Friday, July 20, 2012

"Click to Play" arrives in Firefox

Popular browser plugins like Flash and Adobe Reader are part of the typical web browser, with an installation base of 90+% on corporate computers (see the State of the Web report). However, they can also represent big security holes. The Blackhole exploit kit, for example, has long contained code to exploit vulnerabilities in Flash, Java and Adobe Reader. While few people may actually need a Java plugin, Flash is still required on many websites and a PDF reader in the browser is quite convenient.

Click to Play

Browser vendors have been looking for ways to secure browser plugins. One way to achieve this involves sandboxing the plugins, i.e. running plugins in a more restricted environment than the browser, with fewer rights. Unfortunately, many exploits have demonstrated that it is all too often possible to break out of the sandbox.

Another idea involves disabling plugins by default and enabling them only when they are actually required by the user. "Click to Play" means that users must take action to enable a plugin by clicking on the area of the page that is handled by a plugin, like a Flash animation.

The vast majority of exploits, including Blackhole, use invisible elements to run the malicious code: an invisible applet, invisible Flash animation, etc. Since Click to Play requires the user to actually notice elements on he page that require a plugin in order to activate it, these exploits would not run.

Click to Play in Firefox - 2 clicks are required to enable the 2 Flash animations

Some inconveniences

Click to Play seems like a great security improvement. Unfortunately, there are legitimate cases when a plugin might be required to run without having to display anything. For example, Flash is commonly used to copy text to the clipboard (a shortened URL, for example).

There are also JavaScript frameworks that use invisible Flash or Java applets to get access to the webcam or microphone (this is not possible through JavaScript only).

There also UX challenges when asking users to click YouTube videos over and over, for example, or to ensure that users understand why they may not want to enable all plugins by default, etc.

Today, only two major web browsers support Click to Play - Chrome and Firefox, but this feature is disabled by default in both browsers.

Chrome

Click to Play was introduced as an option in Google Chrome in March 2011 with Chrome 10. Because it is disabled by default and Chrome rarely requires users to navigate through the settings to enable it, most users are likely not aware of this security feature.

In the latest versions of Chrome, Click to Play is well hidden! To enable it one must go to the Wrench Icon - Settings - Show advanced settings - Content settings...then scroll down to Plug-ins and select "Click to Play". That's five clicks to access the option. This is definitely restricted to power users! If you do not know what "Click to Play" means, you are out of luck because there is no mouse-over or popup to show more information.

Click to Play option in Chrome 20

While the screenshot of Chrome 10 showed placeholders explaining that users had to click to enable the plugin, the current placeholder are quite obscure, with no information about what they are.

Click to Play placeholders - What should I do?

It looks like the Click to Play feature is pretty much dead in Chrome, restricted only to power users. Not much has happened since it was released over a year ago.


Firefox 14

Finally, a year after Chrome, Click to Play is making it first appearance in Firefox 14. Like Chrome, it is disabled by default, and restricted to power users. There is no UI option to enable the feature. You have to go to about:config, search for click_to_play, and change the option to true.

Enable Click to Play in Firefox 14

Firefox's placeholders are better than Chrome's, as they clearly state "Click here to activate plugin". I wish however that they would indicate which plugin is going to be activated (Flash versus Java, for example).

Click to Play placeholders in Firefox

I'm afraid that the current implementation does not play well with Flash embedded in an IFRAME. On  a website that embeds a YouTube video, I get a black box, with no option to enable Flash to see the video.

To Mozilla's credit, this is just the first iteration of Click to Play. Full support for Click to Play is scheduled for Firefox 16. Looking at their website, they seem to have a good plan to tackle the UX issues.


I hope Mozilla and Google are working on making Click to Play the default setting. This would result in a big improvement in securing users online. Right now, only a few users are aware of it and even fewer benefit from the added security.

4 comments:

Jon Daley said...

i've used flashblock for years, and i don't have an automatic pdf opener thing. i might be vulnerable to a java exploit, though every java program i've purposely used has a couple dialogs to click on.

so, i guess i'm missing the point of click to play.

Julien Sobrier said...

@Jon Daley - Instead of having each user install flashblock, javablock, pdfblock, etc., plugins would be disabled by default. This would make the default installation of Firefox much more secure.

Anonymous said...

Flashblock can be circumvented, it was never secure, only convenient (source: Flashblock website/authors).

It's a good day that the browser vendors are very very slowly finally starting to care about security. Since clearly Adobe doesn't care, and Oracle cares a little but fails a lot.

Anonymous said...

I am in the process of trying to disable this blasted "click to play" design error for my users; they are confused and annoyed by it. Security is highly overrated: give me ease-of-use any day. Period.