Contact Points

• Michael Coates & Dan Veditz (security assurance)
• Alex Keybl (release engineering, monitoring enterprise feedback)
• David Keeler (security engineering)
• Justin Dolske & Jared Wein (Firefox frontend engineering)
• Benjamin Smedberg & Georg Fritzsche (stability/plugins Engineering)
• Matthew Grimes (user advocacy team)
• Mary Trombley (user research)
• Stephen Horlander (visual design)
• Larissa Co (user experience designer)

Communication

• Jan 29 - Mozilla Security Blog - Putting Users in Control of Plugins
• Jan 29 - CTP For Flash 10.2 and lower

Items Under Development

• Most of the bugs related to click-to-play can be found in this dependency tree.

User research study: testing the user reaction and experience when Flash is made click-to-play:

• Tracked bugs: CtPUR:+ in the whiteboard. This list triaged and maintained by bsmedberg.

Turning on click-to-play by default:

• Tracked bugs: CtPDefault:P in the whiteboard. This list triaged and maintained by bsmedberg.

Security Improvements for blocked plugins:

• Primarily this means making the UI non-clickjackable for known-insecure plugins, and is tracked in bug 832481.

Usability Improvements (for security-blocked and CtP-by-default plugins):

• will be refined based on data from the user research study. It is very likely that we will need to implement bug 834749 or something like it to make "always for this site a more prominent option (perhaps the most prominent option).
• The doorhanger itself may also need to be refined
• The behavior of the doorhanger/notifications when small/hidden plugins are present may need work. This especially impacts sites that use plugins to play audio or do special processing (file upload controls that use Flash can also be affected)

Feedback to Prioritize

https://etherpad.mozilla.org/CTP-feedback

Links

• Support Article on CTP
• Current plugin blocks
• Flash distribution

Flash Population Data

Daily statistics about the Flash versions used within Firefox are gathered via telemetry.

• [1/29] Blocking 0-10.2.*: ~2.8% of users will be CTP
• Blocking non-current 10.3.*: ~2.47%
• Blocking 11.0.*-11.2.*: ~6.9%
• Blocking 11.3.*-11.4.*: ~4.5%
• Blocking non-current 11.5.*: ~7.4%

Flash Uptake Data

• ~1/7 (.146 released) - 11.5.502.135 is 77.8% of our population
• ~1/14 - 11.5.502.146 is 68.9% of our population
• 1/28 - 11.5.502.146 is 75.9% of our population

So in 1 week, ~89% of users who are automatically updating get on the latest version. After 2 weeks, 97.5% of users are automatically updated.

Current proposal for blocking non-current versions of Flash:

• 2 weeks must pass since the latest release
• previous_minor_version_population/(previous_minor_version_population+current_minor_verison_population) must be less than 5%

Planned UX Changes

Several UX changes are planned to refine the CTP experience. A few notes:

• We won't be using the terminology that there is a security risk with a plugin unless it is actually the situation
• We're exploring the best way to highlight/make visible the "always enable plugins" for this site option