Putting Users in Control of Plugins

mcoates

33

Mozilla is changing the way Firefox loads third party plugins such as Flash, Java and Silverlight. This change will help increase Firefox performance and stability, and provide significant security benefits, while at the same time providing more control over plugins to our users.

Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play or the user has previously configured Click To Play to always run plugins on the particular website.

ctp-in-action

More User Control
Users should have the choice of what software and plugins run on their machine. Click to Play allows users to easily choose if they wish to run a plugin on a particular site. Users can also configure sites to never run plugins or conversely always run plugins. This change puts the user in control.

Increased Performance & Stability
Poorly designed third party plugins are the number one cause of crashes in Firefox and can severely degrade a user’s experience on the Web. This is often seen in pauses while plugins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox. By only activating plugins that the user desires to load, we’re helping eliminate pauses, crashes and other consequences of unwanted plugins.

Significant Security Benefits
One of the most common exploitation vectors against users is drive by exploitation of vulnerable plugins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plugin exploit kit. We’ve observed plugin exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations the website doesn’t have any legitimate use of the plugin other than exploiting the user’s vulnerable plugin to install malware on the their machine. The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website.

In addition to the security benefits provided by Click to Play Mozilla also strongly recommends that users keep their plugins up to date. The following website can be used to determine if plugins are current.
https://www.mozilla.org/plugincheck/

Implementing this change
Our plan is to enable Click to Play for all versions of all plugins except the current version of Flash. Click to Play has already been enabled for many plugins that pose significant security or stability risks to our users. This includes vulnerable and outdated versions of Silverlight, Adobe Reader, and Java.

More specifically, our next steps are the following:
1. Click to Play old versions of Flash (versions <=10.2.*) and slowly add more recent insecure Flash versions to the Click to Play list. Note: The most current version of Flash will NOT have Click To Play.

After we complete final UI work:
2. Click to Play current versions of Silverlight, Java, and Acrobat Reader and all versions of all other Plugins.

During this change we will monitor the results and feedback of the new settings and UI to ensure we’re providing a quality experience and delivering the many benefits of Click to Play to Firefox users.

 

Michael Coates
Director of Security Assurance

33 responses

  1. PlugIn McAddOn. wrote on :

    Whenever you blog about plug-in security, you should add an explanation of the differences between plug-ins and add-ons.

  2. philipp wrote on :

    will the doorhanger notification panel shown expanded by default on pages with click-to-play content (which i’d find annoying) or only on demand when you click on the icon next to the address-bar?

    1. Curtisk wrote on ::

      The doorhanger only shows when you click on the icon in the address bar.

      1. Daniel Veditz wrote on :

        Or when there’s a non-visible plugin (like Pandora).

  3. Asbjørn wrote on :

    Please add the ability to whitelist only certain plugins for a site. In particular, I need to have Java installed for using our national digital id in Denmark (NemID), but I only want Java activated on those specific sites that use it and not sites, where I want some other plugin to run (i.e. Flash, which I prefer to have click-to-play as well).

    1. Daniel Veditz wrote on :

      Allow-for-site-by-type is a feature we do very much want to have: Vimeo needs flash, not Java; your bank may need Java but not Flash. I don’t have an expected release for that yet, though.

    2. Use NoScript wrote on :

      The NoScript extension can be used to whitelist/blacklist java on a per-domain basis.

  4. Felix wrote on :

    seems i have stick with flashblock ..
    though totally overdue
    cant wait to see it happen :)

    1. John Schoenick wrote on :

      A user-selectable “Click to play all plugins” option is in the works as well

    2. a wrote on :

      about:config
      look for click_to_play, switch to true.

      works on firefox release and for flash as well. awesome.

  5. webuser wrote on :

    if you further choose to include flashblock and firegestures functionality it actually comes close to what a extensible, open-source version of opera from 2k3 should have been.

    progress

  6. Xan Charbonnet wrote on :

    What version of Firefox will be the first to include this new behavior? Can it be disabled in about:config via the plugins.click_to_play option?

    1. Dimas wrote on ::

      I will need to disable this feature in our enterprise too. I hope we can do it with an about:config preference.

  7. LOGAN wrote on :

    Ah, well maybe it’s more secure, but the biggest problem is that third party software can deploy plugins in the first place. I can’t count how often I have to go into manage plugins just to be sure no software has added ‘something’, and if so, have to disable manually. This is I feel part of the security problem and really hope you will prompt the user or have a disable all plugins by default having to activate a plugin instead. Please!

    1. Danny Moules wrote on :

      Unfortunately even if Firefox tries to stop third-parties deploying extensions by one method, they can just manually take control of the user’s desktop and install the add-on via another mechanism. When you install third-party software it generally requests lots of control over your machine, more than enough to bypass any protections Firefox can put in place. If you don’t want such third-party applications to have such access to your system then the only option is to not install them in the first place.

  8. Anonymous-783 wrote on :

    Putting users in control of plugins does imho not add any security at all – it needs educated, sometimes experienced users to decide whether a plugin is allowed to run or not on a specific site…

  9. Chris wrote on :

    Mozilla,… you’re such security hypocrites.

    While you let security holes open for years (insecure TLS renegotiation is per default still not considered a failure) and while it takes long to drop untrustworth CAs (or you don’t drop them at all)… you claim here to add something for security.

    But actually most plug-ins, are usually installed by the distro and are therefore secure anyway.
    An the only really totally broken and crappy plugin (Flash) is exempted….

    WTF….

  10. Anonym wrote on :

    I don’t get it why there’s a exception for flash. That’s the only plug-in that uses too much CPU and crashes my browser regularly. If Flash is excluded, this feature is useless.

  11. Kyle wrote on :

    Mozilla should provide its commitment to users by allowing them to disable this “feature.” Pro users do not need this.

  12. TomH wrote on :

    So if I receive the notification “This plugin has security vulnerabilities” with no option to update, does that mean it in fact has vulnerabilities or that I’m receiving a general statement regardless?

    1. Georg Fritzsche wrote on :

      Yes, in that case it really is vulnerable, it’s a message for that specific case.

  13. NotAmused wrote on :

    Please tell me this click_to_play can be completely disabled in about:config. The PDF thing is going to be a nightmare for clients of mine who have researchers going to different university, research center and journal sites (repositories) for papers and articles.

    Yeah, a user can disable the check for certain sites, but when you have hundreds of such repositories…you get the picture.

  14. Michael Kaply wrote on ::

    Without some sort of whitelisting, this will completely break enterprise deployments.

    You will end up with enterprises turning off blocklisting completely.

    Please don’t do this on the Firefox 17 ESR.

  15. Macromedia wrote on :

    Silverlight is not a problem! Flash is. Flash should be added and Sliverlight excluded.

  16. tim ashman wrote on :

    Please allow this to be completely disabled. I’m tired of mozilla treating me like child. If you insist on doing this I will be finding a new browser and changing my corporate policy for the default browser. Dont do this

    tim

  17. Richie Hindle wrote on :

    (You’re not going to like this request.)

    Please publish information about how to programmatically defeat this feature via the installer of a third-party plugin. When our users install our software, it includes a Firefox plugin, and they expect that plugin to work – after all, they just installed it. They don’t want their browsers putting more and more barriers in the way of the software that they just chose to install.

    Presumably Firefox keeps a record of those plugins that the user has chosen to enable – how can I make our installer preemptively add our plugin to that record?

  18. Richie Hindle wrote on :

    Where is the developer documentation for Click To Play? There’s a load of questions I have about this:

    How can I find out from JavaScript whether click to play has disallowed our plugin?
    How can I find out from within my installer whether click to play is enabled?
    How can I find out from my installer whether click to play will disallow our plugin?
    How can I find out from JavaScript whether click to play is currently prompting for our plugin?

    (I’ve searched MDN but not found anything.)

    1. Georg Fritzsche wrote on :

      That information is not exposed. Instead you could regularly poll for your plugin being scriptable or have your plugin call into the page when it’s loaded – until this succeeds your plugin was probably blocked or failed to load and you could show a message accordingly. Check e.g. out how Soundcloud handles this.

      1. Richie Hindle wrote on :

        @Georg: Thanks for the info and advice – will do.

  19. Martin Husemann wrote on :

    If anything needs blocking by default, it is Flash – maybe then stupid web designers will get a clue.
    It is great to see that at least all the other plugins are equal.

    How long will it take untill the first plugin installation procedures (not using .xpi) will automatically “fix” your firefox configuration for you to always play the freshly installed plugin on all sites?

  20. Anony123456 wrote on :

    I did not ask for click-to-play or to break the web with this enabled by default. I will say this if you don’t give us a way to fully disable this I will be uninstalling firefox. I do not like any application blocking previous versions under some sort of security garbage that you must click to play first.

    As the owner of my PC my choice will be to never use firefox again!

    Just like M$ wanting to charge a fee monthly for the windows blue OS and office its my choice to find better alternatives.

  21. Axis wrote on :

    I am, personally, glad for you opting to “click-to-play” for security issues with plugins. This gives users a choice that should be a users.
    Thank you!

  22. Neyland wrote on :

    Enterprise use for FF on OSX. I need to be able to use my Office plugins (Sharepoint, Lync) and Silverlight on all of our domain’s intranet web sites.

    It seems rather pointless from a security standpoint to turn off plugins, but globally allow flash… it’s the largest threat vector for drive by downloads on Windows systems we see.