
Why Not ‘Click to Play’ Flash?

Last week we learned that in the near future, browser plugins won’t automatically work out of the box in Chrome and Firefox. Instead of running automatically whenever a website calls for a plugin function, they’ll be “click to play,” meaning the user will have to give permission for the plugin to run with each instance. According to Google and Mozilla, this new rule will apply to each and every browser plugin in existence on the entire planet, save one. Flash will still run automatically, requiring no prompt from the user. With Flash, it’ll be business as usual.

This has the look and smell of a business play all the way through, although that might not be immediately evident when reading what ad giant Google and open source Mozilla have to say. At first glance, their reasoning makes sense. Flash is just too darn ubiquitous. It’s everywhere; buried in everything. Including Flash in “click to play” would put too much of a burden on the user.

This makes sense until the little gray cells start chattering.

Even though the use of Flash is in decline and has been for several years, it isn’t going to go away anytime soon, no matter how much Steve Jobs wanted to dispatch it into oblivion. Too many people are making money on it. It helps pay the bills in a way ad blocking plugins don’t.

Google, still writing the book on online advertising, has a dependency on Flash. Like Android, Chrome is a tool for keeping Google dominant in search, which keeps them dominant in online advertising. No changes will ever be made in Chrome that adversely affect Google’s bottom line.

Again, the Mountain View company has a dependency on Flash. They may currently offer HTML5 video as an option to their ad clients, but neither they nor the online advertising industry are ready to fully embrace it, not yet anyway. HTML5 is a very unstandard standard and doesn’t implement across all browsers with the ease of Flash. So long as browsers continue to enable it, Flash remains the one-size-fits-all solution from those who make our choices for us.

The bucks are relatively smaller, but otherwise the situation is exactly the same at Mozilla. When Firefox is downloaded and installed on a machine, by contract Google is the default search engine. Each time a Firefox user searches through the search bar and then clicks on a search ad, Firefox gets paid. As a result, Mozilla is able to employ a lot of developers, all of whom want to keep their jobs. Flash ads typically pay a premium. Enough said?

Even Microsoft, which has banned plugins completely from Internet Explorer, comes with a custom version of Flash built-in. Internet Explorer defaults search to Microsoft’s Bing search engine, which makes money on Flash ads too.

Admittedly, this is all speculation. Educated guessing, if you will. If I keep following this train of thought, however, I have to wonder about possible hidden motives for freezing out all other plugins. Indeed, there are plenty of legitimate reasons to discontinue their use: security, resource use and system stability, to name but a few. But these are all known issues and have been since the plugin’s inception.

Why are the browser barons jumping to change this now? Could it have something to do with the fact that maybe 30% of the Internet is using some sort of ad-blocking plugin? Would “click to play” mean users of Adblock Plus would be required to click through every ad on every page? If so, certainly the plugin’s developers will devise a workaround, but this detour might as well be a roadblock as far as the casual browser user is concerned. Did you ever try to talk your sister through the process of configuring SMTP on Thunderbird?

According to Forbes, recent events are causing many people to turn to ad blockers for reasons other than mere annoyance with Madison Avenue:

“…disclosures about NSA monitoring has Web surfers thinking more about their online privacy according to surveys, and the actions they can take to prevent tracking, including ad blocking.”

That’s not good news for the advertising folks either.

If I’m getting this right, the two major “alternative” browser makers are both beholden to Google. They’ve both decided to make life miserable for all plugins except Flash, which will receive most-favored-plugin status, meaning high dollar Flash ads will be showing. Plugins such as Adblock Plus will be rendered fairly useless for most users, meaning high dollar Flash ads will be showing. Internet Explorer has taken that a step further, doing away with plugins entirely while hard wiring Flash into the system, meaning high dollar Flash ads will be showing.

I’m only thinking aloud. Am I missing something?


  1. Aria September 30, 2013

    I was under the impression that ABP was a Firefox extension rather than a plugin, and as such is unaffected by any restrictions placed on plugins. Could somebody please clarify?

  2. Dietrich Schmitz September 30, 2013


    ‘Click to Play’ is the smartest move to come along in years.

    Irrespective of its purpose, Flash is ‘alive and well’ despite wishes for HTML5 to replace it.

    There is simply too much infrastructure that depends on it and undoing flash would be a monumental effort.

    If vendors the likes of Google include PPAPI ‘Pepper’ supported Flash (vs. legacy NPAPI) and Adobe is willing to write to the PPAPI then I see a long life ahead for Flash.

    The major issue as with any embedded browser rich content engine (ActiveX), is the concern that security exploits will seize control of the device running said engine.

    Despite Google’s Engineers’ efforts to contain Chrome on Windows in a ‘sandbox’, there is a general ‘disclaimer’ and ‘caveat’ on the site which essentially says: “We tried to keep the nasties away, but because of how Windows legacy x86 works (including through Windows 8.1), we can’t guarantee your protection with Windows”

    Here is the text from the caveat:


    Other caveats
    The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.

    In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox.

    That is a major ‘shrug-off’ of a major issue which Windows legacy WinNT carries forward to this day.

    It cannot stop a ‘successful’ exploit from escalating and invoking its own SYSTEM kernel function call — which means your PC is ‘buh bye’ — owned — pawned.

    The kernel will accept any call without any further ‘cross-check’ or ‘policing’ of what is happening.

    So, unlike Windows, you have a fighting chance to remain safe from tag script injected attack because Google supports Linux kernel 3.5 seccomp-bpf (Berkeley Packets Feature) which gives the exploit a knot hole through which to pass their task which is just 4 primary functions, none of which grant Administrative control to the calling function.

    What does this mean? You are not safe with Windows legacy running Chrome — nothing has changed, for years. You are safe with Linux running Chrome and its seccomp-bpf sandbox.

    That and 50 cents will get you a cup of watered down coffee. So what?

    Coming back to the story ‘Click to Run’. It’s a great idea because many exploits try to target Flash.

    And also, your bandwidth would suffer terribly were ‘everything’ in the page’s content to run. It’s so simple an idea and just common sense.

    No, Flash is alive and well Christine. And looking past at profit motives is beside the point.

    Dietrich Schmitz
    Your Linux Advocate

  3. Christine Hall Post author | September 30, 2013

    Damn @Dietrich, you write longer articles here than you do on your own site.

    I don’t disagree with you that “Click to Play” is a good thing. I thought I made that clear last week in the article “The Death of the Browser Plugin is a Good Thing.”

    However, I disagree that “looking past at profit motives is beside the point.” Transparency is a good thing.

    @Aria As I said in the article, at this point I have no idea whether adblocking plugins will be affected by “click to play” or not. I did some searching yesterday trying to find an answer but came up blank. I’m sure we’ll find out sooner rather than later though.

  4. tiktik September 30, 2013

    Well, I already have the “click-to-play”-functionality with flash in iceweasel (firefox), cause I have the flashblock-extension installed… Actually flash and java are the ONLY plugins I would like “click-to-play” on by default… But as usual, money talks, so I’ll get the exact opposite of what I want 🙁 And I really, really hope this will not be default for extensions too :/

  5. CFWhitman September 30, 2013

    I’m pretty certain that this only affects add-ons classified as plugins and not those classified as extensions. Basically, it seems to apply primarily to NPAPI based software. I’m not sure about Pepper plugins in Chrome/Chromium, but what else besides the Google developed version of Flash is a Pepper plugin? Not much that I’ve come across so far is based on Pepper, though it may still be the future of the browser plugin.

  6. Mike Frett September 30, 2013

    Like tiktik, I use the Flashblock plugin, mainly so when I load 100 videos from YouTube, they don’t auto start. That’s something you’ll probably never find on a Phone and only on a Desktop, Multi-tasking. At least not without turning your Mobile device into a 24′ Monitor — but that’s another story.

    Incidentally, in Chrome, a Click to Play is built-in. No plugin needed.

  7. Richard Blaikie October 1, 2013

    Not to mention the added revenue to the carriers for the now not so common ‘Unlimited’ data plans…
