Unintended Consequences Of Slowly Strangling Flash To Death

The long road to the final death knell for Flash has gotten slightly shorter.

Intent to implement: HTML5 by Default

From the post:

Later this year we plan to change how Chromium hints to websites about the presence of Flash Player, by changing the default response of Navigator.plugins and Navigator.mimeTypes. If a site offers an HTML5 experience, this change will make that the primary experience. We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site (see the proposal for the mock-ups).

To reduce the initial user impact, and avoid over-prompting, Chrome will introduce this feature with a temporary whitelist of the current top Flash sites(1). This whitelist will expire after one year, and will be periodically revisited throughout the year, to remove sites whose usage no longer warrants an exception.

Chrome will also be adding policy controls so that enterprises will be able to select the appropriate experience for their users, which will include the ability to completely disable the feature.

Any move away from Flash is good news but the unintended consequences of this news tempers my joy.

First, the Flash whitelist signals that delivery of Flash malware should concentrate on the top ten sites:

  1. YouTube.com
  2. Facebook.com
  3. Yahoo.com
  4. VK.com
  5. Live.com
  6. Yandex.ru
  7. OK.ru
  8. Twitch.tv
  9. Amazon.com
  10. Mail.ru

Second, offering users the option to run Flash, in spite of warnings, guarantees Flash will remain an expressway into your computer for years to come.

Third, as Flash usage drops, what is the likely curve of funding for fixing new bugs found in Flash? (That’s what I think as well.)

I don’t have a better alternative to offer, except to suggest that enterprises that care about security should offer cash bonuses to departments that abandon Flash altogether.

PS: Adobe should notify the community when the last copy of the source code for Flash is erased. To avoid some future computer archaeologist digging it up and becoming infected.

Comments are closed.