undefined | Better HN

story

0 pointsgrishka3y ago0 comments

Back in the day, we had a nice boundary between the document and the "app". Then for some reason we decided that Flash doesn't need to be a thing any more and erased that boundary by building the app functionality into browsers themselves, making the app and the document inseparable. We should have invested that effort into building an open source Flash player instead.

One of the nicest things about Flash was that you could set your browser to only load and run Flash content after you click it.

0 comments

giancarlostoro3y ago

Java Applets were worse though, every time I got a virus of any sort from merely browsing generic sites, it always happened due to Java in the browser. I finally stopped installing Java for the web and my security problems went away.

Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.

I think unless we lock down new APIs that aide in fingerprinting to only be accessible to WebAssembly and let people block or enable WASM theres not too much else we can do. It would be nice to be able to block web APIs selectively to limit what a JS script can do.

grishkaOP3y ago

> Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.

Those incessant RCEs were only due to the sloppy way the Adobe Flash player was written. There is nothing bad security-wise inherent to the SWF format itself.

Ruffle is an open source Flash player in Rust, currently under active development. I'm sure it won't have such problems because 1) it's open-source and 2) it's in Rust, and I was told that anything written in Rust can't possibly have any memory-related vulnerabilities; we'll wait and see if this would still hold true if/when they implement JIT compilation for AS3.

nordsieck3y ago

> I think unless we lock down new APIs that aide in fingerprinting to only be accessible to WebAssembly and let people block or enable WASM theres not too much else we can do.

IMO, it should be enough if incognito mode presents an identical fingerprint on everyone's browser.

grishkaOP3y ago

It's not that easy to "present a fingerprint" without compromising the user experience. Sure, you could remove all those PWA and pretend-OS APIs and hardly anyone would notice, but what about things like viewport size and font rendering? You can't exactly hide them from a website.

4 more replies

j / k navigate · click thread line to collapse

0 comments

giancarlostoro3y ago

Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.

grishkaOP3y ago

> Flash had some security nightmares all the time too if I remember correctly but I dont think it ever screwed me over like Java did.

Those incessant RCEs were only due to the sloppy way the Adobe Flash player was written. There is nothing bad security-wise inherent to the SWF format itself.

nordsieck3y ago

> I think unless we lock down new APIs that aide in fingerprinting to only be accessible to WebAssembly and let people block or enable WASM theres not too much else we can do.

IMO, it should be enough if incognito mode presents an identical fingerprint on everyone's browser.

grishkaOP3y ago

4 more replies

j / k navigate · click thread line to collapse