Adobe’s Flash will face a double setback tomorrow, 1 September 2015.
Amazon’s outright ban on Flash ads kicks in.
And Google’s Chrome browser will start blocking Flash, too.
Well, sort of.
Like Amazon, Google’s anti-Flash stance is neither altruistic nor security-focused.
Ironically, it’s aimed at making your ad experience better for advertisers, amongst other things, rather than making your browser more secure, though it will no doubt do both.
Google’s original end-of-Flash announcement was headlined Bringing Better Performance to Rich Media on Chrome, and by “performance,” Google was referring to shorter runtimes and lower power usage, rather than to reduced attack surface area:
Video and interactive media bring consumers rich, engaging experiences on the web - but they can also impact browser speed and battery life... As soon as September, this setting will be turned on by default so Chrome users can enjoy faster performance and view more content before charging their batteries.
It’s not so much to stop you getting owned as to keep you immersed in all those rich, engaging experiences – which, of course, includes seeing lots of lovely ads.
Indeed, Chrome won’t ban Flash altogether tomorrow, or even enable click-to-play by default for everything.
But click-to-play will kick in automatically from tomorrow, it seems, for what Google calls “content that’s peripheral to the main page.”
In other words, games and videos that rely on Flash ought still to work, but ads and suchlike probably won’t.
Given that the Google switchover is accompanied by a ban on Flash ads served via AdWords, it’s a pity that Google didn’t go all the way and simply turn on click-to-play altogether by default in Chrome, or even set Flash off by default.
→ There’s an important difference between Ask to Activate Flash and Never Activate, to borrow Mozilla’s terminology. With Ask to Activate, or click-to-play, websites are told that your browser supports Flash, so most servers then use it in preference to HTML5. This produces a click-to-play prompt that understandably convinces many users that Flash is still not only widespread but also necessary. Perhaps a “Reload this page without Flash” option would be a handy way of getting past that hurdle?
Nevertheless, with Google automtically converting AdWords ads to HTML5 where it can, and blocking Flash ads where it can’t, even Flashophiles may start to accept that there really is life beyond Flash.
So, perhaps Google’s change, along with Amazon’s, will help to get us to a point at which Adobe can realistically do what Facebook’s CSO rather peremptorily suggested, and announce an end-of-life date for Flash.
It can’t be much fun maintaining Flash any more.
While we’re about it, and taking into account the abovementioned anti-Flash rant from Facebook’s CSO, it would be great to see the social networking giant following the lead of Amazon and Google, and dropping Flash from Facebook altogether.
Even if the motivation is to get more ads in front of us, having one less plugin to patch would surely help.
Laurence Marks
I’ve been blocking Flash in Chrome for a few months now, following Naked Security’s advice to simply set “Plug-Ins” to “Ask before running.” The browser experience is greatly improved. If there’s something I care to see, I simply click the puzzle-piece icon and allow it.
The only downside is that I also have to click to allow the internal PDF viewer, also a plug-in. I imagine that a switch to HTML5 will actually degrade my browsing performance and experience.
Paul Ducklin
You may need an ad-blocker…admittedly another plugin, but you can’t have everything.
Of course, ad blockers *could* cost the world $22,000,000,000 this year. But you can’t have everything :-)
https://nakedsecurity.sophos.com/2015/08/12/adobe-and-pagefair-claim-ad-blockers-will-cost-business-22-billion-in-2015/
4caster
It wouldn’t cost $22 billion. It would make that amount available for consumers to spend on more worthwhile goods and services. I don’t recall ever buying anything because I saw it advertised.
Paul Ducklin
I wasn’t saying it would cost $22B. I was saying that it was claimed (by Adobe, oh, the irony) that it could cost that much. Thus the smiley above.
Bart
I do the same with Flash. Will I need to do anything new after this change?
rebane2001
I would like to see browsers block flash by default, but make you able to enable it (per-website/only once, for flash-only pages and those old game sites)
JR
I guess it is time to abandon Chrome. Blocking Flash and Java. Frankly, I don’t understand why Adobe and Oracle haven’t filed a lawsuit. Don’t hand me the security garbage, there are plenty of Intranet apps now affected by a dumb policy.
Paul Ducklin
1. Google isn’t dropping Flash for security reasons, as explained in the article. 2. Oracle itself now ships Java with the broser plugin part turned off by default, so for Oracle to sue a browser vendor for not using by default a feature that isn’t there by default would be kind of weird. 3. Your intranet apps aren’t affected, because [a] they will probably run by default, if they are the primary reason for the page (i.e. they aren’t 3rd party content) [b] you can just click-to-play and they will work anyway.
I can think of a couple of reasons not to use Chrome (my main reason is that I’ve simply never much liked its look and feel) but this is not a good one to pick IMO.
Bob Hannah
There is a slight problem with this. They are going to lose a lot people because most games and videos still use flash player especially on Facebook. Also most of the websites that you can stream video’s through are also still using flash player. I suspect there will be huge howl about this.
Paul Ducklin
Firstly, video streaming – where that is the main purpose of the page – will probably still work.
Secondly, if you want to see the video, just click-to-play.
Thirdly, most of the sites I use to watch videos (e.g. YouTube, Vimeo, Facebook) or listen to podcasts (e.g. Naked Security, Soundcloud) work just fine without Flash. They’ll all use Flash player if you invite them to. But if you turn it off completely, or uninstall it altogether, all those aforementioned sites work almost indistinguishably from when Flash is there.
I’d be interested to hear which of your “most sites” don’t work without Flash. (Which is not the same as “still using” it, if you see what I mean.)
Jones
the sites i need flash for are www.cbc.ca and www.sportsnet.ca they make up about 90% of my web browsing, (Naked Security is probably the other 10%)
“All video content at CBC.ca is provided in Flash video format and you will need the latest version of the Flash Player plug-in installed on your computer”
from: http://www.cbc.ca/player/help.html
After uninstalling Flash a few months ago, I was only able to get sportsnet.ca to work using google chrome, but the quality wasn’t the same. Everything looked a little choppy/blocky. So I re-installed flash and then it looked great.
I’m wondering if it has anything to do with the Sandboxing that Krebs talks about here: http://krebsonsecurity.com/2012/02/forcing-flash-to-play-in-the-sandbox/
Even though I didn’t have the flash player installed on my system, there was still a built in version in chrome that was running in a sandbox… Is that correct?
Paul Ducklin
Hmmm.
I just tried those sites without Flash, and they worked.
On CBC.CA I went for a video entitled “Incredible underwater images of cod near Battle Harbour in southern Labrador” (preceded by a 15″ ad for CBC’s election coverage).
On SPORTSNET.CA I went for a video offering me: “There’s more to Justin Smoak than hitting bombs and being a vacuum at first base, like what genre of music he likes and the best part about his job.”
I have absolutely no idea what that’s about – I assume it’s to do with baseball – and I didn’t watch past the ad for a certain well-known dairy spread named after a large East Coast city in the USA famous for Rocky Balboa.
So. No Flash. Two videos. Two ads :-)
In other words, neither of those sites seems to *require* Flash. That’s why we say, in the article, that click-to-play can mislead people into thinking a site actually needs Flash just because it will use it if you have it available.
In any case, Chrome’s default click-to-play doesn’t prevent Flash from playing. It merely asks for permission first, and isn’t supposed to kick in anyway for videos that are effectively part of the site you are visiting (e.g. arent’t third-party ads).
Jones
I use an add on that blocks HTML 5 and Flash until you click an icon. If it’s HTML 5 content you click a “V” if it’s flash you have to click an “F”.
On CBC it’s the National News that I can’t watch without flash installed.
If you’re able to watch without flash then perhaps I have something misconfigured…
(Despite the fact that their own website says that all video requires flash, I have seen some HTML5 content on certain stories and pages)
Anyway, thanks for checking out the links and for the feedback… I always enjoy reading your articles.
Roy
In my +20 yrs of using PCs & browsing the web I’m having a really difficult time trying to think of any software more annoying, problematic & (your choice of expletive deleted[s]) than Flash. Good riddance to bad rubbish!
www.esadude.com
Adobe are part to blame for taking their eye of the ball and never properly pushing an AS4 type model to bring it up-to date. But you can’t blame Flash for a lot of bad programming and for a lot of the problems associated with Flash. Too few people understand the correct way to compress and work Flash to a fluid integrated output before rushing projects off. Event.Listeners are half the problem and not enough people online take care of the events to nullify system drain.
I’ve been using flash for nearly 20 years and whilst I embrace all new technologies the truth is that HTML5 doesn’t come close to the potential Flash provides to even a basic programmer/designer.
Joomla, wordpress and the promise of a cheap widget based websites for people who without skill can create their own sites has also played a large part similarly in bringing on a anti-flash mentality, as true innovative web design is being left behind as the market resorts to losing 20 years of creative potential which when used properly has no equal.
People seem all to quick to forget that html, java and php based viral mechanisms have long pre-dated any security breaches by Flash and yet they are still being used.
It’s a backward step for creativity and true on-line innovation.
Paul Ducklin
Note that in Google Chrome’s case, Flash is not actually banned or discontinued. Indeed, in theory, a Flash object that is an integral part of your page (however Google determines that – presumably not being hosted on a different server would help) will still play by default. Otherwise, you will have to click-to-play.
It’s a small inconvenience, but does help to draw your attention to probably-uneeded and possibly-unwanted “extra Flash stuff.”
www.esadude.com
I agree Paul, it’s just for years people have been trying to eradicate the best medium for innovative content rich on-line media and there’s no need to punish those who do use it for the benefit of the masses.
I appreciate all web-tech and love nothing more than tools which help take the internet beyond the depressing static 1990’s template mentality however there has to be action from Adobe to pre-empt the present negativity and to provide security and safer standards with regards to these concerns.
Bad websites are bad websites, it’s down to the people to choose if they want to get caught in a advert fuelled website, this is their problem, not the designers using it.
There’s nothing worst than arriving at a website and having your screen freeze because salvo’s of sh*te adverts are kicking in.
Yahoo do it and I loathe using their news feed because it’s ruins your experience and even when you set the stupid preferences to remember not to auto play, they over-ride it when you next go back.
Solution, don’t go back. And they aren’t flash ads, they are the same standard embed ones ruining it for html but this is acceptable is it!?
All for trimming down the on-line fat but this is just bad practice on most part. Not bad Flash, just appalling design conceptualisation.
You can easily track memory in flash to ensure that it’s fluid, has no problems and runs to more than astonishing file size when done properly, and this is another problem.
Nurul nisa
Cool. What is CSO?
Paul Ducklin
CSO = Chief Security Officer.
A senior manager who represents computer security in the upper echelons of management, as the CFO oversees finance and the CTO represents the technical direction of the company.