OK, so Facebook’s new Chief Security Officer, Alex Stamos, didn’t actually say, “Death to Flash.”
But he did say end-of-life, which is surely a synonym for death, and he used kill- in an imperative way.
And, OK, strictly speaking, he didn’t actually say it.
But he tweeted it over the weekend – and with close to 10,000 followers, that’s like saying it through the PA system in a jolly large auditorium:
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
Stamos, who was with Yahoo until the end of June 2015, very recently stepped into the vacant shoes of Facebook’s outcumbent CSO, Joe Sullivan, who exited Facebook in April 2015 to become the first ever CSO of controversial not-a-taxi-company Uber.
So, what does the rest of the world think about Flash?
One of Naked Security’s acquaintances couldn’t resist quipping, upon seeing Stamos’s tweet:
And the people said, "Amen."
Flash has certainly been under the pump in the last few weeks, with numerous zero-days being reported and exploited in quick succession in the past week or so, including several extracted from the detritus of the recent breach at security company Hacking Team.
Zero-day, or 0-day with a digit if you want to be 31337, is the slang term for a security hole that crooks knew how to exploit, and actively started exploiting, before an official patch came out.
The “zero” part is a reminder that there were zero days you could possibly have been patched in advance.
But not everyone agrees with Stamos, who certainly stirred up a bit of a hornets’ nest.
We seem to do that, too, every time we suggest on Naked Security that you even consider uninstalling Flash, or at least turning the plugin off inside your browser.
For everyone who has learned to live without Flash, or to turn it on only occasionally when it is genuinely necessary, there seems to be someone else who is convinced that it’s impossible to move forward…
…not least because that means leaving the past behind.
The horns of a dilemma
On one hand, for Facebook to tell Adobe – a big, reputable, and successful player in the IT marketplace, just like Facebook itself – to put one of its products to the sword smacks of arrogance.
On the other hand, it might be just the encouragement, or even endorsement, that Adobe needs to let go of Flash to concentrate on more forward-looking things.
After all, HTML5, the greatly-expanded dialect of HTML that most modern browsers understand, is the open-standard path forward for just the sort of interactive web content that used to rely on Java applets or Flash.
→ To be fair to Adobe, HTML5 only became official, and even then only as a “recommendation” by the World Wide Web Consortium, in late 2014. The previous major version of HTML came out in 1997, so officially superseding Flash has not been a quick or simple exercise.
Indeed, Apple’s iPhones and iPads have managed without Flash for several years, apparently without causing any great digital lifestyle anxiety for their users.
Android, too, abandoned Flash about three years ago – and that was Adobe’s call.
Having said that, any rumours about, or even wishes for, the death of Flash seem highly unlikely to come true.
Adobe’s own roadmap for Flash was last updated less than a month ago, and still looks forward to browsers that use Flash as a vehicle for “adding features that are key for the gaming and video markets.”
Of course, Alex Stamos and Facebook could have things their own way right now in their own universe, simply by discontinuing the use of Flash entirely throughout Facebook’s web properties.
(In Firefox for example, Facebook videos still play via Flash if you have it installed, even though they don’t need to.)
Indeed, Facebook’s web pages could go one step further, by detecting if you have Flash installed and reminding you – for example while playing a video – that Flash isn’t being used, and thus making it clear that all of Facebook’s pages work fine without it.
What do you think?
If Adobe decides to call Facebook’s bluff, and kill off Flash, how long should Flash give the world before “setting the killbit,” as Stamos puts it, and pulling the pin on Facebook and everyone else?
Peter J
Don’t agree with: “(In Firefox for example, Facebook videos still play via Flash if you have it installed, even though they don’t need to.)”
I tried uninstalling Flashplayer (and rebooting). YouTube videos played without Flash, but BBC iPlayer and Facebook both required Flashplayer for videos (or audio, in BBC case) to work.
I would rather not have to use Flashplayer, but until BBC updates iPlayer, I have little choice…
Kasun
Simply install UA Control add-on for Firefox. In that you can customize user agent for each site. Just set it as Safari for Facebook and say Good bye to Flash in Facebook.
Aoddhan Murray
Wonderful! Mitigate one vulnerability and open up several more by using Firefox.
Paul Ducklin
That’s *worse* than my conclusion, of course, about Facebook being a little ahead of itself over how redundant Flash is :-) But it doesn’t match my experience with OS X + Firefox 39.0 + Flash 18.0.0.203 + Facebook videos. With Flash set to “never activate,” FB videos play fine. Set to “Always ask” and the Flash plugin does get used instead of HTML5. YMMV, but that was mine.
Kasun
‘Never Activate’ Flash in Firefox does not play videos (in Linux). It asks us to install Flash and does not play the video.
Peter J
I think the OS might be the difference? Paul is using OS X (and it behaves), Kasun is using Linux (and it doesn’t), and I am using Vista (I know, please don’t shoot me!) and that doesn’t work either.
On a related tangent: the reason I loaded AdBlockPlus in Chrome was mainly because of the Flash adverts on eBay — having multiple tabs open, the Flash adverts on top of Chrome’s high memory use just made it unusable.
Mark Stockley
Flash is a tool for reminding you that your laptop has a fan.
Bob Hannah
Flash is very active in Facebook and other apps. If you believe that it is not, then you really ought to take a look at MS Task Manager. Facebook has two copies of it running when Facebook is open. I am highly aware that a number of Websites use Flash to stream videos. I actually wonder how much it would break if Flash is removed. This is not to say that I approve of the vulnerabilities that Flash has. These should be fixed, and fixed correctly, not through spit and baling wire.
Paul Ducklin
My point is that if Facebook really thinks Flash should vanish, it would make that point more strongly if it not only supported people who don’t have Flash but also didn’t bother with Flash even for those who do.
As mentioned, my experience is that FB mostly works without Flash (but I suspect there are plenty of corners where that is not the case) but will use Flash in preference to HTML5 if you have it.
Which is why we gave the poll…let’s say Adobe turned the tables and announced it was dropping Flash today. How quickly could Facebook (and you, and I) actually do without it?
Anonymous
That new Facebook CSO is a complete idiot! All the best Facebook Games are made in Flash… and Flash is still better than HTML5 and with less code. HTML5 you got to mix CSS, HTML, Javascript and is sometimes a nightmare. + Your code is open source, very easy to hack and find exploits.
Laurence Marks
Anonymous wrote: “HTML5 you got to mix CSS, HTML, Javascript and is sometimes a nightmare. + Your code is open source, very easy to hack and find exploits.”
Only bad coders are ashamed of their code and want to hide it.
Mark Stockley
Document structure, presentation and logic are not the same. Muddling them up is a recipe for disaster and keeping them separate, and using specialist languages for each, sounds like good architecture to me.
As to exploits, Flash is an interpreter with a terrible record on vulnerabilities. The equivalent interpreters for HTML5 are not HTML, CSS and Javascript but Chrome, Safari, Internet Explorer, Firefox, Opera and Tor (amongst others). I’d take any of those over Flash, even IE.
kurtd
How are we supposed to manage VMware vCenter or Horizon View without Flash?
JR
It is exactly this sort of issue, along with all the corporate intranet apps, that makes the IT folks in the trenches infuriated with this elitist mentality of dropping Flash support. If you are just a web browsing weenie, hey no problem.
Paul Ducklin
You *could* argue this the other way around (and keep the military metaphor) and say it’s the elitist attitude of IT folks at General HQ far behind the lines that leaves the users in the trenches at risk of getting shot at, blown up or poisoned :-)
Calling users “web browsing weenies” when at least some of the websites they visit are part of the organisational infrastructure…you can see why they might be annoyed at that.
Anonymous
If the criteria for not using software was a history of “zero day” exploits, we wouldn’t use Windows, IE, Firefox, or Chrome. Just look at the last two to three years of bug bounty contests. It is intellectually dishonest to say Adobe Flash is a security risk and that is the reason why companies don’t want to support it. They don’t want to support it because they can’t fully control it. They never seem to want to block their own software for being a security risk to help the security of their customers.