Security vs. convenience: Will users embrace the opt-in?

Takeaway: Patrick Lambert looks at Mozilla’s recent decision to make Flash and other plugins an opt-in feature for users instead of a default. Will users regard it as a nuisance or a safeguard?

One piece of news that’s been making the rounds on security news sites lately is Mozilla’s decision to go “opt-in” with the Adobe Flash plugin, instead of leaving it on by default like it currently is. Right now, when someone installs any browser, they also get Flash built in, and when they go to a website that requires Flash, the plugin gets loaded right away. Instead, according to a new proposal by Mozilla to be implemented in a future version this year, they will change that model to be “opt-in”. When a user visits a website that requires Flash, instead of an automatically-loading plugin, an image or message will appear requiring the user choose whether or not to activate the content by loading the plugin. Because Flash is one of the more popular plugins out there and gets attacked regularly, this will help to prevent malicious sites from loading a hidden SWF file, and infect an unpatched browser. This is the first time a browser maker has decided to go this route with Flash, but is it worth it? Are users going to find this useful or annoying? And more importantly, is it really a useful security measure — something other developers should look at?

There are many ways to implement such a feature, and on the surface it sounds like a good idea, not just for security but for speed as well. Any time a user goes to a website containing content that requires a plugin, or worse several plugins, this slows down the loading time considerably. By asking the user has to specify whether they want to play that content makes the page load faster, and then they get to decide if they want to wait the extra second or two for the plugin to load. Of course, the negative side is that it can be annoying to many users. Extra clicks to get to content may become a nuisance. Users of extensions like NoScript and AdBlock already know what it’s like. They have been able to disable Flash in a very similar fashion for years now. But users that have these extensions also tend to be the more sophisticated ones, and they probably aren’t the targets of this new feature. Instead, it’s the less savvy users who may fall for fake Flash pages.

Whether or not a feature is going to be annoying depends on its implementation. We’ve seen how many people complained about Windows Vista’s user access control, yet with Windows 7, Microsoft refined the feature to be much less of a pain. Here, having a nasty error message on every page that includes a Flash file would not be very elegant. Instead, the best way might be to have a simple bar at the top of the page, something users are used to, where they can click on the Accept button. Then, the browser could remember the preference on a per-site basis. Still, is this really a good security measure? To answer that we only need to look at recent exploits, and how people typically get compromised. In the vast majority of cases, some type of injection is the culprit. Whether a site has an SQL vulnerability, and a remote script is loaded, or it’s a badly designed comment form which allows HTML to be added, the result is the same. People are sent to another site, usually through a frame, to load a JavaScript file. Then, payloads are sent to the browser trying to exploit recent bugs in Flash, Adobe Reader, the browser itself, and so on. So yes, in this case, if a hidden iframe is loaded on a compromised site, then that Flash exploit payload would never get loaded, since the user wouldn’t be clicking on it.

This prompts an interesting question. Is this a better way to build applications, in general? Take another online tool that millions of people use everyday: IM. Whether you use Microsoft Live Messenger, AIM, ICQ or any other, these applications no longer support just text. They allow people to send images, videos, links, music and much more. In fact, IM used to be a big target for hackers around 10 years ago. Every couple of months we would hear of a new virus that spread like wildfire through the IM clients, bot accounts sending corrupted images, or EXE files that would run automatically. Since then, these clients have been hardened to be almost foolproof. Now, if you send anything but text on the majority of these networks, a user action is required. Nothing loads by default, you need to opt in and click the Accept button to view the image, video or presentation. Many of them even blocks binaries entirely. Email has turned out pretty much the same way. The number of computers being infected when users ran Microsoft Outlook, and an email they received ran some JavaScript automatically, even just through the preview pane, was insane. Now, many email providers like Gmail won’t even show images from unknown senders until the user opts in.

It’s not clear yet how the final version of this particular Firefox feature will operate, or how users will react. But if it turns out well, this may be a first of many. This could become the default for all plugins. After all, with HTML5, pages can be created with advanced multimedia and dynamic functions without having to use any plugin, so websites don’t need so many plugins. So if it proves to be a good security benefit, a speed increase, and something users can live with, it might be that we see other browsers doing the same in the future, and even other application developers.

Do you think the majority of browser users will embrace the trend toward opting in? Will it have any real effect on the amount of malware that gets downloaded?

~ Patrick Lambert

Related Posts