Mozilla’s latest version of Firefox will ship with click-to-play enabled by default. The feature addresses vulnerable or outdated plugins: a plugin flagged as click-to-play is not loaded automatically, and you have to click on it to run it in your browser. Click-to-play is paired with Firefox’s blocklist, a list of add-ons and plugins that are disabled to keep users from harm, including vulnerable and outdated versions of popular plugins.

Whenever you are browsing a site that utilises a vulnerable or outdated plugin that has been included in the blocklist, you’ll see the click-to-play frame over the blocked content. If you think that the site is safe enough for you to run the plugin, simply click on the content to run it. Combining click-to-play with a blocklist enables you to choose whether vulnerable but useful plugins can be run on certain websites.

Image: Under attack...again! (Caption: Click-to-play will improve plugin security on Firefox.)

This is a useful feature that can be enabled in Chrome as well. For users on slow Internet connections or data limits, click-to-play is especially useful because Flash and other plugin content is loaded only when needed. It is also enabled by default in some smartphone browsers, including Opera, Chrome and Dolphin. Finally, click-to-play is a user-friendly way of telling you that an outdated or unsafe plugin is installed in your browser.

Apart from click-to-play, Mozilla is testing a new security mechanism in Firefox that will make the browser connect to a specified set of websites only over a secure connection with a valid certificate. Future releases of Firefox will contain a list of sites known to use HSTS (HTTP Strict Transport Security), a mechanism by which a server tells the browser that it must use a secure connection when communicating with it. Shipping this list in Firefox matters because a browser normally does not know that it should talk to a domain securely until the server has told it so; that leaves a window in which hackers or malicious code can prevent the browser from ever establishing a secure connection with the host. The HSTS list tells the browser to connect to the listed sites securely by default and to refuse insecure connections to them.

A post on the Mozilla Security Blog states, “We have added to Firefox a list of hosts that want HSTS enforced by default. When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security.”
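To make the first-visit gap described above concrete, here is a small added model of a browser’s HSTS state (example code written for this article, not Mozilla’s implementation): it parses Strict-Transport-Security headers, tracks learned hosts with expiry, and consults a constructed stand-in for the preload list, so a preloaded host refuses plain HTTP even on its very first visit while an unlisted host is only protected after it has been seen over HTTPS. The host names and preload entries are made up for the example.

```python
import time

# Constructed stand-in for the list Firefox ships (assumption: example hosts only); value = includeSubDomains flag.
PRELOAD = {"example-bank.test": True, "preloaded.test": False}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    None if max-age is missing or malformed, in which case the header is ignored."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Minimal model of browser HSTS state: preloaded hosts plus hosts learned from headers."""
    def __init__(self, preload=PRELOAD, now=time.time):
        self.preload = dict(preload)
        self.learned = {}  # host -> (expiry timestamp, include_subdomains)
        self.now = now  # injectable clock so expiry can be tested
    def record(self, host, header):
        """Apply an HSTS header received over HTTPS from host; False if it was ignored."""
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.learned.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.learned[host] = (self.now() + max_age, include_sub)
        return True
    def must_use_https(self, host):
        """True when plain HTTP must be refused: host, or a parent with includeSubDomains, is preloaded or learned and unexpired."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.preload and (i == 0 or self.preload[parent]):
                return True
            entry = self.learned.get(parent)
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False  # nothing known: a first visit over http:// would be allowed
```

The `False` result for an unlisted host on its first visit is exactly the window the preload list closes; once `record` has seen a valid header over HTTPS, the host is pinned until `max-age` expires or a `max-age=0` header clears it.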
