Who benefits from the war against Flash?

Did you notice that the war against Adobe Flash lasts at least 8 years already? Despite all negative attitude Flash is pretty much alive, even though most of modern browsers are treating the Flash plugin as potential threat. It is hard to believe that Adobe is using some crazy brainwashing technique to maintain addiction to “bad and insecure” Flash Plugin instead of “good and secure” HTML5. So what’s going on?

In 1997, Microsoft used a pretty lame strategy to eliminate support of Java in IE browser. At that time Java applets were a preferable cross-platform and cross-browser solution for embedded media applications. The primary objective of this war was revealed during antitrust trial: “Kill cross-platform Java by growing the polluted Java market.” In reality Microsoft simply kept supporting an outdated version of Java machine and deliberately refused to support the native JVM from Sun. Such strategy was not perfect. Microsoft prevented exponential growth of java applets, but finally they had to pay for unfair business practices. That situation has made everybody smarter.

The modern strategy of technology elimination is based on three general ideas:

· Performance and compatibility issues of a current (presumably bad) technology.

· Security risks and privacy violations in a current (presumably bad) technology.

· A new (presumably good) technology that solves all problems and provides more options.

In most cases none of this is 100% true; however any of this can be partially true for any technology. Therefore the primary task for attacker is to select all “important facts” and present them wisely.

From customer’s point of view the Flash Player is just one of many plugins. I see 20 other plugins in my Firefox and 10 other plugins in my Chrome. Any website or application can ask me to install a web plugin and in some cases I will. The browser’s job is to verify the origin of a plugin and make sure that I agreed to install it. The rest is not a browser’s business.

However, at some point all major browser developers simultaneously decided to treat Flash Player differently. They keep repeating the same allegations related to security and performance, in some cases simply covering a poor implementation of their plugin container. In particular, Mozilla is about to go back into my shit-list the second time in a history after epic fall of Netscape.

I’m sorry I had to say this… Now let’s get back to claims against Flash and alleged advantages of HTML5.

· Flash kills device performance.

Only if programmer’s hands are growing from his ass. Situation with Java Script is exactly the same. The ability of a bad developer to kill a good idea does not depend on platform or language. Moreover, modern programmers prefer to use 3rd party JS libraries, so most of web sites are loading and parsing tons of plain text in order to provide a simple functionality. Long time ago I had to review a quite massive enterprise application that was started with Flash and then switched to Angular JS. At some point the project got stuck because of “performance and cross-browser issues”. After reviewing the code I came to conclusion that JS developers tried to fully replicate behavior of the Flash app without taking into account that JS is not a frame-driven environment. As simple as that — no critical cross-browser issues, just a wrong approach.

· Flash is insecure and dangerous.

We are talking about a system that does not allow taking simple snapshot from video stream without establishing strong security rules on both sides — server and client. When it comes to cross-origin permissions, customized HTTP headers, and access to file-system or I/O devices, Flash is pedantic and pretty annoying — nothing works without appropriated security headers, server configurations, confirmation from customer, etc. Is Flash Player fully secure? Of course not. This is a pretty dumb question to ask in respect to any network software. The key is to find, admit and fix vulnerabilities quickly and effectively.

· Flash requires too many updates.

Before the hysteria started, Adobe was releasing updates with approximately the same intensity, but browsers did not force customers to apply these updates right away. Nowadays, browser can block the current version of Flash plugin right after Adobe released a minor update. Some browsers even do not notify the customer about such “feature”. In most cases such pushy logic just brings your attention to something that does not even deserve attention at the moment.

· HTML5 provides all necessary functionality.

Well, developing a regular web site using Flash is obviously a stupid idea. HTML5/JS development is much easier and faster. However, when it comes to interactive experience that involves such technologies as low-latency media streaming, HTML5 sucks. There is no any solution or workaround. HTML5 specification does not have any requirements on this matter. The initial specification of <video> tag did not even declare list of formats and media protocols. After multiple debates the specification has been changed to: “User agents should support Theora video and Vorbis audio, as well as the Ogg container format.”… Still nothing about protocols, though.

I understand all reflections regarding patent-free formats, but I also understand that such “specification” is just a lame attempt to avoid any responsibility. In result, nothing can force browser developers to normalize support of industry standards, such as h26x video encoding and RTSP/RTMP transport protocols.

It’s worth mentioning that some modern browsers are declaring support of HLS protocol, but celebration of live-streaming in HTML5 is quite premature. HLS requires ~8–10 sec delay by design. There are some desperate developers who are decreasing the length of HLS chunk down to 4 sec, but such approach does not work well. Also, every HLS chunk must be fully recorded by the server before browser can request it, which almost doubles the latency. In other words, if you want to provide a real-time media through pure HTML, you are doomed.

Two years ago I’ve met some folks in New York, who tried to develop a quite interesting interactive system. In order to resolve problems with latency they decided to write a plugin for Chrome. When I asked “how about other browsers?” they said “we do not care about other browsers, because Chrome owns the market”. Back then their answer seemed a little bit of an overreaction, but after two years I’m starting to see what they meant.

Imagine that you’ve decided to create a media solution that requires more functionality, than HTML5 can provide. What options do you have?

· You can decide to use existing cross-browser plugin with built-in programming language and a good environment, such as Flash or Silverlight. However, after weeks of research you may come to conclusion that Flash is literally busted, Silverlight is not very popular, and both of them are not welcome on mobile devices.

· You can write your own plugin. In this case you have to decide which browser you want to support first, and the only smart way to make such decision is to look at real statistics data.

The following charts have been compiled from a real media server stats, based on a million connections approx.

The decision seems pretty obvious to me. I would go with a Chrome plugin and focus on Windows compatibility first.

Considering all above, it looks like the war against Flash mostly helps Google to turn the Chrome browser into “one and only” cross-platform web-application container. Why other browser developers are supporting this madness? I do not know, but I can guess…

Apple never demonstrated any cross-platform ambitions. However, existence of a popular cross-platform solution, which they refused to support on iOS, never was a good thing for marketing. Maybe, after support of Flash on Android was terminated, Apple decided that the easiest way to get rid of enemy completely is to help Google killing it.

Microsoft does not like Flash because they want to replace it with Silverlight, which is maybe a good idea. However, most likely they will face the same accusations related to security and performance in a future. Who told them that Silverlight will be treated differently than Flash?

And finally, I have no idea what Mozilla is doing in this gang. Firefox does not have any chance for fair competition, because every other member of “anti-Flash alliance” owns at least one operating system and installs an own browser by default. How exactly Mozilla wants to compete with them and simultaneously be against cross-browser solutions?