[corty]

There is a whole heap of applets for educational content, e.g. interactive simulations of experiments and such. Those are still useful but unlikely to be ported to Javascript, similar to lots of Flash content.

If the Java VM weren't as botched and insecure as it is, applets would still be with us, at least as an important part of internet history and retained tools and knowledge.

[toyg]

The Java VM is not particularly insecure, its browsers interfaces are (or rather were).

[corty]

The JVM itself shipped with a ton of vulnerabilities, e.g. in vendored ancient versions of libjpeg and similar stuff. Those didn't only affect applets but all Java client and server side applications that presented e.g. image processing as an attack surface.

Also, vendoring the JVM itself by virtually all java applications lead to those vulnerabilities being exploitable for ages, even after they were publicised and fixed in the latest version. In that regard, the JVMs were usually in worse shape than the browsers' applet interface which was updated far more regularly.

[cesarb]

No, other than the bytecode validation bugs, IIRC the security issues were mostly in the JVM's sandbox. It used a blacklist model in which each "dangerous" operation was supposed to call the security manager, which would check if the calling code had permission to do the operation; but there were often holes in these checks, usually chaining several innocent operations and making use of Java's powerful reflection, which allowed an applet to trick "trusted" code in the JVM into doing the supposedly forbidden operations.

[2sk21]

Agree - almost every week, new exploits were being discovered, even back in the 1990s!

[DonHopkins]

You have a good point: Ken Perlin still has a whole lot of great educational Java applets on his page, which he's been developing and using educationally since the very early days of Java.

https://mrl.cs.nyu.edu/~perlin/