by reedloden 4132 days ago
Ah, so this is why Facebook tries to load Flash on almost every page... Allows them to gather data like this. Always wondered why Flash was "needed".

(another reason to put Flash behind click-to-play and/or push for HTML5 video)

I suspect flash is generally used to play sounds from chat messages - the https man-in-the-middle detection is heavily sampled, as referenced in https://www.linshunghuang.com/papers/mitm.pdf.

[I work at FB, but not on sounds or directly on https man-in-the-middle detection.]

Nope, without flash you still get the chat sound messages. I've no flash on my system and the only thing that's different on facebook is that I can't watch user-uploaded videos. Only their mobile site supports HTML5 last I checked.

It is still possible that they use flash as default audio source and fall back to HTML audio if flash is unavailable. Although of course it would be better if they could get rid of the flash altogether.

I don't follow why this upsets you. Seems like an argument for why allowing flash to run can be used for good?

Side note: click-to-play is a usability feature, not a security feature. It's still possible for Flash code to run before the user "clicks to play".

Click-to-play in Firefox at least is a security feature. It's enabled automatically for known-insecure plugins like old versions of Java and Flash. You can enable it manually by setting a plugin to "Ask to activate" in the Firefox add-on manager: https://blog.mozilla.org/security/2012/10/11/click-to-play-p...

Click-to-play prevents Firefox from running any plugin code without explicit user action. I am 99% certain this is also the case for Chromium-based browsers. Source: I am a Firefox developer and I have worked on the click-to-play code, e.g. http://bugzil.la/899347

>Click-to-play prevents Firefox from running any plugin code without explicit user action. I am 99% certain this is also the case for Chromium-based browsers.

Wrong: https://code.google.com/p/chromium/issues/detail?id=174963

Since people are disagreeing with my comment, I'll add some extra information (apparently I missed the editing time window, but I stand by my original comment). I should note though that I was talking about Chrome (I don't know what the deal is with Firefox).

If you go through the Chrome bug tracker, you can find several instances where Chrome engineers point out that Click-to-Play is not meant to be a security feature, and that the "Block all" setting is what is actually secure. There are several bugs which demonstrate ways around Click-to-Play which are closed as "WontFix". A quick search yields the following quotes from Chrome engineers:

"Yes, this is why click-to-play is designed as a convenience and not a security feature. If you want plugins blocked in a way that cannot be click-jacked, use "Block all," which requires a protected browser interaction (context menu, page action, etc)." [0]

"The "Click to play" setting is not a security measure. If you want to securely block plugins you must use the "Block all" option, which is a bit less convenient than "Click to play," but provides a click-jack resistant, browser mediated interface." [1]

"I'm kicking this out of the security queue because it isn't a security mechanism ... The secure method of blocking plugins is to select "Block all" and right-click to run. Whereas the "Click to play" feature is for convenience and performance." [2]

"It's not a security feature..." [3]

[0]: https://code.google.com/p/chromium/issues/detail?id=176724

[1]: https://code.google.com/p/chromium/issues/detail?id=225636

[2]: https://code.google.com/p/chromium/issues/detail?id=160707

[3]: https://code.google.com/p/chromium/issues/detail?id=414232

I'm sure there are other instances where they talk about it more, these are just the first results I found.

In recent chrome builds, they changed the behavior to right-click->Run Plugin which to my knowledge makes it immune to these attacks.

Er, are you sure about that? That doesn't appear to be the case with Firefox.

I think you might be confusing "click to play" in a Flash video/app vs. the browser-enforced "click to play", which in Chrome/Firefox prevents the plugin from running in that tab to begin with.

He is referring to the fact that in Chrome click-to-play has no security effect at all - pages can clickjack you to activate it.

To quote a Chrome developer: "Click to play is not actually a security boundary. In particular, it has always been subject to click-jacking."

https://code.google.com/p/chromium/issues/detail?id=174963