Microsoft certainly can't do that in Windows given the hundredfold more apps in the Windows world than in the OS X world.

But here's what Apple and Microsoft can and should do: Announce that the next major versions of OS X and Windows will not run Java, period. Developers will thus have a deadline to convert their apps to Java-free versions -- a strategy that worked wonders for the major effort needed to prevent the Y2K crisis in 2000. Of course, that was a real deadline, and there's a danger that Microsoft or Apple might blink and extend the deadline, which would let developers delay even more.

To help push developers along, Apple and Microsoft should market Java-free, just like grocers market "fat-free" and "GMO-free," as an aspirational advantage and not a deficit.

But users aren't the real problem; businesses are. As much as IT staffers moan about Java, they hate to update software and operating systems, and their corporations hate to pay for it. Just listen to IT whine about how quickly Apple makes users update to OS X (about four years after release is the effective cutoff, versus six to 10 years for Windows depending on the hardware quality). Then imagine if they were told that by 2015 the then-current operating systems and the apps that run on them will need to be Java-free. Remember, parts of the U.S. Department of Defense still run Windows 2000. Yet most Java apps are those sold to businesses and are even developed by businesses internally.

The feds can help. Regulations for financial, utility, transportation, aerospace, and medical providers could designate the non-Java-free operating systems as noncompliant to security standards for gaining or renewing government contracts. Local governments would follow suit. That'd unleash a tidal wave of Java-free app updates. Loss of income is the motivation that vendors and developers need.

Of course, such dramatic action is unlikely given the government's hesitancy to interrupt the profit flow of its main owners -- er, contributors. But there may be a backup plan that's happening quietly even today: the move from traditional PC technologies like Windows to mobile ones like iOS and Android. The major mobile operating systems do not run Java apps or Java Web plug-ins. Migrating from PCs to iPads -- or making tablets a standard computing platform alongside PCs -- could be the quickest way to get rid of Java and force developers to stop using it.

If Microsoft and Apple don't make Windows and OS X Java-free platforms like iOS, Metro, and Android, client-side Java will still probably disappear over time even as Oracle tries to patch the technology in the usual security war of attrition. It just won't disappear fast enough.

We can't wait much longer. In an era where the United States and Israel have launched a quiet cyber war against Iran and others with worms like Stuxnet, and Iran has counterattacked by trying to take down U.S. banks' websites, it won't be long before Java is used like the lax airline security was on 9/11 to make something really bad happen. Already, Java flaws helped an unknown country spy undetected for five years on at least 39 nations -- the Red October hack. Stop it now.

This story, "How to kill Java dead, dead, dead," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2013 IDG Communications, Inc.