Muzzling buggy and insecure Web browser plugins like Java and Flash goes a long way toward blocking attacks from drive-by downloads and hacked or malicious Web sites. But leaving them entirely unplugged from the browser is not always practical, particularly with Flash, which is used on a majority of sites. Fortunately for many users, there is a relatively simple and effective alternative: Click-to-Play.
Click-to-Play is a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari) that blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the box to enable the Flash or Java content inside it.
To enable click-to-play on Chrome: From the main menu, click Settings, then in the search box type “click to play,” and click the highlighted box labeled “content settings.” In content settings, scroll down to the “plug-ins” section, and change the default from “run automatically” to “click to play”. To enable exceptions so that certain sites (krebsonsecurity.com?) are allowed to load Flash and other content by default, click the “manage exceptions” box. Alternatively, this can be done in Chrome through the address bar: when you browse to a site that has content blocked by the click-to-play feature, an icon will appear on the far right side of the address bar that allows you to add an exception for the current site.
To enable click-to-play in Firefox: Open a browser window and type “about:config” without the quotes. In the search box at the top of the resulting window, paste the following: “plugins.click_to_play”, again without the quotes. Double-click the entry that shows up so that its setting under the “value” column changes from “false” to “true” (hat tip to F-Secure.com for this advice). To enable per-site exceptions, look for the blue Lego-like icon in the left-hand portion of the URL bar, and click it; click the “activate” button to enable plugins just for that session, or to make it permanent for that site, click the down arrow next to “activate all plugins” and select the “always activate plugins for this site” option.
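The Firefox step above flips a single preference, and once it is set it is worth being able to confirm it stayed set (for example across several profiles, or after an update). The following is an added example, not code from the post or from Mozilla: a small parser for the `user_pref("name", value);` lines that Firefox writes to a profile's prefs.js (and that users put in user.js), and a check that reports whether `plugins.click_to_play` is explicitly `true`. The function names and the sample profile contents are constructed for this illustration; a missing entry is treated as “not enabled,” since the post describes the default value as false.

```python
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# Matches one Firefox preference line, e.g.
#   user_pref("plugins.click_to_play", true);
# The value may be true/false, an integer, or a double-quoted string.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);\s*$'
)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse the user_pref() lines of a prefs.js / user.js file.

    Comment lines and anything that is not a user_pref() call are skipped.
    Later lines override earlier ones, matching how the file is read.
    """
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//") or stripped.startswith("/*"):
            continue
        m = _PREF_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"'):
            # Undo the two escapes Firefox uses inside string prefs.
            prefs[key] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            prefs[key] = int(raw)
    return prefs


def click_to_play_enabled(text: str) -> bool:
    """True only if the profile explicitly sets plugins.click_to_play to true.

    An absent entry means the browser default applies, which the post
    describes as false, so it is reported as not enabled.
    """
    return parse_prefs(text).get("plugins.click_to_play") is True


def audit_profiles(profiles: Dict[str, str]) -> Dict[str, bool]:
    """Map each profile name to whether click-to-play is switched on."""
    return {name: click_to_play_enabled(text) for name, text in profiles.items()}


# Constructed sample profile contents (not real files): one hardened, one left
# at defaults, and one where the pref was set and later flipped back.
SAMPLE_PROFILES = {
    "hardened": (
        "// Mozilla User Preferences\n"
        'user_pref("browser.startup.homepage", "https://example.test/");\n'
        'user_pref("plugins.click_to_play", true);\n'
    ),
    "default": (
        'user_pref("browser.startup.homepage", "https://example.test/");\n'
    ),
    "reverted": (
        'user_pref("plugins.click_to_play", true);\n'
        'user_pref("plugins.click_to_play", false);\n'
    ),
}

if __name__ == "__main__":
    for name, enabled in audit_profiles(SAMPLE_PROFILES).items():
        print(f"{name}: click-to-play {'ON' if enabled else 'OFF'}")
```

To use it against a real profile, read the profile's prefs.js into a string and pass it to `click_to_play_enabled`; the same parser works for a user.js file, which is the usual way to pin the setting so it survives later changes made through the UI.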
Opera users interested in this feature can enable it by pressing Ctrl+F12, then clicking the “Advanced” tab, then “Content,” and then enabling the “Enable plug-ins on demand” option.
Safari users can get a click-to-play-like experience using either the ClicktoFlash extension – which, as its name suggests, blocks Flash content – or the more comprehensive ClickToPlugin extension.
Getting a click-to-play-like feature working in Microsoft’s Internet Explorer seems to be a bit more complicated. Internet Explorer 10, which includes its own version of Flash, uses a Microsoft-provided whitelist of websites that are allowed to play Flash content by default. IE10 users on Windows 8 can add any site they like to the whitelist, but the steps for doing so are hardly straightforward. See this writeup for more information on how to do that (if someone knows of an easier way with IE10, please leave a comment below). PCMech.com explains how to approximate click-to-play in IE9, but this option may produce incessant pop-up prompts.
I mentioned at the outset of this post that some of these approaches can be used to block Java content from running by default, but a far safer approach with Java is simply to unplug it from the browser until and unless you need it (or uninstall it completely). If you need an idea of why I recommend this, have a gander at just a few of the most recent posts on Java.
One final note for those who decide to keep Java: unplugging it from the browser is a good idea, but keep in mind that Oracle’s Java installer re-enables the plug-in when the program is updated (shakes fist at Oracle).