397 comments

[ 2.7 ms ] story [ 321 ms ] thread
I made it my new year's resolution in 2015 to have Flash disabled. For my use case, it works great. Longer battery, less heat, and the internet still works.

I do turn it on (enable) every now and then for some sites, but very few/infrequently and turn it off right after.

I have all plugins disabled by default on my Chrome. I assume it's mostly Flash. It's very little disruption, actually:

* Plugins can be enabled using one click;

* The "Copy shortcut" widgets are disabled by default. Too bad, 2 clicks instead of one.

* Some videos are disabled on some news website. Too bad they won't be able to auto-play.

* I very rarely encounter websites (less than once in a month) where invisible plugins are required, so I need to restart the page with all plugins activated. I think Google's Not-a-robot Captcha has difficulties with that, if I remember well.

Linux still struggles with HTML5 and flash
Flash - sure, since Adobe doesn't really care that much. But HTML5? That's in browser's hands and support depends on your browser choice only.

Did you mean any specific codec for video playback, or something else?

EME is not present on Linux yet I think. I don't really mind this however it does mean no Netflix without Google Chrome..
EME is there, but you don't have the CDM.

Outside HTML5 scope, though.

What does this have to do with HTML5?

Why on earth should Firefox ship a different HTML5 engine for Linux than for the other OSes? To me, it doesn't make a lot sense to assume Firefox provides a better HTML5 implementation for all other operating systems.

With all due respect, this comment seems to be more of an overall anti-Linux sentiment.

Actually, Firefox uses the platform decoders to decode patented codecs like H264 or AAC. So the operating system does play a role. I also think it's not unreasonable to believe that hardware accelerated H264 decoding works less well on Linux.
Good catch. So replacing "HTLM5" with "video codes", this may have a point.

But I'm still wondering, as we have very good decoders from projects like FFmpeg and VLC. (Not sure which of all those decoders are used by Firefox.) These are platform independent and to my experience better than the platform specific libraries.

For example, I often hear that people install VLC under Windows because it decodes lots of video formats better than the natively available Windows Media Player. So the native Windows libraries probably aren't that good.

Also, at least the FFmpeg project explicitly states that they don't care about patent FUD, so we can safely assume they don't cripple their decoders in the fear of violating patents: https://www.ffmpeg.org/legal.html

Firefox can actually use ffmpeg as a decoder. It would be a great option for supporting a lot of these formats. However, Mozilla can't ship it enabled, because the patent problem is very real. See, for example, all of the Play Store apps that got C&D letters from Dolby for using ffmpeg's implementation of AC3.

Firefox does ship a lot of other video and audio codecs though, such as vorbis, opus, theora, vp8, and vp9. It's recommended to use these for HTML5 when possible because they can be easily supported everywhere.

> However, Mozilla can't ship it enabled

Just a minor nitpick: Under Linux, people don't download from Mozilla but have it installed by default. If not, they install via package manager and not via download from Mozilla.

So it's not Mozilla making that decision, but the respective Linux distros. But of course they have the same problem.

I believe a good compromise would be to check if ffmpeg is installed on the system, and use it only when available. So the user would have to install ffmpeg directly.

That would be a very different situation from including code from ffmpeg directly into some app.

Mozilla does not allow Firefox trademark use for distro customized builds.
False. It's allowed as long as Mozilla approves the changes. This is how Ubuntu ships Firefox.
Firefox actually does do this. It can also use whatever gstreamer codecs you have installed (e.g. gstreamer-ffmpeg/libav).
When all browsers disable Flash, a ton of old artistic content will become unaccessible. I'm thinking specifically about Homestuck animations and minigames, but other people will have their own favorites. Is there a good transition plan?
Nope. no reasonable alternative to flash has proven viable. Which is crazy.
Canvas, WebGL, Javascript?

If it's because you enjoy the Adobe Flash tooling, then Adobe is doing exporting to both Canvas and WebGL now.

http://www.adobe.com/inspire/2014/02/flash-html5-canvas.html

https://helpx.adobe.com/flash/how-to/flashpro-export-webgl.h...

If I make an animation or game using these technologies today, will it work unchanged ten years from now?
Do modern web browsers still render standard compliant web content from 10 years correctly today? (Yes they do)
(comment deleted)
I dont like the tooling, but the fact is trying to do some of the things flash currently doe will turn a macbook pro into a melting mess
Shumway?
Shumway actually works pretty well on a lot of the old avm1/2 animations. Few run perfectly, but it shows that it is a practical way forward.
Flash has become subject to retrocomputing.

There are plenty of PC Emulators aviable that run Windows XP and flash just fine. You shouldn't connect them to the internet though.

However, it will also make it more secure by making it less of a target for hackers. If you have to enable it only for certain content … then great. That’s how it should be at this point.

Look at what happened to Java applets.

Java Applets are hard to run on many machines (apple machines are especially bad in this respect), even for technically skilled users.

It would be very sad to see this become the state of all the old flash games/animations.

I've seen countless Flash animations turned into Youtube videos, which means the quality has dropped considerably.
This is the biggest issue IMO. Seeing flash go the way of DOS and etc. would be very sad.
Someone could write an Adobe Air application to play old Flash content outside of a browser.
Seems like only a temporary block. Mozilla isn't brave enough to put it out of its misery like it belongs. Still some big sites using it though, like Twitch.
My firefox has been blocking flash for a while (I've not updated it, so it doesn't load the old version.). The only site I switch to Chrome for has been twitch.

For anything else html5 video has been generally working. I've noticed a lot fewer annoying adverts too which is a bonus.

If Mozilla finally managed to implement the encoding Twitch uses for mobile devices, I'd finally be able to uninstall that pile of shit. Sadly it's a licensing issue.
Yes, Twitch is using HLS, which is patented. The rest of the industry is moving to DASH-via-JS-and-MSE. Even Steam Broadcasts use MSE now.
I've been trying to solve this on Ubuntu 14.10. There does not seem to be an update path. I've installed the deb on https://get.adobe.com/flashplayer/ which does not resolve it.
"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues."

There's no updated version yet.

AddOns->Plugins->Ask to Activate
I hope this will be another push for content creators to abolish flash in the long term.
I hope this will not make more content creators choose that annoying unity3D plugin thing that doesn't support linux for games.
Didn't they ditch that in favor of full HTML5?
I think the plugin is still available as an export target - at least the website doesn't say anything different.
> that doesn't support linux for games.

There is support: http://pipelight.net/cms/installation.html

For me on debian it was install and it worked without even restarting the browser.

I tried it once, it also allowed the latest Flash, but then full screen got broken, and also Flash showing file dialogs got broken.
this is not support, its basicly running the plugin inside wine, with all the attendant issues that invokes.
I had no issues. It simply worked.
I find amusing that visiting that same page triggers the 'Firefox has prevented the outdated plugin "Adobe Flash" from running on support.mozilla.org.' warning.
The Flash plugin update fixing the RCE bugs is scheduled to be released tomorrow by Adobe, after which the block will be lifted.
I just noticed notice in the browser window. I didn't recall seeing it earlier so when I saw this headline, I clicked on the link.

I chuckled when I saw this: http://i.imgur.com/CHqRSEZ.png

:)

Do you want to enable 'Adobe Flash' for the site adobe.com? [Never for this site]
What about Java?
Java plugin you mean right the one that runs on browsers?. Java itself is a huge topic including JDK, compilers, runtimes, server side etc.
Of course he means that, do you know the thread you are posting to?
he could meant JDK, the server runtime many things in Java. and I know the thread Im posting. you do not need to tell me. You do not need to mention it like that.
Flash always have security issues and Adobe do their best to fix them.

On the consumer side of things, flash is not so bad. Sure search engines couldn't read it but there is amazing content generated through it. The content is,what matters and unfortunately the Web is littered with abusive flash objects auto playing videos, audio, full screen ads and those won't simply go away with flash.

At least with flash I can easily disable it. But those auto playing html5 videos and audios ads are just as annoying. Now I need plug ins to disable native capability.

It's only a matter of time until all ads move to the medium and we find ourselves complaining.

It's not really a matter of ads, ads move the internet so they will always be there. It's a matter of security, flash has always been a source of flaws to be exploited. Like.. always, sometimes "trying their best" was really not effective.
One option was to go down the Click-to-Play route which offers a HORRIBLE UX. Especially on Youtube which still uses Flash by default.

Disabling Flash however, Youtube actually seamlessly falls back to HTML video. Well done. But I can't help but think, outside the Youtube world (BBC for e.g.). LOTS is going to break. I wouldn't take this tact with my parents or clients.

I much rather click to play over autoplay of videos, including on Youtube.

My browsing workflow involves a lot of middle-clicking links to open them up in background tabs. Autoplaying video is major annoyance in this context.

This is something that Safari on OS X gets so right, that I've long been amazed (and annoyed when I have to use other browsers) that the other browsers don't copy the functionality.

In Safari, if you tab out a new page, it will load the content but pause it until you show the page. So you can tab out a bunch of video pages and they each only autoplay when you tab through them.

Wanting the same functionality on Chrome seemed to involve plugins or clicking (which has now turned into right clicking and choosing play).

> Especially on Youtube which still uses Flash by default

No since January[1]. Maybe you have an old cookie set or something?

[1] http://youtube-eng.blogspot.com/2015/01/youtube-now-defaults...

From the link: "and in beta versions of Firefox" Maybe he's still using a Firefox stable version a few months old?
If you disable Flash completely then Youtube works fine with HTML5 video. However, when Flash is set as click to play then Youtube still prompts to enable Flash. Annoying.
You're right. :)
You can use this page to see if your browser will use HTML5 by default, and set a cookie to try HTML5 instead of Flash if it's not the default. https://www.youtube.com/html5
I'm late to respond to this, but this is really not true (speaking as a several-year (and current) user of click to play Flash).

I would suggest checking the https://www.youtube.com/html5 page sp332 suggested to see if you have checks in all those boxes and making sure you're using a recent version of whatever browser you're running[1]. Only if your browser doesn't support the needed html5 video features does it switch back to flash.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=778617 for the ongoing Firefox bug, but you should be good with MSE in recent Firefox on Youtube in particular (see last comment in that bug)

Unfortunately in this case avoiding the problem won't make it go away.

Many old sites will stop working (my first site was done in flash) as well as many games that are still heavily played today by millions of people. Also flash IDE provides a good introduction to programming for self-taught kids these days: many of them still do their first code in flash after clicking on "that strange icon next to photoshop".

Overall this is a good example of prolonged trusting a binary blob. IMO we will always tend to do what is more comfortable and we should strive for openness and transparency in the tools that most people rely for everyday.

The problem persists as long as there are people installing the plugin or "enabling" it.

We need a real open-source alternative to flash player.

> We need a real open-source alternative to flash player.

We quietly built the alternative to Flash over the last 10 years. It's called the web.

A standard document in the web browser can play audio, video, display vector graphics, utilise OpenGL, supports direct drawing via Canvas, and it is deeply scriptable with a mature, open programming language.

What else do you need?

Copy to clipboard, apparently.

(Github project pages have a flash application to handle this)

Good news, we're getting there. In Chrome 43 and (probably) Firefox it's supported: http://caniuse.com/#search=clipb (see note 3)

However the API is god awful.

Isn't this like a huge security risk?
Why? Copy FROM clipboard would be, sure. Copy TO clipboard... OK, I can come up with scenarios where it'd be a problem, but they're pretty far-fetched.
Run a timer overwriting your clipboard every 10ms. Prevent you from copying anything off a webpage and instead replacing it with a copyright notice. Etc., etc., etc.
There's a permission prompt for first use and I think Mozilla considers making it https only.
Flash has offered these same clipboard APIs for years and these clipboard "attacks" have never been a problem before. I don't see how replacing Flash clipboard APIs with HTML clipboard APIs will change web developers' behavior.
> However the API is god awful.

To be fair, it's basically a proprietary IE5 API that's now been standardised (like quite a few others).

Is that why I keep getting notifications that github wants to use flash player? Good to know.
> What else do you need?

I need all of those things to look exactly the same in each and every browser, instead of corrupted icons or broken navigation because the developer tested it in Chrome for Windows but neglected, say, Iceweasel for Debian.

I have yet to find a non-flash game capable of doing that. And if the alternative is "we should discard this closed binary that works in every platform in favor of this free-but-browser-dependant stack", I find that odd.

Well then you don't want an open source Flash, because that will undoubtedly be different to the official one in the same way that browsers are different to each other.
> because the developer tested it in Chrome for Windows but neglected, say, Iceweasel for Debian.

Bad example, because Flash for Linux has been discontinued in all flavours except PPAPI so it wouldn't work in Iceweasel.

The age old test of any platform is the ability to run games, and HTML5 just isn't there when put next to Flash or native apps. And I'm not talking the bleeding edge stuff, but simple things like getting sound to work between browsers (a task that Flash did very well). Although to be fair the gatekeepers of browsers are Apple and Google who want you to pay the app store tax.
> We quietly built the alternative to Flash over the last 10 years. It's called the web.

The 'Web' can't play video or audio, the 'Web' needs plug-ins to do so. Plug-ins like H264 decoders and Flash.

That's like saying “The ‘Web’ can't display images, the ‘Web’ needs plug-ins to do so. Plug-ins like libjpeg or giflib”.

Right now, you can put a <video> or <audio> tag on a page and it will work in something like 95% of the browsers in use. That's already better than Flash and going up as IE8 users upgrade to newer versions of IE or install Chrome/Flash.

Sure, you can't rely on users not recompiling their browser to disable it but you also can't rely on 100% support for anything on the web – users disable image loading, plugins, stylesheets or JavaScript, install incredibly overzealous ad-blockers, use ISPs which tamper with page contents, etc.

Yup. Remember back when you actually needed helper applications to display certain image types?

https://www.as.cmu.edu/application/pref_1.gif

Or when GIF required a license to implement so people actually had to disable it until the Unisys patents expired. That was fun…
* Streaming of live video using a single protocol across all browsers. (Some browsers don't even support a live streaming protocol)

* Adaptive bit rate video streaming (recorded or live)

Nice to have but not required:

* Full H.264/AAC support across all browser.

Unfortunately Flash is the only viable solution for the above right now.

When i wanted to start programming one of the things I tried was flash. I absolutely couldn't figure out what the fuck was going on even with tutorials, it's garbage.
That's strange, I found Flash programming very accessible. There's a huge amount of good learning material out there, and plenty of shortcuts and components you can use to do quite complex things.

Flash components were really interesting, and made it easier for non-programmers, or designers to manipulate a user-friendly "API" of sorts within Flash. This was very powerful. Hugely underrated and conventionality forgotten by the Flash-haters.

In terms of accessibility, my first two "serious" coding projects in high school were an interactive library map and a Latin flashcard quiz game written in Flash and Perl, respectively. At the end of the projects, I decided to focus my efforts on the more intuitive of the two languages, Perl.

Granted, it's just an anecdote, but I wonder what I missed that made others find Flash so accessible.

In my experience at least, when I talk about "Flash programming" I'm not just referring to Actionscript, but the whole package, the whole Flash suite including manipulating the timeline and multimedia objects programmatically.

Sounds like you favour Perl over Actionscript. From what I know of both, they are not commonly compared! But as with many things in this business, it all depends on your needs, likes, and the project requirements.

I uninstalled Flash a few days ago, because I didn't want to deal with the updates anymore. Since Flash was unbundled from Mac OS X it has become a pain to update. I simply don't understand why I need to go to the Adobe site to get the updates.

Flash isn't super relevant anymore anyway, the main thing it's used for on my computer is Flash tracking cookies, and I can do without those. I do wonder how some of the tracking and retargeting companies will deal with the decline of Flash though. We asked a partner to stop using Flash for tracking, their response was that it's the best way to doing user tracking. Hopefully they'll change their mind soon.

The update process is horrendous. Redirect to Adobe's website, follow a 3-step 'wizard' - where Step 2 is a placebo 10-second loading bar saying it is "initialising" - and Step 3 is an advertisement for installing other crap from Adobe.

After all that you have to download a DMG, close all your applications and reinstall from scratch. Why not just build in an auto-update in the background and be done with it...

On Windoze, I always go to google for "flash player distribution3" and install the MSI packages for enterprise deployment. That keeps me from the malware bundle.
If you're on Windows and are not careful you risk ending up with McAffee as a drive-by!
On the Mac, it's easy, I use Chrome as my Flash jail. I use Safari all the time and the few times I need Flash I fire up Chrome and it's there. Don't have to worry about Flash hacks or Chrome battery drainage.
Been doing the same for years now. Don't see why people are still discussing it.
HSTS subdomain tracking is probably the best method of tracking, because it works in private mode and there's no easy way to clear those "cookies".
I uninstalled Flash about a year ago and haven't looked back since. Funnily enough only Facebook used to give me issues.
I have Chrome with flash installed (not that it gave me any choice), but other than that I haven't had flash for maybe two years. If I need to play Flash, I just open Chrome for that. Facebook is one of the last common offenders with its flash videos on desktop version. I can't comprehend why...
Bugs are always bad (and security bugs even more so) - but I've always felt that Flash gets a disproportional amount of hate/hype in the media. To some degree it should be normal that the more widespread a technology is - the more it gets targeted for security exploits.

If you run the popular browsers/plugins against the National Vulnerability Database, you'd get the following results (as of January 2014):

  - Internet Explorer 366 total vulnerability issues (314 high severity)

  - Google Chrome 235 total vulnerability issues (154 high severity)

  - Adobe Flash 207 total vulnerability issues (169 high  severity)

  - Mozilla Firefox 190 total vulnerability issues (86 high severity)

  - Oracle Java 161 total vulnerability issues (69 high severity)
[source] https://nvd.nist.gov/
Yes, but Flash alone doubles the attack vector of a browser - that's nothing to be sneezed at. I think it's particularly poignant when you look at the high severity metric.
I am not sure the attack vector argument is 100% valid here, as flash replacement technologies constantly add attack vectors to modern browsers, too. Many traditional Flash features are now covered by webGL accelerated browser functionality, like accelerated 2D canvas elements. My guess would be that this browser-gpu bridge creates a whole zoo of GPU driver related security issues which attackers might focus on once flash is completely obsolete. (My money is on a remote code execution vulnerability in the Firefox Adobe DRM module.)
(comment deleted)
So Flash is second in terms of number of high severity bugs and first in terms of the percentage of bugs that are high severity, only being beaten by Internet Explorer. By your evidence the hate for Flash is quite justifiable.
It's second to IE in both those metrics, but "percentage of bugs that are high severity" seems like a strange thing to be measuring in any case.
Perhaps it's intended as a proxy for overall quality.
Flash bugs are more important because the are crossbrowser. I will still use Flash though on older computers, because it needs less resources for video.
Remote code execution exploits were found in Firefox at least once per month during the first half of 2015. The only reason we didn't hear about these cataclysmic exploits is because it wasn't Flash.

January 20, 2015: https://community.rapid7.com/community/metasploit/blog/2015/...

February 25, 2015: https://msisac.cisecurity.org/advisories/2015/2015-018.cfm

March 1, 2015: https://www.mozilla.org/en-US/security/advisories/mfsa2015-3...

April 22, 2015: https://msisac.cisecurity.org/advisories/2015/2015-046.cfm

May 12, 2015: https://www.mozilla.org/en-US/security/advisories/mfsa2015-5...

Hackers search for remote code execution exploits in Flash first and foremost because they know a successful Flash exploit will reach the highest number of targets (90% or more on the desktop) whereas only 44% of desktop machines are running Chrome and 15% are running Firefox.

Hackers seeking out and exploiting RCE bugs in Firefox is unheard of for the same reason malware targeting Macs has been virtually unheard of over the past decade: It's not that OS X is more secure; it's simply that Windows is a more lucrative target.

Mozilla seems to take anywhere from 1 to 3 months to fix these severe bugs. Adobe takes days.

Source for this complete and utter FUD? Certainly not the links you gave:

Jan 11, 2015: Originally reported to Mozilla as a low-severity DoS, which turned out to be already patched in trunk Jan 13, 2015: Firefox 35.0 shipped with patch

It's hard to get dates out of the others because the bugs are still hidden, but the "fixed in" is often a security fix update after a release, which means it can't possibly have been > 6 weeks.

You're right, I misinterpreted the timeline there.
You probably missed out on the hacking team leaks. These actions are triggered by the leaks. HT was sitting on a lot of flash 0-day exploits.

This leak was the best thing that happened to the web.

They do get more bad press than perhaps others should. There is already a perception about Flash that it is not a great product, which feeds into this. Reasons are varied.

    - Performance has not been good on Macs (my 2007 Macbook Pro literally burned my legs when running anything flashy)

    - Flash updates mechanism seems a little spammy.

    - Long-term perception of Adobe as a maker of a somewhat buggy, somewhat bloated software

    - Steve Jobs' public denigration

    - Backlash against proprietary standards being used on the web
The best thing about click to play Flash is it puts a stop to autoplay videos on the less reputable sites I occasionally and shamefully glance at for sports news.
... and makes pages load faster.
I don't think the hate comes from bugs or exploits. I think people hate flash because it is laggy, slow, make things move in your screen you don't want, widely use for ads or to shit on the user experience, etc.

Granted most of it might be bad programming, but I still think he comes from here rather than exploits.

Clearly all this crap will still happen in a flash free world.
Turing-complete machine running untrusted code is a nightmare for security. There always be bugs and exploits, it's just a matter of time and effort to find them.

JavaScript enabled by default is already bad enough. We don't need Flash, Java, ActiveX or anything similar turned on by default. So it's a good move from security viewpoint. Less attack surface.

I have a lot of experience of end users and they are forever telling me that they get so many different "Update this", "Update that" windows that they can no longer distinguish real from fake. Some of them have been tricked by fake web site pop-ups as a result, others ignore legitimate update messages. I do not blame them.

Internet Explorer and Google Chrome get updated in a way that most end users find to be simple to understand, particularly with Chrome. Firefox is also quite good in this regard. All of them are reliable - it is rare, IME, to come across a Windows Update, Firefox or Chrome instance which is silently failing to update. Or not even bothering to prompt to update.

Flash, however often I install it, just doesn't seem to auto-update reliably. Quite often it only does so after a user log on/reboot, which doesn't happen much in the days of standby. Even on brand new, fresh Windows installs (so we know the OS/Flash isn't broken), I test Flash from time to time and it just doesn't prompt to update at all on some occasions. This is what makes Adobe's poor track record exponentially worse - that their software update mechanism is crap at best.

I was gobsmacked when Microsoft declared they were going to start updating Flash via Windows Update. Gobsmacked and so very relieved. It felt like they'd walked into Adobe's office, grabbed their fire extinguishers and told them "You are so useless that when there's a fire, WE will come and put it out, since you don't seem able to. We are sick of our offices getting burned down because of your idle incompetence."

I won't even address Oracle's Java. Bundling malware with their updater is tantamount to crime.

Flash also comes with McAffee (or some other bundleware). I wouldn't be surprised if the reason why they haven't made a proper auto-updater is because of that. That they'd miss out on those miniscule profits they get from that.
Yeah, I've been wondering why Adobe sticks to a "visit our website and manually download the new version" update model in this day and age. I think you found the answer.

If you keep ignoring the update prompt, Flash will quietly update itself after 45 days. That's long enough for every interested party to pwn your machine.

This right here pretty much kills any sympathy I had for Adobe in this matter. They sit on their hands for far too long when vulns are announced, and when they do get updates out, they use a completely backwards and useless update model in the name of extracting a few pennies per user.
ah yes good point! I've used a different install method for so long I forgot that. So again, tantamount to crime.

  I have a lot of experience of end users and they are 
  forever telling me that they get so many different "Update 
  this", "Update that" windows that they can no longer 
  distinguish real from fake. Some of them have been tricked 
  by fake web site pop-ups as a result, others ignore 
  legitimate update messages. I do not blame them.
One solution to this is to use AdBlock Plus. When a site permits adverts that threaten a computer's security, it is time to add it to the blocklist.
This is not a feasible solution for the average end user.
It seems to work ok if you install it for them - I now tend to do that for non tech users who I help out. Though usually uBlock rather than AdBlock Plus. It's scary if you go to a download site these days how many fake download buttons there are near the real one if you don't do something like that.
i also use ublock (but ublock origin) because of that whitelist deal that adblock did with er people what make ads.
Not ABP, ublock origin. Faster and not-for-profit: https://github.com/gorhill/uBlock#performance
Ah, and apparently (one other commenter mentioned it) ABP did a deal with advertisers.

Ugh (damn capitalism!), I think I shall move to ublock origin today then.

Thank you for letting me know about it :)

I have had multiple non-technical friends, in one case on a fresh install I'd done myself, run into the Flash update window simply showing a gray background that never does anything.

The best solution for this, from Adobe's own forum? Find the corporate-deployment version, download that (ignoring the messages that say it isn't what you want) and run it. This works flawlessly, but even less automatically.

Both the Flash and Java updates almost feel like "Pay Attention To Me!" Just like all those discount cards that exist in part so you carry around a fetish with the corporate logo.

Yes! I admin my parents' computers and after trying to explain which 'update' windows are genuine, I realised that there just isn't a good way to tell them apart.

Silent auto-updates are really the right way to go for non-techies. Even the post-upgrade 'announcement' popups are confusing. For instance, I've installed Ghostery on their computers and the 'ghostery has been updated' popup is just confusing for them, leading to confusion and phone calls to me.

Flash also doesn't seem to auto-update for them, despite me setting it up. I don't understand it either, as they turn off & on the machine regularly. Why can't Adobe get this right?

Given other comments here, i find myself once more reminded of Upton Sinclair.

"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"

Flash bundles things like Chrome, Mcafee etc.

That's the real reason they don't want a auto-update. Google pays them a lot for bundling Chrome(I think it's around $1 per install). They keep breaking the auto-update on purpose so that they can make a ton of money by bundling other software. Same with Java updates.

ah yes good point! I've used a different install method for so long I forgot that. So again, tantamount to crime.
And that's downright weird, given that Chrome use a different plugin API and thus get Flash bundled.

Even Windows has Flash via the updater.

Just about the only browser that use the old API is Firefox.

Shock, the only browser that still uses NPAPI is the descendant of the one that invented it!

Really, at this point I think Mozilla is more interested in just getting rid of plugins than trying to implement an alternative to NPAPI - why put all the effort in to support something like PPAPI when plugins should be dead within the decade anyway?

It's not a secret. The replacement for NPAPI is the Web APIs. The port of Flash to the new NPAPI--the Web APIs--is called Shumway.
So by disabling Flash by default, Mozilla can theoretically reduce vulnerabilities by half :-) Seems like a good choice to me!

Also, getting rid of the constant update dialogs and crapware installed with Flash will improve the overall user experience.

Cost/benefit seems higher for Flash/Java than browsers. You really need a browser, but you don't really need a [fancy thing that can't be done in JS]. As another commenter said, it doubles your attack surface and for little benefit.

Flash game enthusiasts would probably disagree, but most of us can probably do without it given the risk.

As an enthusiast for a handful of flash games, it is increasingly tempting to make a VM just for running them. Even then, with all the progress in Javascript, it's questionable whether I should bother.
There are a couple flash games I'd like to keep as well, but mentioning that didn't seem to strengthen my point :)

I've since found a few work-related apps that need it. Hiss.

Yes but Flash vulnerabilities are incremental vulnerabilities.

So just counting high severity vulnerabilities, the chart is

IE: 314. IE with Flash: 483.

Chrome: 154: Chrome with Flash: 323.

Firefox: 86. Firefox with Flash: 255.

And of course, you can add a third column for Java and a fourth column for browser with Flash and Java.

I have no idea what their bugs-per-line-of-code are, perhaps they have the finest code on the planet. But from a surface area perspective, installing Flash makes you more vulnerable, period. And it really is not necessary, whereas it’s not like you can browse the web in pure Flash and not install a browser.

>But from a surface area perspective, installing Flash makes you more vulnerable, period.

So does turning on Javascript. Yet the popular opinion these days is that disabling Javascript makes you a luddite. Mozilla even hid the option for it in Firefox.

> If you run the popular browsers/plugins against the National Vulnerability Database...

That's misusing statistics, you can't determine how secure something is by just summing up the number of vulnerabilities - equally weighing/comparing browsers with a plugin etc.

By the way, Apple's opinion on Flash in 2010:

Third, there’s reliability, security and performance. Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.

Source: https://www.apple.com/hotnews/thoughts-on-flash/

Flash is blocked on Apple devices due to business reasons, nothing more.
Flash is not blocked, it is simply not present.

Also, considering the track record of Flash on Android, your opinion is not supported by historical fact. It is very clear that Adobe is not on the ball to anyone who pays attention.

Flash was never "blocked" on Apple devices. Rather, Safari on iOS simply doesn't support plugins. You can't install Java, Silverlight, or Unity 3D plugins either.
Sure, and one of those business reasons is keeping bloated, buggy software that is ill-suited to mobile devices away from their phone's user experience.
Another point that hasn't been raised yet: Flash is a much smaller software than a browser, how come it has more bugs ? It certainly speaks for it's internal code quality.
In general, plugins are supposed to improve a product by adding or enhancing existing features. Flash however enables websites to break out of the HTML, CSS and JS environments and their security constraints, which should mean that flash have a larger responsibility regarding security. If Flash lived under the constraints of the browser own security, then flash bugs would barely register as news worthy.
The bigger question is how many of those were 0-days: vulnerabilities that were public before a version of the software with the fix had shipped.
I uninstalled/disabled flash on all my systems a few months ago, and have noticed barely any impact on my browsing. The only site I can think of that doesn't work is BBC News.
I have that setting already set - Flash is set to "Ask to Activate", which means it only runs on sites that I actually want it to run on.

Which prevents a lot of autoplaying videos, and also pages sometimes taking a long time to load on slow connections.

God will Flash just die already. Firefox is my primary browser and I run it without Flash. On the very odd occasion I need it I have IE in protected mode which has Flash built in. If a site does use Flash I will seek an alternative though as I hate it that much.

On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.

> God will Flash just die already.

5 to 7 years ago I would have said the same thing, I hated Flash with a passion. But now, when it's almost gone for good, I see that it had its reasons. For example the new Google Street View is many times slower and lags so much as to give me motion sickness (when it's not blocking my browser) compared to the previous version, which was Flash-based, and which used to work like a charm.

The new Google Maps is also dramatically slower, laggier, and buggier than the old version which was a regular web app built to work on browsers from 2005.

I think the terribleness of recent Google web front-ends (not only Maps and Street View but also Search, Mail, Groups, Gplus, etc.) is mostly a product of incompetent management process internal to Google, rather than an indictment of web technology generally.

I genuinely agree with you here.

I've gone back to a desktop mail client (Thunderbird) and moved away from the web for this sort of thing myself.

As far as the web goes, I am very impressed at openstreetmap. That is fast, accurate and has more useful mapping data than anything else rather than fancy overlays and imaging.

While on vacation recently, I had to switch from Google Maps to OSMAnd. OSM map data was just as good for my purposes at least (arguably better), but the real motivating factor was just how fucking pathetic Google Maps on Android has become.

Just having it find my location became a chore. I'd be walking down the street looking at my phone the whole block, waiting for it to get my location. Many times it would show my location (with several miles of uncertainty) as being somewhere that I had not been for more than several hours. Other times it would just never find the location at all, not even having any idea what country, let alone city, I was in.

I downloaded OSMAnd and the province map data, and it was able to find my location within mere seconds every time. It was able to do it fast enough that if I clicked the power button as I was pulling my phone out of my pocket, it would have my position before my phone was in front of my face.

Unfortunately OSMAnd does not do transit routing, so I was attempting to use both at the same time. This gave me a direct comparison between how fast both were able to find my position, and how accurately. OSMAnd blows Google Maps away. I often resorted to typing in my "from" location in Google Maps, just so that I could use it to find routes for me while it was stalling on finding my location itself.

My location permissions were all correct. I tried wiping the application settings, with no luck. On the last day of my vacation I uninstalled all the google maps updates on my phone, and tried the version that shipped with it. It worked just fine.

If anybody else ever gets annoyed at Google Maps being unable to find their location in a timely manner, I highly recommend they try OSMAnd. It saved my vacation. As a bonus, it even behaves sensibly when on a boat.

FWIW, Google Maps are generally noticeably slower and laggier in Firefox when compared to Chrome.
Still, old one was faster.
The old Google Maps were orders of magnitudes faster than the current one in all browsers.

Despite Google's claim to the contrary, they obviously no longer care about performance for some of their web-products.

Maps straight-up crashes ff for me when zooming.
Have you filed a bug with Mozilla about that? Speed issues are one thing, but crashing is another.
Could never reproduce it consistently, and I'm always hesitent to file a bug without decent repro steps. Also, it seems to have been fixed in latest... maybe. Again, if I can't reproduce it consistently, I can't say if it's fixed or not.

I did go through the crash reporter.

So what I do in these situations is go to about:crashes, click on the appropriate crash id and look under the Related Bugs section. If there’s been a bug filed with the same signature then it’ll appear there. Alternatively, if it’s not been filed already you could click on ‘More Reports’ and look at the number of crashes. If it looks like a few you might want to file it with just the signature and no steps to reproduce; sometimes a signature and backtrace alone is enough to diagnose and fix (e.g. this one I filed recently: https://bugzilla.mozilla.org/show_bug.cgi?id=1163945 ).
Same with Inbox and Sheets. It's really getting annoying, since I prefer Firefox.
The first version they bought and re-branded. The second version was developed in house using the purchased technologies. It's sad the stuff developed in house seems to be worse.
Flash should still have its legitimation as an authoring tool. I think the direct approach in which you can throw together a scene or an animation has its value. The tools you use influence design decisions. Of course, technology wise, we should be happy without it. But if you always start a project with coding first, it limits your thinking. I fancy all the nice webgl demos and data visualizations, but they mostly lack a meaningful human perspective. Authoring tools like Flash and Director did provide a different feedback loop, not a data point of view but a narrative one.
Strongly agree.

The company I work for makes interactive/animated training media. While I work as a coder doing mostly server-side stuff, I can vouch for the power that the Flash authoring environment provided. It was rather similar to something like Unity, with a tightly integrated scenegraph and coding environment. For our team of animators who (by necessity, not by choice) picked up some coding chops on the job, it was a huge blessing.

Moving everything over to web technology has been extremely painful for exactly one reason: lack of a decent authoring workflow for interactive animations. There's nothing that can even touch Flash in this regard.

The problem is the long tail of sites or site features that don't work without flash and users who rely on those sites or site features.

I've heard Facebook video and last.fm streaming don't work without Flash for eg.

Maybe you missed this ? But this whole discussion on the death of Flash was started by Facebook: http://thenextweb.com/facebook/2015/07/13/flash-aah-aah-its-...
Every video on Facebook still relies on Flash though. So I'm not sure why they haven't put their money where their mouth is about it yet? Would make Facebook a lot more accessible in most cases for me not having to rely on Flash whatsoever just to view a video. I usually end up not watching a number of videos after I realize it wont let me watch them without Flash.
I wonder if they're trying to wait out Firefox on the MP4 vs. WebM/Ogg issue. They've already gone HTML5 on the mobile versions.
Facebook is migrating from Flash to HTML5 video. As of last week, they are serving HTML5 video to users running Windows 7+, including Firefox users. Firefox supports H.264 video on Windows Vista+ and OS X because those platforms ship H.264 decoders.
Guess Linux gets excluded once again? Cause they keep pushing Flash to me, even though I have H.264?
> I've heard Facebook video and last.fm streaming don't work without Flash

Regarding Facebook video, I fail to see how that is a bad thing ;)

I was surprised about last.fm not working without flash but it turned out to be ad blocker problem.
Tidal and Deezer are others which require flash. Both have desktop apps, however.. Tidal's desktop app is awful and laggy to the extent I prefer using the web interface; Deezer's Windows app lacks some features compared to the web player.
These music streaming sites use Flash because they want DRM.
Is there alternative to Flash which also gives you DRM?
For browsers that support EME, they can use the "Clear Key" key system that is part of the EME standard. It's not as secure as other DRM (because the decryption key is briefly exposed on the client), but it does not require any third-party license server like Google Widevine, Microsoft PlayReady, or Adobe Primetime. For a streaming music service, it is probably an adequate deterrent for ripping streams.

http://www.html5rocks.com/en/tutorials/eme/basics/#clear-key

The spotify web player unfortunately requires flash as well.
> On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.

That is primarily because of the flash ads being dumped. An ad/flash/js blocker achieves much the same and then some by further reducing the latency to collect everything needed to render.

Will someone actually go ahead and implement the required features in the browsers? Last I checked there is still no cross-platform way to do video publishing without flash. The option we now all have is multiple platform specific implementations.
Unfortunately Flash still fills a couple gaps in browser support: live video streaming and adaptive bit rate streaming (live or recorded).

I posted a similar comment about it the other day: [0]

Personally I would like to see HTTP Live Streaming (HLS) [1] implemented in the all the browsers, it's a nice lightweight protocol and would be the path of least resistance since it's already used heavily in the mobile space.

[0] - https://news.ycombinator.com/item?id=9874338

[1] - https://tools.ietf.org/html/draft-pantos-http-live-streaming...

Agreed. I was looking into this streaming/live video issue as well and there really is no cross platform method of doing this without having a Flash fallback.

For everything else however (like pre-recorded video, games via WebGL), Flash should be phased out.

Even for pre-recorded video you still need Flash if you want to implement adaptive bitrate streaming in order to provide multiple quality levels and have the client automatically switch between them rather than buffer.
Mozilla performance dev here: Our data backs this up. 4 out of 10 of our top most frequent janks are due to Flash initialization. I'm working to make that all work asynchronously until the time comes when we can kill NPAPI altogether.
From the page:

"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues."

This implies that it will be reactivated soon and this isn't a permanent block. It looks like the same mechanism that blocks old and vulnerable versions of plugins like Silverlight.

That said, I've not installed flash in years. I use Firefox as my main browser with no plugins and IE/Chrome have it embedded (both auto-update with no system restart required).

I've been maintaining the FreeBSD port of the Flash 11 linux software for a year or so.

The one thing I have learned during that time is:

How to write a good VuXML entry.

I agree with the general sentiment of removing Flash, and will do my part in convincing others that FreeBSD (and, derived, PC-BSD and FreeNAS) should probably consider setting an expiration date for Flash, then at that date delete it.

(comment deleted)
Overall, it's a good thing. Flash is a proprietary technology from the past. Lets move on guys...
Let's move on to Silverlight!
If only that were the case, but they're abandoning Silverlight. It was actually much more stable for me under Linux than Flash ever was sadly, but they stopped developing Moonlight as well.
To what? Last I checked the browsers haven't implemented a proper means of doing cross-platform video publishing (video + audio) reliably yet.