The “death” of Flash and the birth of CypherPoker

I’ve been reading and hearing about the imminent demise of Adobe’s Flash technology for well over a decade now. In among this hullabaloo , and well within his “reality distortion” mandate, Steve Jobs came out with his “Thoughts on Flash” which was ballyhooed as the death knell, final nail in the coffin, etc., of Flash.

By both his own admission and according to co-founder Steve Wozniak, Jobs was closer to a snake oil salesman than a technologist and had at best a cursory understanding of what he was peddling. I think it can be shown, however, that Jobs was good at manipulating (or having people manipulate) the media so it’s not surprising that the amount of misinformation about Flash, often traced directly back to Jobs’ diatribe, has been nothing short of dizzying … and it’s making the rounds once again. Consider these doozies:

Firefox Is the Latest Browser To Phase Out Flash

“Users will have to manually authorize Flash to play videos and other Flash content.”

Strange definition of “phase out”.

Yes, Google Chrome Is Dumping Adobe Flash This Year

“By December, the browser will make Flash’s replacement, HTML5, a markup language for displaying media on web pages, its default. (Sites that support only Flash will require a person’s permission to run.)”

So by “dump” the author actually means “keep”. Huh.

I could continue to list articles but these are good examples of what I’m talking about, and there’s plenty amiss there.

Flash Has Been Replaced By HTML5

First there’s the “HTML5 is a replacement for Flash” thing. Nonsense. In the browser, Flash lives within the HTML DOM like any other element (images, video, etc.) This has been true since Flash was called Future Splash. It’s kind of like saying that the world wide web is a replacement for the search engine — one depends on the existence of the other so the claim doesn’t make much sense.

To display Flash content on a web page, developers need to include it in the markup (HTML). Whether this is HTML4 or HTML5 is entirely irrelevant. Even more irrelevant is the so-called “news” that Flash content must now be clicked on in order to activate since this is how most browsers work now (and have for some time).

Like its predecessors, HTML5 is a few steps behind Flash in terms of its capabilities. It’s certainly true that you can do a lot more with modern web technologies so HTML is often a viable alternative to Flash but it’s not a replacement.

For example, in Flash you can use free-form TCP socket communication whereas browsers are limited to the structured WebSocket model. For peer-to-peer networking the browser is limited to WebRTC which has spotty support and incompatibilities between browsers whereas RTMFP is supported in the same way everywhere that Flash runs. Similarly, when it comes to video support, MP4, WebM, or OGG formats are a mixed bag with browsers while with Flash both MP4 and FLV formats are guaranteed to work everywhere. In addition, it’s feasible to add support for formats like WebM and OGG to Flash while there don’t seem to be any good alternatives to playing unsupported formats in web browsers (without Flash).

HTML5 Video Is Better Than Flash

On the topic of video, more astute commentators will accede the previous point but will argue that with HTML5 video can now be embedded directly into the page’s markup rather than depending on a plugin like Flash. This argument, however, is also misleading as it was possible (albeit more cumbersome), to embed video and audio content within HTML4. This argument also misses the point that Flash is used for far more than just video.

Still, HTML5 video (i.e. pure browser playback), is more efficient, right? Nope. You can easily verify this for yourself by popping up your OS’ task manager to see what the resource usage is like.

HTML5 Video Resource Usage

HTML5 Video Resource Usage

Flash Video Resource Usage

Flash Video Resource Usage

The above results were observed while watching the CypherPoker intro at the same quality settings, on the same hardware, at the same offset within the video. Perhaps even more interesting, the video file being streamed is literally the same one in both cases; the only difference is that with the HTML5 player it’s the browser (Chrome) that’s handling the video while with Flash it’s the Flash plugin that’s managing the playback (and within the browser to boot).

Flash Security Is The Worst

Fine, say the critics. But you have to admit that Flash is far more of a security risk than HTML5. Fact!

Well, not exactly.

Up until this point I’ve been using “HTML5” in the popular and most recognized way but this is somewhat of a misnomer. At the very least it’s an incomplete definition.

HTML5, or any version for that matter, is merely the presentation or markup language used to describe web content. HTML5 doesn’t actually do anything by itself. It is loaded by browsers along with JavaScript which provides the definition for functionality to be applied to the otherwise static HTML content. Both HTML and JavaScript (and often CSS, style definitions for HTML content), are interpreted by the browser; in their native states they’re just text files. In much the same way, Flash content is loaded and displayed/executed by the Flash player.

For a more realistic comparison of security what we really should be looking at are the runtimes, the software that loads and displays/executes the content. In other words there’s the content and the container for that content. For HTML5+JavaScript content that container would be the various browsers, and for Flash content the container would be the Adobe Flash Player. When apples are compared to apples, Adobe’s Flash Player comes in a little under the average when it comes to security vulnerabilities.

At present, there are 907 Flash Player vulnerabilities1447 Mozilla Firefox vulnerabilities1333 Google Chrome vulnerabilities, 848 Microsoft Internet Explorer vulnerabilities, and 710 Apple Safari vulnerabilities. Excluding Flash, the average is 1084.

The above numbers are a little misleading since they include all vulnerabilities, even those that are minor in nature. When we look at vulnerabilities evaluated as “medium to high” Flash totals 906 vulnerabilities, Firefox has 1387,  Chrome has 1325Internet Explorer has 833, and Safari comes in at 692. Excluding Flash the average is 1059.

In this context it’s clear that Flash Player is far from being the most vulnerable of the bunch.

Flash Isn’t Open-Source

Finally, people will often object to the fact that the Flash Player isn’t open-source. While there are numerous open-source tools available to produce Flash content, it’s true that the Flash Player itself is indeed closed-source software. There’s no getting around this fact.

It should be pointed out, however, that with the exception of Firefox all of the other runtimes are similarly closed-source. Both Google and Apple have stripped-down versions of their products (Chromium and WebKit), but their end-user products are just as closed-source as Adobe’s Flash Player. It’s not my intent vilify these approaches but pointing a finger solely at Adobe when almost everyone is doing the same thing seems terribly unfair.

How does this relate to CypherPoker?

My first reason for posting this information is that I’ll have something to be able to refer people to when they ask me why I use that evil Adobe software. At the very least I can explain why I’ve chosen a path worse than Hitler’s.

Secondly, CypherPoker is written in ActionScript, a language which produces Flash (which is why you can play it in the browser). When I’m not being accused of committing atrocities I’m often asked why I would choose to work with a “dead” technology. As I’ve mentioned, this broken record has been going around for almost as long as I’ve been working with Flash so I’m just not convinced.

However, the web version of CypherPoker has always been secondary since Flash content is subject to many of the same limitations as HTML+JavaScript content, and for many of the same reasons. In addition to a host of security restrictions browsers don’t come with the additional software or protocols needed for a full CypherPoker installation (Ethereum, Bitcoin, Tor, etc.), and I believe players would prefer to just play the game rather than fiddling with arcane command-line instructions, port assignments, and all the rest of it. It’s doable, and eventually I’ll produce some instructions for doing it, but isn’t it a far nicer experience to simply click PLAY and have the software take care of everything?

Besides the fact that I’ve been developing in it for many years, the other upside about ActionScript is that it can be compiled to Adobe’s AIR which is essentially the Flash Player with a whole bunch of functionality added to it to enable it to run as full-blown desktop or mobile applications. I apply the same “simply click PLAY” philosophy to AIR and don’t expect players to care about the plumbing as long as it works well. So far it looks like I’m right — only a handful of people have commented on my use of Flash whereas the vast majority just want to know when CypherPoker will be ready to roll.

With all of this said, I think it’s worthwhile to point out that HTML5+JavaScript would make good a choice for a version of CypherPoker. Their limitations mean that some of the niftier features that I have planned for the game would have to be omitted but implementing the basic functionality is possible. There’s still lots to do on the ActionScript version so this is not something that would be happening any time soon but what I want is for CypherPoker to be played and enjoyed, not for it to be a showcase for Flash or AIR, so it’s very much a part of the long-term vision. Similarly, I’d love to see implementations in other languages and runtimes; whether it’d be C++, Python, Java, or something else, it could only make the CypherPoker experience better.

6 comments
    • @Pippo Thanks! At the very least I’d like to see more informed and equitable discussions on the topic. The rhetoric surrounding Flash often hinders useful debates and everyone loses as a result. The choices presented to us are not nearly as binary as they’re made to seem.

  1. The drivel continues: http://www.zdnet.com/article/in-an-html5-world-flash-client-interface-still-has-adherents/

    “The writing was on the wall back in 2010 when Apple’s Steve Jobs famously proclaimed…”
    “…the nails appear to be in the coffin for Flash…”

    And how did HTML5 “win the user experience wars”? (whatever that is)

    “Monotype recently issued an e-book outlining the fundamentals [of HTML5].”

    Yup. Some company puts out an e-book and that equals “amazing user experiences”. And this guy has the gall to call himself a journalist.

    The comments beneath the article go further to exemplify the type of ignorance being engendered by this type of silliness.

  2. An unusually balanced post by the head of Yahoo’s Video Platform team:
    http://www.streamingmedia.com/Articles/Editorial/Featured-Articles/Moving-Beyond-Flash-The-Yahoo-HTML5-Video-Player-113635.aspx

    I found it interesting that the “Opportunities” of using HTML5 playback are features that are easily achievable (and presently used on many sites) with Flash. Nevertheless, there are good points made on why Flash needn’t be the only video playback option anymore: HTML5 video now often supports what Flash has for a long time. However, even here’s there’s a concession in that, “The most prominent platform that does not support MSE [Media Source Extensions] is IE on Windows 7, which will continue to be served via Flash.”

  3. Another twist in the whole debate is that Apple, the company that lead the “HTML5 for everything” campaign, actually has pretty bad support for the standard (something many developers have encountered).

    http://appleinsider.com/articles/16/10/07/french-company-sues-apple-over-incomplete-html5-support-on-ios-macos-safari

    It calls into question why Jobs was pushing so hard for something that his own company didn’t fully implement. Maybe he wasn’t actually pushing for something so much as he was pushing against something else.

Add Comment

Required fields are marked *. Your email address will not be published.