posted by cmn32480 on Monday July 25 2016, @09:46AM   Printer-friendly
from the 'bout-time dept.

Mozilla yesterday said it will follow other browser makers by curtailing use of Flash in Firefox next month.

The open-source developer added that in 2017 it will dramatically expand the anti-Flash restrictions: Firefox will require users to explicitly approve the use of Flash for any reason by any website.

As have its rivals, Mozilla cast the limitations (this year) and elimination (next year) as victories for Firefox users, citing improved security, longer battery life on laptops and faster web page rendering.

"Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content," wrote Benjamin Smedberg, the manager of Firefox quality engineering, in a post to a company blog.

Firefox 48 is slated to ship on Aug. 2.

[...]

Firefox is late to the dump-Flash party.

Original Source: http://www.computerworld.com/article/3098606/web-browsers/firefox-sets-kill-flash-schedule.html

-- submitted from IRC


  • (Score: 2) by Runaway1956 on Monday July 25 2016, @10:18AM

    by Runaway1956 (2926) Subscriber Badge on Monday July 25 2016, @10:18AM (#379732) Journal

    Flash should have been disabled by default just about the time that supercookies were discovered. It should have required positive actions by the user to enable flash for any site. More, permissions should have been temporary, unless another action were taken to make permissions permanent for that site. And, that doesn't even touch on the negligence required for all the other flash exploits in the wild.

    Out of curiosity, I did a search for companies with the most unpatched exploits. This article from April of this year: http://www.mobipicker.com/adobe-flash-player-has-top-10-most-attacked-security-vulnerabilities/ [mobipicker.com]

    Adobe Flash Player Has Top 10 Most Attacked Security Vulnerabilities
    By Ashish - Apr 28, 2016
    It is no news that the Adobe Flash Player keeps facing a lot of security issues and Adobe desperately tries to clear them up with regular updates. This is why it isn’t surprising to know that all the positions on the list of the Top 10 of most popular targeted vulnerabilities in 2015 (using exploit kits) were filled by the Flash Player. The list has been released by Japan’s largest telecom operator NTT Group’s security department in Japan.

  • (Score: 2, Interesting) by Anonymous Coward on Monday July 25 2016, @10:22AM

    by Anonymous Coward on Monday July 25 2016, @10:22AM (#379733)

    So when will JAVA and JAVAscript be killed??

    FLASH could be cleaned, but the parent company does not want to pay for it. JAVA is in the same boat.

    • (Score: 3, Interesting) by Runaway1956 on Monday July 25 2016, @10:32AM

      by Runaway1956 (2926) Subscriber Badge on Monday July 25 2016, @10:32AM (#379735) Journal

      Java can die anytime. But, Java is less pervasive than flash was, at its peak. In my experience, java was used for less "evil" than flash. For instance, I've never opened a web page, to find sixteen throbbing headers based on java.

      IMHO, the history of flash is worse than that of java, by at least an order of magnitude. YMMV, depending on your own experiences.

      I will note that I have found some useful applications based on java, aside from just games. I haven't looked at I2P lately, but it is entirely based on java. It also powered a pretty cool proxy chain, way back when. So, I know that java does have some redeeming values.

      • (Score: 2) by gman003 on Monday July 25 2016, @01:26PM

        by gman003 (4155) on Monday July 25 2016, @01:26PM (#379792)

        Java has also added some of its own security measures - current versions of the Java plugin refuse to play unsigned or self-signed .jars, with no override for the former and requiring you add their cert as a root certificate for the latter.

        Which is actually kind of annoying if you're the kind of person to run old Java applets some professor('s TA) wrote to demonstrate ellipsoid equations or stuff like that. It's stuff that could probably be trivially done with modern tools but nobody seems to have been assed to rewrite them in Javascript.

    • (Score: 2) by Thexalon on Monday July 25 2016, @01:05PM

      by Thexalon (636) on Monday July 25 2016, @01:05PM (#379779)

      Java is indeed bad. Javascript, or something like it, is essential for pages to be responding to user actions without a page reload.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 1) by fraxinus-tree on Monday July 25 2016, @11:07AM

    by fraxinus-tree (5590) on Monday July 25 2016, @11:07AM (#379746)

    ... but we're not in Soviet Russia. If a browser gets in the way between the user and its favorite porn/game/social website, the user just downloads and runs another browser and sticks with it until next annoyance. Most users don't care about security unless it's too late (and even then) so the security measures you suggest simply cannot work.

    • (Score: 2) by Runaway1956 on Monday July 25 2016, @11:15AM

      by Runaway1956 (2926) Subscriber Badge on Monday July 25 2016, @11:15AM (#379748) Journal

      But, I'm not speaking of Soviet style dictatorship. I'm merely talking about what should have been "best practices". Every browser development team in the world knew, or should have known, about flash vulnerabilities. I don't even suggest that they should have completely disabled flash. Simply make it known to users that flash was the worst thing possible to run on their machines, and block flash by default.

      Give the user two or three screens to click through before he can get at his porn, or whatever.

      Kinda like those bollards you see around buildings to prevent idiots from driving through the doors. A determined person can drive between most of them, but they stop most people from doing stupid shit by accident.

      • (Score: 2, Insightful) by fraxinus-tree on Monday July 25 2016, @11:41AM

        by fraxinus-tree (5590) on Monday July 25 2016, @11:41AM (#379754)

        > Give the user two or three screens to click through...

        ... and lose him to the other, default, less secure browser.
         
        Security works only when it is not too invasive to the job done. Give them a complex, secure password and you will see it on a post-it note.

        • (Score: 4, Touché) by Thexalon on Monday July 25 2016, @01:32PM

          by Thexalon (636) on Monday July 25 2016, @01:32PM (#379796)

          > Give them a complex, secure password and you will see it on a post-it note.

          A complicated password on a post-it note on a computer monitor is more secure than a simple password stored only in the user's brain. In order to read the post-it, an external bad guy first has to somehow physically get into the room with that computer monitor, and then somehow collect the contents of the post-it without anybody noticing, followed by guessing correctly what that is a password to. By contrast, in order to get the simple password, all they have to do is run an automated dictionary attack from the comfort of their own home or office.

          What I'd actually tell an employee who is keeping their passwords taped to their monitor: "Please keep that in your wallet, not on your monitor."

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 2) by frojack on Monday July 25 2016, @07:30PM

            by frojack (1554) on Monday July 25 2016, @07:30PM (#379992) Journal

            A longer, easier-to-remember password is better than the punctuation explosion most password schemes require these days. No, I'm not suggesting "Correct Horse Battery Staple".

            Anything you can't remember without yanking out your wallet (leather or digital) becomes a nuisance and just begs to be written down and posted everywhere.

            Two Factor for the win. One on your phone, another on a usb key locked or hidden in your desk (Yubico or similar).

            --
            No, you are mistaken. I've always had this sig.
  • (Score: 2) by driverless on Monday July 25 2016, @11:41AM

    by driverless (4770) on Monday July 25 2016, @11:41AM (#379753)

    It's not even doing what's been overdue, it's just making it click-to-run, and even that's still a year away (the August change is just blocking "some content", whatever that means). Then perhaps in 2018 they'll add a warning dialog, and in 2019 they'll change the warning text to a larger font, and in 2020 they'll add a flashing marquee, or at least they'll add that to their roadmap but by then their market share will have dropped to zero so it'll never be implemented.

    "Killing flash" means, you know, actually killing it. Refusing to load or run it, not just business as usual provided the user auto-clicks somewhere.

  • (Score: 1, Informative) by Anonymous Coward on Monday July 25 2016, @03:53PM

    by Anonymous Coward on Monday July 25 2016, @03:53PM (#379864)

    You can go in the Firefox options and make Flash opt in (ask to activate). That's what I do.