Amazon bans Flash ads – but not for the reason you may have hoped!

Websites with cool interactive content like games used to go for Java.

By embedding a special sort of Java program called an applet in your website, you could add a bit more pizazz than your competitors could manage with plain old HTML.

Then came Adobe Flash, using a programming language called ActionScript instead of Java, but with the same ultimate idea: multi-platform, cross-browser, web-based, real-time, on-line multimedia coolness.

There were downsides to Java and Flash from the start, of course, namely that:

  • They were “someone else’s” standards, rather than web ones.
  • They required you to install and manage additional plugins in your browser.
  • They inevitably opened up additional security holes.
  • Cybercrooks fell in love with Java and Flash security holes because they often worked in every browser, leading to true “cross-platform” attacks.

Eventually, browser makers and web standards-setters agreed on an alternative approach, called HTML5, that would (or at least could) make both Java and Flash redundant by giving web programmers a way to do cool multimedia stuff right inside the browser.

(To see how cool, try typing the word asteroids in the Naked Security search box!)

As a result, these days you can just use JavaScript in your interactive web pages, instead of using Java or ActionScript.

→ Java and JavaScript are completely different. As a recent Naked Security commentator pointed out, “Java” and “JavaScript” are no more strongly related than “Car” and “Carpet.” They simply start with the same letters.

Sure, HTML5 increases the so-called “attack surface area” of your browser because there are now more tricks you can pull off with JavaScript, and there is more code in the background to go wrong.

But every modern browser supports JavaScript and HTML5 anyway; HTML5 can do the job of Java and Flash; and many if not most websites support HTML5, even if they also support Java or Flash.

Simply put, almost all of us can live without Java or Flash in our browsers, almost all of the time.

Indeed, most of us do live without Java in our browsers these days, because Oracle, which owns Java, no longer enables the Java applet web browser plugin by default when you install the Java product.

Java is mainly used for applications, full-blown software programs that you install locally, so support for in-browser applets is rarely necessary these days.

But Flash has proved harder to eject from the world’s browsers, with lots of people keeping it installed and turned on, and often insisting that they need it, even when they don’t.

The fight against Flash

Apple was the first big brand name to take against Flash in a big way, by the simple expedient of banning it altogether on iPads and iPhones.

If you have an iDevice, you don’t have Flash, and that’s that: it’s all done with HTML5 instead.

Facebook jumped into the anti-Flash wars recently, too, with its newly-appointed CSO coming out swinging on Twitter.

Alex Stamos publicly demanded that Adobe should act to kill off Flash, and to set a date by which all browsers would refuse to support it.

Of course, that was just a Twitter rant.

Facebook doesn’t yet seem to share its CSO’s strident views, because the company didn’t back him up, and still makes use of Flash in your browser if you have it installed.

That’s annoying for those who want to convince the world that Flash is largely superfluous, and thus an unnecessary security risk.

Sites that use Flash “because they can”, instead of just moving to HTML5 for everything, tend to reinforce users who still think they need Flash, even when turning it off would make no visible difference.

So Flash naysayers will welcome Amazon’s recent announcement:

Beginning September 1, 2015, Amazon no longer accepts Flash ads on, AAP, and various IAB standard placements across owned and operated domains.

This is driven by recent browser setting updates from Google Chrome, and existing browser settings from Mozilla Firefox and Apple Safari, that limits Flash content displayed on web pages. This change ensures customers continue to have a positive, consistent experience across Amazon and its affiliates, and that ads displayed across the site function properly for optimal performance.

Interestingly that Amazon hasn’t gone all out by banning Flash because of its security risk – the “added attack surface area” it brings to your browser.

Amazon is blaming, if that’s the right word, three of the world’s Big Four browsers instead, because they no longer play Flash ads automatically by default.

Indeed, Amazon’s explicit reason for ditching Flash seems to be that it will improve the consistency of your ad-viewing experience, meaning that your browser’s “click-to-play” Flash option will no longer act as a sort-of implicit ad blocker.

Ironically, even though Amazon’s announcement means that some users will start seeing ads that didn’t appear before, it may actually help to distance Amazon from Adobe’s recent (and rather unpopular) suggestion that ad blockers are a Bad Thing and could cost our economy $22,000,000,000 this year.

Nevertheless, Amazon has banned Flash ads, and that’s that!