Tuesday, July 14, 2015

A Month Without Flash

It is hard to keep up with Flash, the legacy web-animation software plug-in. Last month I went to the Adobe site for two urgent security updates for Flash, but it was not enough. There are more security flaws in Flash with active exploits occupying the advertising boxes of web sites you are familiar with. Some are corrected in the latest update of Flash, but others remain. That is, if you look at major media web sites with Flash turned on, you will see browser crashes and glitches at least, and you are at risk for worse damage than that. The simplest option is to turn Flash off. This is something I did two weeks ago.

At first, I thought I would wait a day or two until I had met my most urgent deadlines, and then I would go again to the Adobe site and download the third patch in less than a month. But after a couple of days I changed my mind. The truth is, the web is better with Flash turned off.

Immediately I noticed that web pages seemed quieter. There were not so many bizarrely deformed images bouncing around the screen begging for my attention. Advertisements didn’t jump in front of the content on the page at unexpected times. This was my early reaction:

But it is more than just this. It was far less common to see web pages that froze up and wouldn’t scroll for a minute or two. Browser crashes became less frequent. Now that I think of it, I also haven’t had a computer crash in the last two weeks. I don’t know if that is because of turning Flash off or just good luck, but statistically, you would expect that turning Flash off would result in fewer crashes.

You would think it would be a big compromise to have Flash turned off with so many web pages that still use it (including, at times, this blog), but this isn’t the issue I had expected. In many web pages that use Flash, the behavior of the page doesn’t change in any detectable way with Flash turned off, so these pages are perhaps using Flash just out of habit and not because they rely on it for anything. In the rare cases where a web page does depend on Flash for something I care about, I can turn Flash on just for that one page, a step that requires just a single click in the Firefox browser. If I am feeling especially security-minded, I might look for a way around that web page. Perhaps the same information is available somewhere else in a more secure format.

Meanwhile, the tide of public opinion seems to be turning against Flash. Over the weekend the new security director at Facebook called for an end-of-life date for Flash.

Then, overnight, Mozilla decided to turn Flash off by default in Firefox, the result of newly documented exploits that Adobe hasn’t committed to fixing. Mozilla has done this with hundreds of other browser add-ons that developed critical security flaws, and it’s clear they came to this decision only with great reluctance in the case of Flash.

Today, then, half a billion web users are joining me in the Flash-free web. Of course, it is still early morning in North America, but so far there hasn’t been any sign of outcry or even grumbling about Flash’s new blocked status. So far, there are more posts about how to uninstall Flash than about how to enable it again. If people see the same thing I’m seeing, they won’t want to go back to a web littered with Flash. Maybe turning off Flash is a change whose time has come.