In 2010, Steve Jobs banished Adobe Flash from the iPhone. It was too insecure, Jobs wrote, too proprietary, too resource-intensive, too unaccommodating for a platform run by fingertips instead of mouse clicks. All of those gripes hold true. And now, Adobe itself has finally conceded.
The company announced Tuesday that it would “stop updating and distributing the Flash Player,” giving the end of 2020 as its end-of-life date. With that, the internet’s favorite punching bag deflates.
No one should shed a tear for Flash’s coming disappearance. The web will be safer, faster, smoother without it. But between now and 2020, the internet does need to figure out how to deal with the remains.
Pain in the Flash
It’s rude to speak ill of the dead, but since Flash is technically still in the process of dying, we can allow ourselves a moment of reflection.
You can take your pick of arguments against Flash, but let’s start with security. It offers very little. In fact, for years now, it has constantly threatened to upend yours.
“Flash has been a favorite amongst exploit kit authors for several years,” says JÃƒÂ©rÃƒÂ´me Segura, lead malware analyst at Malwarebytes. “Due to an alarming number of zero-day exploits distributed via large malvertising campaigns in recent years, many in the security community have urged users to completely remove Flash from their machines.”
Take your pick of incidents just last year. Flash security holes enabled attacks against all major desktop platforms last October and June, with Windows-focused hits coming in May and April. This is not normal! There’s no great analog comparison for something so pervasive that fails so often, but imagine a heavily trafficked bridge that spontaneously gives way every few months. You should not drive on that bridge
“The writing’s been on the wall long enough,” says Jeffrey Hammond, analyst at Forrester Research. Developers have already moved on from Flash over the last few years, embracing open standards that achieve the same ends – or close enough to it – without collapsing under the weight of security failures or browser incompatibility. Even Adobe has invested in HTML5 since 2010, and made a strong push that direction in late 2015.
Adobe itself acknowledged the transition, though a bit less bluntly:
“As open standards like HTML5, WebGL and WebAssembly have matured over the past several years, most now provide many of the capabilities and functionalities that plugins pioneered and have become a viable alternative for content on the web.”
Indeed! Just as the automobile became a viable alternative for horses on Main Street.
However much joy one might find in re-litigating Flash woes, though, its slow fade into the sunset raises more important concerns. Namely, whether that fade is slow enough to prep the internet for what comes next.
First, the good news. Chances are you already lead a mostly Flashless life. The Flash Player plug-in hasn’t been on iOS since 2010, or Android since 2012. The amount of sleep you’ve lost over this in the intervening years can likely be measured in zeptoseconds.
That’s increasingly true on desktops as well. Google has automatically blocked Flash ads from running – you have to click them to play them – since September 2015. Firefox started blocking some Flash elements last summer. Microsoft Edge opted for click-to-run late last year as well.
That mostly leaves Internet Explorer as the web’s last Flash hotbed. Even IE, though, will disable Flash by default in 2019, ahead of Adobe’s schedule. And poof, there it goes, the internet’s least-favorite plug-in gets unplugged.
Just to be absolutely clear, the vast majority of internet visitors will benefit from this. It won’t, though, come entirely without repercussions.
Look at security again. Neutering a favorite hacker target undoubtedly helps make the web more secure, but it doesn’t make the hackers go away. Instead, they’ll just look for other ways in.
“The focus might switch to yet another Achilles’ heel for all browsers, which are extensions and third-party plugins,” says Segura. “This is in particular true for Google Chrome, which has the most market share and as such represents the most coveted target.”
More importantly, the removal of support for Flash doesn’t actually remove Flash. That’s up to developers, who have to contend with either updating legacy systems for a Flash-free age, or leaving old sites abandoned by the roadside, permablocked by most browsers. While three-and-a-half years sounds like a decent lead time, it’s short of the six or so that Microsoft afforded Silverlight, another sunsetting web-builder.
“We’re not going to see the end of the world as we know it, but we will see unexpected things,” says Hammonds, who notes that the heaviest-hit site types include games, interactive learning companies, and enterprise applications, many of which will either no longer work, or misbehave in unexpected ways. (The loss to the legacy of browser-based gaming, in particular, may be the only one worth shedding a tear for.)
Still, all of that ultimately represents a small price to pay for the safer, more stable world without Flash that lies ahead. Steve Jobs was right that you wouldn’t miss it on your phone. And when the desktop finally catches up, a full decade later, you won’t miss it there either.