Ah yes, the good old days when anyone with a bad idea and a little bit of time could chew up your CPU cycles and run ridiculously insecure code on your computer without consent.
You can only say this if you haven't met people who have suffered from being hacked. Enormously painful stories. Flash is a trash fire, and Adobe and Microsoft externalised the penalties.
There is no reason we couldn't have had safe Flash except Adobe didn't care.
I've heard the Flash codebase described as a big steaming pile of C++. Perhaps they cared but making a secure Flash was an impossible task. Windows has magnitudes more resources working on it and it still gets exploits all the time.
They could have reimplemented it in a safe(r) language and runtime. It would have been a big effort, and Adobe extracted the maximum cash for least effort.
Comparisons with Windows don't make much sense because it is an OS and a thousand SDKs and ever growing attack surface.
I have huge amounts of nostalgia, from when my parents bought me a version of Flash for my birthday to kickstart my whole interest in programming, to building animations and games for Albinoblacksheep - Without Flash I would never have learned to code.
So yes, some people have nostalgia with no rose tinted glasses, and I would like to think I have a clue about technology.
We're so lucky that this has changed (narrator: it hasn't).
It definitely doesn't happen anymore (narrator: it still happens).
And it definitely doesn't happen in absolutely every browser out there and it can't really be blocked (narrator: it does, it is just done with JavaScript, which only hermits disable).
I'm making fun of you because it's not very realistic to disable it, especially due to network effects.
All the popular sites, including many intranet sites in every company I've worked for, use JavaScript. I mean, you can disable it/enable it selectively, maybe I should try it with some Firefox extension. But I expect 95% of the web to break if I disable it.
So it's kind of a revolutionary attitude, which works out if you have nothing to lose, I guess. Or if you're trying to prove a point, but along the way you're probably hurting yourself, too.
> I mean, you can disable it/enable it selectively, maybe I should try it with some Firefox extension.
The one I use is called, appropriately enough, Disable JavaScript [0]. It puts a simple toggle button in the toolbar, and remembers the setting on a per-domain basis. If a website has annoying behavior, it's little effort to switch JavaScript off to see if the site is still usable that way, or to re-enable it briefly to glance at some missing content. I recommend it; it's surprising how many sites I've disabled JS on, and left that way because there's no major breakage.
> maybe I should try it with some Firefox extensions
So you're making fun of me although you haven't tried it. Yeah, okay.
> But I expect 95% of the web to break if I disable it
And you'll be wrong, it is much lower than that (except if you're talking about adverts failing to display, then I guess yes, in that respect it does).
I don't give a damn about other sites (and I don't browse intranet sites on my home machine -- if I'm in an office I use their office machine).
If they don't work I don't use them except in rare cases when I really need to in which case they get run in a VM.
> you're probably hurting yourself, too
That's deeply patronising from somebody who admits they haven't even tried doing what I do, nor has even asked why I and others do it (hint: it's for many of the reasons you described). It sounds like you're talking to a rather stupid child.
I have tried it a long time ago (4, maybe 5 years ago?). Many, many things broke and I didn't have time to fix them all.
I already use the strictest Tracking Protection stuff in Firefox, for example, and I do hit sites that don't work correctly.
Maybe it's worth revisiting but something tells me that the web uses more JavaScript, not less, since I last tried this experiment.
And regarding the patronizing aspect, let's say your bank's website uses JavaScript, what do you do?
Edit, actually, sorry, I re-read your comment and you answered my question:
> I don't give a damn about other sites (and I don't browse intranet sites on my home machine -- if I'm in an office I use their office machine). If they don't work I don't use them except in rare cases when I really need to in which case they get run in a VM.
Q.e.d.
I'll just rephrase things to something less offensive: you're not "hurting" yourself, you're limiting yourself, sometimes with drawbacks not everyone is able/willing to endure.
> let's say your bank's website uses JavaScript, what do you do
Well mate, take a guess :) I do it on the phone only (and I don't mean smartphone). I've had a little exposure to bank's competence from the inside 20 years ago (large UK bank, mortgages), they couldn't find their own arse with a torch, arrows, diagrams and a PhD in arse-finding.
> I'll just rephrase things to something less offensive: you're not "hurting" yourself, you're limiting yourself, sometimes with drawbacks not everyone is able/willing to endure.
That's much more accurate. We can agree, however consider that that 'limiting [my]self' means limiting my exposure to ads, abuse of my CPU, tracking, most dark patterns, nag screens, malware and more. The tradeoff's very ok for me, and I've experienced the web on both sides. Oh yes it's worth it! (for me).
> Name one browser-embedded technology in distribution today that has had even half as many security vulnerabilities as Flash has had over its lifetime?
Why should I name a "browser-embedded technology"? I can just point out browser vulnerabilities.
10 years ago, it was nearly impossible to browse the web with Flash disabled. Which means that most people had it installed, and thus a vulnerability in Flash would mean all users were exploitable. Browser vulnerabilities only mean the users of that browser are exploitable, which limits its scope somewhat. Of course, the Chrome monoculture that has established itself doesn't help here :).
Great. So your two comments taken together prove my point. Don't use technology that's actively working against your best interests, and your interests will be better served.
How is this any different from JavaScript in HTML5?
The bad thing about Flash is they also had network access without SOP... oh wait WebSockets does that. They also had FS access... which HTML5 has too now. Well the sandbox had some CVEs occasionally but then again, all software does.
I guess the worst thing was that it meant you had to install a closed source package from a large SV company... like most people do with Chrome.