Facebook info security chief: ‘Death to Adobe Flash’
Add another enemy to the list of people who despise Adobe Flash Player: Facebook’s new chief information security officer Alex Stamos, whom the social network poached from Yahoo (YHOO) last month.
Adobe’s (ADBE) often flaw-ridden software Flash has long been a point of contention among Internet security experts. Its monthly, and occasionally more frequent “emergency” patches, are a nuisance to security pros who must perpetually update their versions in order to keep their machines clear of cybercriminal malware infections. Even the late Apple (AAPL) CEO Steve Jobs penned a takedown of the insecure browser plugin in 2010.
Over the weekend, Stamos directed his own frustration at the San Jose, Calif.-based company’s code via a couple of tweets. “It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits”—meaning instructions to disable the software—“on the same day,” he wrote. “Even if 18 months from now, one set date is the only way to disentangle the dependencies and upgrade the whole ecosystem at once.”
Stamos has long been a champion of improving the safety of the Internet, even getting into a heated confrontation with Michael S. Rogers, director of the National Security Agency, at a conference earlier this year over the prospect of adding “backdoors” into Silicon Valley’s encrypted products. His latest call to arms? Presumably, the comment was prompted by a series of previously unknown, or “zero-day,” Flash vulnerabilities that were released into the wild over the past week, the result of Italian spyware vendor Hacking Team getting royally hacked.
Stamos’ execution plea begs the question: Does the Internet really need Adobe Flash? Security analyst and blogger Graham Cluley, for one, says no: “The truth is that the company would probably gain a lot more respect from the internet community if it worked towards this ultimate fix for the Flash problem, rather than clinging on to the belief that it might be able to one day make Flash secure,” he wrote on his blog. “As it is, the only people who truly seem to love Adobe Flash these days are the criminals themselves.”
That assessment is backed up by investigative cybercrime reporter Brian Krebs, who recently tried to go a month without using the Adobe software. “So, rather than continue the patch madness and keep this insecure software installed, I decided to pull the…er…plugin,” he wrote. In fact, Krebs caved only twice. (He needed to watch an instructional video for a home gym and a live-streamed legislative hearing, he said.)
Interestingly, Facebook (FB), Stamos’ new employer, is one company that has helped perpetuate the use of Flash on the Web, especially as the social network aggressively pushes its video business, which, as Fortune reporter Erin Griffith will tell you, has been tremendously successful. (Lots of companies have been forced to accommodate the faulty plugin; Facebook just happens to be a highly visible one.)
Facebook in fact allows the coding language HTML5, a Flash alternative that is generally less vulnerable and more optimized for mobile, on browsers that support it.
The Internet seems to be slowly weaning itself off the buggy Flash software. At the beginning of the year, Google’s (GOOG) YouTube, a rival for Facebook’s video advertising dollars, dropped default support for Flash in favor of HTML5. Adobe itself has been deemphasizing its own product lately, too. As the Verge’s Rich McCormick notes:
YouTube’s move highlights the shrinking relevance of Adobe Flash on the modern internet. Adobe itself has spent the last few years severing many of its ties with the product — the company’s 2012 Flash roadmap narrowed its focus to gaming and “premium” video, and in 2011, the company killed Flash Player for mobile, saying at the time that HTML5 was the “best solution for creating and deploying content in the browser across mobile platforms.” In 2015, YouTube has realized that Flash is not the best solution for web video, full stop.
Will Facebook eventually have the same realization? Fortune reached out to ask whether the company has any plan or intention to eventually do away with Flash. Facebook did not provide a response before press time, but we will update this story once we receive a reply.
Such structural paradigm shifts have a precedent. Lately, there’s been another trend happening on the Web—a move to another improved standard. Many websites are transitioning now to secure their traffic with encryption through the adoption of HTTPS, which protects users from spies and hackers. That includes Netflix (NFLX), the Washington Post, and the U.S. government, to name a few.
Mozilla, maker of the popular Firefox web browser, has also announced its intention to advance HTTPS by deprecating HTTP, a standard, though insecure, data transmission protocol. As it happens, Firefox temporarily suspended Flash on Tuesday due to the spate of recent “security risks.”
Perhaps one day Adobe, coaxed by Internet browsers and the demands of their disgruntled users, will set a deadline to eradicate Flash once and for all. But with no end in sight, that seems unlikely. As Stamos explains, “Nobody takes the time to rewrite their tools and upgrade to HTML5 because they expect Flash4Eva. Need a date to drive it.” (Fortune also contacted Adobe to inquire about the company’s long-term plans for Flash. We will update this story with any additional comments.)
Maybe it is time for Adobe to schedule a date on the chopping block for Flash. That’d sure put a smile on Stamos’ face. No doubt the late Jobs would be pleased, too.