The online world is new enough that many of us aren’t really sure how we can keep ourselves as safe as possible. In the physical world we have generations of experience about how to minimize risk (beware of dark “shortcuts” through unknown neighborhoods alone at night), and well-developed social institutions to mitigate risk (police forces, insured accounts at banks, etc.). In the online world most of us are still learning what we can do as individuals to improve our own safety. Sometimes it’s daunting.
It turns out that one important thing each of us can do is keep our software up-to-date. By doing so we get a regular flow of security improvements. Firefox has a good update rate. But it’s easy for people to forget to update software that we don’t think about very often. One type of software that’s easy to forget about is a category known as “plugins.” Plugin software works with a browser to display additional types of content. Plugins are not created by the browser developers; they are separate teams and separate software. Because of the interaction with the browser, many people don’t know or forget about updating plugins. And a crash or security problem in a plugin often feels like a problem in the browser. So it’s easy for people to think that they’ve fixed the problem by updating the browser when in fact the plugin is still a problem.
Last week Mozilla tried something new to help people help themselves. The results so far have been encouraging. We realized that a lot of people are using old version of the “Flash” plugin. We suspected that this is because people didn’t know they should update or that updating is an important safety habit. Flash is not a Mozilla product — it’s from Adobe — so updating the browser doesn’t update Flash. And nearly everyone uses Flash to view video. So we put a notice on the Firefox update page, letting people with old, less-secure versions of Flash know that Adobe offers an updated version with security fixes.
The response to this notice has been very high. The percentage of people viewing this (in the English language, US version) and then following the link to update flash is about 30%. This is a very high response rate. A typical response rate for this page is around 5%. A more detailed analysis can be found at our metrics blog.
We’re very careful about putting anything on the Firefox update page, so asking people to deal with a different product is new. The response suggests that people are receptive to clear information about how to keep themselves safer. That’s encouraging. It benefits the individual doing the updating, and also provides a system wide “public health”- like benefit as well.
Online security is a tough problem. It will be with us constantly, just like questions of physical security never go away. There are things each one of us can do to improve our setting. At Mozilla we’ll keep thinking about how we can help people figure out and do these things. And hopefully we’ll be part of a growing community of people doing this.