It’s not uncommon for us to get the question: “why haven’t you switched to HTML 5 from Flash because of the widespread concerns over security issues with the Flash platform?”
The short answer is that we already are well into a transition away from Flash, and we will continue that transition as quickly as it is safe to do so.
Since 2014 over 50% of the VoiceThread platform has moved away from Flash, and that percentage will continue to grow as soon as other frameworks like HTML5 begin to offer the rich feature set that VoiceThread users require. Currently this is not the case, and we cannot move out of Flash until there exists a suitable alternative. Unlike YouTube, VoiceThread cannot simply do away with audio and video input because that is the core of what we do.
Our obligation to our users is more akin to that of a utility company than a social media company. We are extremely careful about managing the delivery of the VoiceThread service, whether it’s a robust feature set, overall uptime, or security. Our codebase is defensive in depth, our staff strictly employs disk encryption and MFA, and we engage a top-tier third-party security firm to run periodic penetration tests to find new vulnerabilities.
With that in mind, the more important question is not whether Flash is secure overall, but whether the end user is using Flash in a secure manner. An overwhelming majority of security experts have concluded that it is safe enough to use when managed properly (see management details below). Every major modern web browser, along with the organizations that create them, supports Flash, from Google to Mozilla, Microsoft to Apple, and enterprise platforms that use Flash are fully capable of achieving FedRAMP certification by the federal government of the US. The thousands of security experts behind the decisions to enable Flash use on their platform did not do so without careful thought and neither have we.
In summary, the answer to the question about our use of Flash is that we are moving away from it, but will do so carefully, methodically, and on a timetable that keeps our community’s best interests in mind. If we execute the transition well, the vast majority of our users will probably not notice it at all, and that’s exactly our goal. In the meantime, following the simple guidelines below will help to ensure that you are using Flash appropriately.
Update: A beta version of the no-Flash VoiceThread experience should be ready for testing in the summer of 2017.
What can you do to make sure you are using Flash safely on your computer?
- Always make sure your web browser is completely up to date. Most modern web browsers will update your version of Flash automatically as you update.
- Make sure your version of Flash is fully up to date at all times.
- If you are not comfortable allowing Flash to run upon page load, configure your web browser so that you must click to activate Flash on any page.