The early stages of the Internet felt a bit like the free love era, in that people could pretty much do what they wanted, even if it was bad for them. I remember having many conversations with telecom carriers about the issues of consumers doing stupid things, getting their devices pwned, and then wreaking havoc on other consumers on the same network. For years the carriers stuck their heads in the sand, basically offering endpoint protection suites for free and throwing bandwidth at the problem.

But that seems to be changing. I know a few large- scale ISPs who put compromised devices in the penalty box, preventing them from doing much of anything until the device is fixed. This is an expensive proposition for an ISP. You, like me, probably end up doing a decent amount of tech support for less sophisticated family members, and you know how miserable it is to actually remediate a pwned machine.

But as the operating systems have gotten much better at protecting themselves, attackers increasingly target applications. And that means attacking browsers (and other high-profile apps such as Adobe Reader and Java) where they are weakest: the plug-in architecture. So kudos to Mozilla, who has started blocking plug-ins as their default setting.

It will now be up to the user to enable plug-ins, such as Java, Adobe, and Silverlight, according to Mozilla director of security assurance Michael Coates, who announced the new functionality yesterday in a blog post. Mozilla’s Click to Play feature will be the tool for that: “Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play, Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play, or the user has previously configured Click To Play to always run plugins on the particular website,” he wrote.

Of course users will still be able to get around it (like the new Gatekeeper feature in Mac OS X), but they will need to make a specific decision to activate the plug-in. It’s a kind of default deny approach to plug-ins, which is a start. And more importantly it’s an indication that application software makers are willing to adversely affect the user experience to reduce attack surface. Which is good news from where I sit.