I've actually been wondering for a long time how Adobe was going to enforce their statement that Flash Content would stop working at the end of the year. This makes it sound like there's a date-based kill switch built into their software.
I don't think I like that. Yes, using Flash in a web browser once it has stopped receiving security updates is a bad idea, but what if you need to view a website in the Wayback Machine which incorporates flash, and you've set up an isolated VM for the purpose? I suppose you could set the VM's clock back, but that's a major PITA which could potentially cause other issues.
The existence of Flash Projector softens the blow significantly, but there will be some content that must be viewed within a web browser. Perhaps an earlier version of Flash Player lacks the kill switch?
I just wanted to note that the problem you mentioned is being actively addressed by the Ruffle team. As you mention, it will continue to get better with time.
Indeed, even if a time-based killswitch was embedded into current versions of Flash, it would make no sense for versions of Flash from before the whole "Flash is going out of style; Flash is deprecated; Flash is dead" arc to contain such a killswitch. Flash used to be one of Adobe's tent-poles!
Conveniently, given that any Flash content published as SWF was probably authored at least 10 years ago, you could very likely get away with using such an older version of Flash to view such sites.
Rather than tracking one down yourself, I'd suggest, for best compatibility, just using a VM of an OS that ships with an older version of Flash. For example, later releases of Windows XP.
> I suppose you could set the VM's clock back, but that's a major PITA which could potentially cause other issues.
Like breaking TLS cert validity date checks.
Though, I suppose if some website hasn't migrated off Flash by 2020, it's probably reasonably likely to also be in the subset of websites that haven't implements https by now as well...
I should point out that while the Projector doesn't download the killswitch policy file, it does honor it, so you'll have to jump through extra steps to use files in the projector after January.
File this right along with Apple pulling older versions of iOS from the App Store. If you look at it sideways, it makes sense from a security perspective. But at the same time you are closing off entire chapters of computing history.
I admitted upfront it's wholly unsubstantiated, but something to the effect of a sovereign entity with the ability to compel the maintenance of access so as to not burn some 0-day involved in some ongoing operation/investigation/etc.
The end of an era. Flash had many problems but it also enabled us all to develop rich content before browser support and cross platform compatibility was in the positive state it is today. It was a creative era of fun mini games and animated web comics. I definitely have some nostalgia
I'm wondering right now whether the true reason for killing Flash Player so thoroughly is really security, or if there's something else involved like a license agreement for some code embedded within Flash Player which requires Adobe to pay periodically until Flash Player no longer runs.
The true reason for dropping Flash was to prevent web based apps from challenging Google and Apple's store apps, as they couldn't monetize those.
Flash was a true enabler and was supposed to be replaced by HTML5 which has never fulfilled its intended purpose.
Security was never a problem as that could be dealt with by having access source code and fixing the bugs in it, and that didn't stop Google from continue to ship it years after it got deprecated.
Its even more amazing how Mozilla couldn't succeed or abandoned their effort to create a flashplayer, yet ruffle.rs is creating a Flashplayer in both the Rust language and the web assembly system created by Mozilla.
It apparently never occurred to Mozilla that they could write the Flashplayer in C and compile it in Web Assembly.
Expected behaviour from a company ever so reluctant to bite the hand that feeds it.
There are 893 vulnerabilities listed of severity 9.0 or greater, such as remote code execution and similarly dire problems. Flash may have been innovative, but from a security perspective it's hot garbage and it's long past time to get rid of it.
Adobe has form on nixing old products because of third party code. Last year they said that users of old versions of Creative Cloud apps may be subject to third-party legal action if they kept using them: https://fstoppers.com/legal/adobe-customers-using-old-softwa...
Got a pop up dialog asking me to uninstal. I did it.
At work we have to shut down two of our older web tools because of this. We're too small to put resources in fixing. They were old and he didn't port to javascript. (It wasn't non-trivial, you could draw a box around some points and it would pass that data along via ajax.)
A look back at Steve Jobs’ Thoughts on Flash [1] written a full 10 years ago:
Flash was created during the PC era – for PCs and mice. Flash is a successful business for Adobe, and we can understand why they want to push it beyond PCs. But the mobile era is about low power devices, touch interfaces and open web standards – all areas where Flash falls short.
The avalanche of media outlets offering their content for Apple’s mobile devices demonstrates that Flash is no longer necessary to watch video or consume any kind of web content. And the 200,000 apps on Apple’s App Store proves that Flash isn’t necessary for tens of thousands of developers to create graphically rich applications, including games.
New open standards created in the mobile era, such as HTML5, will win on mobile devices (and PCs too). Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind.
41 comments
[ 4.3 ms ] story [ 97.4 ms ] threadI don't think I like that. Yes, using Flash in a web browser once it has stopped receiving security updates is a bad idea, but what if you need to view a website in the Wayback Machine which incorporates flash, and you've set up an isolated VM for the purpose? I suppose you could set the VM's clock back, but that's a major PITA which could potentially cause other issues.
The existence of Flash Projector softens the blow significantly, but there will be some content that must be viewed within a web browser. Perhaps an earlier version of Flash Player lacks the kill switch?
FWIW, Ruffle appears to be able to play Flash content within a web browser: https://ruffle.rs/demo/
(Related Internet Archive post on their new Flash collection: https://blog.archive.org/2020/11/22/flash-back-further-thoug...)
Conveniently, given that any Flash content published as SWF was probably authored at least 10 years ago, you could very likely get away with using such an older version of Flash to view such sites.
Rather than tracking one down yourself, I'd suggest, for best compatibility, just using a VM of an OS that ships with an older version of Flash. For example, later releases of Windows XP.
That's what the blog One Terabyte of Kilobyte Age (https://oneterabyteofkilobyteage.tumblr.com/) uses to generate its screenshots, and they almost always work.
The copyright stance on breaking DMCA for preservation is far more clear when the original owner is explicitly dropping support.
Like breaking TLS cert validity date checks.
Though, I suppose if some website hasn't migrated off Flash by 2020, it's probably reasonably likely to also be in the subset of websites that haven't implements https by now as well...
https://www.ikea.com/us/en/planner/besta-planner/
I'm wondering if the IT team which produced that pice of software is gone since years.
Edit: I somehow missed that my spell checker replaced "have facepalmed" with "gave poisoned"...
What are you talking about?
Disclaimer: I am an Adobe employee, but have no insider information about this.
Flash was a true enabler and was supposed to be replaced by HTML5 which has never fulfilled its intended purpose.
Security was never a problem as that could be dealt with by having access source code and fixing the bugs in it, and that didn't stop Google from continue to ship it years after it got deprecated.
Its even more amazing how Mozilla couldn't succeed or abandoned their effort to create a flashplayer, yet ruffle.rs is creating a Flashplayer in both the Rust language and the web assembly system created by Mozilla.
It apparently never occurred to Mozilla that they could write the Flashplayer in C and compile it in Web Assembly.
Expected behaviour from a company ever so reluctant to bite the hand that feeds it.
There are 893 vulnerabilities listed of severity 9.0 or greater, such as remote code execution and similarly dire problems. Flash may have been innovative, but from a security perspective it's hot garbage and it's long past time to get rid of it.
At work we have to shut down two of our older web tools because of this. We're too small to put resources in fixing. They were old and he didn't port to javascript. (It wasn't non-trivial, you could draw a box around some points and it would pass that data along via ajax.)
Browser gaming has never recovered.
Flash was created during the PC era – for PCs and mice. Flash is a successful business for Adobe, and we can understand why they want to push it beyond PCs. But the mobile era is about low power devices, touch interfaces and open web standards – all areas where Flash falls short.
The avalanche of media outlets offering their content for Apple’s mobile devices demonstrates that Flash is no longer necessary to watch video or consume any kind of web content. And the 200,000 apps on Apple’s App Store proves that Flash isn’t necessary for tens of thousands of developers to create graphically rich applications, including games.
New open standards created in the mobile era, such as HTML5, will win on mobile devices (and PCs too). Perhaps Adobe should focus more on creating great HTML5 tools for the future, and less on criticizing Apple for leaving the past behind.
[1]: https://web.archive.org/web/20100501010616/https://www.apple...