I have a fairly definitive answer on this. Buried in the "enhancements" section of the java 8 documentation.
http://docs.oracle.com/javase/8/docs/technotes/guides/jweb/enhancements-8.html "For sandbox RIAs, SocketPermissions for the origin host is no longer granted. Calls from JavaScript code to the
RIA are not granted SocketPermissions beginning with JDK 8."
I Leave it to the reader to decide in what universe this is an enhancement.
So it appears that Oracle has decreed that sandboxed applets can't use sockets; they have to become all-permissions
applets, which have unrestricted access to the client's machine. It mystifies me how requiring users to trust applets with
unrestricted access will enhance security.