The Agonizingly Slow Decline of Adobe's Flash Player

harrymcc writes: Security and performance issues with Adobe's Flash Player have led to countless calls for its abandonment. But a significant percentage of major sites still use it--and many of those companies aren't eager to explain why. Over at Fast Company, Jared Newman investigates why Flash won't disappear from the web anytime soon. From the article: Despite the pressure from tech circles, the sites I spoke with said they simply weren’t able to start moving away from Flash until recently, when better technology become available. And even now, it’s going to take time for them to finish building the necessary tools. "Originally, Flash was necessary to solve a couple problems," says Adam Denenberg, chief technical officer for streaming music service iHeartRadio. "Streaming was difficult, especially for live stations, and there were no real http-supported streaming protocols that offered the flexibility of what was required a few years back."

I think it's hilarious and ironic Facebook

[pecosdave]

called for an end-of-life date on Flash, and wants Adobe to commit to it, yet they're one of the worst offenders for requiring Flash to play videos when h.264 and WebM exist......

Re:I think it's hilarious and ironic Facebook

[SJ]

Not quite sure what you're referring to as I don't have Flash Player installed and videos play perfectly fine...

Re:I think it's hilarious and ironic Facebook

[AmiMoJo]

That's how business works. Can't justify spending money to replace Flash when it isn't going away any time soon. The moment Adobe put an EOL date on it Facebook can justify spending the money and telling all other companies that provide content for them (mostly PTW games) that they have to as well.

It's stupid but Facebook has shareholders now.

Re:I think it's hilarious and ironic Facebook

[MobileTatsu-NJG]

Videos on Facebook play back just fine on my non-Flash-enabled PC and on my iOS devices.

Re:I think it's hilarious and ironic Facebook

[RingDev]

Interesting, on my home PC, just upgraded to Windows 10 and Edge, I disabled Flash. Youtube works fine playing HTML 5 videos, but clicking on videos in Facebook opens up the modal interface and the "get Flash!" logo shows up.

Opening facebook with Chrome or Firefox, both of which have the FF add-on, videos play fine.

-Rick

Re:I think it's hilarious and ironic Facebook

[morgauxo]

Maybe it detects that Flash is installed and tries to use it but then can't. i've noticed that that is how Youtube seems to work. If there is Flash I get one interface (complete with Full Screen support). If there is no Flash I get a different one (still no Full Screen damnit!)

Re: I think it's hilarious and ironic Facebook

One word: tracking.

Html by itself cannot set persistent cookies.

Re:I think it's hilarious and ironic Facebook

[Billly+Gates]

That is because of zombie cookies.

Facebook LOVES FLASH because the cookies are permanently stored in flash and can never be deleted. Advertisers and tracking companies including Facebook love this. Yet another reason to ditch this. However, reality is easier said than done. Man the pc is like the mainframe now where it is old and creaky and no one wants to dare touch or change them or do anything different on them. That is what phones are for etc.

Re:I think it's hilarious and ironic Facebook

[LifesABeach]

I have no pity for the "best and brightest" that Adobe hired under the H1B, only to see the iPhone slip away. It wasn't important then, so what changed?

hope there's a "no videos" flag in HTML5's future

[xxxJonBoyxxx]

I don't mind ads (I really don't) as long as they stay in the side of the page and don't try to play audio or video. I run Flashblock in all browsers to avoid this type of thing and have started to run ad-blockers just to kill off the videos that are starting to come through HTML5. If there was a common browser option to never play audio/video unless specifically requested (similar to Flashblockers - if you click on it you really want to see it) then I'd be perfectly happy.

Re: hope there's a "no videos" flag in HTML5's fut

[cps42]

This. Especially the audio, but in general, any auto-playing video is unwanted.

Translation

[IamTheRealMike]

Web browser makers are incentivised to make everyone use HTML5, regardless of whether it's a better fit than Flash or not.

Website developers are incentivised to add new features, rather than rewrite their existing codebase from scratch for no gain.

Surprise?

If it ain't broken (for you)

[arielCo]

For many site owners, Flash isn't really broken - their video / audio players, animations, interactive displays and games work with enough users that they don't feel pressured to do them over again. Even video sites that support mobile browsers by serving HTML5 video and direct links to the .mp4 keep their Flash players alive in the full pages.

Re: If it ain't broken (for you)

[arielCo]

Assuming it's true and representative of most companies holding onto Flash, who knows.

I'd simply say it's not a priority for us right now, plus HTML5 based solutions have only recent become usable (YouTube still has some snags that require reloading the page).

Re:If it ain't broken (for you)

[phantomfive]

Unfortunately Google will probably never do that.

I don't have expectations of Google ever doing things that would annoy their advertisers. Remember, they are the ones who swore they would ignore "do not track" if it were enabled by default.

Re:hope there's a "no videos" flag in HTML5's futu

[The+MAZZTer]

It is trivial to monitor a document for tags and remove an autoplay attribute, add a controls attribute, or otherwise manipulate it to block items.

Re:hope there's a "no videos" flag in HTML5's futu

media.autoplay.enabled = false in firefox, don't know about chrome.

real-time adaptive video playback

[lkcl]

i don't know if anyone's really noticed, but flash's real-time adaptive video CODECs are actually incredibly good. i created a video chat site a few years back [tried red5 as the back-end server, and finally got to actually put some reality behind why i detest java. up until then i'd only known *theoretically* why java is a piss-poor language compared to the alternatives...]

anyway, leaving the back-end alone as it's a red herring, i was deeply impressed at how little bandwidth each video window could be given yet still remain audible and actually convey useful video information. i restricted each user to a paltry 10k-bytes (!) of bandwidth - that's for video *and* audio, limited the window size to 240x180, and was absolutely amazed to find that the video would easily recover from drop-outs.

basically what would happen is that during a drop-out, audio would be prioritised, and video would pause. recovery of the video stream (which could be done *precisely because* i had set the bandwidth so low) would literally "unfold" before my eyes, in exactly the same way that you see those 1980s pop video and children's programs "pixellation" effects.

basically they would transmit a crude video image, then send the improvements as a second round, then a third, and so on. now, here's the thing: i have looked for "adaptive video" algorithms in the past, and, whilst there exists an effort to create such a standard as a public standard, it's simply completely behind the times.

adobe managed it *years* ago... yet no open standard exists in common usage which comes even remotely close to successfully replicating this.

i appreciate that technically, it's incredibly challenging to get right. even the team behind skype - when they sold and created a real-time video streaming company "joost" - failed after a few years and gave up.... but what people forget is that *adobe already succeeded*. ... what has been substituted in its place? well, sure, we can do real-time video browser-to-browser.... but the assumption is that there is "perfect conditions". perfect bandwidth. perfect connections. no drop-outs. no brown-outs. zero latency.

adobe's solution isn't perfect: i know from experience that after a few hours, the real-time adaptive video stream *can* get out-of-sync (by over a minute in some cases), and will "recover" in a flurry of fast-forward stop-motion frames. really quite hilarious to witness. but, the only other alternative that i know of which is even *remotely* close to replicating what adobe did is *another* proprietary video codec, behind "zoom.us". it's developed by a former developer behind cisco's real-time video system. which uses flash in some places, and java in others. and is dreadful and unreliable, and has latency often of up to 1..5 seconds. unlike zoom.us which works incredibly well, and has very little latency.

so i'm going to call this article out, as entirely missing the point, namely that there *really* aren't any good alternatives to the core of what flash does really really well, but the problem is that they should have released the entire client and server as software libre under the LGPL a long, _long_ time ago because it just doesn't make them any money, and they just don't have the manpower to keep on fixing the security issues any more.

Re:real-time adaptive video playback

[gsslay]

ABCDEFGHIJKLMNOPQRSTUVWXYZ

Have some capital letters on me. You seem to have run out.

Re:VCenter

[DougOtto]

Never said it was hard. I said it was a pain in the ass.

I don't want to be tracked

[sjbe]

I don't mind ads (I really don't) as long as they stay in the side of the page and don't try to play audio or video.

But you are ok with them tracking your browsing? Personally I find most ads to be intrusive, annoying and sometimes downright creepy but the tracking is the worst aspect of the whole thing. And the people doing the advertising can't help themselves in trying to track what I'm doing which is why I have AdBlock Plus, BetterPrivacy, PrivacyBadger, Flashblock, etc all installed at the same time. They started this arms race and I'll be damned if I'm going to lose.

I have NO problem paying for a site or service I find valuable and I do pay for some. If they base their business model on pushing annoying ads at me that I can block then that is their problem, not mine.

Re:I don't want to be tracked

[xxxJonBoyxxx]

>> are ok with them tracking your browsing?

Pretty much comes with the territory if you browse from your home or cell phone.

>> AdBlock Plus, BetterPrivacy, PrivacyBadger, Flashblock, etc all installed at the same time

Remember, they also track by IP address and browser attributes, which often allows advertisers to watch you even if you don't store any cookies. And your browsing is often personally identifiable if you browse from a fixed home location (with registered ownership or renter information they can correlate from other sources) or your cell phone (which is also probably registered to you).

Re:I don't want to be tracked

[mlts]

They have already won that battle. Try visiting EFF's Panopticlick, and almost invariably, any browser will be unique, because of the order of add-ons installed, the browser's ID, or fonts.

I also use the above mentioned tools (as well as a customized hosts file), but I also run the browser in a VM, just so if something bad gets past the add-ons, it cannot touch the bare metal of the computer, nor affect useful data.

Re:hope there's a "no videos" flag in HTML5's futu

[phantomfive]

I don't mind ads (I really don't) as long as they stay in the side of the page and don't try to play audio or video

You should mind. Ads are a known vector for malware. Whether it bothers you to look at them or not, proper security requires that you block them.

Vector animation

[tepples]

How would a vector animation like Homestar Runner or "Badger Badger Badger" have been created without Flash? With Flash, you can buy an old copy of Adobe Flash and use that. But with HTML5, you have to rent (not buy) Edge Animate on Creative Cloud. Or would you recommend creating the vector animation in Flash, rendering to AVI, and sending that to the viewer as MP4 and WebM? That not only bloats the file size by a factor of ten (in my tests) but also destroys any possibility of interactivity.

Re:hope there's a "no videos" flag in HTML5's futu

[peragrin]

Not only are ads a known vector they are quickly becoming the primary vector. Ad companies keep poking security holes in your computer and web pages so they can display more ads. Run Adblock for a week and then switch to IE. The difference is amazing.

Re:hope there's a "no videos" flag in HTML5's futu

[gstoddart]

I don't mind ads (I really don't)

And you're OK with the endless stream of analytics companies and other assholes monitoring every site you go to so they can monetize everything you do on the internet.

If the sites in question were serving their own ads, then maybe.

But the 15 or 20 (or sometimes 30 or 40) external websites which come along with those ads are just parasites whose business model is predicted on you being willing to let them know everything you do.

And I'm completely not willing to allow that.

Right now on Slashdot as I type this there's no less than 9 external sites who would be getting requests and running scripts if I wasn't actively blocking them. And Slashdot isn't even the worst site out there.

There's simply no way in hell I'm willing to let a bunch of corporations make money of tracking everything I do on the internet, run scripts, embed ads, deliver malware through shady partners, share that information with anybody they choose because they have an EULA ... none of it.

It's about FAR more than ads staying in nice places on the screen.

In Chrome install something like HTTP Switchboard, and look at the sheer amount of crap embedded in every page. Flash is an open invitation for dozens of sites you aren't even visiting to allow dozens of their affiliates run arbitrary code on your machine.

Re:Streaming was difficult

No, streaming is actually hard. Mostly, it's hard for streaming to be efficient across an active medium like a data network. A passive medium (or one-way medium) is much better suited to streaming. On a data network, the request to receive the stream is usually a two-way handshake over TCP, followed by a UDP video stream. The control connection stays TCP, and is kept open (or at least available) for the entire duration of the UDP stream. (This is the mess that is known as RTP, RTSP, and RTMP. And they're pretty much the best option out there. All other working options are variations on and combinations of these three with only slight modifications.)

Now, most of these services aren't actually streaming anything. They're providing a download in a format that allows for playback of progressive downloads. That brings all kinds of other "problems" that the media companies don't want, like the ability for the recipient to keep what they downloaded and play it, edit it, or otherwise do "unauthorized" things with it (air-quotes around unauthorized because the mere act of presenting it for download is all the authorization anyone legally needs).

Re:hope there's a "no videos" flag in HTML5's futu

[phantomfive]

Run Adblock for a week and then switch to IE. The difference is amazing.

What does IE do differently here than any other browser?

when no one is visiting their sites...

[afaiktoit]

when no one is visiting their sites they might decide its a good time to upgrade.

Re:hope there's a "no videos" flag in HTML5's futu

[meta-monkey]

Devours your soul.

Like IE 6 it will be here for 10 more years

[Billly+Gates]

The problem is:
1. Too many business apps have flash built into like a dependency such as signing payroll forms, training videos, websites made for older versions of IE (use flash to make up the lack of ability in IE 6 and 7) etc
2. Zombie cookies. These cookies are permanent and can never be deleted. Advertisers LOVE THIS. It means always tracking
3. Mouse and keyboard logging. Yes actionscript can monitor your keywords and mice and sell the data to those who feel it can be useful for more targetted ads.

Advertisers hate HTML 5 and will fight tooth and nail to make sure flash is required on a PC and not play content even if they offer it via IOS. How frustrating :-(

Re: hope there's a "no videos" flag in HTML5's fut

[Archangel+Michael]

The problem is, ad networks should be held accountable for the ads they are dishing out. If they don't want malware, then they should actually do their job and vet the ads before promoting them. THEY are promoting them, right? They are the responsible party.

Cold turkey

[Tough+Love]

Cold turkey works. One day I just removed flash from my tween kid's computer, which means no more flash games, causing much weeping and wailing for a few days. The flash games are social networks you see, which is why the kids keep going to those site, not the crappy retro 2D games.

Fringe benefits: the fan on the laptop isn't going all the time now. Ads are less obnoxious and consume less bandwidth. Hours of mind-numbing wastage on useless grinding-type games becomes available for, you know, education. After a few days of complaints, life goes on, and from where I stand, it's a better life without flash.

Flash isn't so bad, really

[Anonymous+Brave+Guy]

Flash needs to die. It's incredibly insecure, unstable and a total resource hog. It has no place in 2015.

People keep saying this, and yet...

To my knowledge, there is no actual evidence to show that browsers are significantly better on security. The major ones all fix critical vulnerabilities regularly, it just doesn't get as widely publicised. (Don't believe me? Go check the changelogs for recent releases of your browser of choice.) Moreover, if browsers do start to offer all the same functionality as Flash but natively, they'll also increase their attack surface accordingly. Of course if you compare a browser against the same browser with a plugin then the second combination has a larger attack surface, but right now that is an apples-to-oranges comparison.

I see little evidence of Flash being unstable, and haven't for years. It's much harder than it used to be to hang or crash browsers generally these days, too, but when it does happen it's almost invariably a glitch in the browser itself. (This assessment is based on building various web applications for a living, and the reasonable assumption that consistent trends shown across long-term bug tracking for a variety of otherwise unrelated projects is probably quite accurate. YMMV.)

Finally, as for resource hogging, since sites like YouTube went to HTML5 video, I see my graphics card core speed, and consequently its temperature and eventually fan speed, ramp way up just from watching a video. Since web sites started using funky browser-accelerated tricks with modern JS, same result, and often CPU cores ramping up as well. Older sites that use Flash for similar video or graphics demo tricks sit there quite happily, barely troubling either the CPU or GPU for anything it seems. (Again, this is just based on long-term monitoring and performance testing with objective tools. YMMV, but it's hard data from the machines I use for web development work.)

And Flash still has cross-platform consistency and portability that things like HTML5 video are sorely lacking, and still offers some features that the browser-native tools don't.

The dogma that Flash needs to die needs to die. Flash can die when the browser-native alternatives are actually better.