Google last week announced that it would minimize use of Adobe’s Flash Player in its Chrome Web browser by the end of the year by turning off its default status.
When Chrome encounters a Web page, it will report the presence of Flash Player only if a user has indicated that the domain should execute Flash or if the site is in one of the top 10 domains using Flash, said Anthony LaForge, technical program manager for Google Chrome.
When a Web surfer using Chrome encounters a site offering HTML5, the change in Google’s browser will make that the primary experience, he said.
“We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site,” LaForge said.
“While Flash historically has been critical for rich media on the Web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption,” he added. “This change reflects the maturity of HTML5 and its ability to deliver an excellent user experience.”
The Whitelist Hedge
“This is part of a 10-year effort by the industry to get rid of Flash,” said Patrick Moorhead, principal analyst at Moor Insights & Strategy.
“This is the next step in that process as people move to HTML5 and H.265 video,” he told TechNewsWorld.
After the proposed change, “if you’re not a top 10 website and you use Flash, you’re going to have trouble with people who visit you and are running Chrome,” Moorhead noted.
Google’s change in Chrome creates a “whitelist” of 10 domains where Flash will be turned on by default. They are YouTube.com, Facebook.com, Yahoo.com, VK.com, Live.com, Yandex.ru, OK.ru, Twitch.tv, Amazon.com and Mail.ru. However, Google intends to get rid of even that whitelist after a year.
The company’s support of a whitelist may be an indication of just how tough it’s going to be to purge Flash from the Web. “Getting rid of Flash is going to be an onerous task due to its pervasive influence on the Internet,” said Rahul Kashyap, chief security architect withBromium.
“Already Google is resorting to poking holes in their strategy by whitelisting popular websites to minimize user impact,” he told TechNewsWorld. “This is going to be a long and slow process, and Google’s timeline is definitely aggressive.”
Dead by 2018
Google’s move could give competing browsers a helping hand. “Potentially, there’s an opportunity for people to move to other browsers if they’re not happy with Google’s move,” Moorhead said.
Nevertheless, “I don’t see why Flash would be in existence in 2018, unless you didn’t care about people coming to your website and watching your videos,” he added.
Even Adobe is resigned to Flash’s phase-out. “Google’s initiative is part of an industry-wide transition to open Web standards,” said Adobe spokesperson Russell Brady.
“At Adobe we are working closely with Google, Microsoft, Facebook and others to facilitate the adoption of these standards, including HTML5. At the same time, given that Flash continues to be used in areas such as education, Web gaming and premium video, the responsible thing for Adobe to do is to continue to support Flash with updates and fixes, as we help the industry transition,” he told TechNewsWorld. “Looking ahead, we encourage content creators to build with new Web standards.”
Among the advantages of the standards supplanting Flash is better security.
“The industry is moving to new technologies, which provides higher security,” said Jim McGregor, principal analyst at Tirias Research.
Google’s move is more forgiving than the way others have treated Flash, he told TechNewsWorld. The technology still will be supported in Chrome, although it will have to be turned on manually for many sites.
“While this may be a bit of discomfort to some users, all users are better off using the latest software to minimize security threats,” McGregor said.
Eye to Eye on Flash
Vulnerabilities can appear in almost any type of software, but Flash has become a popular target of hackers. According to Symantec’s latest “Internet Security Threat Report,” four of the five most exploited zero-day vulnerabilities in 2015 were found in Adobe Flash.
“Once discovered, the zero days are quickly added to cybercriminal toolkits and exploited,” noted Kevin Haley, director of security response at Symantec.
“At that point,” he told TechNewsWorld, “millions will be attacked and hundreds of thousands infected if a patch is not available, or if people have not moved quickly enough to apply the patch.”
In 2010, Steve Jobs defended Apple’s decision not to support Flash on the iPhone. “Flash was created during the PC era — for PCs and mice. Flash is a successful business for Adobe, and we can understand why they want to push it beyond PCs. But the mobile era is about low-power devices, touch interfaces and open Web standards — all areas where Flash falls short.”