Flash is one of those things that I will be almost sorry to see go. Not because I enjoyed it, but because I could safely ignore it most of the time: I can disable it, meaning that method of attack/annoyance is completely shut off. When I see my browser showing me something that failed to run because Flash was not turned on, I'm fairly confident that it was something I didn't need to see. Sort of like how our spam filters have been trained well enough that nobody in this day and age still gets e-mails with shady .exe attachments--they're predictable, and Gmail and Outlook's spam filters will catch them.
On the other hand, once Flash is dead, I worry that the invasive crap that made Flash so obnoxious will simply be re-engineered in HTML5 and JavaScript, resulting in the same problems of garish pop-ups and autoplaying videos in an implementation that is more difficult to block.
You are so correct it's painful. Everything I hated about flash and myspace has been re-engineered as native browser code.
Just look at today's HTML5 transitions and animations. It's not enough to have a normal webpage. Now when you scroll down things have to fade in and out of visibility, images have to rotate and come into view, videos start to autoplay when they come into visibility, parallax diarrhea slows down your computer.
I can't wait till "parallax scroll blocker" and "visual diarrhea disabler" are released as chrome plugins.
For YouTube, there are several click-to-play extensions that work with the HTML5 player. There's a Firefox preference media.autoplay.enabled that works for most HTML5 video other than YouTube; ideally that could be allowed on a per-site basis. For ads, use an ad blocker; they know how to block HTML5 ads just fine.
Particularly for mobile, the latest video-ad rendering is happening in JS [0]. This is because autoplay video is disabled by default on mobile, but video rendering in ASM JS / WebGL bypasses such restrictions. Yahoo [1] is doing this, for instance.
Disable JS. I have it off by default and the web is much better. If I can't see a page, I decide either to hit the JS enable keybinding (for this page only if you use suckless's surf), or to just close the tab.
Facebook is the last major site I visit that still pushes Flash on me. When they clean up their own act, then they can start talking about what Adobe and the rest of the Web should be doing.
Seriously. Before calling out Adobe, Facebook should announce when they'll be Flash-free. Otherwise it sounds pretty silly: "Tell us when we have to stop using this insecure, resource-intensive software."
I can't understand how one piece of software (Flash) can be so horribly broken over so many years.
I mean, they had one simple thing to do: prevent code from escaping the sandbox. So how is it possible that they have repeatedly failed at that one task?
<wear-tinfoil-hat>Never attribute to malice what can be explained by incompetence, as the saying goes. But after so many years, I'm beginning to wonder: is it really incompetence, or has some TLA agency convinced them not to do a good job? </wear-tinfoil-hat>
First, to be fair, "Flash" is 2 complete Virtual Machines: ActionScript 2 and ActionScript 3. I expect it to have an increased attack surface.
Second, many things that Flash does (graphics, 3D, video decoding, audio decoding, etc) pretty quickly get you to unmanaged APIs in the OS.
Third, Flash can be surprisingly tricky to escape. Mark Dowd did an absolutely insane series of steps to have code that was valid bytecode, that retained control of a pointer, and to properly set up the memory space for jumping. This isn't necessarily "easy" by any stretch. The full write-up is here: http://www.inf.fu-berlin.de/groups/ag-si/compsec_assign/Dowd...
This isn't to give Adobe a complete pass, but there is a lot going on here. Still, the time for Flash is past and I cannot wait for it to die.
They now have an html5 video player, which I think they just introduced a week ago. BBC is about the only site I've seen that requires flash video, but I'm sure they'll get with the program soon.
So far I know NPR and Spiegel (German tabloid). All these sites work fine without flash if you set your useragent to that of an iDevice. Somebody implemented the switch between html video and flash in a foolish way.
I don't even have it on my system. I wonder if it's some sort of UA detection thing? I tried appearing as Chrome 41 on Windows 7, but no luck. (firefox nightly on linux user here, with h.264/aac support provided by gstreamer)
If Flash was implemented in JavaScript, which sounds slightly crazy but not entirely impractical, it probably wouldn't have nearly as many vulnerabilities.
When's the last time a JavaScript exploit was found? I know the Pwn2Own contests manage to bust out of the sandbox now and then, but this seems exceedingly rare compared to the near monthly super critical Flash updates.
I wouldn't say Shumway has failed, it's still an active and new project. I can pretty much use any "traditional" vector animated flashes on them. Video is still a problem due to codec patent issues, which is a bit sad because it's a legal obstacle, not a technical one.
The primary uses that I see, day to day, for Flash are:
1. Video players (which should be done natively)
2. Ads (which is an awful use case)
3. Fancy, but broken, font replacement (less so lately)
4. Weird, unnecessary utility, like copying text to the clipboard.
I don't see any reason to reimplement Flash in JavaScript when all of these use cases can be better done in native HTML/JavaScript already (1-3), or just not done at all (4). It seems like a huge amount of engineering effort to maintain an old technology that even its creator is migrating away from.
The reason is similar to why people build emulators for old game systems: To be able to preserve history.
There's a lot of Flash games and applications out there that would be completely inaccessible to people were it not for the Flash player.
For example, the Homestar Runner site is built entirely on Flash, and while movie rips of this exist, there's small, subtle interactive elements only possible in the Flash version. http://www.homestarrunner.com/
When Flash is dead a large part of the web goes dark, and that's a tragedy.
> But then it would be even worse on battery life.
I'd claim the opposite: There's (at least) one less runtime needed when executing Flash within JS. Also, no extra graphic, audio, video, … stack that is executed alongside the browser stack.
There's a lot of legacy stuff that will never be reimplemented. For this content, you can use e.g. Mozilla's Shumway[1].
> 4. Weird, unnecessary utility, like copying text to the clipboard.
The JavaScript document.execCommand() clipboard APIs are available in Firefox 41+, Chrome, Safari, and IE. More discussion (in the issue tracker for ZeroClipboard, a popular Flash clipboard utility):
Did you hear about any of those Firefox RCE exploits? Probably not.
We only hear about Flash RCE exploits because those are the ones which happen to get exploited in the wild the most. This is not because browsers are always more secure than Flash; it is because hackers know that if they succeed in finding an RCE exploit in Flash, they will be able to target the 97% of desktop users with Flash installed rather than just the 44% who use Chrome or the 15% who use Firefox. It's the same reason Windows users have always had far more exploits actively used against them than Mac users. Should we set a kill date for Windows because of that?
As long as we are making asinine suggestions, how about browsers set a kill date for Facebook, after which no one can access the site? Facebook's rampant video piracy problem harming small publishers on YouTube [1] is orders of magnitude more financially damaging to its victims than MegaUpload ever was. At bare minimum, it would be appropriate to warn users that they are about to visit a malicious piracy hub with a red full-screen "Are you sure you want to go here?" page, and perhaps provide a list of suggestions of alternative social networks to switch to.
Kill it? We must be close already, because on seeing the headline my first thought was to wonder why someone at Facebook wanted The Scarlet Speedster dead when we haven't seen him in a movie yet.