"Your Java Applet Is Insecure" - Java SE Applet Security Warning Dialogs
(Doc ID 1531711.1)
Last updated on OCTOBER 22, 2019
Java Platform, Standard Edition - Version 7 to 7 [Release 7] Information in this document applies to any platform.
Why do I see Java security warning dialogs in my web browser?
At JavaOne in September of 2012, Oracle communicated our intent to provide a Java "best used before" security feature. In Java SE 7 Update 10, delivered December 2012, we introduced the new Java security feature and provided release notes. The new security feature helps keep desktops safe by providing Java capabilities to dynamically change runtime behavior based upon Java's security posture (e.g., above or below the security baseline). If Java is operating below the security baseline, some operations will carry increased risk. Different or additional warnings will then be issued to browser users.
Why do I see these security warning dialogs today?
February 1st 2013, the Critical Patch Update (CPU) adjusted the security baseline. Any prior Java releases (e.g., 7u10/7u11) are considered below the baseline and adjust their behavior accordingly.
Why do I care if Java in my browser is above or below the security baseline?
First, if Java is operating below the security baseline, it's vulnerable to attack. Second, security dialogs will be presented communicating the increased risk. The specifics of the dialog messages depend upon the specifics of the environment.
How does the "best used before" feature work?
When Java is running, it contacts Oracle servers for current security baseline information. If the baseline is available, it's considered during operation. For added safety, if Oracle servers cannot be contacted (e.g., behind firewalls, etc.) Java includes an expiration date. The expiration date is approximately four weeks beyond the next CPU. If the expiration date is reached, Java assumes it's operating below the security baseline (e.g., vulnerable) and changes its behavior appropriately.
I don't like these security messages what can I do?
For users and enterprises, keep Java up to date by upgrading to the latest Critical Patch Update or newer. For software developers, sign plugin code using a certificate anchored to a root Java truststore (e.g., cacerts). Ensure your code is compatible with the latest publicly available versions of Java.
What does Oracle recommend?
For safety, Oracle recommends users and enterprises keep Java software up to date. Additionally, please see <Note 1553875.1>, "Handling the New JRE Security Dialogs", for more information.
Sample Security Popups
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!