Google is planning to block Adobe Flash and implement an ‘HTML5 by Default’ policy on Chrome by the end of 2016. The intention is to use HTML5 automatically, and force users to explicitly accept the use of Flash only where there is no other choice.
It’s been coming. The end was almost inevitable once Steve Jobs Announced that Apple would not allow Flash on iOS back in 2010. Two years later Adobe announced there would be no certified implementations of Flash on Android 4.1. For the desktop, Amazon ceased accepting Flash advertisements in September 2015. Google will do the same for AdWords and DoubleClick from the end of June 2016.
Now Chrome developers have put forward a proposal to promote HTML5 above Flash in Chrome on desktops. Anthony Laforge, technical program manager at Google (Chrome), announced last week the intention to allow Flash execution only “if the user has indicated that the domain should execute Flash.” The target for implementation of this proposal is Q4, 2016.
Flash will still be included with Chrome, but it currently seems there will be little granularity in choices for the user. If a visited site requires Flash, the user will be given the option to accept Flash for that site. Chrome will then add the site to a whitelist for future visits.
“To reduce the initial user impact, and avoid over-prompting,” wrote LaForge, “Chrome will introduce this feature with a temporary whitelist of the current top Flash sites.” The whitelist includes companies such as YouTube, Facebook, Twitch and Amazon; although this may change over time. “This whitelist will expire after one year, and will be periodically revisited throughout the year, to remove sites whose usage no longer warrants an exception.”
Two immediate concerns from users commenting on the LaForge proposal concern the lack of granularity in user choice, and concern for the future of the gaming industry.
On the former, one commenter to the LaForge proposal wrote, “I would want Chrome to be able to understand, verify and present to the user information on the status of a code signed SWF file before passing it to the plugin.” As an example, he would like to be able to base his subsequent action on being able to distinguish between a Yahoo Flash signed by Yahoo, and one signed by Adobe. “If I want to trust only flash code signed by adobe.com which is served by yahoo.com and reject code signed by yahoo.com, malware.xxx and unsigned flash then I should be able to do so.”
The future of Flash is particularly important to Flash gaming companies. One indie game developer commented, “Our codebase is huge, so moving to another technology would impact us (and other Flash based game companies alike) heavily. And what I would really appreciate is if our own discrete internal decisions would not be forced by Google or other companies that think they know best for everyone.”
The security industry, however, is likely to be uniformly in favor of Google’s intentions. The most recent Flash zero-day exploit was patched just last week.
In a special note titled ‘Flash: The Last of the Low-Hanging Fruit’ in F-Secure’s Threat Report 2015 published last month, security advisor Sean Sullivan wrote, “It’s at this point that I’ll make the following prediction for early 2017 – once it no longer needs to support Flash-based ads – the Google Chrome browser will start aggressively forcing users to whitelist sites that require any sort of Flash. Mozilla’s Firefox and Microsoft Edge will do the same, and by spring of 2017. Flash will be effectively decapitated as far as exploit kits are concerned.”
Today he told SecurityWeek, “It seems that Google is aiming for Q4 2016 rather than Q1 2017 as I predicted. Good for Google.”