Firefox has a blocklist service that protects users from malicious or faulty plugins and extensions. We’ve used it sparingly in the past, but with the success and popularity of Firefox we’re now seeing more activity on the blocklist than ever before.
Why Blocklisting is Hard
The most difficult part of the blocklist service has been deciding when to actually use it. Our policy outlines some general guidelines, but it’s not so simple when millions of users are involved, because you also have to consider how you could potentially affect user experience. We have to weigh security and stability against user happiness.
In the past, being proactive with the service has been tough. Take, for example, the time we blocklisted a plugin and add-on as requested by Microsoft. Another example would be the blocking of a relatively hidden Java plugin or ancient versions of QuickTime.
In most cases we prevented an expected user interaction from being used. Whether it’s Flash on YouTube, QuickTime for movie previews or Java for applets — when users can’t do what they want to do, it’s a really negative experience. We don’t want to prevent users from doing what they want to do on the web. On the other hand, we don’t want users to be vulnerable to exploits caused by outdated plugins.
So while we were upset to know that what we did ruined the browsing experience for some people, we also knew that what we were trying to do was right and helped considerably more people than it hurt. I am proud of this — at least the idea that we are willing to do something unpopular because it’s the right thing to do. I do believe, however, that we can manage to keep users safe and happy simultaneously.
Keep people safe and happy? What a wonderful challenge.
Things We’ve Learned
Working on the blocklist, we’ve learned:
- Many people are not aware of which plugins they have installed on their system.
- People don’t like having their software disabled.
- For many users, it wasn’t clear what to do once their plugin or add-on was blocklisted.
- Out-of-date plugins can be a real and serious threat to user experience and security.
- Plugins are indeed an integral part of our everyday web experience.
What Can We Do About It?
The threat plugins pose to users will not go away, and we will continue to fight to keep users safe. We can fight smarter, though. The blocklist service will always be here, and we’ll use it when we need to. But increasing awareness about plugins and how to keep them up to date is a much more positive and proactive approach.
A few projects cover this initiative:
- Plugin Check is a cross-browser, web-based tool that any web user can use to check their plugins against our plugin database. This helps users know which plugins they have installed and how to keep them up to date.
- Plugin Directory is an online interface for our plugin database that will be used as a portal for vendors and users to keep plugin data up to date. It’s currently in staging and about ready to launch.
- The Plugin Update Service is a Firefox project which adds plugins to the add-ons manager. Having an integrated experience consistent with add-on updates will make plugin updating easier for everyone.
- Out of Process Plugins (electrolysis) reduces the impact plugins have on the stability of Firefox. When your plugin crashes, Firefox won’t crash with it.
With these projects, I am confident we will offer a better experience for users, keeping the web happy and safe at the same time.
Get Involved
If you’d like to know more and get involved, we’d love to hear from you:
- Read about how the blocklist works.
- Read about PFS2 and how this all started.
- See what’s in store for Firefox 4.
- Join us in IRC! We’re all in #webdev.