One piece of news that’s been making the rounds on security news sites lately is Mozilla’s decision to go “opt-in” with the Adobe Flash plugin, instead of leaving it on by default like it currently is. Right now, when someone installs any browser, they also get Flash built in, and when they go to a website that requires Flash, the plugin gets loaded right away. Instead, according to a new proposal by Mozilla to be implemented in a future version this year, they will change that model to be “opt-in”. When a user visits a website that requires Flash, instead of an automatically-loading plugin, an image or message will appear requiring the user choose whether or not to activate the content by loading the plugin. Because Flash is one of the more popular plugins out there and gets attacked regularly, this will help to prevent malicious sites from loading a hidden SWF file, and infect an unpatched browser. This is the first time a browser maker has decided to go this route with Flash, but is it worth it? Are users going to find this useful or annoying? And more importantly, is it really a useful security measure — something other developers should look at?
There are many ways to implement such a feature, and on the surface it sounds like a good idea, not just for security but for speed as well. Any time a user goes to a website containing content that requires a plugin, or worse several plugins, this slows down the loading time considerably. By asking the user has to specify whether they want to play that content makes the page load faster, and then they get to decide if they want to wait the extra second or two for the plugin to load. Of course, the negative side is that it can be annoying to many users. Extra clicks to get to content may become a nuisance. Users of extensions like NoScript and AdBlock already know what it’s like. They have been able to disable Flash in a very similar fashion for years now. But users that have these extensions also tend to be the more sophisticated ones, and they probably aren’t the targets of this new feature. Instead, it’s the less savvy users who may fall for fake Flash pages.
It’s not clear yet how the final version of this particular Firefox feature will operate, or how users will react. But if it turns out well, this may be a first of many. This could become the default for all plugins. After all, with HTML5, pages can be created with advanced multimedia and dynamic functions without having to use any plugin, so websites don’t need so many plugins. So if it proves to be a good security benefit, a speed increase, and something users can live with, it might be that we see other browsers doing the same in the future, and even other application developers.
Do you think the majority of browser users will embrace the trend toward opting in? Will it have any real effect on the amount of malware that gets downloaded?