Click to play, the next big problem for many smaller companies

Richard Bateman richard at batemansr.us
Wed Sep 11 22:42:25 UTC 2013


On Sep 11, 2013, at 10:08, Benjamin Smedberg <benjamin at smedbergs.us> wrote:

> On 9/9/2013 5:04 PM, Richard Bateman wrote:
>> 
>> 
>> Verifying authorship does give you some ability to assign accountability for a plugin.  I guess I'm still trying to understand exactly what the problem you are trying to solve is; it started out feeling like you were trying to protect against intentionally malicious plugins,
> No, not particularly. If we know of an *intentionally* malicious plugin, we would hardblock it. But since plugins are installed binary software, they could basically already do anything they wanted.

You can also flag a plugin that is known to have vulnerabilities. I realize that this doesn’t *solve* the problem, but it may help make your issue less critical.  It’s just a thought.

>> but the more we discuss it sounds like you're actually worried about poorly written plugins / plugins with security vulnerabilities.
> 
> Yes, partly. We are trying to protect users against being exploited via insecure plugins. We are *also* trying to provide users with an informed choice about whether to use 3rd-party software. With addons, we present that choice at install time; but since plugins can be installed on the system by third parties.

What if you just ask them about it the first time the browser detects a new plugin is installed? You could show all of the known information and a big “IF YOU DIDN’T INSTALL THIS, DON’T ENABLE IT!” message or something. If it’s the first time the browser is launched (or if the plugin just appeared) then the user should have some context because in most cases it just happened.  Safari does something similar to this and it has never bothered me (though I realize I’m not a typical user).

>> There seems to be a misperception that hidden plugins are uncommon
> There may be many plugins that exist which are used hidden, but that doesn't mean that many users have or need them, or that we need to design for that case. We need to balance the needs of most users against the small set of users who may actually be using these plugins. Getting accurate numbers on this is hard, but what little data we do have says that there can't be more than about 2% of users in the entire world who have anything but the top 5 plugins:
> 
> * Flash
> * Shockwave
> * Java
> * Silverlight
> * Quicktime

I realize that you’re talking about a global scale, but just because only 2% of the users in the world don’t have anything but those plugins doesn’t mean that those 2% aren’t important.  Look at it another way: what percentage of users are ever hit by a security vulnerability in something *other* than those top 5 plugins? I would guess that even of those 2% the number is very very small.  In this case, you are making a bad user experience for those 2% just to make things less dangerous for a very very small percentage of that small percentage.  That doesn’t sound like it makes sense to me.

It sounds like your security problems are coming (on a percentage basis) mostly from those 5 plugins as well.  If that’s the case, you should be warning more about those 5 and less about other less well known ones because the less well known ones are actually more likely to be important.  Wouldn’t it be safe to say that if only 2% have other plugins installed that those 2% probably are much more likely to be plugins that *are* critical to the use of the website, just like all of the people in the thread I linked you to (did you go and read it?).

I think you can solve 90% of the cases you are concerned about just by adding warnings to those 5 plugins; I think that in 90% of the cases where it is a different plugin than those 5, the user actually *wants* the plugin and installed it by default. Even 2% of a number as big as [# of users using Firefox] is a really big number of people that you are going to be causing problems for.

> In particular locales that number may be skewed: there are countries that have high-profile banks or government institutions which use plugins for auth/key exchange. But I surveyed those major sites back in February, and at that time all of them used visible plugin instances.

Go back and look at the Russian website mentioned in the email thread; it’s the one that all Russian citizens use to pay their utilities, and if the plugin is installed it uses it hidden.  In fact, I’m a little shocked that you have found any that were visible; if you have any of the links and want to send me a personal email, I’d be curious from a professional perspective to see what they are doing, because I can’t think of a reason why I’d possibly want something like that visible.

Richard


More information about the firefox-dev mailing list