What’s an obvious, practical step we can take to put a stop to this, and in one stroke greatly improve global information security?
It’s simple. All the important browser vendors need to agree to “flashblock” by default. What is flash blocking? Basically, it just means you need one extra click to watch (some) internet videos.
If you’re reading this in a desktop browser, stop right now and follow one of these links:
Flash block for:
Firefox
Google Chrome
Internet Explorer
Safari
If you’re an IT manager, there is no excuse for not deploying these across your organization right now. If you’re a technology enthusiast, help evangelize flash blocking, and install it on the computers of friends and relatives.
But even though these exist, it’s not good enough. It’s really time for the vendors to come to a rough consensus and agree to do this by default.
I think the Internet Explorer model is actually the best; make it per-user, per-domain. All Microsoft has to do is toggle that switch in their code. But the incentive for them to do it is low if users are going to complain that on (some other browser) they need one less click to watch that video.
So consensus needs to be built. Mozilla, Microsoft, Google, and Apple need to agree to take action. Apple is trying but they can’t do it alone.
The work that’s been going on to replace Flash with HTML 5 is great, and now is the right time to start actively deprecating Flash on the Web.
The cost is so low. Just one extra click. The benefit is millions of consumer computers being notably more secure, again by default.
Further reading on simple, effective tips for improving your security are in this lifehacker post.
(This post was brought to you by years of having to de-virus my family’s computers)
Colin Walters 
Flashblock for Firefox doesn’t quite prevent all Flash from loading, as I understand it — or so Giorgio Maone of NoScript fame tells me (although of course he’s hardly a disinterested observer as a competitor). But your point about not running vulnerable code by default is well taken.
But your hope that browser vendors could band together is unrealistic. For one, it’s a prisoner’s dilemma while Flash is still widely used. For another, this may border on cartel-like behavior, of the sort regulators might look askance at if implemented. It’s kind of, sort of, almost sad that this isn’t possible, but to be brutally honest, I’m also rather glad nobody in the browser world has that sort of power (possibly any more, even — Microsoft may have had it in the days of 95% market share). The analogous situations where entities *do* have that power, that come to mind spur-of-the-moment (and which aren’t necessarily exact fits, but they’re at least somewhat evocative), are mobile platform curators like Apple or Microsoft and the social site Facebook, with its far-reaching control of app APIs, privacy controls, and so on.
It’d be nice to wave a wand, but it’s not going to happen. I don’t think there’s a silver bullet to solve technological entrenchment of deficient technology, either. So I think we just have to wait, now, and let competition and bad publicity wear Flash down by attrition.
Jeff,
I don’t see a prisoner’s dilemma here; we’re not talking about breaking Youtube or Farmville, just making them require an extra click. One click!
As for the cartel comment, the point is pretty much everyone except Adobe roughly agrees; no collusion involved.
And I am not selling this idea as a silver bullet, or even original. It is I believe a realistic, practical step.
The latest Opera 11 alpha and now Chromium too have a option to block all plugins and enable them “on demand” – similar to what Flashblock does but for all plugins (this include Java applets for example)
So that option is now starting to come in browsers too.
“If you’re an IT manager, there is no excuse for not deploying these across your organization right now”
Not sure what world you live in but 95%+ managers don’t care about this kind of stuff.
How do you propose monetizing content webpages without Flash atm? Neither HTML 5 or even *gasp* Silverlight is capable of fully replacing Flash atm.
I work in the advertising industry, and what pays the bills for many publishers is the richer Flash ads that you see today. Sure, its possible to use HTML 5 to replace them. But currently, the browsers that people are using right this very second would easily use up to 100% of processor doing a simple animation and maybe a video (no audio of course), and we’d have to pay to host the video twice (once in H.264, a second in Ogg Theora), and you’d have to pay the download the content completely (there’s no way to stream HTML 5 video currently like with Flash (RTMP)). With Flash, this isn’t a problem.
Sorry, but Flash can’t be deprecated until the majority of browsers can implement HTML 5 with performance on par with Flash.
But it’s not really browser’s task to allow websites to monetise their content. If it’s in the user’s immediate best interest to default to block flash, then let it be done. Any second or third tier effect, such as less ad-supported web content, is not really of concern. Advertisers will adapt, or there will be more for-pay content.
Internet contents must remain free. Ads are the only way to achieve this. Are you ready to pay for any content on the internet?
One solution: who uses flash block have to pay content for the money not earned in flash ads. Otherwise must be sent out from the site.
This is pretty much it.
This is no different than the RIAA/MPAA needing to rethink their business after digital distribution came to rise.
So far as the idea that people need to pay for content, that’s ridiculous to label as a real problem. The vast majority of the useful content on the Web is hosted on personal sites, blogs, or university sites, none of which have ads today. Then there’s news sites and the like, which I actually do subscribe to in a few cases specifically because subscribers don’t get ads and because subscribers get extra content (LWN, Phoronix, and Ars Technica, as examples). Finally, for media content sites and services like Hulu or NetFlix, I would and in fact do pay ~$10/month… the only reason those irritate me at all is that I still get bombarded with obnoxious ads.
Advertising is a huge tool for business that can make or break any product or service, and I realize that as a working professional. As a home consumer, though, advertising is the single most obnoxious invention of mankind that I can think of, and I would much rather see a bunch more failed products and services that I frankly don’t really need if that meant no more advertising clogging up every single movie, magazine, highway, website, park, and product there is.
I think advertisers are going to have to retool, basically. As far as video codecs, you’ll end up with h.264 and webm most likely.
Retool with what? There’s no replacement in HTML 5 even provisioned for the reasons advertisers use Flash. Flash allows for custom typography, streaming video without using inefficient HTTP downloading, simple to complex animation without killing the browser, and the ability for complicated reporting of the results, while keeping file size under 30 KB (sounds tiny, but its what I as an advertising technology vendor have to make possible!)
Advertisers will probably want to keep using the stuff they are accustomed to, so are you willing to waste more of your precious potentially capped bandwidth to make that achievable using HTML 5?
Advertisers probably won’t switch from Flash to HTML 5 until:
1. All browsers support hardware acceleration in all environments or browsers don’t die under load without it.
2. There’s an option to stream video instead of having the user download all of it instantly
3. There’s a single video codec supported everywhere
4. Ability to use custom typography everywhere without requiring the user to download a huge font file
@Justin: If you want to continue to show ads, then you’ll have to adjust. If you are unwilling, then you’ll miss out on more and more users not seeing your ads. Which seems fine to me actually 🙂
I don’t agree that all of those are blockers. For example, IE 6 wouldn’t get flashblocked, because yes, it doesn’t do animation or video.
I thought custom fonts were widely deployed these days?
Well regardless, I definitely still think the world would be much better off this way, even if web advertisers have to go back to animated .gifs in some cases.
Pingback: Why HTML 5 can’t replace Flash just quite yet… | Justin's Blog
The cool thing about Chromes Flashblock is that you can whitelist stuff too. So you don’t need a second click on pages you trust (like youtube for example).
I am totally on your side with this blogpost by the way 🙂
Flashblock (for FF) allows the same thing, you can white-list any source, so for example if I white-list youtube all videos from youtube will always load regardless of the domain of the web page loaded.
Hard to say – but clearly not having a huge, complex plugin in the picture has made it a lot easier for e.g. Chrome to do its sandboxing.
I agree that flashblock is a good idea. The standard Android web browser already has a configuration option to load plugins alway/on demand/never, the on demand part practically being something like flashblock. Maybe this shouldn’t be a flash-only thing, it could also be useful against exploits for the adobe reader plugin or silverlight or whatever.
Also, the flashblock firefox extension indeed doesn’t seem to a security kind of addon, but more of an annoyance avoiding addon. See http://netticat.ath.cx/Misc/overrideflashblockdemo.htm
Oh, crap! That does rather obviate the point of my post, or at least for Firefox. I’ll have to dig to see if the sameis true of Chrome.
The IE model looks secure, right? I guess this does need to be built right into the browser, or at least you need a specific hook for out.
Good article, thank you. I just want to mention that there exists a FlashBlock clone created by Hemiola Sun. It is safer than FlashBlock (some code updates and improvements done by me), has a nicer flash replacement and provides more options (e.g. is able to block audio and other media). I think Hemiolas good work deserves some more attention.
https://addons.mozilla.org/en-US/firefox/addon/1765/
The occasional security flaws in Flash seem somewhat inconsequential when you look at the larger picture. All the recent news this week over FireSheep is a good example. It’s not just flash one needs to worry about. The ENTIRE WEB is a security risk. Every browser out there treats plain text HTTP as if it were secure, and web sites everywhere blatently ignore the risks involved with using it.
Firefox is happy to be anal about me using a self-signed certificate on my own private server, but is quite happy to act like typing my password on any site that transmits over plain text is an ok thing to do. Perhaps they all need to take a stand now and start being more preventive against storing insecure cookies set over HTTPS, and retransmitting cookies over HTTP.
> The work that’s been going on to replace Flash
> with HTML 5 is great, and now is the right time
> to start actively deprecating Flash on the Web.
Well… one day until the Fedora 14 release and we still can’t watch WebM content out-of-the-box. Nor many content available (YouTube conversion is still work in progress). Nor many tools to create the content.
Sorry to say but some sites use “hidden” flash objects to store cookies and reguire this for funcionality. One site that does this is kijiji.
So with Flashblock blocking kijiji, the site’s forms won’t function properly. If Flashblock is enabled by default, the user will wonder why kijiji is not woking, and if he does discover the little Flashblock (F) hiding in the corner of the page clicking to temporarily enable it won’t work either because it is reset on form submission/redirection.
I’m not saying that kijiji’s use of flash this way is a good thing. What I am saying is this type of flash use is widespread and Flashblock just can’t handle it… a problem “just one extra click” can’t solve.
Pingback: Flash and Java: the end of obsolete technologies - Frederik's Blog