Click-to-Play Plugins, Blocklist-Style

David Keeler


You may have heard of click-to-play plugins (in short: don’t load plugins until they’re clicked). You may have also heard of the blocklist (essentially a list of addons and plugins that are disabled to prevent users coming to harm; this includes vulnerable and outdated versions of popular plugins). Now, appearing together for the first time in Firefox Beta, allow me to introduce click-to-play blocklisted plugins!

This is how it looks in action:

(Note that the popup notification won’t show itself automatically. This is intentional, so as to not interrupt the user. To open the popup, simply click the plugin icon in the url bar as shown below.)

By combining the safety of the blocklist with the flexibility of click-to-play, we now have an even more effective method of dealing with vulnerable or out-of-date plugins. Instead of choosing between vulnerable but useful (allowing an old plugin to run automatically) and safe but less useful (completely disabling old plugins), click-to-play blocklisted plugins give the user the ability to make an informed decision depending on their current activity. For instance, when browsing a reputable video sharing website, a user might feel safe enough to enable a vulnerable plugin in order to view the site’s content (in fact, the trusted site can be whitelisted using the “Always activate plugins for this site” option in the button drop-down menu). Of course, it would be best if the user upgraded the plugin to a secure version, but perhaps they can’t for one reason or another. In another scenario, they might not fully trust a site they arrive at after following a link sent by a friend. In this case, the blocklisted plugin would not automatically run, and the user would be protected.

At the moment, click-to-play blocklisted plugins is a security feature that protects against drive-by attacks targeting plugins that are known to be vulnerable. It does not prevent attacks where a user is convinced to activate a vulnerable plugin on a malicious site. It is also not an all-purpose plugin management system.

This feature is enabled by default, so users are automatically protected. For the adventurous, the about:config preference “plugins.click_to_play” can be set to true to enable click-to-play for all plugins, not just out-of-date ones. However, this aspect of the feature is still in development.
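To make the precedence between the blocklist, the per-site whitelist and the global preference concrete, here is an added illustrative model; it is not Firefox’s code, and the state names, the sample blocklist and the `prefs`/`whitelist` objects are constructed assumptions.

```javascript
// Illustrative model of the click-to-play blocklist policy described in the post.
// NOT Firefox's implementation: state names and data shapes are assumptions.

// Assumed blocklist states. SOFTBLOCK is the new click-to-play state for
// vulnerable/outdated plugins; HARDBLOCK stands for plugins the blocklist
// disables outright with no user override.
const BlocklistState = Object.freeze({
  OK: "ok",
  SOFTBLOCK: "softblock",
  HARDBLOCK: "hardblock",
});

// Constructed sample blocklist keyed by plugin name, then version (not real data).
const sampleBlocklist = {
  "Example Plugin": { "1.0": BlocklistState.SOFTBLOCK, "2.0": BlocklistState.OK },
  "Other Plugin": { "0.9": BlocklistState.HARDBLOCK },
};

// Unknown plugins or versions are treated as not blocklisted.
function lookupBlocklist(blocklist, name, version) {
  const versions = blocklist[name] || {};
  return versions[version] || BlocklistState.OK;
}

// Decide what happens when a page on `origin` embeds `plugin`.
//   prefs.clickToPlayAll models the about:config pref "plugins.click_to_play".
//   whitelist is a Set of origins for which the user chose
//   "Always activate plugins for this site".
// Returns "blocked", "autorun" or "click-to-play".
function decidePluginAction({ plugin, origin, blocklist, prefs, whitelist }) {
  const state = lookupBlocklist(blocklist, plugin.name, plugin.version);
  if (state === BlocklistState.HARDBLOCK) {
    return "blocked"; // never runs; the whitelist cannot override a hard block
  }
  const needsClick = state === BlocklistState.SOFTBLOCK || prefs.clickToPlayAll;
  if (!needsClick) {
    return "autorun"; // up-to-date plugin with the default prefs: runs as before
  }
  // Click-to-play: only a user decision lets the plugin run. A whitelisted site
  // is a standing decision; anywhere else the user has to click the plugin,
  // which is exactly the drive-by case the feature is meant to stop.
  return whitelist.has(origin) ? "autorun" : "click-to-play";
}

module.exports = { BlocklistState, sampleBlocklist, lookupBlocklist, decidePluginAction };
```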

This feature is currently in Firefox Beta, so grab a copy. For more information about the specific plugins we’re starting with, visit the add-ons blog. There is also more information in a few bugs.

14 responses

  1. Dimas wrote on :

    Is there a way to deactivate this feature? In a corporate environment we don’t want users to be able to disable plugins. Thx.

  2. gewb wrote on :

    Stated “This feature is enabled by default” – how can this feature be:

    a) Totally, forever disabled
    b) Totally, forever removed

    Regards,
    GEWB

  3. Bah wrote on :

    This is dumb, outdated plugins should be completely blocked, with an “Update plugin” button shown that automatically updates them.

    With this idiotic interface, most users will just click “allow” and there’s no added security whatsoever.

    Also, please only allow the Flash plugin by default, and require explicit action to enable others, since web pages requiring non-Flash plugins are extremely rare.

    1. Gianni wrote on :

      I agree that vulnerable plugins should be blocked but there are people who can’t update all of them (commercial software) and would rather have the choice to still enable them when necessary. I also agree that if there was a button to update the plug-in it would be awesome but it’s not that easy because sometimes the plug-ins come with the whole software package and commercial software often requires buying the new version.

      Like I have written in another post below, if we had just a simple, little option that (like you also want) disables the vulnerable plugins entirely until they are updated, it would be a perfect compromise until a better plugin-update system comes along: I can’t keep count of how many computers I had to fix because of drive-in malware installs caused by old plugins, and I’m 100% absolutely sure that the prompt would still be ignored by a great part of the users, already accustomed to all the Windows security warnings. Please, Mozilla devs, add that option for us poor sysadmins, victims of users’ laziness :(

  4. Matt wrote on :

    Seems useful, especially in light of the prevalence of addons like Flashblock.

    Is there any way to interact with this via the plugin architecture? Would it be possible to allow plugins to register a callback which can enable or disable plugins? A few use cases pop to mind. First, implementing a filter that enables or disables a plugin on a per-site or per-domain basis (à la FlashBlock). Another is allowing the user to decide which plugins he would request be “Click to Play”.

    I can speak from my own experience that browsing with FlashBlock enabled is noticeably faster, and decreases the number of ads or popups I see. It would be nice to have this same ability regardless of the plugin.

  5. dup wrote on :

    Sounds good.
    I think it would be better with a changeable setting in the full-GUI preferences manager to turn this off, though, so nobody feels forced into it. Open source is about choice, and one choice users can make is to be insecure for the sake of convenience.

  6. Gianni wrote on :

    I’ll re-post my comment from the Addons blog since this is a more appropriate place because it discusses the feature directly:

    “Could we please have an option, even if just hidden in the about:config page, to block the vulnerable plugins without the prompting (with a message like “You must update this plugin before being able to view this content”)? With that option we would be able to set up Firefox to be completely safe against third-party plugin exploits when we set it up for non-tech-savvy users that would just ignore the prompts rather than completing the updates first. I already stop downloads for those users (with publicfox) but drive-by malware installs have become the bane of my existence, and turning all plugins off is way too excessive to solve the problem.”

  7. Quang Đức wrote on :

    I like it. I require an options feature for users to disable any plugin they have on my Firefox.

  8. Alexey Trunev wrote on :

    It would be great to have an opportunity to assign per-site permissions to run plugins. At least via about:config.
    For example: I know that I have an outdated plugin, but I permit it to run only on trusted sites on my Intranet.

  9. Guest wrote on :

    Hi,

    While this feature is cool for Firefox, NoScript users have had a Click-to-Play feature and almost the same blocklist style for ages now, and it comes embedded with more cool (and advanced) features like ABE and the Anti Reflected XSS Protection.
    So if you want to have a test-drive of how it may work with the current stable Firefox, just install NoScript and have a good secure (fap =P) time.

    Best Regards
    PS: I know that the protection from outdated scripts is not available in NoScript; that’s a pretty cool feature, but everything less than that is already available with NoScript.

  10. Why wrote on :

    Why would you use such an outdated version of Java? Are you crazy? I mean, it’s Java, it has enough security holes when it is up to date, why would you let it get outdated?

  11. Why wrote on :

    And also please see
    https://blog.mozilla.org/security/2012/04/06/why-an-outdated-java-plugin-is-so-serious/

  12. Gianni wrote on :

    Maybe you should consider hiring somebody to write a small extension to allow Java only on websites you approve and maybe block other dangerous behaviors like downloading executables or archives containing them. If you keep an outdated Java plugin enabled like that with no restrictions, it just means exposing all your users to malware.

  13. Education IT wrote on :

    That would be very nice; we do have heavy filtering on acceptable websites. But things like Facebook and others are not on that list, so things do get in.

    Thank you for the suggestion. As just a help desk tech, I can’t force anything, but I can make the suggestion to those who can look into it.