Next Flash Version Will Support Private Browsing

An anonymous reader writes "The world rolled its eyes when the problem of Flash cookies came to light several months ago. Even if you're careful about cookies or even if you use your browser's private surfing feature, sites can still track you through cookies stored by Flash. However, soon enough the next version of Flash, 10.1, will support private browsing and will integrate with browsers to turn it on when the browser itself is in private browsing mode. Browsers still store data during a private browser session, but they will delete it all at the end of the session. The same will be true of Flash private browsing."

Remind me why

Remind me why Flash needs to be stateful, again?

Re:Remind me why

[fuzzyfuzzyfungus]

Because Advertisers are the customers that matter, and they love having something that survives a naive "clear cookies" attempt by the pitiful consumer?

Re:Remind me why

[broken_chaos]

Online games are a major user (as opposed to abuser) of storing data with Flash. There are some that actually are complex and long enough (and fun, too!) to warrant a save function. It can also be mildly-to-moderately helpful for some other Flash 'applications', like a video/audio player storing settings like volume levels.

Re:Remind me why

[Wingman+5]

I can give one good legitimate example, flash games. It allows you to save your game and allow a more complex game that that could need more than one sitting to beat.

Re:Remind me why

[Cryacin]

When spoken in the context of Flash, then yes, it makes perfect sense to not have those pesky 'shared objects' aka cookies on your machine.

However, with the advent of Flex (now Flashbuilder to confuse and confound more), there are many applications out there that legitimately store information on the client.
There has been a large mention of games already, but to that mix, I would add business software. There are many RIA's out there that manage data and distribution using Flex, and hence, pull a large amount of information from servers. Yes, sure, you could reload the data every time that you navigate away from a particular flash harness page, or you could store data within the shared object and not need to spend the vendor's bandwidth, nor stuff the client's pipe with information that was just sent a few minutes ago.

With the introduction of P2P channels in Flex 4, this opens up a whole range of possibilities to send data to a cluster of peers on a destination network, rather than clogging up outgoing pipes with information. There are a range of business cases for this technology.

That said, however, there is a need to curb the wild west attitude to data storage. There should be an option to default allow/deny/question whether Shared Objects should be allowed. Currently it is auto accept up to 100kb which falls outside of many legitimate applications anyway. Most importantly, there should be an option to always allow shared objects from a particular website.

We can't let the abuse of a technology proclude us from legitimate use when there are perfectly valid and reasonable strategies to manage and distinguish between positive and negative use cases.

Re:Remind me why

[sopssa]

That really adds unnecessary complexity. There are tons of those flash games sites and they would all need to generate same kind of database scheme or make a standard on how you pass the data between the site and flash applet.

Instead more controls about it is the way to go. Personally I would also like an option to globally disallow all cookies, but let it ask me if I want to save data.

I noticed earlier today that theres beta of 10.1 out and interestingly it also supports hardware accelerated video with NVidia cards. Lowered dramatically CPU usage when playing video in full-screen. Seems that this private browsing thing isn't included yet tho.

Re:Remind me why

[DragonWriter]

However, with the advent of Flex (now Flashbuilder to confuse and confound more), there are many applications out there that legitimately store information on the client.
There has been a large mention of games already, but to that mix, I would add business software. There are many RIA's out there that manage data and distribution using Flex, and hence, pull a large amount of information from servers. Yes, sure, you could reload the data every time that you navigate away from a particular flash harness page, or you could store data within the shared object and not need to spend the vendor's bandwidth, nor stuff the client's pipe with information that was just sent a few minutes ago.

Doesn't HTTP define a whole slew of metadata headers and specified caching behavior to specifically address this kind of thing? Why build "rich" web apps that don't leverage HTTP features that specifically address the need you are dealing with?

Re:Remind me why

[Rejemy]

Flash cookies are shared by all browsers.

Re:Remind me why

[davester666]

> Because Advertisers are the customers, and they....

Fixed that for you. People with the flash player aren't customers of Adobe's, because they aren't paying Adobe anything.

Just like, up until very recently, cell phones were designed for the needs of the manufacturers customers, namely wireless carriers, and as such, were designed [and/or redesigned] to meet the desires of the wireless carriers. If actual end-users liked the design and/or specific features, those features had to be removed :-)

Re:Remind me why

Sorry for comment hijacking.

Adobe provides Flash Settings Manager to allay your privacy concerns. Of course, it is not very user-friendly for average Joe but average Joe probably can't be bothered about privacy anyway. And there is "Delete All" button as well, for paranoids.

Re:Remind me why

[abulafia]

Doesn't HTTP define a whole slew of metadata headers and specified caching behavior to specifically address this kind of thing? Why build "rich" web apps that don't leverage HTTP features that specifically address the need you are dealing with?

HTTP page caching doesn't have semantics for things not of 'document' granularity. Think database records. People want to use these things as front ends to corporate directories and whatnot, be able to futz around with them on a plane, and have them sync when they're back in touch with the mothership. HTTP doesn't try to provide anything at all close to record level caching.

Re:Remind me why

[digitalunity]

Your example of cell phones is apt in this case. Innovation in the cell phone industry has been limited to what carriers will allow. I hope Google starts a trend to buck the subsidized phone business.

Cell phones have been capable of so much more for a long time, but in this case the true customers are the carriers - not the end users.

Flash is in an almost identical situation. Allowing even savvy end users to manage their privacy would hamper advertisers efforts to track us. Flash is a dominant force because everyone uses it. If there is fragmentation, Adobe will lose it's power, mindshare and eventually its revenue.

Re:Remind me why

[Rossman]

"There should be an option to default allow/deny/question whether Shared Objects should be allowed."

There is: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html

You can also whitelist and blacklist sites in that same Flash Global Settings Manager :)

Horay!

[Wingman+5]

Now I can plan that birthday party without anyone knowing.

Crontab to Delete Flash Cookies

[baez]

So I've been using this line in my crontab for a long time now without any problems (well no more problems than I usually experience with Flash under Linux):

* * * * * rm -fr /home/me/.macromedia

I think this solves the problem, but maybe I'm mistaken...?

Re:Crontab to Delete Flash Cookies

sudo chown 0:0 .macromedia
sudo chmod 0000 .macromedia

That's simply not an adequate response

Sorry Adobe, but it's time for HTML5.

Re:That's simply not an adequate response

[Rejemy]

By which you mean "it's time for HTML5 in 3 years when IE9 penetration is high enough, assuming IE9 supports HTML5 when and if it comes out".

Firefox extensions

[pydev]

Get FlashBlock or NoScript to turn off flash altogether.

Get BetterPrivacy to automatically delete Flash cookies on exit; it seems to work well.

Better Privacy extension

[harmonise]

This feature is here now for Firefox users with the Better Privacy extension.

Burn All Flashes

[Renderer+of+Evil]

Remember this site? http://burnallgifs.org

We need a similar campaign for Adobe Flash. It's dinosaur technology built for the internet stone age. Time to get rid of it for good.

Re:Burn All Flashes

[BoppreH]

I'm not sure about you, but I prefer playing Flash games instead of downloading suspicious .exe files.

If you don't play Flash games, it's not a good reason to forbid everyone else to do so.

Apostophe usage problem

[sych]

"The world rolled its eyes when the problem of Flash cookies came to light several months ago.[...]"

There, fixed that for you.

Re:Apostophe usage problem

[noidentity]

I think the original was just missing quotes. I read it as

The world rolled, "It's eyes!" when the problem of Flash cookies came to light several months ago.

where they were using the 19th definition of rolled: 19. To make a sustained, trilling sound, as certain birds do. In other words, it was another way of saying they Tweeted it. Clearly they were referring to the fact that these cookies flashed a bright light, and were answering the question of the thing they affect. Their answer was "it is eyes!". Simple, really.

Surf with VM and revert to snapshot

[OnTheEdge]

Surf using a virtual machine and revert to a stored snapshot upon close. Problem solved.

And after that..

[Peter+Cooper]

After that feature, could they make Flash respect the "Block Pop Up Windows" features in Safari and Firefox? I expect NO popups when I have this set.. yet Flash seems to be able to open them still!

Overreacting?

[BoppreH]

The website knows that I'm the same person as before. So what?

Can someone explain me how can this be used against me if the cookies are stored in my personal computer?

Re:Overreacting?

The reason is that third party ad sites use Flash ads.

You visit site A which is about midget pr0n, third party site drops a cookie there.
You reset your IP address.
You visit site B which is about beer bongs, same third party sees the cookie it dropped when you were at site A, stores that info combined with your IP in a database.
You visit site C which is about fart lighting, same third party fetches the LSO and knows that you have been to the above two sites even though you had "pr0n mode" active on your browser which clears cookies.

On some sites, every page you click on, ad servers check the LSO and can build a definite profile on you that follows you even if the browser clears cookies, and even when you change IPs.

Later on, you enter some username/password information in on a site. *bam* They now have a name to the profile and browser history. This now can be sold to anyone who wants it, be it an estranged spouse, a would-be employer, or an adversary in a lawsuit who will use the information in front of a jury to humilate.

This is a great boon for data miners, not a good thing for consumers.

Re:Overreacting?

[base3]

Yeah, but the advertising networks that advertise on the midget pr0n site, the beer bong site, the church site, etc. are all pushing Flash ads from the same domain and know what sites their ads were served from, so his hypothesis isn't all that flawed.

On OS X...

On OS X just delete all the downloaded content & local shared objects, then lock the folders:

~/Library/Caches/Adobe/Flash\ Player/AssetCache
~/Library/Preferences/Macromedia/Flash\ Player

Flash thinks it can save local shared objects, so things like Pandora work (if you're in to that -- I'm not), but nothing is actually saved.

Using the "locked" flag on the folders is better than using restrictive permissions since apps and installers often require you temporarily grant them admin privileges to reinstall or fix their folders if they don't like the permissions. They usually don't, however, look for the locked flag, nor know how to change it / work around it.

Please don't tell Adobe you can do this.

Re:This doesn't really solve the problem...

[BoppreH]

It's a different issue, but localhost is considered a domain, thus making all local Flash files share cookies.

HTML5 is not an adequate response

[Dr.Syshalt]

Does HTML5 provides for the same level of rich client platform development as Flash/Flex? With numerous widgets just like in Motif/MFC, just easier to use? (MXML just shines in GUI development, far beyond of what Motif/MFC/AWT/Swing offer).

Does HTML5 allows you to play video with some advertisement in a running text over it?

Does HTML5 protects your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

Sorry, HTML5 'video', 'audio' tags and other dings and wistles... you have your place (probably on YouTube), but you ain't gonna replace Flash anytime soon. Especially not on commercial sites (like pr0n tubes), not for RCP development either. World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution. And they did it quite well, despite of some quirks. Sun with JavaFX has failed... would you like MS to take over with their Windows-only Silverlight technology?

Re:HTML5 is not an adequate response

Does HTML5 provides for the same level of rich client platform development as Flash/Flex? With numerous widgets just like in Motif/MFC, just easier to use? (MXML just shines in GUI development, far beyond of what Motif/MFC/AWT/Swing offer).

Sure. HTML combined with CSS and Javascript / AJAX will do 80-90% of what Flash is used for.

Does HTML5 allows you to play video with some advertisement in a running text over it?

Sure. Just use a CSS layer.

Does HTML5 protects your video site from hotlinking? I.E. can you make sure that nobody can embed your videos into their pages and make sales while you pay for the bandwidth?

This is a HTTP issue and server side security issue. It is trivial to grep a Flash file for the raw SWF download location most times.

Sorry, HTML5 'video', 'audio' tags and other dings and wistles... you have your place (probably on YouTube), but you ain't gonna replace Flash anytime soon. Especially not on commercial sites (like pr0n tubes), not for RCP development either. World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution. And they did it quite well, despite of some quirks. Sun with JavaFX has failed... would you like MS to take over with their Windows-only Silverlight technology?

Hardcore Flash games I can see and some super heavy duty flash "applications", but so often this can be done in HTML with CSS / AJAX. The designers are normally just clueless and have no wish to learn code or how stuff works after taking their 1-week Adobe course and getting accreditation as a "web developer".

Re:HTML5 is not an adequate response

[h4rr4r]

Not everything should be done in the webbrowser.

Get off my lawn!

Re:HTML5 is not an adequate response

[naz404]

Does HTML5 allows you to play video with some advertisement in a running text over it?
Sure. Just use a CSS layer.

Not if you're embedding 3rd-party videos on stuff like blogs, forums, etc the way people embed Youtube et al right now. Flash is great because it gives you a little widget that shows you a whole lot of options like contextual links, etc when embedded in 3rd party websites, giving the viewer the ability to check out related videos,etc.

Hardcore Flash games I can see and some super heavy duty flash "applications", but so often this can be done in HTML with CSS/AJAX.

You obviously are not a game developer and are talking out of your ass. "Easy to port HARCORE Flash Games often to CSS" my ass. CSS/AJAX has no equivalent for the timeline-based animation which makes putting animated stuff in Flash games so easy. Also, Flash has an excellent multi-channel sound API, something which is very rudimentary on HTML/Javascript. Sound is an important part of many games these days for the user experience, and Flash gives developers and the user good access to this.

Also, doing stuff in Javascript/CSS bloats the hell out of downloads since the interpreted Javascript code is in plaintext, unlike Flash which compresses it down to bytecode. Moreover, games built on the Flash platform can be made in a single SWF package which you can redistribute and embed to a whole bunch of different sites, unlike a DHTML-based game. Sure, you can build arcade games with Javascript/CSS, but they will not match the richness and features of Flash games.

Other stuff HTML5 doesn't have: support for microphone, webcam, multi-touch, accurate percentage loaded (down to single bytes) of assets (for preloaders which are important to the user so they can see accurate download progress and see when they can start using the apps), or client peer-to-peer support. Flash does. Let's see you try running relatively complex animated true-3D polygon models with texture mapping *at decent framerates* in DHTML too.

Yeah? That's what I thought. Flash is NOT YET dead.

Re:HTML5 is not an adequate response

[ytpete]

I'm sorry, but whenever I read comments like this I have to ask – how much AJAX web development have you really done? It's easy to build a couple pop-up menus and accordion controls and then decide that DHTML + CSS is all-powerful. But, frankly, it's not even close yet.

I spent years doing bleeding-edge AJAX development, and DHTML is by far the shabbiest development "platform" I have ever used. Frameworks like Dojo help, some. HTML5 will help, some. But it's all wallpaper overtop one core flaw: HTML was fundamentally never designed as an interactive-content development platform. Its programming language is embarrassing. It lacks any mechanism for reusing markup code (componentization). It lacks declarative data binding. It makes animated transitions far too hard. Its layout model is absurdly complex. And that's not even getting into the issues with browser and API fragmentation, backwards-compatibility, etc.

One other question for you: have you ever tried using Adobe Flex? Don't knock it till you try it. It is imperfect, for sure, but it positively screams maturity when you try it after years of banging your head on AJAX development. And sorry, but I just don't see HTML5 turning that around any time soon.

Re:HTML5 is not an adequate response

[dreamchaser]

"All of which assumes that we want them in the first place."

Apparently a lot of people do, given the growing popularity of fairly advanced flash based games.

Re:HTML5 is not an adequate response

[Hurricane78]

Sure. HTML combined with CSS and Javascript / AJAX will do 80-90% of what Flash is used for.

No. XHTML5+CSS3+JS2+AJAX+DOM3+SVG+Video/Audio will not only do 100% of what Flash does. It will do more. Like being able to seamlessly embed everything that Flash does with the rest of the page.
And there is no reason why JavaScript can’t be as fast or faster than ActionScript. After all it’s pretty much the same language.

Here are some examples: http://people.mozilla.com/~prouget/demos/ (Try the movement tracker.)

Re:You said you prefer suspicious .exe files

[larry+bagina]

A buddy of mine got a virus from a single white female. He has all kinds of exploits, though ... drinking, fucking, disorderly conduct, etc.

FlashBlock

[shovas]

Someone mentioned it in passing but I'll say it directly: FlackBlock

I'm not one to turn off the web with NoScript or not contribute to sites I'm visiting by using AdBlock. FlashBlock is a great compromise. Normal ads, no stupid flash instability. Click on the flash when actually want it to run for where it's actually needed. You'll be surprised how well it works.

Can also use this Flash program.

[antdude]

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html to control your Flash player settings.

Re:use 'shred' not 'rm'. or encrypt your hard driv

[caluml]

He has no wireless card, never plugs an ethernet cord into the slot, and never gives his compy to anyone else.

Meh. I hacked his computer twice. Once over Bluetooth, and then again over Infrared. All I found were secret plans of his to dominate the world - nothing unusual.

Cross Platform ?!?

[DrYak]

World needs a full-blown rich client platform for the browsers and so far Adobe has been the only one who were able to provide a cross-platform, browser-independent solution.

Sorry what do you mean by "Cross-Platform and Browser-Independent" solution ?
The damn thing only runs mostly correctly on Windows and Mac OS X, and is half broken on Linux. And that's only 32bits support - the 64bits support is currently catastrophic.
In the 90s, when Windows and Mac OS were the only platforms, your sentence would have had made sense.
In 2010, where smartphones are pervasive, when every single gadget seems to be internet-enabled, Flash is a big problem because it only runs on a fraction of what a modern user may find.
The iPhone has no official Adobe Flash support, for exemple.

Either Flash should die and get replaced by modern standards such as HTML5/CSS/Javascript/etc. (that's my preferred solution)
Or, Adobe should open their Flash and release some freely accessible specifications (and grant free use for any submarine patents) so people like the Gnash dev team could provide 100% compatible support for any platform under the sun.

But the current situation is far from the cross-platform heaven we need.