Now I’m as much of an advocate for personal choice and control as the next person, but I think that Mozilla taking a “Not on my watch” attitude/approach is totally acceptable. I’d rather a few users be pissed off than false statements being spread like “My identity was stolen thanks to Firefox”, or, “My system was hacked and taken over because I used Firefox”.

First and foremost though, and like Mike said, awareness should be the first step.
How often do users even bother to view the Plugins pane in the Add-ons Manager anyway?
If there is a vulnerable plugin, there should be a clear and strong alert that requires user interaction to close/disable the alert or to get info on what to do about it.
In the Plugins pane, stronger visualizations should be used too.
The green check mark is cool, but there should be icons and colors used for Vulnerable plugins too (like a red triangle with an exclamation mark), and they would be more noticeable and add more of a sense of urgency if they were under the Plugin’s title.

I think that users identify needed or required actions with icons more than they do button colors, but both wouldn’t be a bad idea.

In any event, thanks to Mozilla for looking out for us all.

For example, if there is a vulnerability in the version of QuickTime the user is running, instead of just blocking it, we could 1) inform about the vulnerability and what this means, and 2) allow the user to choose if he/she wants to remain vulnerable or disable the current plugin. In other words, put the user in control, but nudge him/her to do the right thing.

Of course, whenever possible, we should just upgrade the plugin, but the above example assumes there’s no secure version out yet.

Thanks for a very well-written blog post!

I’m sure all these other projects are great (I must admit I haven’t read the details yet), but I don’t see any of them addressing this issue, in the event that a plugin is blocklisted (which you acknowledge will continue to happen).

With the Java blocklisting, I don’t think the problem was that the information about what to do did not exist, the problem was that Firefox UI links to a blocklist page with no context, which in turn sends people directly into bugzilla.

It may be that you just didn’t mention it, but it would seem that simple changes to the current UI (or even just changes to the web page it currently points to) could make a huge improvement to the experience.

(Also, I’m getting a 403 error on the Plugin update service link)