Adobe Flash was shut down for security concerns, but why didn’t they just patch the security flaws?

11 Answers

Anonymous 0 Comments

It was inherent in the design of the system. It required a thing called a Netscape plugin, and plugins were basically removed from all browsers and replaced with safer “extensions”.

Flash required quite a lot of access to quite a lot of things that you didn’t want to give it in a modern secure era. The same way DOS let you do anything you liked to the machine in the old days, and everyone was “administrator” and able to trash their computer.

Flash protocols weren’t just for drawing shapes and animating them or (later) displaying movies… they were basically entire machines-within-the-machine, and plugins were a way for those machines to interact through your browser past many security restrictions (which didn’t exist at the time and we added them as we discovered the need for them).

Same reason Java-in-the-browser died. Java required a plugin, a browser with plugin capability, access to the filesystem from the browser, etc. So it died. JavaScript (very different) doesn’t have that and survived in your browser.

Security is almost never a question of “just plug this hole in the dyke”. It’s usually far more about “we’ve designed this dyke to be inherently vulnerable to everything, it’s actually cheaper to knock the whole thing down, build it again and build it better than it would be to try to keep fixing it”.

Netscape plugins were not “reinvented”. They died.

ActiveX was not reinvented or fixed or patched. It died. (fun fact: “Windows Update” used to be an ActiveX control in your browser that had full permission to literally upgrade all parts of your Windows machine).

Flash, Java, “toolbars in your browser”, etc. all died because the way they were designed, there was no possible way to “secure them” properly and they inherently allowed things that were dangerous.

They were replaced (and sometimes 3, 4 or more times over as we still got it wrong!) with things that basically didn’t allow you to do those things. Your websites cannot access your entire file system any more. Java and Flash allowed that! Your websites cannot just turn on your cameras and record your video any more. Browser permissions were introduced to stop that and the USER / BROWSER controls them, not the sites.

Java literally let you run network servers in the browser and talk over people’s internal networks. You can’t do that any more.

ActiveX was literally just a Windows program running in your browser talking to websites and was inherently vulnerable. (But then Microsoft also invented WMF graphics files which people later discovered were just full standard executable programs that can be modified into viruses).

And all of them, at some time or other, tried to “patch out the flaws” and secure them. And failed miserably, because the only way to make it secure was to stop things working, things that people were ALREADY reliant on, and thus it would just “break” Java, etc. So they kept patching it and then one day the browser manufacturers basically called time on it, because they were getting flak for people opening up huge holes in corporate networks with this junk.

And when you’re running in an actual secure environment? Turns out you CAN’T run Flash, you CAN’T run Java programs, you can’t use ActiveX and many things made with them just stop working.

Browser-based Java at the end had a control panel icon(!) just for configuring the security of Java because the browsers couldn’t control it, and everything was just happening on the local machine. It’s like having to have a Windows Settings app nowadays to secure your streaming video because the firewalls and browsers just let it do what it likes.

That all died when browsers enforced security and, to be honest, nothing of value was lost. People instead finally got with the programme, secured their shit, and made pretty animations in your browser in safe ways that didn’t require complete control of your PC at an administrative level.
