What happened with Flash?

I mean here we have a program universally used across most browsers, with regular updates, and owned by a big company. Then suddenly it’s a security risk vulnerable to all sorts of exploits and all the browsers now shun it or warn you to use it at your own risk. But isn’t that what patches are for? Why didn’t Adobe plug all the holes and keep Flash secure? It must have been a huge earner for them. What does HTML5 have that Flash hasn’t?

When the company that owns it says that they are discontinuing it, that pretty much says it.

I’m sure there are consumers that wish that Zima was still being produced as well.

The general impression of people in the industry was that Adobe would need to rewrite Flash from the ground up to fix its problems. At the same time HTML+JavaScript were increasing capabilities (or at least the roadmap was somewhat clear).

My guess is that Adobe saw the writing on the wall and figured that even if a rewrite was successful, the need for Flash was diminishing in favor of capabilities via HTML+JavaScript.

An open standard, for one thing.

That plus the near-impossibility of actually fixing the 20-year-old ball of crap that Flash was without a line-one rewrite made it clear that it simply wouldn’t be worth it to continue supporting Flash.

“Mr. Watson seems to have answered his own question.” Seymour Cray

The decision may also have been influenced by the fact that Steve Jobs was adamant that Apple would never support Flash, on Macs, iPhones or any other product. That drove a lot of web sites to use alternatives to Flash. (I don’t think Apple’s stance changed after Jobs died but I’m not positive about that.)

HTML5 has most of the things you said Flash has. It isn’t owned by a single big company, which is an advantage, but otherwise it’s a completely equivalent replacement at this point.

Contrariwise, Flash hasn’t been widely supported for years now, hasn’t been universally used for longer, and nobody cares about the updates because of the previous two facts.

So what happened to Flash? Browsers can do everything Flash did without needing an external plugin. It’s a much cleaner solution.

Flash has always been available on Macs, but iPhones were a non-starter because Flash is such a resource hog and would’ve burned through the batteries in no time. I suspect it may also require too many permissions to be properly sandboxed for iOS. That would be why it’s such a security risk to begin with. If it can’t function without getting its hooks deep into the system, then it’s also an easy vector for other things to sneak in too.

So what happens when Flash is gone?

Mass hysteria. Human sacrifice. Dogs and cats living together.

Some bits of the internet disappear or stop working - not many important bits, but some of the Flash animations and games that haven’t been redone in another format stop being available.

I know of a major UK retailer that uses Flash not only for their public facing website, but also for the ecommerce portal that they make all of their suppliers use. I hope they’re busy developing the replacement for that.

(I have no idea why they would choose to try to develop an ecommerce portal in Flash - I’m guessing they just asked the wrong people to do it - maybe the people who developed the public website. When all you have is a hammer, everything looks like a nail.)

Ming the Merciless finally conquers Earth!

Alternately, Wally West finally gets to wear the red suit.

The problem was not really one that was patchable. Flash is a complete programming environment, and it is a fundamental theorem of computer science that in any complete programming environment, it’s possible to write programs for which it can’t be predicted what they will do. So any website creator could embed a Flash program that would do whatever they wanted, and it’s not, in principle, possible to filter out all of the bad programs.

There are only two ways to fix this. The first is to make Flash a less-than-complete programming environment. But this would make it useless for the vast majority of what it’s used for (indeed, HTML5 and the other replacements are also complete programming environments). The second is to very strictly sandbox Flash: That is, put it into a virtual environment where it can do whatever it wants in that environment (like a kid playing in a sandbox), but where it can’t do anything at all outside of that box. And the only real way to make such a secure sandbox is to design it to be a secure sandbox right from the ground up.

I don’t know that it’s not theoretically possible. Example: refuse to run arbitrary code; only run proof-carrying code with a valid certificate conforming to a specified security policy.

That has nothing to do with ActionScript specifically, and may be beyond the scope of Flash.

The fact ActionScript was a Turing-equivalent programming language wasn’t the problem (as you say, HTML5 includes JavaScript which is almost exactly the same), the problem was that Adobe’s implementation of Flash was crap and they were not competent to fix it for a long time: ZDNet article on the subject from 2010.

But that was only one aspect: Even as Flash slowly improved, browsers did, too. And putting this stuff in the browser just makes sense. The integration is smoother, because it isn’t two programs trying to talk to each other but one program doing it all, and it consumes fewer resources. The security story gets better when you don’t have a third party involved, and the number of spaces bugs can hide out goes down. Browser makers had every reason to do what they did, and Flash was squeezed out entirely.

Is it possible to have perfect plug-ins which don’t cause problems? Yes. You need to throw enough resources at it to make it happen, which basically amounts to time and good team organization, but it’s possible. Flash was a long way from perfect.

Note: a lot of things are Turing complete but that doesn’t make them security risks if certain things are not accessible, like the HD on the browsing end.

JavaScript is Turing complete. No one thinks that’s intrinsically insecure and has to go away. You could strip a ton of stuff out of JavaScript and still have it be Turing complete. It takes surprisingly little to be Turing complete: integer variables (actually only need 3, at most), assignments, loops, a test.

So Flash being Turing complete is irrelevant here.

It was a crap program with an unforgivable number of errors in it.

(There’s just one site I use regularly that still uses Flash. A crossword program. But I only use it to print out the puzzles and none of the “real” Flash features. I hope it doesn’t go away rather than upgrade to HTML5.)

Pedantic Nit: Nothing is Turing complete if it is running on a machine with only finite memory. :P

As for Flash, it just wasn’t made with security in mind, and it is very hard to bolt security on as an afterthought. Still it wouldn’t have been impossible to do, but the great improvements in HTML/CSS and JavaScript engines making it possible to do most of the same things without Flash (and with better integration with the browser) made putting in the effort to make Flash secure not worth it.

Right, JavaScript isn’t dangerous, because it was built from the ground up to be properly sandboxed.

JavaScript programs are not sandboxed. This is a misuse of the term.

It is limited in certain ways. But it can do all sorts of things that a sandboxed app would not be able to do.

This does lead to security issues with improperly written scripts. E.g., cross-site scripting (XSS) is a big danger. A programmer for a sandboxed environment could never screw something up and have to worry about something like XSS.