Quick Links

You've probably heard all about how the Java browser plug-in is insecure. 91% of system compromises in 2013 were against that insecure Java plug-in. But Java isn't the same thing as JavaScript -- in fact, they're not really related.

Most of our readers probably understand the difference, but not everyone knows it. Any confusion isn't accidental -- JavaScript was originally named JavaScript just to associate it with Java in people's minds.

Java Basics

Related: Oracle Can't Secure the Java Plug-in, So Why Is It Still Enabled By Default?

Java is a popular programming language used for everything from server software to desktop applications and even Android apps. You've probably heard of Minecraft, which is written in Java. Running a Java application requires Oracle's Java runtime on your computer. It was previously developed by Sun, but Oracle purchased Sun -- so it's now Oracle Java instead of Sun Java.

But Java isn't just used for traditional applications. Back in the 90's, Sun developed a browser plug-in that allowed you to run Java programs --or "Java applets" -- inside web browsers. The Java plug-in isn't widely used anymore, and it's been a source of endless security problems. You do not want to run Java applets inside your browser if possible. The Java plug-in -- and Java content in web browsers -- has proven insecure and bad.

There's just one Java plug-in, and it's created by Oracle and bundled along with the Java runtime. If there's a problem with it, you have to wait for Oracle to fix it. There's no competition to improve it.

java-applet-on-the-web

JavaScript Basics

JavaScript is a programming language used by web pages. HTML is the layout language that defines how web pages are laid and and JavaScript is the language that lets web pages be more dynamic. JavaScript is what enables web applications like Gmail to function, and JavaScript is used by practically every website at this point.

JavaScript was originally designed to be a lightweight scripting language to run in web browsers. It isn't a separate browser plug-in that comes from one company -- every browser includes its own different JavaScript engine. Browsers natively run JavaScript code without relying on a third-party plug-in. There's been much competition among browser vendors to make JavaScript faster and better.

javascript-in-action-on-gmail

Why Is It Called JavaScript, Then?

JavaScript really has nothing to do with Java; it isn't just a simplified subset of Java. JavaScript was developed under the name "Mocha" and was named "LiveScript" when it appeared in a beta release of the Netscape Navigator web browser back in 1995.

In 1995, Netscape announced the language would be named "JavaScript" in a joint announcement with Sun. This happened around the time Netscape added support for Sun's Java applets. We can look back at the announcement today:

"The JavaScript language complements Java, Sun's industry-leading object-oriented, cross-platform programming language...

JavaScript is an easy-to-use object scripting language designed for creating live online applications that link together objects and resources on both clients and servers. While Java is used by programmers to create new objects and applets, JavaScript is designed for use by HTML page authors and enterprise application developers to dynamically script the behavior of objects running on either the client or the server."

The announcement goes on and on like this, talking about both Java and JavaScript. This is usually seen as an attempt by Sun and Netscape to associate the new language -- JavaScript -- with the Java language that was popular at the time. The name made people a bit confused and caused them to associate the new language with Java, giving JavaScript some instant respect. If it's called JavaScript and was announced by Sun in an announcement that talked about Java a lot, surely it was related to Java -- right? Nope.

In 1998, Brendan Eich, who invented JavaScript, claimed in an interview that JavaScript was intended "look like Java, but be a scripting language" for lightweight usage. It might look a bit like Java, but it's very different.

netscape-navigator-browser-retail-box

JavaScript is Practically Mandatory for the Modern Web

Related: What Is NoScript, and Should You Use It to Disable JavaScript?

We've moved away from Java content in the browser over the years. While Java is still widely used, it's become a dirty name when associated with web browsers. Java has also become an increasingly disliked piece of consumer software known for bundling junkware with security updates.

Where the Java name was originally intended to add credibility to JavaScript, the Java association is now tarnishing its name. It's easy for JavaScript to come to mind when you see apocalyptic headlines about Java plug-in vulnerabilities. That was the whole point of the name -- to make them seem related.

Some people go out of the ir way to disable JavaScript in their web browsers with add-ons like NoScript. But JavaScript isn't insecure like Java is in the browser. Yes, there's an occasional security vulnerability in a web browser that can be exploited via JavaScript, but the hole is patched up and we move on. This isn't unique to JavaScript -- there could be a security vulnerability in a web browser that could be exploited via HTML, CSS, or other technologies, too. There's no way to completely protect yourself against possible future browser vulnerabilities. Just keep your browser and its plug-ins updated.

websites-require-javascript

JavaScript powers the modern web, whether you're using a browser on your computer or smartphone. Disabling it would make many websites unusable.

On the other hand, the Java browser plug-in is used on very, very few websites. If you disable the Java browser plug-in, the web will continue working normally. You'll probably never notice you don't have it.

Image Credit: nyuhuhuu on Flickr, Marcin Wichary on Flickr