This is less like handing over the keys to your computer than it used to be. Java can be configured so that Java content is disabled in all browsers (at least from version 7 update 10 and higher). But if the application requires an old version, or you just have little faith in the Swiss cheese that is Java's security controls, then it would be nice to isolate your Java installation.
There are several ways to isolate Java, from hardening its configuration to only running it in a virtual machine. What I'm going to suggest here is another option, using Java without installing Java.
This approach is already really common with server-side applications. Server-side applications often install themselves with their own copy of the Java runtime, which means there is no danger of compatibility issues with the current shared install of Java on the server, or with any updates to it. So why not take the same approach for client-side applications, and benefit from isolating Java to the one application that needs it?
So here's what to do (using Windows notation, but it's similar for non-Windows):
- Obtain the offline Java installation .exe
- Follow these instructions to get access to the Data1.cab file
- Unzip the Data1.cab to get the core.zip file
- Unzip the core.zip file to get the JRE files
- In the .\lib folder there are several .pack files; unpack these to their .jar equivalents using unpack200.exe (in the .\bin folder), e.g. "..\bin\unpack200.exe -r rt.pack rt.jar". Hat tip.
- (Optional) You can remove several files as they are usually unnecessary (importantly the browser plugin is one of them). This makes the total size smaller, but not by much.
- Run your client-side Java application by directly invoking .\bin\java.exe
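The unpack and launch steps above, scripted for the non-Windows case (or a POSIX shell on Windows, where the binaries carry an .exe suffix). This is an added example, not code from the original post: it assumes the extracted JRE tree has the usual bin/ and lib/ layout, and "app.jar" is a placeholder for whatever client application you are isolating.

```bash
#!/bin/sh
# Added example: finish preparing an extracted (not installed) JRE and run an
# application with it, never touching any shared system Java.

# Unpack every lib/*.pack (and lib/ext/*.pack) to its .jar equivalent using the
# unpack200 shipped inside the same extracted tree. Prints the number of files
# converted. $1 = extracted JRE root, $2 = optional path to unpack200.
unpack_jre_libs() {
  jre_dir="$1"
  unpack="${2:-}"
  if [ -z "$unpack" ]; then
    # Prefer the copy inside the extracted tree so the result is self-contained.
    for cand in "$jre_dir/bin/unpack200" "$jre_dir/bin/unpack200.exe"; do
      [ -x "$cand" ] && unpack="$cand" && break
    done
  fi
  [ -x "$unpack" ] || { echo "unpack200 not found under $jre_dir/bin" >&2; return 1; }
  count=0
  for pack in "$jre_dir"/lib/*.pack "$jre_dir"/lib/ext/*.pack; do
    [ -f "$pack" ] || continue          # unmatched glob stays literal; skip it
    jar="${pack%.pack}.jar"
    # -r deletes the .pack once the .jar is written, as in the rt.pack example above
    "$unpack" -r "$pack" "$jar" || { echo "unpack failed: $pack" >&2; return 1; }
    count=$((count + 1))
  done
  echo "$count"
}

# Launch the application by invoking the private java binary by explicit path,
# so neither PATH nor JAVA_HOME can pull in a shared install.
# $1 = extracted JRE root, remaining args are passed to java unchanged.
run_with_private_jre() {
  jre_dir="$1"; shift
  java_bin="$jre_dir/bin/java"
  [ -x "$java_bin" ] || java_bin="$jre_dir/bin/java.exe"
  [ -x "$java_bin" ] || { echo "no java binary under $jre_dir/bin" >&2; return 1; }
  "$java_bin" "$@"
}

# Typical use (app.jar is a placeholder for the client application):
#   unpack_jre_libs ./jre
#   run_with_private_jre ./jre -version      # confirm the private copy answers
#   run_with_private_jre ./jre -jar app.jar
```

Because this runtime was never installed, Java's updater knows nothing about it; when a new JRE ships, repeat the extraction into a fresh directory rather than expecting the private copy to patch itself.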
I got this working for Burp Suite, but I didn't regression test all of its functionality, so whilst the method seems to work, I can't give any guarantees it does. YMMV.