Firefox adopts default-deny policy for plugins

Discussion in 'other security issues & news' started by EncryptedBytes, May 5, 2012.

Thread Status:
Not open for further replies.
  1. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Good news for Firefox users:

    source

     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I tried that approach with some relatives, who use Google Chrome, but it didn't work out. For something like YouTube it's a no-brainer, but for some other websites with quite a bit of Flash content, it was a pain in the arse to figure out what they actually needed to allow, so they asked me to disable the click-to-play feature of Google Chrome. :(

    I wonder why they don't come up with something "smarter". For instance, allow plugins only if the request is coming from a first-party, but block if it's coming from a third-party. Considering that most exploits will simply redirect users to the malicious website hosting the exploit, from a hijacked legitimate website, mostly ads...

    Wouldn't it be a better approach? o_O A bit like what some extensions allow for referrers - allow it from first-party, but not to third-parties. Something like YouTube could be allowed by default, if it's embedded in some other website. Any harm?

    If the users do visit some website that requires the plugins, some of them either will freak out and think something is broken, or realize what it is about, but get annoyed by it and disable it altogether. I'm assuming it would be possible to disable it, just like in Google Chrome; which is off by default, actually.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I get doing this for Java, which isn't used that often and probably has more exploit sites than sites that use it genuinely. But... for all plugins? Users are going to get ~ Snipped as per TOS ~.

    And with the Flash sandbox coming to Firefox I don't see this as being necessary.
     
    Last edited by a moderator: May 5, 2012
  4. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I am sure it will easily be disabled, perhaps even a whitelist? Though I enjoy having an embedded option to nuke websites from orbit. :D
     
    Last edited by a moderator: May 5, 2012
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    And, just like NoScript in the hands of most folks, this will be like playing Minesweeper. "Gee, now which of these four or five grey boxes is a video/game/whatever, and which are ads? Gosh, I hope clicking this particular box doesn't get me pwned!". The problem with most of these ideas is that they sound utterly brilliant on paper, but put them to work in the hands of Joe Schmoe, and watch the face-palming commence. White-listing will, eventually, make everything okay... until you visit a new website of course. But, you have to play Minesweeper before you can "settle in".
     