
If your default browser still has the plugins enabled for Java, Acrobat and Flash you are asking for it.

In Chrome: go to chrome://plugins and disable all

Safari: Preferences, Security uncheck 'Enable Plugins'

Firefox: Tools > Addons > Plugins Tab > disable all

Don't use Flashblock or Javablock or similar extensions, they hide the applet, they don't stop execution.

You should always use a browser with all plugins disabled as your default browser. Run a second browser for trusted sites where you enter the URL in yourself.



True. But once those plugins go away, something else will become the new low hanging fruit. Personally, I wonder how well WebGL will hold up, given that 3d graphics drivers are absolutely not written with security in mind, and were never really intended to be hooked up to the web...


That is a good point. A bit like how people would switch to Macs to avoid viruses, but all they were really doing was moving to a place that wasn't being targeted yet.

I don't like the monolithic design of modern browsers - it is rendering engine, javascript interpreter, sandbox, audio, video, webgl, user management, local store etc. all in one big heap.

We will need features to let users swap parts out, highly customize them, apply advanced ACLs to each component (since the browser becomes the new OS) and disable them (chrome://flags)


Can you point out an example of a Mac virus?


There are many, but they don't get the publicity other malware gets. One example of Mac-malware would be SabPub: https://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X...


It wasn't self-propagating, but MacDefender scareware still claimed a lot of machines. http://en.wikipedia.org/wiki/Mac_Defender

Apple also has a poor record at security patching, which allows for more drive by downloads, especially through Java. Further reading: http://voices.washingtonpost.com/securityfix/2009/06/apple_p... http://krebsonsecurity.com/tag/mac/


Microsoft is refusing to support WebGL for security reasons. I can't make up my mind about whether to be annoyed or impressed.


As with many (but not all) things Microsoft do, when the thick layers of gelatinous hivemind diatribe are peeled away what's left are sound, conscientious engineering decisions made by an organization with a near pristine history of supporting end users and going to extraordinary lengths to preserve backwards compatibility.

As for instances where they have not preserved support and compatibility, Silverlight comes to mind, and they dumped that largely in favour of frameworks targeting HTML+JS.

(I'm not a Microsoft employee, just a user who appreciates the APIs I cut my teeth on 20 years ago remain applicable today)


> when the thick layers of gelatinous hivemind diatribe are peeled away what's left are sound, conscientious engineering decisions

Like waiting years to take security seriously? :P


That's covered by the "backwards compatibility" item.


It took them a while to even take patching security vulnerabilities in a timely manner seriously. I can understand that secure design (e.g. not running everything as admin) could fall under "backwards compatibility."


Yeah, I read that a few weeks ago, I can't remember the source. It will be really funny in the next year or two if the security experts encourage everyone to use IE to ensure a safe browsing experience.


You can be both! But I am usually more annoyed by rich content than the lack thereof. It grabs your CPU and memory and screams out to anyone in your vicinity, "Look what x is browsing!"


If I remember, there are some issues with passing untrusted shader code to the GPU

So it may be a legitimate concern (only blown out of proportion)


> I wonder how well WebGL will hold up, given that 3d graphics drivers are absolutely not written with security in mind

It doesn't seem to be holding up too well against normal use, never mind deliberate attempts to exploit it: it's not uncommon for WebGL demos to crash at least one browser/hardware combo. Example from the last WebGL submission I read a few days ago: http://news.ycombinator.com/item?id=5211211


Chrome has a "Click to Play" feature for all plug-ins which is way more handy than having a second browser or a bunch of extensions.

Go to chrome://chrome/settings/content and look under plug-ins. There is Run automatically (default), Click to play and Block all.


Firefox has one, too.

about:config, search for "plugins.click_to_play". Enable!


> Don't use Flashblock or Javablock or similar extensions, they hide the applet, they don't stop execution.

For Flashblock on Firefox, at least, this is incorrect. And if it were true, you would lose the main benefits of using Flashblock to begin with: better security, privacy, lower CPU and memory use. Which makes using such a plugin rather pointless, so I doubt any blocking plugin works this way.


> so I doubt any blocking plugin works this way.

That sounds like an assumption based on how you would implement it. Until Chrome implemented its native click to play, most of "click to play" plugins were targeted at advertising and simply blocked visual rendering and audio playback. It's not for lack of trying, the underlying framework for the plugin to stop execution simply didn't exist.


Firefox started blocking Java plugins in January '13. I wonder how long before other browsers follow suit.


This works only for outdated Java versions that are known to be vulnerable (they're blacklisted by Mozilla version-by-version).

If you happen to have the newest Java version which hasn't been publicly announced as exploitable, it will not be blocked unless you enable `plugins.click_to_play` in `about:config`.

Anyway, it's still a very good move from Mozilla's side to minimize the risks.


That's too bad, I was hoping they had made all Java plugins "click to play" or whitelist only.


Firefox also has the feature that will block Flash and the other plugins if an update has been released, which is also good

IMO all browsers should implement 'click to run' by default for all plugins on all sites


> Don't use Flashblock or Javablock or similar extensions, they hide the applet, they don't stop execution.

Wow, thanks. I was under the (false, obviously) impression that Flashblock effectively turned Flash objects into "click-to-run".


> they hide the applet, they don't stop execution.

The OP is wrong about this. At least for Safari/ClickToPlugin – I just verified it myself. After all, it'd be fairly pointless otherwise...


OP is also wrong about Flashblock on Firefox.


I should have clarified that I meant Chrome, my post was originally Chrome only and I added in Firefox and Safari with an edit

Chrome extensions are nothing more than loading a JS file onload


Yet Chrome has a "Click to Play" feature for all plug-ins which is way more handy than having a second browser or a bunch of extensions.

Go to chrome://chrome/settings/content and look under plug-ins. There is Run automatically (default), Click to play and Block all.


I am using that in my second browser, but I am not as confident in it as all that stands between the user and executing a plugin again is a clickjack

I'd rather have complete separation

Doing a proof-of-concept on a 'click to play' to run a plugin is something that I have been meaning to do


It's not that easy, I think Chrome has some good anti-clickjacking algorithm implemented. I remember once I couldn't enable a Flash video on one site because it had an overlay advert over part of it.

Moreover, you have to right-click and then click "Run this plugin" from the native Chrome menu. I doubt you can create any overlay over native browser's menu.


> Moreover, you have to right-click and then click "Run this plugin" from the native Chrome menu. I doubt you can create any overlay over native browser's menu

It must be different on Windows. I have it enabled on my Mac and it requires a single click to enable a plug-in.


Good to know. Indeed I am on Windows.


Interesting. Please post it on HN if you get a proof of concept.


Opera: go to opera:config#UserPrefs|EnableOnDemandPlugin

To enable all plugins on page, click the play/puzzle icon in the address bar. To permanently enable plugins on certain pages: right click -> Edit site preferences... -> Content.

I have this enabled both in Opera and in Chrome. Certain sites are permanently whitelisted. Much better browsing experience.


Also, to verify Java is not working, you can use this to test:

http://www.java.com/en/download/testjava.jsp



