Duplicate Remove Flash from XF: security warning on XenForo.com

[Alpha1]

Browsers like Firefox are blocking Adobe Flash and showing a security warning:
Firefox has prevented the unsafe plugin "Adobe Flash" from loading on xenforo.com

Meanwhile Facebook is calling on Adobe to kill Flash and states that its no longer a risk worth taking.

I suggest to remove Flash Uploader from XenForo and replace it with a html5 alternative.

 

[HWS]

I'm almost sure this is a duplicate. But I am supporting it.

However the browsers just show this message if you've installed an old version of Flash. You just neeed to upgrade it and the warning will be gone. This is not XF related.

 

[Chris D]

There is a duplicate suggestion relating to this.

I believe the vulnerability has been patched in recent Flash updates. Otherwise you can disable the flash uploader in your preferences for now.

 

[Amaury]

I believe the vulnerability has been patched in recent Flash updates. Otherwise you can disable the flash uploader in your preferences for now.

So 18.0.0.203, the latest version, is still safe, they're just blocking Flash in general by default and it's therefore safe to allow Flash on trusted sites like XF? They made it sound like even the patch was vulnerable.

 

[Chris D]

I may have been behind on my news earlier. It looks like this is a new vulnerability.

Doesn't change anything, though. If it's blocked or you don't want to use it, it can be switched off in your preferences.

 

[Alpha1]

That's true. But by now the question needs to be asked: shouldn't XenForo ditch Flash now?
I mean, the browser warning makes the site (and any site running xenforo with flash) look bad. Its easy for the user to misunderstand and perceive it as if the site itself is infected as it tried to load a dangerous script.

 

[Chris D]

It's easier said than done, of course.

It's only the current Flash version and Firefox that is displaying this warning to users. I'm sure it will get fixed and, which to be fair to Adobe it often is the case, in a timely fashion.

 

[silence]

Can't you disable it in the attachment options though?

 

[Chris D]

Yes. Or in your personal preferences.

 

[Alpha1]

It's easier said than done, of course.

Yes, most certainly.

 

[Amaury]

It's only the current Flash version and Firefox that is displaying this warning to users. I'm sure it will get fixed and, which to be fair to Adobe it often is the case, in a timely fashion.

I assume a popup box like normal will appear on your desktop asking you to update Flash. I was going to keep an eye on the plugins page, but I realized it'll probably still say vulnerable because that version and version below are affected.



I also updated Java (TM) Platform from 11.31.2. I must have missed it earlier, but it said it was vulnerable. I also updated Adobe Acrobat Reader, but it was only outdated, not vulnerable. Plugins and plugin updating are fun!

 

[Snog]

With all of the hullabaloo about flash on facebook, etc. I don't see anyone dropping flash any time soon.

If and when it happens, it would be a slow change. Do it too quickly and YouTube would die a quick death. I don't think it's parent company would let that happen.

 

[Chris D]

Bear in mind most big sites, especially YouTube, work perfectly fine without Flash. So no one is going to suffer as a result of the demise of Flash.

In theory, any site whose service already runs fine on iOS which has never had Flash support, is already geared up to drop Flash on all their platforms. If 1 billion iOS devices have successfully managed to live without Flash for 8 years, I'm sure it won't do any one any harm if it happened as quickly as possible.

 

[Chris D]

There is a duplicate suggestion relating to this.

Here's the original suggestion. I have renamed it slightly as it's difficult to find.

Attachement editor - Plupload (HTML5 Uploader)

 

[Sheldon]

If and when it happens, it would be a slow change. Do it too quickly and YouTube would die a quick death. I don't think it's parent company would let that happen.

Default is already HTML5, so it won't be too long before Flash is completely removed.

I don't see your average user jumping in and changing the default behavior of the browser, and most don't notice nor care. I'd say most have no idea what player they are using for YouTube at the moment, and again, not sure they care either way. As long as it plays, they are happy.

 

[Kevin]

With all of the hullabaloo about flash on facebook, etc. I don't see anyone dropping flash any time soon.

If and when it happens, it would be a slow change. Do it too quickly and YouTube would die a quick death. I don't think it's parent company would let that happen.

Considering that Facebook's head of security wants to see a sunset date for Flash and Google (YouTube's parent company) recommends using an iframe (which could render an HTML5 player) instead of using direct object tags, I think YouTube will do just fine in a post-Flash world.

 

[Martok]

Both Amazon and Twitch (which Amazon own) need to pull out their fingers if Flash support is dropped. Twitch still uses it extensively for its videos/streams and Amazon use it for Prime Instant Videos (or Silverlight if you're on Windows).

 

[Snog]

To be perfectly honest, I was unaware that YouTube had an HTML5 player until now. I've switched my player now.

 

[Amaury]

What browser are you using? The HTML5 player has been default on Chrome for a long time and not too long ago became default on Firefox.

 

[Snog]

What browser are you using? The HTML5 player has been default on Chrome for a long time and not too long ago became default on Firefox.

Linux Firefox 39.0. It was not the default, I had to choose it.