Firefox: Tools menu | Add-ons | Plugins | find the Java plugin and click Disable.
Chrome: type chrome://plugins/ into the address bar and hit Enter. Find Java in that list and click on Disable near it.
IE: (XP) Start | Control Panel | Internet Options | Programs tab | Manage add-ons button. Find all Java entries in the list and click on the Disable link.
(Windows 7) I don't have a VM in front of me but it should be similar to the XP instructions.
With Chrome you should block all plugins, not just Java. You will still be able to watch a YouTube video by 'right' clicking the plugin's element and choosing 'Run This Plug-in'. Steps:
Settings | Under the Hood | Content Settings... | Plug-ins -> Block All
If you selectively disable plug-ins in Chrome you won't be shown the Plug-in element and won't be able to select 'Run This Plug-in'.
Personally, after seeing just how many exploits come in through Java I don't think it's wise to even have this hook enabled; it's another attack vector that exists and it's better in my opinion to just not enable it at all.
And, it's not just the number of exploits. It's the nature of the exploits. They're usually very reliable, and often don't even rely on accidental corruption so much as "features that accidentally expose all of runtime memory to the Java sandbox".
Java was iffy in 1998 when it was just the applet sandbox and a graphics context. But today, OS vendors have bridged Java into all sorts of systems code. It's a debacle. Just don't enable it.
Yep, no Flash plugin, no Silverlight, and no Java plugin on my Macs. Java is disabled and only used on Chrome if I need to use it. Which has been once in a year, and only to get results for the bufferbloat project. So basically, not all that useful outside of Clojure/JRuby/etc...
It's difficult to tell, though, whether you can trust the site: the MacDefender Trojan spread through vulnerabilities in sites whose owners were trustworthy, but their sites had been compromised.
Java isn't that widely used on the web anymore, and you will probably know if a site will require Java, so you'll be prepared to allow it. If Java spontaneously pops up when you're not expecting it, you'll generally want to deny it. It's more a question of whether you trust the site and you legitimately expect it to use Java at that point rather than simply whether you trust it in general.