CtP discoverability issues proposal

Richard Bateman richard at batemansr.us
Thu Sep 5 20:10:03 UTC 2013


I’d accept that argument a lot more readily if you weren’t planning to whitelist flash for the foreseeable future.  Actually, though, my point is not that the plugins may not have security vulnerabilities — I totally get that this is a problem.  Partially I misread his statement as saying that most of the plugins were actually intentionally malicious.  Still, the reason that Flash and Java are so commonly exploited seems pretty clear — they are plugins that allow the execution of (relatively) arbitrary code.  Most other plugins don’t do that.  I could see that as an excellent reason to block flash and/or java when it’s hidden; I’m not sure why we’re punishing every other hidden plugin, however.  The security and stability issues of most plugins isn’t anywhere near as complex as it would be for flash, silverlight, or java — and more to the point, those issues are going to be every bit as big of a deal for a visible plugin as an invisible one, so I’m not sure how making hidden plugins more vulnerable is going to make a huge difference beyond convincing those using it to create a simple facade to make it look more legit.

And back to the real point, I understand the reasons for click to play — and even agree with them for the most part!  My argument comes from the fact that there are a great many (I’ll refrain from guessing how many) people that under the current plan will end up on a website that *does not work correctly* with *no idea why that is*.  The reason for this is that you don’t want to accidentally annoy people when they visit a website with a compromised ad network?

I’m having trouble with that one.

As I mentioned in another email I am collecting information to help you all understand just how often this will really be a problem; I don’t think you actually realize the scope of the problem.  I also reiterate my suggestion that you could at least restrict the automatic blacklisting to plugins that are unsigned or are known to cause a problem, like other browsers have done (I’ve seen both Chrome and Safari block Java in some cases; it didn’t bother me a bit).

Richard

On Sep 5, 2013, at 13:59 , Justin Dolske <dolske at mozilla.com> wrote:

> On 9/5/13 9:50 AM, Richard Bateman wrote:
> 
>> [...]How many such individual plugins are there that
>> are malicious? How do they normally get installed?  I can understand a
>> concern about plugins with security vulnerabilities, but I have never
>> even heard of a widespread plugin that was actually an attack.
> 
> Are we talking about the same "plugins"? Flash and Java have been huge attack vectors over the years, and continue to be despite signifigant efforts to address their exploitability. I expect other plugins to have just as many security and stability issues -- the web is a wild and difficult place to expose code.
> 
> This is pretty broadly agreed upon, so I think the burden would be on others to show why that's _not_ true.
> 
> Justin
> 
> _______________________________________________
> firefox-dev mailing list
> firefox-dev at mozilla.org
> https://mail.mozilla.org/listinfo/firefox-dev




More information about the firefox-dev mailing list