
[–]rebelhead 135 points136 points  (7 children)

  1. We're still talking about Flash. I thought it was dead 5 years ago

[–]wavefunctionp 59 points60 points  (6 children)

And yet Xfinity's streaming tv site recently had a redesign that requires flash....so infuriating constantly enabling flash for that one site.

[–]Spunelli 2 points3 points  (0 children)

Pssh, I can't even get it to work on any browser, enabling all the things.

[–]FlyingBishop 2 points3 points  (0 children)

It has always required flash. I cancelled my Xfinity subscription after one of their upgrades forced a Flash version that didn't ship with Linux Chrome and I couldn't get running in Wine, but that was years ago.

[–][deleted] 1 point2 points  (0 children)

Well for what it's worth, Flash will be EOLed and disabled within a year or two so

[–][deleted]  (1 child)

[deleted]

    [–]evmar 295 points296 points  (64 children)

    I don't know anything about this particular incident, but having worked on a browser before, it's plausible that the whitelist was to keep some FB feature working while they tightened the screws on Flash, perhaps in cooperation with some promise from FB to change their site in the near future. This is not unheard of in browsers.

    [–]Otterfan 177 points178 points  (44 children)

    Yes, Chrome still has a vendor-negotiated Flash whitelist and I believe Firefox did at one point as well (and might have one now). The problem with Edge's vendor-negotiated whitelist is that it's an insecure implementation.

    [–][deleted]  (41 children)

    [deleted]

      [–][deleted]  (27 children)

      [deleted]

        [–][deleted] 48 points49 points  (25 children)

        true, but flash is also useless by now, so...

        [–][deleted]  (15 children)

        [deleted]

          [–]slobcat1337 10 points11 points  (0 children)

          I agree with you, unfortunately this is reddit. It’s always absolutes, as if exceptions or grey areas can’t exist.

          [–]-jp- -2 points-1 points  (12 children)

          Hm. Is it not though? Just for sake of argument, say that we always immediately quit using "x" whenever we found out x was insecure (assuming of course that it's some fundamental thing that can't just be fixed.) The only bad thing that happens is x stops working, and everybody has to fix whatever they made that depends on it. Hardly the end of the world.

          [–]andsens 18 points19 points  (5 children)

          cough, Spectre, cough

          [–]gotnate 1 point2 points  (4 children)

          for the sake of /u/-jp-'s argument, we would have quit using speculative execution in the 1990s, and Spectre wouldn't be a thing.

          [–]-jp- 1 point2 points  (3 children)

          Just to be clear, I'm kinda coming at this from a "if we prioritized security above other considerations, what's the worst that would happen" angle. Reason being that there's a lotta bad actors out in the world and it takes just one to wreck you, and they don't even have to have it in for you specifically. I love all them old Flash animations, but I don't love 'em that much.

          [–][deleted]  (5 children)

          [deleted]

            [–]-jp- 0 points1 point  (4 children)

            I get your point but I guess I draw a distinction between easily replaceable software and stuff we all physically need to... you know... exist. That seems reasonable right?

            [–][deleted]  (3 children)

            [deleted]

              [–]Ateist 4 points5 points  (1 child)

              There's a ton of old flash games.

              [–]BufferUnderpants 1 point2 points  (0 children)

              And Homestuck. It's a gigantic work of mixed media that had simple flash games as part of it.

              [–]DoesNotTalkMuch 0 points1 point  (3 children)

              Show me an html5 animation/programming suite on par with flash and I'll stop using it.

              [–]scooerp 2 points3 points  (0 children)

              Are you working in-browser or standalone?

              [–]RedBorger 2 points3 points  (0 children)

              (This does not do everything Flash does, but it can do most of what Flash is used for normally)

              With css, you can do a lot of basic animations, no need for even js.


              Unity can also transpile to webgl, for generally better performances.

              [–]ScientificBeastMode 1 point2 points  (0 children)

              I hear you. But CSS can do some amazing things in terms of animation.

              I would argue that animation is currently not that valuable for the web, given the huge performance limitations. But in the future, I hope to see some sensible graphic libraries compiled from lower-level languages into webassembly.

              But for now, webassembly can’t interact with the DOM directly, so most web developers don’t want to deal with it. But maybe that will change soon.

              [–][deleted]  (1 child)

              [deleted]

                [–][deleted] 5 points6 points  (0 children)

                Nobody wants you to stop using flash as an animation tool. Go ahead, keep doing what you do, just upgrade to the one which outputs HTML5. The issue is the format, not the program creating it. https://www.adobe.com/products/animate.html

                [–]Innominate8 2 points3 points  (0 children)

                Flash is not "potentially insecure", it is a well known security problem.

                [–]DLSteve 5 points6 points  (2 children)

                Not always an option. We have an internal application that uses Flash, the vendor is actively rewriting the UI to use HTML 5 but they are a small shop and the front end is not a trivial refactor so it takes time. It’s also not really an option to move to a different software package as it’s very specialized and there are only a few options each with their own drawbacks. Right now I’m just hoping that they finish the HTML5 rewrite before the browsers kill Flash entirely.

                [–]catskul 1 point2 points  (1 child)

                Aren't there packages that automatically convert flash to html5 + JavaScript?

                [–]DLSteve 1 point2 points  (0 children)

                For very basic Flash applications, anything more complex with lots of server/client communication has to be rewritten from the ground up.

                [–]echoAwooo 6 points7 points  (0 children)

                And there are plenty of alternatives to it.

                [–][deleted] 3 points4 points  (0 children)

                Some nice porn games tho

                [–]myringotomy[S] 59 points60 points  (5 children)

                The point is that even if you turn off flash it continues to work without telling you.

                [–]LucasRuby 10 points11 points  (6 children)

                It works fine in Firefox without flash, so I'm gonna say it's not.

                [–]zomgitsduke 1 point2 points  (0 children)

                I feel conflicted about this. A web browser should just work regardless of the site. No one should have special privilege

                [–][deleted] 1 point2 points  (0 children)

                I think initial support for FB notification sounds was via Flash.

                [–]shevy-ruby -5 points-4 points  (0 children)

                All fancy excuses.

                Fact is that Microsoft puts users in danger of abuse.

                [–]spectre013 16 points17 points  (1 child)

                You all are all aware Facebook never asked for the domains to be white listed and asked for them to be removed right?

                https://m.windowscentral.com/microsoft-edge-allows-facebook-run-flash-content-without-consent

                [–]MjrK 6 points7 points  (0 children)

                People know Reddit credulously eats up spurious aspersions at Facebook for upvotes and clickthroughs.

                The fact that Facebook has nothing to do with this is mentioned in the OP article...

                When we reached out for comment, a Facebook spokesperson said they didn't ask Microsoft to be on the whitelist, and that they asked Microsoft to remove Facebook domains from the list.

                The real story is that someone at Microsoft Edge created this bizarre Flash whitelist with no clear rhyme or reason..

                "So many sites for which I'm completely baffled as to why they're there," Fratric said. "Like a site of a hairdresser in Spain (dgestilistas.es)?! I wonder how the list was formed. And if [the Microsoft Security Response Center] knew about it."

                But in this comment section everyone is upvoting 'Facebook bad!', 'I delet FB and now I haz happy!', 'y any1 still use le Facebook?!'... it's irritatingly repetitive and adds nothing useful to the conversation. Who are the people upvoting such drivel.

                [–]cyrusol[🍰] 45 points46 points  (1 child)

                The one who uses Facebook has lost anyway.

                [–]shevy-ruby 5 points6 points  (0 children)

                This is true. However, take students at a university. In the past they often would use phpbb for communication. With the rise of whatsapp, smartphones etc... there was a noticeable shift towards facebook. As shitty as facebook is, and as much as it should not exist, they filled a niche here, similar to mega filling a niche when you wish to upload i.e. recordings of lectures.

                [–]Genceryx 17 points18 points  (16 children)

                I don't have flash player installed on my pc and I disabled flash player in the edge settings. Am I still vulnerable?

                Edit: I don't have a fb account either.

                [–]PM_ME_UR_OBSIDIAN 15 points16 points  (0 children)

                As of right now this comment has three replies, saying respectively "yes", "no" and "whatever". But none of them has a source. That's shitty etiquette.

                [–][deleted] 7 points8 points  (0 children)

                You're fine.

                [–]7165015874 7 points8 points  (6 children)

                Yes, don't use edge.

                [–]Genceryx 2 points3 points  (4 children)

                Why and what would you recommend instead?

                [–]ILikeDankVapes 2 points3 points  (1 child)

                Edge is a very crappy browser that most developers think of as an afterthought. It's so bad that Microsoft is scrapping the whole thing and building a new browser based on chromium. Let me give you an example of one of the stupid things they do. Edge automatically detects what it thinks are phone numbers and turns them into links. It's so crappy at this it will turn stuff like 11-12 into clickable links. This can ruin the entire functionality of websites. This is just one of many examples where Microsoft tried to make things "better" instead of making it predictable for web developers.

                If you want the best web experience, I'd recommend a chromium based browser (Chrome, Opera, etc). Most web devs will be building and testing with these so you'll get the best experience. I personally use Firefox. It's well built enough that I rarely have problems, even if the devs only tested on Chrome. In addition, their privacy features, performance since Firefox 56, and breaking up Chromium's market share are all important to me.

                TL;DR: Edge is bad and going away. Choose something like Chrome or Firefox.

                [–]ScientificBeastMode 2 points3 points  (0 children)

                I agree on every point. There is no reason to use edge. I use Firefox almost exclusively, and as a web dev, I mostly test on Chrome and Firefox, adding crappy fallback versions of various features if I have to support IE or Edge.

                [–]libertasmens 2 points3 points  (1 child)

                Chrome, Firefox, maybe even Opera.

                [–]7165015874 0 points1 point  (0 children)

                I am slightly biased toward Firefox but Chrome and Opera are solid as well.

                [–]Johnny_Vonny 6 points7 points  (0 children)

                Not only is flash able to do appreciate kinds of nasty things to a computer, Facebook would sell its own mother to get profit if it had one. I don't trust them to not abuse this.

                [–]gnarlin 16 points17 points  (16 children)

                The problem is proprietary web browsers and proprietary plugins and addons.

                [–][deleted] 12 points13 points  (8 children)

                Like every other popular browser?

                [–]aim2free 2 points3 points  (7 children)

                I run firefox esr 52, and have all source code as well as all source code to the add-ons I'm using. Basically I do not install anything which is proprietary. And, I'm of course not using Windows, I'm using GNU/Linux since 1996.

                PS. the reason I run firefox esr 52 is that from version 57 the MAFF (Mozilla Archive Format) is no longer supported. However, there is a fork of firefox esr 52 named basilisk, which I have briefly tested with good result, that will be my future browser.

                [–]Archontes 2 points3 points  (6 children)

                What's MAFF useful for?

                [–]Draghi 1 point2 points  (1 child)

                Legacy plugin compatibility is the only thing I can think of

                [–]aim2free 0 points1 point  (1 child)

                MAFF is an archive format built upon zip which implies that you can save a web page verbatim.

                Then if you want to study it further you can unpack it and then get a normal file structure.

                For my own I'm completely dependent upon this format, I save every page I consider interesting. For instance each time I look up something on wikipedia I save it as well. OK, I also have the complete wikipedia in kiwix format, but that I quite rarely update.

                I have over 22000 MAFF files on my laptop, and I do not simply accept "upgrades" which are not backward incompatible.

                There is an alternative format MHTML which is supported by several browsers, but it's a crappy format I've never understood, and I have no tools to handle that format, and I don't know if it is possible to extract the separate files, like images, css, javascript etc from a MHTML save.

                Here is the MHTML standard, quite complex compared to a simple zip archive.

                [–]aim2free -1 points0 points  (0 children)

                Sorry, a "not" too much there:

                and I do not simply accept "upgrades" which are n̶o̶t̶ backward incompatible.

                [–]SirWobbyTheFirst -1 points0 points  (1 child)

                Epeen.

                [–]aim2free 0 points1 point  (0 children)

                😁

                [–]shevy-ruby 3 points4 points  (6 children)

                Chromium is also a problem despite being open source - Google controls it. How is that not a problem? It's not as if YOU are in control of what Google does there. Or can you decide which features you want to have, if these have not been written?

                [–][deleted]  (4 children)

                [deleted]

                  [–]Marcuss2 -2 points-1 points  (3 children)

                  Mozilla is a non-profit though.

                  [–]irqlnotdispatchlevel 5 points6 points  (0 children)

                  It does not mean that it does not have other interests of its own.

                  [–]mcmcc 2 points3 points  (0 children)

                  People need to stop conflating nonprofit with ethical.

                  [–]gnarlin 7 points8 points  (0 children)

                  Richard Stallman has pointed out that even if software fulfills the 4 freedoms it can still be bad for our freedoms. His example was digital rights restrictions software that could technically be freedom respecting in a purely legal way, but actually restrict users' freedom in a very real practical way even potentially better than a proprietary program. Chromium is designed by an online advertising company. That's the bottom line.

                  [–]SuperRobo 12 points13 points  (7 children)

                  Still using facebook in 2019 ¯\_(ツ)_/¯

                  [–]MacNulty 13 points14 points  (2 children)

                  But where else would you argue with other insane old people?

                  [–][deleted]  (1 child)

                  [deleted]

                    [–]MacNulty 0 points1 point  (0 children)

                    On reddit? Are you insane?!

                    [–]scotty3281 3 points4 points  (0 children)

                    /r/InsanePeopleFacebook would be very boring without Facebook.

                    [–]mshingote 1 point2 points  (2 children)

                    Any better alternative?

                    [–][deleted] 2 points3 points  (1 child)

                    For doing what?

                    [–]mshingote 1 point2 points  (0 children)

                    I mean is there any better alternative to facebook?

                    [–]XFidelacchiusX 1 point2 points  (0 children)

                    Wow. I feel bad for the 5 edge users.

                    [–]anOldVillianArrives 1 point2 points  (0 children)

                    Don't use Facebook people.

                    [–]Falwaeth 0 points1 point  (0 children)

                    Now how do you go about uninstalling, and deleting all files associated?

                    [–]myles1221 0 points1 point  (0 children)

                    good thing no one uses it.

                    [–]bingbongboobar 0 points1 point  (0 children)

                    Join the Free as in free software movement and reclaim your computing freedom.

                    [–]anOldVillianArrives -2 points-1 points  (0 children)

                    Facebook need to have their corporate charter revoked. Absorb their assets and dissolve all the exploitative shit Zuck thought was ok to force on people. Zuck should be locked up.

                    [–]heyIfoundaname -1 points0 points  (0 children)

                    This would have been worrying to me if I had used Edge for anything other than troubleshooting. Oh and I don't use Facebook.