Naked Security

Advent tip #23: Check that Java is turned off in your browser

Fewer and fewer websites actually rely on Java, so the only people who really benefit from it being on in your browser are the crooks.

You’ve heard of Java.

It’s a computer programming language that can be used to develop applications that aren’t tied to a single sort of computer.

Java programs have two main ways of running:

  • As full-blown applications, installed permanently onto your computer in the same way that you might install Word on Windows or Keynote on a Mac.
  • As web applets, delivered in a web page to run inside your browser, under stricter security controls than full-blown Java applications.

A few years ago, Java applets were a happy hunting ground for cybercrooks: finding an exploitable bug in the applet subsystem was as good as finding a bug in the browser itself.

At the same time, fewer and fewer websites actually relied on Java, so the only people who really benefitted from it being turned on in your browser were the crooks.

That’s the problem with software that you only rarely need, but which is continually exposed to outside threats: it’s easy to ignore it, and let it get out of date, only to receive a rude shock when it’s used to attack your computer.

That’s why we’ve been recommending for years that you turn Java off in your browser.

Even Oracle, the owners of Java, agree these days, and have provided a “switch” for centralised control of browser-based Java.

Why not do us all a favour, including yourself, and use your Java Control Panel to check that it really is turned off?
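The same check can be scripted. This is an added example, not code from Naked Security or Oracle. It assumes the Java Control Panel's "Enable Java content in the browser" setting is stored as `deployment.webjava.enabled` in the per-user `deployment.properties` file, and that the file sits in one of the usual default locations listed in `candidate_paths`.

```python
import re
from pathlib import Path

KEY = "deployment.webjava.enabled"  # assumed name of the browser-Java switch

# Constructed sample of a per-user deployment.properties file.
SAMPLE_OFF = """\
#deployment.properties
! constructed example, not taken from a real machine
deployment.webjava.enabled=false
"""

def parse_properties(text):
    """Parse simple key=value / key:value lines, skipping # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) == 2 else ""
    return props

def browser_java_enabled(text):
    """True unless the switch is explicitly false (a missing key counts as on)."""
    value = parse_properties(text).get(KEY, "true")
    return value.strip().lower() != "false"

def candidate_paths(home):
    """Usual per-user locations (assumed defaults; adjust for your install)."""
    home = Path(home)
    return [
        home / "AppData/LocalLow/Sun/Java/Deployment/deployment.properties",
        home / "Library/Application Support/Oracle/Java/Deployment/deployment.properties",
        home / ".java/deployment/deployment.properties",
    ]

def audit(home):
    """Return {path: enabled?} for every deployment.properties that exists."""
    return {str(p): browser_java_enabled(p.read_text(errors="replace"))
            for p in candidate_paths(home) if p.is_file()}

if __name__ == "__main__":
    found = audit(Path.home())
    if not found:
        print("No per-user deployment.properties found")
    for path, enabled in found.items():
        print(("ON  " if enabled else "off ") + path)
```

A system-wide configuration set by an administrator can take precedence over the per-user file, so treat the Java Control Panel as the authoritative view.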

💡 LEARN MORE: Turning off Java won’t turn off JavaScript ►

💡 DID YOU KNOW: Java was originally named after a tree ►

💡 LISTEN TO OUR PODCAST: Sophos Techknow – All about Java


Images of Christmas tree and Advent calendar courtesy of Shutterstock.


But… What do you do if you frequently use a site that relies on a Java applet? Is there a way to “whitelist” a site, so that Java applets can run on those sites but not any others? I’d hate to go into the browser settings every time I want to use that site.


I haven’t had Java on in my browser for at least two years now and I have never come across a site (not even one I didn’t care about) that still requires Java. But if you have a site that does, you can list it specifically in the Java Control Panel.

I’m not free of Flash yet (there is exactly one site I need that relies on it)…but I live in hope :-)

