Page 1 of 3 123 LastLast
Results 1 to 10 of 22

Thread: Risks associated with using flash | Is there an alternative ?

  1. #1
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Risks associated with using flash | Is there an alternative ?

    Hi,

    I watched a video on youtube in which Richard Stallman was saying using flash is not a good idea. He mentioned flash amongst other things like malicious software, backdoors, etc.

    Coz RS is saying thing I am a bit worried.

    So what are the risks of using flash ?

    Is there an alternative ?
    Lubuntu 14.04 / PCBSD 10 (Dual Boot)
    Some people are funny. They spend money they don't have, to buy things they don't need, to impress people they don't even like.

  2. #2
    Join Date
    Sep 2006
    Beans
    7,344
    Distro
    Lubuntu Development Release

    Re: Risks associated with using flash | Is there an alternative ?

    I'm not sure about games, but the workaround for video is to use sites that show their video in actual video formats not wrapped in Flash. Youtube for example now supports HTML5 for most videos. The Flash wrapper is extraneous and only introduces incompatiblities and security holes and maybe some privacy issues.

    The security record for Flash is apparently on par with ActiveX. Additionally, it has full access to your keyboard, microphone, camera, and other peripherals and lets the remote site do anything with them.

    Further, being a blob, there is no source code to allow it to be ported to other, better architectures. Anything which promotes lock-in like that hurts.

  3. #3
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Risks associated with using flash | Is there an alternative ?

    Quote Originally Posted by Lars Noodén View Post
    I'm not sure about games, but the workaround for video is to use sites that show their video in actual video formats not wrapped in Flash. Youtube for example now supports HTML5 for most videos. The Flash wrapper is extraneous and only introduces incompatiblities and security holes and maybe some privacy issues.

    The security record for Flash is apparently on par with ActiveX. Additionally, it has full access to your keyboard, microphone, camera, and other peripherals and lets the remote site do anything with them.

    Further, being a blob, there is no source code to allow it to be ported to other, better architectures. Anything which promotes lock-in like that hurts.
    Problem is youtube offer HTML5 for newer videos only.

    I don't have camera or microphone but if the remote site has access to my keyboard thats a big issue.

    I don't really want to stay away from using flash coz its simply too inconvenient.

    Do you think installing Xubuntu inside virtualbox and using the VM for flash related sites will minimize the risk ?
    Last edited by linuxyogi; December 23rd, 2013 at 05:49 PM.
    Lubuntu 14.04 / PCBSD 10 (Dual Boot)
    Some people are funny. They spend money they don't have, to buy things they don't need, to impress people they don't even like.

  4. #4
    Join Date
    Sep 2006
    Beans
    7,344
    Distro
    Lubuntu Development Release

    Re: Risks associated with using flash | Is there an alternative ?

    If you make a snapshot and launch from that clean snapshot each time, then it is unlikely that problems can accumulate. Just be sure to use that clean snapshot before updating the vm's system.

    AppArmor might help there too.

  5. #5
    Join Date
    Mar 2011
    Beans
    669

    Re: Risks associated with using flash | Is there an alternative ?

    If you're worried about Flash security, use Chrome.

  6. #6
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Risks associated with using flash | Is there an alternative ?

    Quote Originally Posted by Hungry Man View Post
    If you're worried about Flash security, use Chrome.
    It may help, if you explain why you think that Google's version of flash is any more secure than the original.

  7. #7
    Join Date
    Jan 2010
    Location
    India
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Risks associated with using flash | Is there an alternative ?

    Quote Originally Posted by Lars Noodén View Post
    If you make a snapshot and launch from that clean snapshot each time, then it is unlikely that problems can accumulate. Just be sure to use that clean snapshot before updating the vm's system.

    AppArmor might help there too.

    You say this coz the flash plug in stores something on the computer ? If thats so please have a look at this addon

    https://addons.mozilla.org/en-US/fir...cy/?src=search

    Remove or manage a new and uncommon kind of cookies, better known as LSO's.The BetterPrivacy safeguard offers various ways to handle Flash-cookies set by Google, YouTube, Ebay and others...
    Lubuntu 14.04 / PCBSD 10 (Dual Boot)
    Some people are funny. They spend money they don't have, to buy things they don't need, to impress people they don't even like.

  8. #8
    Join Date
    Sep 2006
    Beans
    7,344
    Distro
    Lubuntu Development Release

    Re: Risks associated with using flash | Is there an alternative ?

    Quote Originally Posted by linuxyogi View Post
    You say this coz the flash plug in stores something on the computer ?
    I say it because there's more than cookies that can go wrong with a Flash instance. Using a clean snapshot reduces the probability that something was changed or added, cookies aside. The add-on helps but only with cookies not the bazillion other problems.

  9. #9
    Join Date
    Mar 2011
    Beans
    669

    Re: Risks associated with using flash | Is there an alternative ?

    "It may help, if you explain why you think that Google's version of flash is any more secure than the original."It has no access to the file system and runs with seccomp mode 2 filters with virtually no access to system calls. An exploit in Flash in Chrome leads to no file access and a very hard time escaping the sandbox. Google also often pushes out Flash patches before Adobe does.
    Last edited by Hungry Man; December 24th, 2013 at 06:11 AM.

  10. #10
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    1,273
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: Risks associated with using flash | Is there an alternative ?

    Here's what I do:

    1. I use FF as my full-fledged browser, but only sparingly. When I do use it, it is fully hardened with Adblock Plus, a Cookie Manager, WOT, Better Privacy, and most importantly, NoScript. This last, stops all scripting dead in its tracks. Everything is defaulted to "deny". I only whitelist sites that I absolutely have to, like my banking sites. If anything else is permitted, it is one-time and temporary (see below). NoScript has the added advantage of prohibiting cross-site scripting and a few other tricks that scumbags use to crack browsers.

    2. The majority of my browsing is conducted through Links2 in graphics mode. This is a hyper-light, primitive browser that is actually incapable of accepting/storing cookies or running any script including flash. Obviously, it can't show many sites in their full obese pigged-out glory, but I don't care, as I am after the content and not the eye/ear-candy.

    3. For sites that simply will not load without flash, I make a decision: if I must access the site, then I fire up FF, temporarily permit it in NoScript and let it drop back to "deny" when I'm finished. In 95% of the cases, I decide that such a site is not important enough to risk permitting scripting to run and I take the attitude that if the designer cannot engage my interest without forcing his scripts down my throat, he doesn't deserve my viewership/patronage. Stated so baldly, it sounds rather arrogant I'm afraid, but I'm not trying to be arrogant; just safe.

    I'm convinced that my browser will not be compromised so long as I adhere to these stringent rules.

    They aren't for everyone, and even my wife won't put up with this level of paranoia. Her browser is structured far less stringently than mine, but I am convinced that hers is also far more vulnerable. And, to be honest, her surfing habits make me cringe anyway, so I'm not sure browser hardening would do much. In the end, by far the biggest risk factor is the user, and all of these tools are worthless if such users are intent on behaving like fools.

    You have to make your own decision on the basis of your risk tolerance, your perception of how bad things are out there and how hungry you are for eye/ear-candy.

    **EDIT**

    I failed to mention that I have an apparmor profile defined for FF and I actually turn it on (it comes off by default). Mine is not the canned profile, but a custom profile that I've trained. Unfortunately, this is a complicated process and far beyond the scope of this thread, but it is a critical component to contain any breakout which my prior steps may have failed to safeguard.

    I take further steps too, but we risk getting lost in a general security discussion when what you want is a quick and simple set of suggestions to cover off the biggest holes in flash.
    Last edited by DuckHook; December 24th, 2013 at 08:47 AM. Reason: Additional info
    Newb: How far must I jump to clear the ledge halfway down?
    Guru: It's bad to jump off cliffs. Let's look at better options.
    Newb: Stop harping about "best practices" and just tell me.


Page 1 of 3 123 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •