Will Mozilla's plan to implement a feature that blocks the automated display of plug-in-based content improve Firefox security? Or will it increase the threat posed by rogue images that install malicious files? Separately, are there any telltale signs to identify a malicious click-to-play image?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Mozilla's click-to-play feature has the potential to improve desktop Firefox security just as much as its NoScript plug-in extension. If the browser plug-in check feature is enabled by default, users may be able to safely click on all images, but if users are forced to manage the feature on a site-by-site basis, they might enable it on all sites, resulting in a minimal net security improvement. Employing a shared blacklist or whitelist throughout the enterprise could make the feature more effective for end users who lack the technical knowledge to manage the capability themselves, but this strategy might duplicate website blacklists and whitelists that are already implemented. Suggested features include checking a plug-in to see if it is updated before playing content (or when the browser is started) and placing all of the plug-ins (or the entire browser) in individual sandboxes. These potential features could have minimal user visibility and improve Firefox security, but the negative impact on the browser's performance may be too significant.
Potential telltale signs of a malicious click-to-play image might apply to a video on YouTube, but it can be difficult for end users to distinguish a malicious ad or embedded content from legitimate content. Mozilla's development of a browser plug-in check could make end users more vulnerable to clicking on a malicious ad without knowing whether it is a legitimate ad or content on a website. The website could clearly differentiate ads from content, but users might still struggle to identify the ads. The image displayed by the click-to-play feature could provide details about the content's source and the source's reputation and ask for confirmation before playing the content. However, it should not simply ask the user to click if they want to play, as most end users will do so without giving any thought to the potential security risk.