The Web Just Became More Secure: Google Drops Support for Java

Matthew Hughes 11-09-2015

When Java was first publicly released in 1995, it was revolutionary.


Developers could write their code once, and (in theory) run it on any computer they wanted without having to make any changes. It was, and still is, incredibly fast. This speed has lead to it being used in time-sensitive contexts, like high frequency trading algorithms on Wall Street.

Java was also incredibly ahead of its time. From its first release, developers could use it as a tool to embed web-app like logic into web pages. These were called Java Applets, and because the code was running in a separate process outside of the web browser, they were perfectly suited for high-intensity tasks like games, visualizations and simulations.

But that was then, and this is now.

It’s safe to say that Java – particularly in the browser – has lost its shine. A large part of this is due to security concerns. The next version of Google Chrome (version 45, scheduled for December) has removed support for it entirely.

Is Java Actually Insecure?

When writing about Java – particularly from the perspective of security – it’s important to differentiate between between the Java Runtime Environment (JRE) and the Java browser plugin.


The Java Runtime Environment (which includes the Java Virtual Machine What Is the Java Virtual Machine & How Does It Work? Though it isn't strictly necessary to know it works in order to program in Java, it's still good to know because it may help you become a better programmer. Read More and some software libraries) is often accused of being insecure, but that’s not necessarily true. Although the JRE has had its share of severe, zero-day vulnerabilities What Is a Zero Day Vulnerability? [MakeUseOf Explains] Read More , it’s for the most part a very well-designed, secure piece of software. It runs applications within a “sandboxed” environment, where the potential damage caused by a piece of software is limited. If the program wants to perform actions outside of “the sandbox”, the user is informed and has to approve them.


But in the browser, it’s a slightly different kettle of fish. The Java browser plugin is a notoriously insecure piece of software. According to Kaspersky, it’s responsible for almost 50% of cyber attacks in 2012.

But that’s because, perversely, the Java browser plugin is defective by design. Java applets simply aren’t sandboxed as they should be, and they blindly run any code that’s been signed with a cryptographic signature, without question.


To put this into layman’s terms, if you’ve got a malicious piece of software, and you want to ensure it can run rampant on any computer without any interference, you need only cryptographically sign it. That’s terrifying.

Of course, it doesn’t help that most people are running an insecure version of Java, thanks to its infuriating and broken upgrade process. According to Kaspersky’s 2012-2013 Java Under Attack report, anywhere between 55% and 37% of people use older (and vulnerable) versions of Java.

Perversely, Oracle (and previously Sun Microsystems) have almost de-incentivized people from installing the latest versions of Java by using it as an opportunity to surreptitiously force the installation of the Ask Toolbar (which can be easily removed 4 Annoying Browser Toolbars and How to Get Rid of Them Browser toolbars just don't seem to go away. Let's look at some common nuisances and detail how to remove them. Read More ), or change their default browser to Yahoo!.



Thankfully, Google’s doing something about it. After September, they’re going to discontinue support for NPAPI (Netscape Platform API) in Google Chrome, which will effectively make it impossible for Java applets to run. It will also break support for older versions of Adobe’s Flash (which has its own security problems), Silverlight (which nobody used), Unity, and the Facebook plugin.

There are rumblings that Firefox will soon join Chome in deprecating NPAPI, but so far nothing has really emerged. And, of course, NPAPI is still enabled on Internet Explorer, Opera and Safari.

Kill Java. Kill It With Fire

Java is an interesting, and startlingly common attack vector for malware to infect your computer. But there’s something you can do about it. It’s simply, and it’s obvious.

You simply delete the entire Java runtime from your system.


If you’re not using it, there’s no real point in having it installed, and deleting it is easier than you think. Here’s how you do it on Linux (Ubuntu – other distros may vary), Mac OS X, and Windows 10.

Removing Java on Linux (Ubuntu)

Removing Java on Linux is simultaneously simple and complicated. It’s simple in the respect that you need only run a few commands. But it’s also complicated, as you need to know what Java runtime you’re removing.

But wait, there’s more than one Java runtime?

Well, yes. You see, there’s the official one that’s produced by Oracle – the developer of Java. But there’s also the OpenJDK, which is an open source implementation released under the GNU General Public License – a permissive software license Open Source Software Licenses: Which Should You Use? Did you know that not all open source licenses are the same? Read More favored by open source products.

Odds are good that you’ve got the OpenJDK, but it’s easy to check. Just run:


java -version

Then, it’s a simple matter of removing the relevant packages with your package manager.


sudo apt-get autoremove openjdk-jre-7

If you’re using an older version of the OpenJDK, change the version number (openjdk-jre-<version>) to correspond with it. If you’re using the Oracle JDK, run:

sudo apt-get remove oracle-java7-installer

Removing Java on Mac OS X

These instructions work for Yosemite; the latest version of OS X. It’s actually surprisingly simple to remove Java here. You merely need root access and a bit of confidence with the command line.

Open a terminal and run the following:


sudo rm -rf /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/
sudo rm -rf /Library/PreferencePanes/JavaControlPanel.prefPane

Hurrah! You’ve removed the JRE on your machine.

Removing Java On Windows 10

To remove Java on Windows 10, simply open the Start menu and search for Java. Then right-click it, and click Uninstall. Don’t be afraid if there are more than a few items with Java in the name.


It’s as easy as that. But there’s also an official Oracle app that automates the process of removing Java.

If you’re using Windows 7, you might want to check out this post Is Java Unsafe & Should You Disable It? Oracle’s Java plug-in has become less and less common on the Web, but it’s become more and more common in the news. Whether Java is allowing over 600,000 Macs to be infected or Oracle is... Read More by former MUO-er, Chris Hoffman, which explains in perfect detail how to disable and remove Java from your PC.

Begone, Java!

The era of Java applets is long gone. Good riddance.

They were slow, insecure, and quite frankly, there are much better technologies that’ve supplanted them. HTML5, and Canvas in particular, spring to mind. Google should be applauded for finally discontinuing support for them in Windows 10.

Of course, the only way to truly be secure is to remove it entirely.

So with that in mind, is there any real reason to have Java installed on you computer? I didn’t think so, but what do you think? Any thoughts? I want to hear them. Leave me your comments in the box below, and we’ll chat.

Photo Credits: Gil C /, WetWebwork via Flickr

Related topics: Java, Online Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. rizal
    March 25, 2017 at 1:02 pm

    the title should be "Google drops Java support for chrome". what a cheap clickbait

  2. NaN
    November 11, 2015 at 5:59 pm

    It's just the Lava Applets that suck, are out of time and need to disappear (as flash, silverlight and all that kind of software)... NOT Java! Is very misleading jumping from java applets to the whole Java Runtime Environment that is as secure or insecure as any other common use program running out there that's got his bugs. Moreover, Java is the number one programming language right now in almost any programming language ranking (see some below) - in large part because of Android Apps programming that's made in Java - so please, don't talk about thw whole JAVA when is ONLY JAVA APPLETS!

    • rizal
      March 25, 2017 at 1:03 pm

      the writer never code in Java. don't mind him

    • anti BS
      March 21, 2018 at 11:00 pm

      And also, a big quantity of google webapps (like gmail, google drive, docs, etc) are mainly programmed in java for the server-side :D

    • Nick
      May 9, 2018 at 11:22 am

      While the article does make some good points, it is cloaked in the ridiculous notion that Java is anything BUT hot. Java is what the largest operating system in the world (Android) is built with. And that's just scratching the surface of Java's wide range of implementations. There is a large demand for Java skills, which an endless list of job postings looking for Java skills bear witness to.

  3. Anonymous
    September 19, 2015 at 3:44 am

    Really! All they needed to do was tell people how to stop automatic plugin interaction with all browsers or just theirs, this would be enabling "click-to-play" (ask to activate, Let me choose when to run plugin content) and keeping your plugins updated. I mean hell, nag if you have to, but don't kill off an important resource! Why is it so important to keep these enabled? Well for one it extends your ability when running certain content (games, animation, audio/video), and two, your ISP/Webmaster/Admins will take their time transitioning to what ever Google now recommends will be better. So in that drastic gap, what the hell are suppose to do to view your important content then, especially when it's work related.

    Well, it's good think I stopped using Google Chrome and FxChrome a long time ago.

    Now, for anyone interested in what I'm using, it's Pale Moon (an Open Source web browser forked off from the Firefox/Mozilla code).

    Here's the link: [Broken Link Removed] .

  4. Anonymous
    September 15, 2015 at 11:30 pm

    I Just Have 1 Rant About java.

    When I Select I Do Not Want Automatic Updates, The pos Goes Behind My Back, And Returns To The Defaults As Soon As Possible.

    Why Pretending There Is A Choice When There Is None ?

  5. Anonymous
    September 13, 2015 at 9:15 am

    This article is very misleading: you are basically saying that the Java plugin for browsers is the same thing as the Java Runtime Environment and suggesting a complex procedure (for the average user) to remove the JRE which has nothing to do with Web navigation security but has the side effect of preventing users from executing any safe Java desktop application.

    This is the kind of articles infesting the Web with false or inaccurate security advices, sadly some users tend to believe this stuff uncritically. The next thing you are suggesting will be to disable Silverlight from browsers and completely remove .NET from Windows machines? Then why don't we remove Ruby, Python and the whole bash shell from any desktop?
    Totally ridiculous.

  6. Anonymous
    September 13, 2015 at 1:52 am

    My ONLY regret(?) about this is concerning one program called Freemind. It's an outstanding mind mapping program...written entirely in Java. Massive suckage there.

  7. Anonymous
    September 12, 2015 at 1:29 pm

    The overwhelming danger from Java comes from enabling the browser plug-in. Unless you're manually downloading infected applets, having it inert on your computer doesn't hurt any more than any of the other run-times or application frameworks you might have installed (Windows Scripting Host, .NET, Python et al.). As an IT guy, I have to deal with a number of tools that still expect me to have Java, so I just have to make sure to keep it up to date. I do this by scripting updates with application repositories such as Chocolatey.

    On Windows, the Java Control Panel applet provides a unified interface for enabling and disabling Java access in browsers. For people who still need Java for applications (e.g. DirSync Pro or Filebot), this is the setting that allows the greatest safety for its use.

    Firefox isn't going to be giving up NSAPI any time soon; it's also the component of that browser that allows for Flash (which we also hate but mostly still kind of want) and third party PDF viewers to display content in a browser window. I realize that Firefox is in the process of becoming Chrome with a different rendering engine, but for the time being it does not have an alternative plugin architecture.

    • Anonymous
      September 13, 2015 at 1:56 am

      Thank you...just disabled Java content in my browsers.

  8. Anonymous
    September 12, 2015 at 1:26 pm

    If java is dropped, what would be its replacement? All I'm aware of is HTML5 quickly removing Flash.

  9. Anonymous
    September 11, 2015 at 8:56 pm

    My mom LOVES the Pogo games, which use Java. I guess that site's going to have to do a major overhaul to please its many users who are going to find their preferred browser (or browsers, if/when FF follows Chrome's lead) no longer cooperating with the site. :-(

    • Dustin
      February 2, 2019 at 3:12 pm

      Yes exactly my point!!!! I do as of now myself play on and hate that java is ending in all browsers

  10. Anonymous
    September 11, 2015 at 8:41 pm

    Libre Office and Open Office do use Java, but crucially they do not run in a browser environment so do not utilise the java browser plugin which is where the design flaw exists, Java itself is not inherently insecure as stated in the article.

  11. Anonymous
    September 11, 2015 at 7:01 pm

    Java support has been removed from Chrome on Linux for a long while. I dont miss it.

  12. Anonymous
    September 11, 2015 at 6:03 pm

    Doesn't LibreOffice/Open Office use Java?

    • Matthew Hughes
      September 11, 2015 at 6:16 pm

      I think so, but don't quote me on that.

    • Anonymous
      September 11, 2015 at 7:07 pm

      Unfortunately, so does Minecraft. The difference is that, at least in Windows, the Java it requires is bundled with Minecraft supposedly to be used just for Minecraft alone.

      On Linux I've been using OpenJDK instead of Oracle Java. I don't know if it is as unsecure or not, but outside of Minecraft I have been able to remove it from my system.

      Windows 10, Minecraft didn't want to work (graphic drivers issue) so I have been using the Mobile version (Windows 10 Beta) so as far as I know, I do not have Java running on it and I am losing nothing.

  13. Anonymous
    September 11, 2015 at 5:12 pm

    There are way too many things that still use Java that haven't updated their plugins. Synology Surveillance Station, Avocent KVM viewer, etc. Their answer is typically, "use a different browser".

  14. Anonymous
    September 11, 2015 at 4:47 pm

    I use DirSync Pro, and the damned thing uses Java. Anyone knows of decent alternatives?