I made it my new year's resolution in 2015 to have Flash disabled. For my use case, it works great. Longer battery, less heat, and the internet still works.
I do turn it on (enable) every now and then for some sites, but very few/infrequently and turn it off right after.
I have all plugins disabled by default on my Chrome. I assume it's mostly Flash. It's very little disruption, actually:
* Plugins can be enabled using one click;
* The "Copy shortcut" widgets are disabled by default. Too bad, 2 clicks instead of one.
* Some videos are disabled on some news website. Too bad they won't be able to auto-play.
* I very rarely encounter websites (less than once in a month) where invisible plugins are required, so I need to restart the page with all plugins activated. I think Google's Not-a-robot Captcha has difficulties with that, if I remember well.
Why on earth should Firefox ship a different HTML5 engine for Linux than for the other OSes? To me, it doesn't make a lot sense to assume Firefox provides a better HTML5 implementation for all other operating systems.
With all due respect, this comment seems to be more of an overall anti-Linux sentiment.
Actually, Firefox uses the platform decoders to decode patented codecs like H264 or AAC. So the operating system does play a role. I also think it's not unreasonable to believe that hardware accelerated H264 decoding works less well on Linux.
Good catch. So replacing "HTLM5" with "video codes", this may have a point.
But I'm still wondering, as we have very good decoders from projects like FFmpeg and VLC. (Not sure which of all those decoders are used by Firefox.) These are platform independent and to my experience better than the platform specific libraries.
For example, I often hear that people install VLC under Windows because it decodes lots of video formats better than the natively available Windows Media Player. So the native Windows libraries probably aren't that good.
Also, at least the FFmpeg project explicitly states that they don't care about patent FUD, so we can safely assume they don't cripple their decoders in the fear of violating patents: https://www.ffmpeg.org/legal.html
Firefox can actually use ffmpeg as a decoder. It would be a great option for supporting a lot of these formats. However, Mozilla can't ship it enabled, because the patent problem is very real. See, for example, all of the Play Store apps that got C&D letters from Dolby for using ffmpeg's implementation of AC3.
Firefox does ship a lot of other video and audio codecs though, such as vorbis, opus, theora, vp8, and vp9. It's recommended to use these for HTML5 when possible because they can be easily supported everywhere.
Just a minor nitpick: Under Linux, people don't download from Mozilla but have it installed by default. If not, they install via package manager and not via download from Mozilla.
So it's not Mozilla making that decision, but the respective Linux distros. But of course they have the same problem.
I believe a good compromise would be to check if ffmpeg is installed on the system, and use it only when available. So the user would have to install ffmpeg directly.
That would be a very different situation from including code from ffmpeg directly into some app.
When all browsers disable Flash, a ton of old artistic content will become unaccessible. I'm thinking specifically about Homestuck animations and minigames, but other people will have their own favorites. Is there a good transition plan?
However, it will also make it more secure by making it less of a target for hackers. If you have to enable it only for certain content … then great. That’s how it should be at this point.
Seems like only a temporary block. Mozilla isn't brave enough to put it out of its misery like it belongs. Still some big sites using it though, like Twitch.
My firefox has been blocking flash for a while (I've not updated it, so it doesn't load the old version.). The only site I switch to Chrome for has been twitch.
For anything else html5 video has been generally working. I've noticed a lot fewer annoying adverts too which is a bonus.
If Mozilla finally managed to implement the encoding Twitch uses for mobile devices, I'd finally be able to uninstall that pile of shit. Sadly it's a licensing issue.
I've been trying to solve this on Ubuntu 14.10. There does not seem to be an update path. I've installed the deb on https://get.adobe.com/flashplayer/ which does not resolve it.
"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues."
Good new for you. In September 2015 Google going to completely remove NPAPI support from Chrome. So Unity3D plugin will no longer work in Chrome and likely noone will use it for new projects.
I find amusing that visiting that same page triggers the 'Firefox has prevented the outdated plugin "Adobe Flash" from running on support.mozilla.org.' warning.
he could meant JDK, the server runtime many things in Java. and I know the thread Im posting. you do not need to tell me. You do not need to mention it like that.
Flash always have security issues and Adobe do their best to fix them.
On the consumer side of things, flash is not so bad. Sure search engines couldn't read it but there is amazing content generated through it. The content is,what matters and unfortunately the Web is littered with abusive flash objects auto playing videos, audio, full screen ads and those won't simply go away with flash.
At least with flash I can easily disable it. But those auto playing html5 videos and audios ads are just as annoying. Now I need plug ins to disable native capability.
It's only a matter of time until all ads move to the medium and we find ourselves complaining.
It's not really a matter of ads, ads move the internet so they will always be there. It's a matter of security, flash has always been a source of flaws to be exploited. Like.. always, sometimes "trying their best" was really not effective.
One option was to go down the Click-to-Play route which offers a HORRIBLE UX. Especially on Youtube which still uses Flash by default.
Disabling Flash however, Youtube actually seamlessly falls back to HTML video. Well done. But I can't help but think, outside the Youtube world (BBC for e.g.). LOTS is going to break. I wouldn't take this tact with my parents or clients.
This is something that Safari on OS X gets so right, that I've long been amazed (and annoyed when I have to use other browsers) that the other browsers don't copy the functionality.
In Safari, if you tab out a new page, it will load the content but pause it until you show the page. So you can tab out a bunch of video pages and they each only autoplay when you tab through them.
Wanting the same functionality on Chrome seemed to involve plugins or clicking (which has now turned into right clicking and choosing play).
If you disable Flash completely then Youtube works fine with HTML5 video. However, when Flash is set as click to play then Youtube still prompts to enable Flash. Annoying.
You can use this page to see if your browser will use HTML5 by default, and set a cookie to try HTML5 instead of Flash if it's not the default. https://www.youtube.com/html5
I'm late to respond to this, but this is really not true (speaking as a several-year (and current) user of click to play Flash).
I would suggest checking the https://www.youtube.com/html5 page sp332 suggested to see if you have checks in all those boxes and making sure you're using a recent version of whatever browser you're running[1]. Only if your browser doesn't support the needed html5 video features does it switch back to flash.
Unfortunately in this case avoiding the problem won't make it go away.
Many old sites will stop working (my first site was done in flash) as well as many games that are still heavily played today by millions of people. Also flash IDE provides a good introduction to programming for self-taught kids these days: many of them still do their first code in flash after clicking on "that strange icon next to photoshop".
Overall this is a good example of prolonged trusting a binary blob. IMO we will always tend to do what is more comfortable and we should strive for openness and transparency in the tools that most people rely for everyday.
The problem persists as long as there are people installing the plugin or "enabling" it.
We need a real open-source alternative to flash player.
> We need a real open-source alternative to flash player.
We quietly built the alternative to Flash over the last 10 years. It's called the web.
A standard document in the web browser can play audio, video, display vector graphics, utilise OpenGL, supports direct drawing via Canvas, and it is deeply scriptable with a mature, open programming language.
Why? Copy FROM clipboard would be, sure. Copy TO clipboard... OK, I can come up with scenarios where it'd be a problem, but they're pretty far-fetched.
Run a timer overwriting your clipboard every 10ms. Prevent you from copying anything off a webpage and instead replacing it with a copyright notice. Etc., etc., etc.
Flash has offered these same clipboard APIs for years and these clipboard "attacks" have never been a problem before. I don't see how replacing Flash clipboard APIs with HTML clipboard APIs will change web developers' behavior.
I need all of those things to look exactly the same in each and every browser, instead of corrupted icons or broken navigation because the developer tested it in Chrome for Windows but neglected, say, Iceweasel for Debian.
I have yet to find a non-flash game capable of doing that. And if the alternative is "we should discard this closed binary that works in every platform in favor of this free-but-browser-dependant stack", I find that odd.
Well then you don't want an open source Flash, because that will undoubtedly be different to the official one in the same way that browsers are different to each other.
The age old test of any platform is the ability to run games, and HTML5 just isn't there when put next to Flash or native apps. And I'm not talking the bleeding edge stuff, but simple things like getting sound to work between browsers (a task that Flash did very well). Although to be fair the gatekeepers of browsers are Apple and Google who want you to pay the app store tax.
That's like saying “The ‘Web’ can't display images, the ‘Web’ needs plug-ins to do so. Plug-ins like libjpeg or giflib”.
Right now, you can put a <video> or <audio> tag on a page and it will work in something like 95% of the browsers in use. That's already better than Flash and going up as IE8 users upgrade to newer versions of IE or install Chrome/Flash.
Sure, you can't rely on users not recompiling their browser to disable it but you also can't rely on 100% support for anything on the web – users disable image loading, plugins, stylesheets or JavaScript, install incredibly overzealous ad-blockers, use ISPs which tamper with page contents, etc.
When i wanted to start programming one of the things I tried was flash. I absolutely couldn't figure out what the fuck was going on even with tutorials, it's garbage.
That's strange, I found Flash programming very accessible. There's a huge amount of good learning material out there, and plenty of shortcuts and components you can use to do quite complex things.
Flash components were really interesting, and made it easier for non-programmers, or designers to manipulate a user-friendly "API" of sorts within Flash. This was very powerful. Hugely underrated and conventionality forgotten by the Flash-haters.
In terms of accessibility, my first two "serious" coding projects in high school were an interactive library map and a Latin flashcard quiz game written in Flash and Perl, respectively. At the end of the projects, I decided to focus my efforts on the more intuitive of the two languages, Perl.
Granted, it's just an anecdote, but I wonder what I missed that made others find Flash so accessible.
In my experience at least, when I talk about "Flash programming" I'm not just referring to Actionscript, but the whole package, the whole Flash suite including manipulating the timeline and multimedia objects programmatically.
Sounds like you favour Perl over Actionscript. From what I know of both, they are not commonly compared! But as with many things in this business, it all depends on your needs, likes, and the project requirements.
I uninstalled Flash a few days ago, because I didn't want to deal with the updates anymore. Since Flash was unbundled from Mac OS X it has become a pain to update. I simply don't understand why I need to go to the Adobe site to get the updates.
Flash isn't super relevant anymore anyway, the main thing it's used for on my computer is Flash tracking cookies, and I can do without those. I do wonder how some of the tracking and retargeting companies will deal with the decline of Flash though. We asked a partner to stop using Flash for tracking, their response was that it's the best way to doing user tracking. Hopefully they'll change their mind soon.
The only other place where I've found that flash is relevant is in auto-play videos, so now with flash installed but disabled is basically removing the auto-play 'feature', which is really neat.
The update process is horrendous. Redirect to Adobe's website, follow a 3-step 'wizard' - where Step 2 is a placebo 10-second loading bar saying it is "initialising" - and Step 3 is an advertisement for installing other crap from Adobe.
After all that you have to download a DMG, close all your applications and reinstall from scratch. Why not just build in an auto-update in the background and be done with it...
On Windoze, I always go to google for "flash player distribution3" and install the MSI packages for enterprise deployment. That keeps me from the malware bundle.
On the Mac, it's easy, I use Chrome as my Flash jail. I use Safari all the time and the few times I need Flash I fire up Chrome and it's there. Don't have to worry about Flash hacks or Chrome battery drainage.
I have Chrome with flash installed (not that it gave me any choice), but other than that I haven't had flash for maybe two years. If I need to play Flash, I just open Chrome for that. Facebook is one of the last common offenders with its flash videos on desktop version. I can't comprehend why...
Bugs are always bad (and security bugs even more so) - but I've always felt that Flash gets a disproportional amount of hate/hype in the media. To some degree it should be normal that the more widespread a technology is - the more it gets targeted for security exploits.
If you run the popular browsers/plugins against the National Vulnerability Database, you'd get the following results (as of January 2014):
- Internet Explorer 366 total vulnerability issues (314 high severity)
- Google Chrome 235 total vulnerability issues (154 high severity)
- Adobe Flash 207 total vulnerability issues (169 high severity)
- Mozilla Firefox 190 total vulnerability issues (86 high severity)
- Oracle Java 161 total vulnerability issues (69 high severity)
Yes, but Flash alone doubles the attack vector of a browser - that's nothing to be sneezed at. I think it's particularly poignant when you look at the high severity metric.
I am not sure the attack vector argument is 100% valid here, as flash replacement technologies constantly add attack vectors to modern browsers, too. Many traditional Flash features are now covered by webGL accelerated browser functionality, like accelerated 2D canvas elements. My guess would be that this browser-gpu bridge creates a whole zoo of GPU driver related security issues which attackers might focus on once flash is completely obsolete. (My money is on a remote code execution vulnerability in the Firefox Adobe DRM module.)
So Flash is second in terms of number of high severity bugs and first in terms of the percentage of bugs that are high severity, only being beaten by Internet Explorer. By your evidence the hate for Flash is quite justifiable.
Flash bugs are more important because the are crossbrowser. I will still use Flash though on older computers, because it needs less resources for video.
Remote code execution exploits were found in Firefox at least once per month during the first half of 2015. The only reason we didn't hear about these cataclysmic exploits is because it wasn't Flash.
Hackers search for remote code execution exploits in Flash first and foremost because they know a successful Flash exploit will reach the highest number of targets (90% or more on the desktop) whereas only 44% of desktop machines are running Chrome and 15% are running Firefox.
Hackers seeking out and exploiting RCE bugs in Firefox is unheard of for the same reason malware targeting Macs has been virtually unheard of over the past decade: It's not that OS X is more secure; it's simply that Windows is a more lucrative target.
Mozilla seems to take anywhere from 1 to 3 months to fix these severe bugs. Adobe takes days.
Source for this complete and utter FUD? Certainly not the links you gave:
Jan 11, 2015: Originally reported to Mozilla as a low-severity DoS, which turned out to be already patched in trunk
Jan 13, 2015: Firefox 35.0 shipped with patch
It's hard to get dates out of the others because the bugs are still hidden, but the "fixed in" is often a security fix update after a release, which means it can't possibly have been > 6 weeks.
They do get more bad press than perhaps others should. There is already a perception about Flash that it is not a great product, which feeds into this. Reasons are varied.
- Performance has not been good on Macs (my 2007 Macbook Pro literally burned my legs when running anything flashy)
- Flash updates mechanism seems a little spammy.
- Long-term perception of Adobe as a maker of a somewhat buggy, somewhat bloated software
- Steve Jobs' public denigration
- Backlash against proprietary standards being used on the web
The best thing about click to play Flash is it puts a stop to autoplay videos on the less reputable sites I occasionally and shamefully glance at for sports news.
I don't think the hate comes from bugs or exploits.
I think people hate flash because it is laggy, slow, make things move in your screen you don't want, widely use for ads or to shit on the user experience, etc.
Granted most of it might be bad programming, but I still think he comes from here rather than exploits.
Turing-complete machine running untrusted code is a nightmare for security. There always be bugs and exploits, it's just a matter of time and effort to find them.
JavaScript enabled by default is already bad enough. We don't need Flash, Java, ActiveX or anything similar turned on by default. So it's a good move from security viewpoint. Less attack surface.
I have a lot of experience of end users and they are forever telling me that they get so many different "Update this", "Update that" windows that they can no longer distinguish real from fake. Some of them have been tricked by fake web site pop-ups as a result, others ignore legitimate update messages. I do not blame them.
Internet Explorer and Google Chrome get updated in a way that most end users find to be simple to understand, particularly with Chrome. Firefox is also quite good in this regard. All of them are reliable - it is rare, IME, to come across a Windows Update, Firefox or Chrome instance which is silently failing to update. Or not even bothering to prompt to update.
Flash, however often I install it, just doesn't seem to auto-update reliably. Quite often it only does so after a user log on/reboot, which doesn't happen much in the days of standby. Even on brand new, fresh Windows installs (so we know the OS/Flash isn't broken), I test Flash from time to time and it just doesn't prompt to update at all on some occasions. This is what makes Adobe's poor track record exponentially worse - that their software update mechanism is crap at best.
I was gobsmacked when Microsoft declared they were going to start updating Flash via Windows Update. Gobsmacked and so very relieved. It felt like they'd walked into Adobe's office, grabbed their fire extinguishers and told them "You are so useless that when there's a fire, WE will come and put it out, since you don't seem able to. We are sick of our offices getting burned down because of your idle incompetence."
I won't even address Oracle's Java. Bundling malware with their updater is tantamount to crime.
Flash also comes with McAffee (or some other bundleware). I wouldn't be surprised if the reason why they haven't made a proper auto-updater is because of that. That they'd miss out on those miniscule profits they get from that.
Yeah, I've been wondering why Adobe sticks to a "visit our website and manually download the new version" update model in this day and age. I think you found the answer.
If you keep ignoring the update prompt, Flash will quietly update itself after 45 days. That's long enough for every interested party to pwn your machine.
This right here pretty much kills any sympathy I had for Adobe in this matter. They sit on their hands for far too long when vulns are announced, and when they do get updates out, they use a completely backwards and useless update model in the name of extracting a few pennies per user.
I have a lot of experience of end users and they are
forever telling me that they get so many different "Update
this", "Update that" windows that they can no longer
distinguish real from fake. Some of them have been tricked
by fake web site pop-ups as a result, others ignore
legitimate update messages. I do not blame them.
One solution to this is to use AdBlock Plus. When a site permits adverts that threaten a computer's security, it is time to add it to the blocklist.
It seems to work ok if you install it for them - I now tend to do that for non tech users who I help out. Though usually uBlock rather than AdBlock Plus. It's scary if you go to a download site these days how many fake download buttons there are near the real one if you don't do something like that.
One notable exception is Major Geeks. However, it's important to donate them a few bucks for staff and bandwidth because they are giving up a ton of money by not bundling crapware and confusing people.
http://www.majorgeeks.com/mg/topdownloads/index.html
I have had multiple non-technical friends, in one case on a fresh install I'd done myself, run into the Flash update window simply showing a gray background that never does anything.
The best solution for this, from Adobe's own forum? Find the corporate-deployment version, download that (ignoring the messages that say it isn't what you want) and run it. This works flawlessly, but even less automatically.
Both the Flash and Java updates almost feel like "Pay Attention To Me!" Just like all those discount cards that exist in part so you carry around a fetish with the corporate logo.
Yes! I admin my parents' computers and after trying to explain which 'update' windows are genuine, I realised that there just isn't a good way to tell them apart.
Silent auto-updates are really the right way to go for non-techies. Even the post-upgrade 'announcement' popups are confusing. For instance, I've installed Ghostery on their computers and the 'ghostery has been updated' popup is just confusing for them, leading to confusion and phone calls to me.
Flash also doesn't seem to auto-update for them, despite me setting it up. I don't understand it either, as they turn off & on the machine regularly. Why can't Adobe get this right?
That's the real reason they don't want a auto-update. Google pays them a lot for bundling Chrome(I think it's around $1 per install). They keep breaking the auto-update on purpose so that they can make a ton of money by bundling other software. Same with Java updates.
Shock, the only browser that still uses NPAPI is the descendant of the one that invented it!
Really, at this point I think Mozilla is more interested in just getting rid of plugins than trying to implement an alternative to NPAPI - why put all the effort in to support something like PPAPI when plugins should be dead within the decade anyway?
Cost/benefit seems higher for Flash/Java than browsers. You really need a browser, but you don't really need a [fancy thing that can't be done in JS]. As another commenter said, it doubles your attack surface and for little benefit.
Flash game enthusiasts would probably disagree, but most of us can probably do without it given the risk.
As an enthusiast for a handful of flash games, it is increasingly tempting to make a VM just for running them. Even then, with all the progress in Javascript, it's questionable whether I should bother.
Yes but Flash vulnerabilities are incremental vulnerabilities.
So just counting high severity vulnerabilities, the chart is
IE: 314. IE with Flash: 483.
Chrome: 154: Chrome with Flash: 323.
Firefox: 86. Firefox with Flash: 255.
And of course, you can add a third column for Java and a fourth column for browser with Flash and Java.
I have no idea what their bugs-per-line-of-code are, perhaps they have the finest code on the planet. But from a surface area perspective, installing Flash makes you more vulnerable, period. And it really is not necessary, whereas it’s not like you can browse the web in pure Flash and not install a browser.
>But from a surface area perspective, installing Flash makes you more vulnerable, period.
So does turning on Javascript. Yet the popular opinion these days is that disabling Javascript makes you a luddite. Mozilla even hid the option for it in Firefox.
> If you run the popular browsers/plugins against the National Vulnerability Database...
That's misusing statistics, you can't determine how secure something is by just summing up the number of vulnerabilities - equally weighing/comparing browsers with a plugin etc.
By the way, Apple's opinion on Flash in 2010:
Third, there’s reliability, security and performance.
Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.
Also, considering the track record of Flash on Android, your opinion is not supported by historical fact. It is very clear that Adobe is not on the ball to anyone who pays attention.
Flash was never "blocked" on Apple devices. Rather, Safari on iOS simply doesn't support plugins. You can't install Java, Silverlight, or Unity 3D plugins either.
Sure, and one of those business reasons is keeping bloated, buggy software that is ill-suited to mobile devices away from their phone's user experience.
Another point that hasn't been raised yet: Flash is a much smaller software than a browser, how come it has more bugs ? It certainly speaks for it's internal code quality.
In general, plugins are supposed to improve a product by adding or enhancing existing features. Flash however enables websites to break out of the HTML, CSS and JS environments and their security constraints, which should mean that flash have a larger responsibility regarding security. If Flash lived under the constraints of the browser own security, then flash bugs would barely register as news worthy.
I uninstalled/disabled flash on all my systems a few months ago, and have noticed barely any impact on my browsing. The only site I can think of that doesn't work is BBC News.
God will Flash just die already. Firefox is my primary browser and I run it without Flash. On the very odd occasion I need it I have IE in protected mode which has Flash built in. If a site does use Flash I will seek an alternative though as I hate it that much.
On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.
5 to 7 years ago I would have said the same thing, I hated Flash with a passion. But now, when it's almost gone for good, I see that it had its reasons. For example the new Google Street View is many times slower and lags so much as to give me motion sickness (when it's not blocking my browser) compared to the previous version, which was Flash-based, and which used to work like a charm.
The new Google Maps is also dramatically slower, laggier, and buggier than the old version which was a regular web app built to work on browsers from 2005.
I think the terribleness of recent Google web front-ends (not only Maps and Street View but also Search, Mail, Groups, Gplus, etc.) is mostly a product of incompetent management process internal to Google, rather than an indictment of web technology generally.
I've gone back to a desktop mail client (Thunderbird) and moved away from the web for this sort of thing myself.
As far as the web goes, I am very impressed at openstreetmap. That is fast, accurate and has more useful mapping data than anything else rather than fancy overlays and imaging.
While on vacation recently, I had to switch from Google Maps to OSMAnd. OSM map data was just as good for my purposes at least (arguably better), but the real motivating factor was just how fucking pathetic Google Maps on Android has become.
Just having it find my location became a chore. I'd be walking down the street looking at my phone the whole block, waiting for it to get my location. Many times it would show my location (with several miles of uncertainty) as being somewhere that I had not been for more than several hours. Other times it would just never find the location at all, not even having any idea what country, let alone city, I was in.
I downloaded OSMAnd and the province map data, and it was able to find my location within mere seconds every time. It was able to do it fast enough that if I clicked the power button as I was pulling my phone out of my pocket, it would have my position before my phone was in front of my face.
Unfortunately OSMAnd does not do transit routing, so I was attempting to use both at the same time. This gave me a direct comparison between how fast both were able to find my position, and how accurately. OSMAnd blows Google Maps away. I often resorted to typing in my "from" location in Google Maps, just so that I could use it to find routes for me while it was stalling on finding my location itself.
My location permissions were all correct. I tried wiping the application settings, with no luck. On the last day of my vacation I uninstalled all the google maps updates on my phone, and tried the version that shipped with it. It worked just fine.
If anybody else ever gets annoyed at Google Maps being unable to find their location in a timely manner, I highly recommend they try OSMAnd. It saved my vacation. As a bonus, it even behaves sensibly when on a boat.
Could never reproduce it consistently, and I'm always hesitent to file a bug without decent repro steps. Also, it seems to have been fixed in latest... maybe. Again, if I can't reproduce it consistently, I can't say if it's fixed or not.
So what I do in these situations is go to about:crashes, click on the appropriate crash id and look under the Related Bugs section. If there’s been a bug filed with the same signature then it’ll appear there. Alternatively, if it’s not been filed already you could click on ‘More Reports’ and look at the number of crashes. If it looks like a few you might want to file it with just the signature and no steps to reproduce; sometimes a signature and backtrace alone is enough to diagnose and fix (e.g. this one I filed recently: https://bugzilla.mozilla.org/show_bug.cgi?id=1163945 ).
The first version they bought and re-branded. The second version was developed in house using the purchased technologies. It's sad the stuff developed in house seems to be worse.
Flash should still have its legitimation as an authoring tool. I think the direct approach in which you can throw together a scene or an animation has its value. The tools you use influence design decisions. Of course, technology wise, we should be happy without it. But if you always start a project with coding first, it limits your thinking. I fancy all the nice webgl demos and data visualizations, but they mostly lack a meaningful human perspective. Authoring tools like Flash and Director did provide a different feedback loop, not a data point of view but a narrative one.
The company I work for makes interactive/animated training media. While I work as a coder doing mostly server-side stuff, I can vouch for the power that the Flash authoring environment provided. It was rather similar to something like Unity, with a tightly integrated scenegraph and coding environment. For our team of animators who (by necessity, not by choice) picked up some coding chops on the job, it was a huge blessing.
Moving everything over to web technology has been extremely painful for exactly one reason: lack of a decent authoring workflow for interactive animations. There's nothing that can even touch Flash in this regard.
Every video on Facebook still relies on Flash though. So I'm not sure why they haven't put their money where their mouth is about it yet? Would make Facebook a lot more accessible in most cases for me not having to rely on Flash whatsoever just to view a video. I usually end up not watching a number of videos after I realize it wont let me watch them without Flash.
Facebook is migrating from Flash to HTML5 video. As of last week, they are serving HTML5 video to users running Windows 7+, including Firefox users. Firefox supports H.264 video on Windows Vista+ and OS X because those platforms ship H.264 decoders.
Tidal and Deezer are others which require flash. Both have desktop apps, however.. Tidal's desktop app is awful and laggy to the extent I prefer using the web interface; Deezer's Windows app lacks some features compared to the web player.
For browsers that support EME, they can use the "Clear Key" key system that is part of the EME standard. It's not as secure as other DRM (because the decryption key is briefly exposed on the client), but it does not require any third-party license server like Google Widevine, Microsoft PlayReady, or Adobe Primetime. For a streaming music service, it is probably an adequate deterrent for ripping streams.
> On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.
That is primarily because of the flash ads being dumped. An ad/flash/js blocker achieves much the same and then some by further reducing the latency to collect everything needed to render.
Will someone actually go ahead and implement the required features in the browsers? Last I checked there is still no cross-platform way to do video publishing without flash. The option we now all have is multiple platform specific implementations.
Unfortunately Flash still fills a couple gaps in browser support: live video streaming and adaptive bit rate streaming (live or recorded).
I posted a similar comment about it the other day: [0]
Personally I would like to see HTTP Live Streaming (HLS) [1] implemented in the all the browsers, it's a nice lightweight protocol and would be the path of least resistance since it's already used heavily in the mobile space.
Agreed. I was looking into this streaming/live video issue as well and there really is no cross platform method of doing this without having a Flash fallback.
For everything else however (like pre-recorded video, games via WebGL), Flash should be phased out.
Even for pre-recorded video you still need Flash if you want to implement adaptive bitrate streaming in order to provide multiple quality levels and have the client automatically switch between them rather than buffer.
Mozilla performance dev here: Our data backs this up. 4 out of 10 of our top most frequent janks are due to Flash initialization. I'm working to make that all work asynchronously until the time comes when we can kill NPAPI altogether.
"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues."
This implies that it will be reactivated soon and this isn't a permanent block. It looks like the same mechanism that blocks old and vulnerable versions of plugins like Silverlight.
That said, I've not installed flash in years. I use Firefox as my main browser with no plugins and IE/Chrome have it embedded (both auto-update with no system restart required).
I've been maintaining the FreeBSD port of the Flash 11 linux software for a year or so.
The one thing I have learned during that time is:
How to write a good VuXML entry.
I agree with the general sentiment of removing Flash, and will do my part in convincing others that FreeBSD (and, derived, PC-BSD and FreeNAS) should probably consider setting an expiration date for Flash, then at that date delete it.
If only that were the case, but they're abandoning Silverlight. It was actually much more stable for me under Linux than Flash ever was sadly, but they stopped developing Moonlight as well.
397 comments
[ 2.7 ms ] story [ 321 ms ] threadI do turn it on (enable) every now and then for some sites, but very few/infrequently and turn it off right after.
* Plugins can be enabled using one click;
* The "Copy shortcut" widgets are disabled by default. Too bad, 2 clicks instead of one.
* Some videos are disabled on some news website. Too bad they won't be able to auto-play.
* I very rarely encounter websites (less than once in a month) where invisible plugins are required, so I need to restart the page with all plugins activated. I think Google's Not-a-robot Captcha has difficulties with that, if I remember well.
Did you mean any specific codec for video playback, or something else?
Outside HTML5 scope, though.
Why on earth should Firefox ship a different HTML5 engine for Linux than for the other OSes? To me, it doesn't make a lot sense to assume Firefox provides a better HTML5 implementation for all other operating systems.
With all due respect, this comment seems to be more of an overall anti-Linux sentiment.
But I'm still wondering, as we have very good decoders from projects like FFmpeg and VLC. (Not sure which of all those decoders are used by Firefox.) These are platform independent and to my experience better than the platform specific libraries.
For example, I often hear that people install VLC under Windows because it decodes lots of video formats better than the natively available Windows Media Player. So the native Windows libraries probably aren't that good.
Also, at least the FFmpeg project explicitly states that they don't care about patent FUD, so we can safely assume they don't cripple their decoders in the fear of violating patents: https://www.ffmpeg.org/legal.html
Firefox does ship a lot of other video and audio codecs though, such as vorbis, opus, theora, vp8, and vp9. It's recommended to use these for HTML5 when possible because they can be easily supported everywhere.
Just a minor nitpick: Under Linux, people don't download from Mozilla but have it installed by default. If not, they install via package manager and not via download from Mozilla.
So it's not Mozilla making that decision, but the respective Linux distros. But of course they have the same problem.
I believe a good compromise would be to check if ffmpeg is installed on the system, and use it only when available. So the user would have to install ffmpeg directly.
That would be a very different situation from including code from ffmpeg directly into some app.
If it's because you enjoy the Adobe Flash tooling, then Adobe is doing exporting to both Canvas and WebGL now.
http://www.adobe.com/inspire/2014/02/flash-html5-canvas.html
https://helpx.adobe.com/flash/how-to/flashpro-export-webgl.h...
There are plenty of PC Emulators aviable that run Windows XP and flash just fine. You shouldn't connect them to the internet though.
Look at what happened to Java applets.
It would be very sad to see this become the state of all the old flash games/animations.
For anything else html5 video has been generally working. I've noticed a lot fewer annoying adverts too which is a bonus.
There's no updated version yet.
There is support: http://pipelight.net/cms/installation.html
For me on debian it was install and it worked without even restarting the browser.
http://blog.chromium.org/2014/11/the-final-countdown-for-npa...
I chuckled when I saw this: http://i.imgur.com/CHqRSEZ.png
:)
On the consumer side of things, flash is not so bad. Sure search engines couldn't read it but there is amazing content generated through it. The content is,what matters and unfortunately the Web is littered with abusive flash objects auto playing videos, audio, full screen ads and those won't simply go away with flash.
At least with flash I can easily disable it. But those auto playing html5 videos and audios ads are just as annoying. Now I need plug ins to disable native capability.
It's only a matter of time until all ads move to the medium and we find ourselves complaining.
Disabling Flash however, Youtube actually seamlessly falls back to HTML video. Well done. But I can't help but think, outside the Youtube world (BBC for e.g.). LOTS is going to break. I wouldn't take this tact with my parents or clients.
My browsing workflow involves a lot of middle-clicking links to open them up in background tabs. Autoplaying video is major annoyance in this context.
In Safari, if you tab out a new page, it will load the content but pause it until you show the page. So you can tab out a bunch of video pages and they each only autoplay when you tab through them.
Wanting the same functionality on Chrome seemed to involve plugins or clicking (which has now turned into right clicking and choosing play).
No since January[1]. Maybe you have an old cookie set or something?
[1] http://youtube-eng.blogspot.com/2015/01/youtube-now-defaults...
I would suggest checking the https://www.youtube.com/html5 page sp332 suggested to see if you have checks in all those boxes and making sure you're using a recent version of whatever browser you're running[1]. Only if your browser doesn't support the needed html5 video features does it switch back to flash.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=778617 for the ongoing Firefox bug, but you should be good with MSE in recent Firefox on Youtube in particular (see last comment in that bug)
Many old sites will stop working (my first site was done in flash) as well as many games that are still heavily played today by millions of people. Also flash IDE provides a good introduction to programming for self-taught kids these days: many of them still do their first code in flash after clicking on "that strange icon next to photoshop".
Overall this is a good example of prolonged trusting a binary blob. IMO we will always tend to do what is more comfortable and we should strive for openness and transparency in the tools that most people rely for everyday.
The problem persists as long as there are people installing the plugin or "enabling" it.
We need a real open-source alternative to flash player.
We quietly built the alternative to Flash over the last 10 years. It's called the web.
A standard document in the web browser can play audio, video, display vector graphics, utilise OpenGL, supports direct drawing via Canvas, and it is deeply scriptable with a mature, open programming language.
What else do you need?
(Github project pages have a flash application to handle this)
However the API is god awful.
To be fair, it's basically a proprietary IE5 API that's now been standardised (like quite a few others).
Amazing, thanks.
I need all of those things to look exactly the same in each and every browser, instead of corrupted icons or broken navigation because the developer tested it in Chrome for Windows but neglected, say, Iceweasel for Debian.
I have yet to find a non-flash game capable of doing that. And if the alternative is "we should discard this closed binary that works in every platform in favor of this free-but-browser-dependant stack", I find that odd.
Bad example, because Flash for Linux has been discontinued in all flavours except PPAPI so it wouldn't work in Iceweasel.
The 'Web' can't play video or audio, the 'Web' needs plug-ins to do so. Plug-ins like H264 decoders and Flash.
Right now, you can put a <video> or <audio> tag on a page and it will work in something like 95% of the browsers in use. That's already better than Flash and going up as IE8 users upgrade to newer versions of IE or install Chrome/Flash.
Sure, you can't rely on users not recompiling their browser to disable it but you also can't rely on 100% support for anything on the web – users disable image loading, plugins, stylesheets or JavaScript, install incredibly overzealous ad-blockers, use ISPs which tamper with page contents, etc.
https://www.as.cmu.edu/application/pref_1.gif
* Adaptive bit rate video streaming (recorded or live)
Nice to have but not required:
* Full H.264/AAC support across all browser.
Unfortunately Flash is the only viable solution for the above right now.
Flash components were really interesting, and made it easier for non-programmers, or designers to manipulate a user-friendly "API" of sorts within Flash. This was very powerful. Hugely underrated and conventionality forgotten by the Flash-haters.
Granted, it's just an anecdote, but I wonder what I missed that made others find Flash so accessible.
Sounds like you favour Perl over Actionscript. From what I know of both, they are not commonly compared! But as with many things in this business, it all depends on your needs, likes, and the project requirements.
Flash isn't super relevant anymore anyway, the main thing it's used for on my computer is Flash tracking cookies, and I can do without those. I do wonder how some of the tracking and retargeting companies will deal with the decline of Flash though. We asked a partner to stop using Flash for tracking, their response was that it's the best way to doing user tracking. Hopefully they'll change their mind soon.
After all that you have to download a DMG, close all your applications and reinstall from scratch. Why not just build in an auto-update in the background and be done with it...
If you run the popular browsers/plugins against the National Vulnerability Database, you'd get the following results (as of January 2014):
[source] https://nvd.nist.gov/January 20, 2015: https://community.rapid7.com/community/metasploit/blog/2015/...
February 25, 2015: https://msisac.cisecurity.org/advisories/2015/2015-018.cfm
March 1, 2015: https://www.mozilla.org/en-US/security/advisories/mfsa2015-3...
April 22, 2015: https://msisac.cisecurity.org/advisories/2015/2015-046.cfm
May 12, 2015: https://www.mozilla.org/en-US/security/advisories/mfsa2015-5...
Hackers search for remote code execution exploits in Flash first and foremost because they know a successful Flash exploit will reach the highest number of targets (90% or more on the desktop) whereas only 44% of desktop machines are running Chrome and 15% are running Firefox.
Hackers seeking out and exploiting RCE bugs in Firefox is unheard of for the same reason malware targeting Macs has been virtually unheard of over the past decade: It's not that OS X is more secure; it's simply that Windows is a more lucrative target.
Source for this complete and utter FUD? Certainly not the links you gave:
Jan 11, 2015: Originally reported to Mozilla as a low-severity DoS, which turned out to be already patched in trunk Jan 13, 2015: Firefox 35.0 shipped with patch
It's hard to get dates out of the others because the bugs are still hidden, but the "fixed in" is often a security fix update after a release, which means it can't possibly have been > 6 weeks.
This leak was the best thing that happened to the web.
Granted most of it might be bad programming, but I still think he comes from here rather than exploits.
JavaScript enabled by default is already bad enough. We don't need Flash, Java, ActiveX or anything similar turned on by default. So it's a good move from security viewpoint. Less attack surface.
Internet Explorer and Google Chrome get updated in a way that most end users find to be simple to understand, particularly with Chrome. Firefox is also quite good in this regard. All of them are reliable - it is rare, IME, to come across a Windows Update, Firefox or Chrome instance which is silently failing to update. Or not even bothering to prompt to update.
Flash, however often I install it, just doesn't seem to auto-update reliably. Quite often it only does so after a user log on/reboot, which doesn't happen much in the days of standby. Even on brand new, fresh Windows installs (so we know the OS/Flash isn't broken), I test Flash from time to time and it just doesn't prompt to update at all on some occasions. This is what makes Adobe's poor track record exponentially worse - that their software update mechanism is crap at best.
I was gobsmacked when Microsoft declared they were going to start updating Flash via Windows Update. Gobsmacked and so very relieved. It felt like they'd walked into Adobe's office, grabbed their fire extinguishers and told them "You are so useless that when there's a fire, WE will come and put it out, since you don't seem able to. We are sick of our offices getting burned down because of your idle incompetence."
I won't even address Oracle's Java. Bundling malware with their updater is tantamount to crime.
If you keep ignoring the update prompt, Flash will quietly update itself after 45 days. That's long enough for every interested party to pwn your machine.
Ugh (damn capitalism!), I think I shall move to ublock origin today then.
Thank you for letting me know about it :)
The best solution for this, from Adobe's own forum? Find the corporate-deployment version, download that (ignoring the messages that say it isn't what you want) and run it. This works flawlessly, but even less automatically.
Both the Flash and Java updates almost feel like "Pay Attention To Me!" Just like all those discount cards that exist in part so you carry around a fetish with the corporate logo.
Silent auto-updates are really the right way to go for non-techies. Even the post-upgrade 'announcement' popups are confusing. For instance, I've installed Ghostery on their computers and the 'ghostery has been updated' popup is just confusing for them, leading to confusion and phone calls to me.
Flash also doesn't seem to auto-update for them, despite me setting it up. I don't understand it either, as they turn off & on the machine regularly. Why can't Adobe get this right?
"It is difficult to get a man to understand something, when his salary depends upon his not understanding it!"
That's the real reason they don't want a auto-update. Google pays them a lot for bundling Chrome(I think it's around $1 per install). They keep breaking the auto-update on purpose so that they can make a ton of money by bundling other software. Same with Java updates.
Even Windows has Flash via the updater.
Just about the only browser that use the old API is Firefox.
Really, at this point I think Mozilla is more interested in just getting rid of plugins than trying to implement an alternative to NPAPI - why put all the effort in to support something like PPAPI when plugins should be dead within the decade anyway?
Also, getting rid of the constant update dialogs and crapware installed with Flash will improve the overall user experience.
Flash game enthusiasts would probably disagree, but most of us can probably do without it given the risk.
I've since found a few work-related apps that need it. Hiss.
So just counting high severity vulnerabilities, the chart is
IE: 314. IE with Flash: 483.
Chrome: 154: Chrome with Flash: 323.
Firefox: 86. Firefox with Flash: 255.
And of course, you can add a third column for Java and a fourth column for browser with Flash and Java.
I have no idea what their bugs-per-line-of-code are, perhaps they have the finest code on the planet. But from a surface area perspective, installing Flash makes you more vulnerable, period. And it really is not necessary, whereas it’s not like you can browse the web in pure Flash and not install a browser.
So does turning on Javascript. Yet the popular opinion these days is that disabling Javascript makes you a luddite. Mozilla even hid the option for it in Firefox.
That's misusing statistics, you can't determine how secure something is by just summing up the number of vulnerabilities - equally weighing/comparing browsers with a plugin etc.
By the way, Apple's opinion on Flash in 2010:
Third, there’s reliability, security and performance. Symantec recently highlighted Flash for having one of the worst security records in 2009. We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.
Source: https://www.apple.com/hotnews/thoughts-on-flash/
Also, considering the track record of Flash on Android, your opinion is not supported by historical fact. It is very clear that Adobe is not on the ball to anyone who pays attention.
Which prevents a lot of autoplaying videos, and also pages sometimes taking a long time to load on slow connections.
https://bugzilla.mozilla.org/show_bug.cgi?id=886792#c41
Which is a reasonable question in this context:
https://bugzilla.mozilla.org/show_bug.cgi?id=886792#c1
On a side note Firefox without Flash is so much smoother. IMHO it is the fastest and most stable browser when it doesn't have Flash bogging it down.
5 to 7 years ago I would have said the same thing, I hated Flash with a passion. But now, when it's almost gone for good, I see that it had its reasons. For example the new Google Street View is many times slower and lags so much as to give me motion sickness (when it's not blocking my browser) compared to the previous version, which was Flash-based, and which used to work like a charm.
I think the terribleness of recent Google web front-ends (not only Maps and Street View but also Search, Mail, Groups, Gplus, etc.) is mostly a product of incompetent management process internal to Google, rather than an indictment of web technology generally.
I've gone back to a desktop mail client (Thunderbird) and moved away from the web for this sort of thing myself.
As far as the web goes, I am very impressed at openstreetmap. That is fast, accurate and has more useful mapping data than anything else rather than fancy overlays and imaging.
Just having it find my location became a chore. I'd be walking down the street looking at my phone the whole block, waiting for it to get my location. Many times it would show my location (with several miles of uncertainty) as being somewhere that I had not been for more than several hours. Other times it would just never find the location at all, not even having any idea what country, let alone city, I was in.
I downloaded OSMAnd and the province map data, and it was able to find my location within mere seconds every time. It was able to do it fast enough that if I clicked the power button as I was pulling my phone out of my pocket, it would have my position before my phone was in front of my face.
Unfortunately OSMAnd does not do transit routing, so I was attempting to use both at the same time. This gave me a direct comparison between how fast both were able to find my position, and how accurately. OSMAnd blows Google Maps away. I often resorted to typing in my "from" location in Google Maps, just so that I could use it to find routes for me while it was stalling on finding my location itself.
My location permissions were all correct. I tried wiping the application settings, with no luck. On the last day of my vacation I uninstalled all the google maps updates on my phone, and tried the version that shipped with it. It worked just fine.
If anybody else ever gets annoyed at Google Maps being unable to find their location in a timely manner, I highly recommend they try OSMAnd. It saved my vacation. As a bonus, it even behaves sensibly when on a boat.
Despite Google's claim to the contrary, they obviously no longer care about performance for some of their web-products.
I did go through the crash reporter.
I don't have much problems with Firefox, it seems to work smooth. May be it's Google's fault?
The company I work for makes interactive/animated training media. While I work as a coder doing mostly server-side stuff, I can vouch for the power that the Flash authoring environment provided. It was rather similar to something like Unity, with a tightly integrated scenegraph and coding environment. For our team of animators who (by necessity, not by choice) picked up some coding chops on the job, it was a huge blessing.
Moving everything over to web technology has been extremely painful for exactly one reason: lack of a decent authoring workflow for interactive animations. There's nothing that can even touch Flash in this regard.
I've heard Facebook video and last.fm streaming don't work without Flash for eg.
Regarding Facebook video, I fail to see how that is a bad thing ;)
http://www.html5rocks.com/en/tutorials/eme/basics/#clear-key
That is primarily because of the flash ads being dumped. An ad/flash/js blocker achieves much the same and then some by further reducing the latency to collect everything needed to render.
I posted a similar comment about it the other day: [0]
Personally I would like to see HTTP Live Streaming (HLS) [1] implemented in the all the browsers, it's a nice lightweight protocol and would be the path of least resistance since it's already used heavily in the mobile space.
[0] - https://news.ycombinator.com/item?id=9874338
[1] - https://tools.ietf.org/html/draft-pantos-http-live-streaming...
For everything else however (like pre-recorded video, games via WebGL), Flash should be phased out.
"All versions of Adobe’s Flash Player plugin are currently deactivated by default, until Adobe releases an updated version to address known critical security issues."
This implies that it will be reactivated soon and this isn't a permanent block. It looks like the same mechanism that blocks old and vulnerable versions of plugins like Silverlight.
That said, I've not installed flash in years. I use Firefox as my main browser with no plugins and IE/Chrome have it embedded (both auto-update with no system restart required).
The one thing I have learned during that time is:
How to write a good VuXML entry.
I agree with the general sentiment of removing Flash, and will do my part in convincing others that FreeBSD (and, derived, PC-BSD and FreeNAS) should probably consider setting an expiration date for Flash, then at that date delete it.