(Topic ID: 145690)

Pinballlife.com

By maxwell

8 years ago



Topic Stats

  • 307 posts
  • 71 Pinsiders participating
  • Latest reply 8 years ago by Wolfmarsh
  • Topic is favorited by 8 Pinsiders


You're currently viewing posts by Pinsider aurich.

#52 8 years ago

There are very few cases to ever have Java actively installed in your browser. It still has desktop and app usage, but that's different than applets. You can't run Photoshop CS6 under El Capitan without the Java SE 6 runtime installed for instance.

If you have Java active in your browser here's what I suggest:

You can listen to vid1900 (I would) or you can listen to Alex (in this case, I would not), you can listen to me. Either way, do yourself a favor, and just go into your settings, and uncheck it. Turn it off. Restart your browser to be safe. Then try it. You know what will happen? Nothing. You won't notice a difference. And you'll be safer.

But here's my argument if you're interested:

We cover this stuff at Ars Technica (where I work) on a regular basis. We're a world-renowned publication when it comes to our security coverage. Don't listen to the creative director, look at the people who make it their job to understand these things. Look what our security editor, Dan Goodin, wrote just this last July for instance:

"Internet users should take renewed caution when using both Adobe Flash and Oracle's Java software framework; over the weekend, three previously unknown critical vulnerabilities that could be used to surreptitiously install malware on end-user computers were revealed in Flash and Java."

"Ars is once again advising readers to limit, or if possible completely curtail, use of both Flash and Java, at least until fixes for these three critical bugs are available."

— Source: http://arstechnica.com/security/2015/07/two-new-flash-exploits-surface-from-hacking-team-combine-with-java-0-day/

Once again. Because we say it all the time. Such as ...

"Ars has long advised people to assess if they truly required Java and other browser plugins and if not to consider uninstalling them."

— Source: http://arstechnica.com/security/2015/08/fake-eff-site-serving-espionage-malware-was-likely-active-for-3-weeks/

One of our other writers who covers the programming and security beats:

"Chrome 42, released to the stable channel today, will take a big step toward pushing old browser plugins, including Java and Silverlight, off the Web. Those plugins use a 1990s-era API called NPAPI ("Netscape Plugin API") to extend the browser, and with Chrome 42, that API is now off by default."

— Source: http://arstechnica.com/information-technology/2015/04/chrome-starts-pushing-java-off-the-web-by-disabling-plugins/

Chrome turned that shit off, and it's not coming back now. Chrome is a major browser heavyweight. And they don't even support it anymore. Does it really seem that necessary to you?

Remember, Java ≠ JavaScript. Your bank might ask you to have JavaScript on, they won't ask you to have Java on. And if they do, time to get a bank that understands modern technology, because I wouldn't leave my money with one that required Java.

#53 8 years ago

Also, on the topic of fake virus scam artists, this is IMHO a hilarious but informative take on trolling one of those guys by one of our own writers who they made the mistake of trying to scam:

I am calling you from Windows: A tech support scammer dials Ars Technica

When the call came yesterday morning, I assumed at first I was being trolled—it was just too perfect to be true. My phone showed only "Private Caller" and, when I answered out of curiosity, I was connected to "John," a young man with a clear Indian accent who said he was calling from "Windows Technical Support." My computer, he told me, had alerted him that it was infested with viruses. He wanted to show me the problem—then charge me to fix it.

This scam itself is a few years old now, but I had not personally received one of the calls until yesterday—the very day that the Federal Trade Commission (FTC) announced a major crackdown on such "boiler room" call center operations. The very day that six civil lawsuits were filed against the top practitioners. The very day on which I had just finished speaking with Ars IT reporter Jon Brodkin, who spent the morning on an FTC conference call about this exact issue. And here were the scammers on the other end of the line, in what could only be a cosmic coincidence.

I walked around my office with the phone against my ear, then settled into my desk chair and put the call on speakerphone. I wanted to know just what it felt like to be on the receiving end of such a call. I wanted to know how a group of scammers half a world away convinced random and often tech-illiterate people to do things like run the built-in Windows Event Viewer, then connect to a website, download software, and install it (together, no easy feat for many mainstream users). I wanted to know just how the scammers eventually convinced their marks to open up remote control of their PCs to strangers who had just called them on the telephone.

So I played along—which was difficult without a Windows PC in my office. To buy time, I told the scammer that I was waiting for my nonexistent computer to "boot up," then sent a furious blast of instant messages to Brodkin, asking him to do whatever the scammer told me to do and report back on the results. Luckily he was at his computer and immediately agreed—and we were off.

You can read the rest here if you like:

http://arstechnica.com/tech-policy/2012/10/i-am-calling-you-from-windows-a-tech-support-scammer-dials-ars-technica/

#61 8 years ago
Quoted from markmon:

During Thanksgiving, I just cleaned two MACs that were massively infected with adware and the users didn't even know it. Mr Jobs didn't do such a great job, really.

How in the world do you get adware in your media access control addresses?

#96 8 years ago
Quoted from Pinchroma:

So many clueless people it's shocking

So we present evidence, and you just attack us all as being stupid. While ignoring the evidence. Actually, I'm not clueless, I'm educated on the topic. And demonstrated it with links, written not by random strangers, but by people I work with daily.

Quoted from Pinchroma:

Can't anyone find anything current? NOPE.

You mean like the 0-day exploit from July of this year that I posted above that you're conveniently not addressing?

Are you just being stubborn because it's your nature? Or is there something else going on here? I hope JJP's online strategy isn't centered around using a browser-based Java applet or something.

#103 8 years ago
Quoted from markmon:

Sorry but the only writer on ars tech I trust is Erica Sadun. I don't consider this a definitive source.

Erica hasn't written for us in years. And honestly I couldn't care less what you personally think of Ars Technica, we have industry recognized security writers.

Dan Goodin, our security editor who I cited, is a 2 time SANS winner.

http://arstechnica.com/staff/2012/10/ars-it-security-editor-dan-goodin-receives-sans-award/

"The SANS Institute is a cooperative research and education organization for security professionals, and its Top Cyber Security Journalist Award Winners are voted on by a panel of over 110 journalists who write on cybersecurity topics."

Gonna go with that being a slightly better indication of who's a professional over "this guy on internet forum". Which includes me. Don't believe me? Fine. But ignoring the advice of experts on the topic seems myopic.

But by all means, continue to throw in with Alex on this one if you like.

#108 8 years ago
Quoted from Pinchroma:

You mean the zero day exploit that is only exploitable if you ACTUALLY accepted the 3 prompts telling you NOT TO accept an unsigned, app from an unknown developer on a site with an invalid certificate?
Yeah that ZERO DAY exploit.
Did you know Aurich that you had to accept the execution of that zero day exploit 3 different (4 if the source is non ssl) times to actually get it to run?

Uh, no. I mean this zero day exploit, that runs malicious code without any of that (the very same one I linked earlier):

http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/

"Several months ago, we disclosed that Pawn Storm was using a then-undiscovered zero-day Java vulnerability (CVE-2015-2590) to carry out its attacks. At the time, we noted that a separate vulnerability was used to bypass the click-to-play protection that is in use by Java. This second vulnerability (CVE-2015-4902) has now been patched by Oracle as part of its regular quarterly update, with credit given to Trend Micro for the discovery.

Click-to-play requires the user to click the space where the Java app would normally be displayed before it is executed. In effect, it asks the user if they are really sure they want to run any Java code.

Bypassing click-to-play protection allows for malicious Java code to run without any alert windows being shown."

My emphasis added.

If defending Java browser plugins is the horse you really want to ride, have at it. But you're not doing your rep any good by doing so, it's a pretty weird hill to die on.

It's a shame, you're a smart guy, you know a lot about useful topics like powder coating, and I'm sure we'd get along fine in person. But you just can't help being a needling dick online for whatever reason. You're in the wrong here. No security expert would ever back your play. Places like Trend Micro have been recommending limiting Java for years, long before this last zero day exploit.

http://blog.trendmicro.com/trendlabs-security-intelligence/how-to-use-java-if-you-must/

This isn't exactly secret cutting edge stuff.

#113 8 years ago

Okay Alex, you think you know security? But do you know this one?

12289479_10205180042970398_5245454227084567155_n.jpg

(This fight is seeming about as silly, I'm ready to let it go, I don't care who "wins").

#131 8 years ago
Quoted from vid1900:

All joking aside, I hope that JJP is smart enough not to have Alex in charge of the security for the 3rd game that is supposed to have online capabilities.

I just wonder if he's so hot to defend Java because that's what it will be using. It's a weird thing to get all passionate about. I hang out with technical people every day. I doubt I could find a single one that would be willing to defend Java applets in any capacity. Java in browsers has been a joke for ages now. Even when you have to use it for some reason it's a kludge.

#133 8 years ago
Quoted from pinballlife:

In the meantime, please everyone, understand that there is no threat to our web site and absolutely nothing bad will happen when visiting us.

Always the first place I check for parts!

#137 8 years ago
Quoted from pinballlife:

it is 100% all safe and squeaky clean

Hmm, of viruses maybe, but those topless anime dolls might not count as squeaky clean!

#150 8 years ago
Quoted from Pinchroma:

You mean the one where he called me a "needling dick?" That personal attack? Nope. Won't stoop that low. However let's see if anything comes of it. Let's see if the golden boy gets a slap.

I did actually, and rightly so, I shouldn't have called you a dick, I apologize.

But I did take issue with your statement that everyone in this thread was clueless. I'm not actually. I've backed up everything I've posted with links and evidence. Including the fact that the zero day exploit for Java entirely bypassed all of the warnings, which is why it was a big deal in the first place.

You've conveniently ignored all of my evidence and links, and just stuck to your guns. Whatever, I said I was over it with my joke image and I'll try and stay that way, no need to make this personal.

#172 8 years ago
Quoted from markmon:

Bummer. I guess your only credible writer doesn't even work there.

So basically all you have left is insults. When you're losing the argument that's the next step, lash out. Try and change the topic, make people forget that you're ignoring the facts.

Not sure what the lovely group of talented people I work with did to deserve it, but considering you're bringing up a writer who hasn't worked for us since 2009 it's pretty obvious you're not even a reader of their work.

Somehow I think they'll survive.

#190 8 years ago
Quoted from Wolfmarsh:

I think we all have a dick streak

The doctor told me it was lipstick.

#214 8 years ago

What brand of pork and beans? I'm asking for a friend.

#222 8 years ago
Quoted from vid1900:

Hopefully a few people on Pinside would be passing on.

Cold Blooded

#226 8 years ago

I think all the people defending Java plugins decided to play Frontier instead.

#231 8 years ago
Quoted from dmbjunky:

I've never played Frontier but I do love that backglass.

Well not to explain the joke, but the sound effect loop on Frontier is crickets.

#235 8 years ago
Quoted from rotordave:

I used XP for as long as humanly possible lol
Hey, if it ain't broke

Oh, but it was so, so very broken.

#283 8 years ago

That's ridiculous. No one still uses hydrocoptic marzelvanes.

#295 8 years ago
Quoted from Pinchroma:

Wow.. NO. The difference is the design. NONE of their shit is COTS packaged products. None of it. Every single piece/board/etc is designed by them. Of course manufacturing is outsourced. Everyone outsources the manu. But they DON'T outsource the design like other vendors.
Go buy any random motherboard and slap it into a macbook. See how far you get

Yeah, just because Apple is using Intel now doesn't mean they're just another OEM, they do a crazy amount of customization. Their towers are unfortunately over-designed and stupid now, but their laptops are brilliant. I'm typing this on a Retina iMac and it's a great machine.

You still shouldn't use the Java browser plugin on them though.

#305 8 years ago
Quoted from girloveswaffles:

Or as I call it, the non-pro MacPro (and I have a REAL MacPro in a metal tower). The new Macpro is the bastard grandson of the Cube.

Ha, so true. I loved the Cube for what it was, but a good computer was not it.



This page was printed from https://pinside.com/pinball/forum/topic/pinballlifecom?tu=aurich and we tried optimising it for printing. Some page elements may have been deliberately hidden.
