It turns out that applets are failing because the security update in S8155973 restricted MD5-based signatures in JAR files. It was eventually backed out by S8166381 but that one didn't make to the update.
One easy way to fix is to edit /etc/java-7-openjdk/security/java.security and remove MD5 from the list of "jdk.jar.disabledAlgorithms". By default this is a new setting and should be the last line, just make sure it looks like: jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024 For future reference, once can see when an applet is being affect by looking for the following log line: Codebase matches codebase manifest attribute, but application is unsigned. Continuing. The browser must be run with icedtea plugin debug enabled as in "ICEDTEAPLUGIN_DEBUG=true firefox". Also, please be aware that Oracle is planning to reintroduce the MD5 signature restriction back in January, see section "Restrict JARs signed with weak algorithms and keys" in http://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html -thanks
