Hole in Browser Security Patch Processes

May 8, 2009 at 7:52 am | Posted in Browsers, Google | Leave a comment

There’s been some lively internal discussion here about the desirability of automated browser updates for security patches.

An article in Techzoom.net called “Why Silent Updates Boost Security” practically salivates at the thought of patches automatically and instantly being deployed.  It praises Google for its 5 hour automated update cycle and states “After 21 days of releasing Google Chrome 1.0.154.48, an exciting 97% share of active Google Chrome 1.x users were using the latest Google Chrome 1.x version.”

That excitement wasn’t shared over at cnet (“Google issues, then reissues Chrome security fix”) where they wrote “Google fixed security holes with a new release of its stable version of Chrome–then released a replacement shortly afterward to prevent a batch of crashes that turned up as well.”

I agree with my fellow analysts that the idea of pushing out silent updates does not and should not sit well with enterprise IT.  Still, I understand the other point of view too.  Just creating a patch and putting it on your website isn’t likely to have much impact.  The majority of browser security breaches are targeted at personal PC users who don’t have IT staff to push out updates and don’t even know what a patch is.

One part of the answer then could be creating separate versions of the product (consumer and enterprise) that have different patching strategies.  Another part of the answer is that vendors need to take extreme caution when pushing updates directly to anyone’s browser.  It seems the balance has shifted to quickly trying to close holes rather than the primacy of a personal user’s control over their desktop environment.  It needs to shift back.  Lastly, a middle ground between silent updates and passive posting of patches needs to be used.  This includes effective NAGs that let the user know their security patches are outdated (red alert in the titlebar perhaps?), but are not overly disruptive to users.

Could IE Finally Be Knocked Off Its Perch?

January 6, 2009 at 5:42 pm | Posted in Browsers | 1 Comment

John Letzing reported recently in many publications (1/5/09 WSJ page B3, or at the San Jose Mercury News) that “Microsoft’s browser sees notable decline in usage”.  It seems IE’s market share has dropped to 68% in December from 74% in May according to NetApplications. 

With most users not knowing or caring that they can install a different browser on their PC, what people choose isn’t as interesting to me as the fact that they choose at all.  I estimated in February that only 42% have explicitly thought about and selected their browser, which is even less than the percentage of Americans that have changed their religion!

In that context, seeing IE’s market share drop below 70% indicates a potential shift in channel power away from Microsoft.  To a large extent, their market share is a referendum on Microsoft’s ability to push its technologies through its channel rather than indicating technology preferences.  With more awareness of Firefox, more Macs using Safari (and PCs running iTunes which installs it), and upcoming competition from Chrome (it didn’t have time to impact the NetApps numbers yet), I can say for the first time in 5 years of covering browsers that there is a real possibility IE could fall below 60% in share within 3 years. 

A lot has to happen for that to occur (namely Google succeeding with making a case for Chrome as a better Internet platform), but it is possible.  When I last reported on browser market share, I indicated not much had changed since my browser survey in 2005.  But 2009 could be the year that finally marks a shift in the browser market and, more importantly, sends a signal about Microsoft’s ability to push technology through the PC manufacturer and Windows reseller channels.

Google Chrome: If Google Isn’t Evil, Can Their Lawyers Be?

September 3, 2008 at 9:44 am | Posted in Browsers, Google | 2 Comments

When you’re the big guy, it doesn’t take long for people to try taking you down.  I recognize that Chrome is in beta, so expect some issues like the carpet-bombing flaw it inherited by using an old version of WebKit.  Or that some pages (even from Google’s own services) don’t render correctly or consistently.  Hopefully Google quickly addresses these issues, which isn’t a given since they are the inventors of the “perpetual beta”.

But I would expect the lawyers would have their act together.  And, being a non-evil company, they would err on the side of giving away too many rights rather than storing them up for potential future use.  Putting beta-like technical glitches aside, here are four issues from the blogosphere that stick with me as longer term concerns:

1. The Register points out that in section 11 (Content license from you) Google’s EULA states that I still own my content, but they can reproduce it. I’m no lawyer, but that could be fishy.  Here’s the clause (emphasis added):

11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

2. CNet also mentions the content licensing clause, and adds that a door is left open to targeted ads based on your browsing history, searches, and information.

17.1 Some of the Services are supported by advertising revenue and may display advertisements and promotions. These advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information.

17.2 The manner, mode and extent of advertising by Google on the Services are subject to change without specific notice to you.

3. Some have attacked Chrome’s privacy characteristics.  InsideBayArea (among many others) notes the strange contradiction in adding the “incognito mode” to protect your privacy, but also adding a unique id buried in each browser as described in Google’s privacy notice for Chrome:

Your copy of Google Chrome includes one or more unique application numbers. These numbers and information about your installation of the browser (e.g., version number, language) will be sent to Google when you first install and use it and when Google Chrome automatically checks for updates.  If you choose to send usage statistics and crash reports to Google, the browser will send us this information along with a unique application number as well.

4. InformationWeek points out that even the Incognito mode doesn’t hide web log information from the web servers.

So far, none of these issues mean something nefarious is happening or will definitely happen in the future.  But they could be used against users in the future. I would expect a non-evil company to refrain from stockpiling weapons (legal disclaimers in this case), not to just refrain from using them.

Browser War Gains New Front With Google Chrome

September 2, 2008 at 10:23 am | Posted in Browsers | Leave a comment

The browser wars have flared up again as the Wall St. Journal reports Google has entered the field with an open source, beta (of course) browser called Chrome. I last looked at browser market share in February (see my posting IE is Still Beating Mozilla and Generalissimo Francisco Franco is Still Dead). I found that little had changed since my browser study three years ago. With Google entering the race, the question is whether this might finally be the disrupter.

For the end user, Google makes its case (in a surprisingly informative comic book, one page of which I’ve attached below) by stating its browser is more stable, faster, and secure than other browsers because they’ve architected theirs better (better transparency for identifying slow processes, multi-threaded means smarter freeing up of garbage collected memory and a sandbox to isolate JavaScript rendering bugs, better automated testing on sites ranked highly by Google, better JavaScript interpreters with native execution instead of p-code and improved garbage collection).

[Image: one page of Google’s Chrome comic book]

According to the comic, Google also rethought the UI, placing tabs at the top of pages, altering behavior of the URL bar, and adding a portal-like concept on the home page that shows recent pages browsed.

That is well and good for the external audience, but what does this do for Google beyond poking Microsoft in the eye? One benefit to the Googleplex and its investors is that their browser supports Google Gears, their plug-ins/downloadable API extensions. But then again, Gears can run in other browsers too. The WSJ hinted this was the case and added another possible benefit in creating saleable real estate: “They can use the precious screen real estate to promote their own Web services. Moreover, they can tailor their browsers to ensure compatibility with their other products.” Browsers are really vehicles for controlling standards (often around rich internet applications) and creating demand for new property (like the search bar that helps support Firefox).

So, how does it really work? Beats me – maybe by “released today” they mean “released at midnight today”. Strangely, gears.google.com/chrome redirects to www.google.com. Their “trends” site shows “download google chrome” is a top search, but again redirects to the Google homepage. No press articles point to the browser, and searches on Google come up with nothing. I’ll let you know what I think when I get to play around with it.

Will Google succeed? I’m generally not afraid to go out on a limb, but I’ve got way too little information to assess that right now. I would like to see a more efficient and stable browsing platform and maybe Google will be it or spur others to respond in kind. But in an article last week in the Economist about how Google’s Lively virtual world isn’t seeming very lively these days, they summarized Google’s record: “for all its might, Google’s efforts to diversify beyond its sole money-making business, web search, have yet to set the world—real or virtual—on fire.”

Why Browser Stick-in-the-muds Are Good For The Industry

March 4, 2008 at 8:48 am | Posted in Browsers | 2 Comments

I just had a good conversation with a reporter from the New York Times regarding why people choose not to update their technology and my blog posting on “More People Pick Their Religion Than Their Browser?”.  I’m not sure how much of it will wind up in print, so I’ll relate here what I said.

First, it’s a fact that just because vendors come out with a new release doesn’t mean that everyone automatically upgrades.  For example, 0.14% of browsers are still Netscape (not Mozilla/Firefox – I actually mean the old Netscape).  That may not sound like much, but given the number of browsers out there it actually adds up to a real number.  And since these stats are based on hits on websites, it does mean they are actually in use and not just sitting dormant on an old PC somewhere.

The reporter asked a good question, which is whether the people that are slow to update their software are good for the industry.  I gave a resounding “yes”.  These stodgy users force vendors to give compelling reasons to upgrade or else they won’t do it.  And the reasons have to be good enough to make up for their strong bias towards sticking with what has worked in the past.  When their PCs finally bite the dust and they need to buy a new one, that’s when they’ll get new software.  Good for them.

Of course, software as a service (SaaS) promises to change this whole dynamic.  Since the vendors make money from ongoing subscriptions rather than on periodic upgrades, they no longer have an incentive to make changes just to get a revenue bump.  But the other side of that coin is that SaaS vendors might have more incentive to skate by with whatever they can as long as it doesn’t cause a mass exodus of users.  Also, many enterprise users are uncomfortable with software that can change incrementally and frequently because of the burden it places on training and help desks that have to support users.  End-user SaaS is still new so it’s yet to be determined how these pros and cons will play out in the enterprise.

More People Pick Their Religion Than Their Browser?

February 28, 2008 at 4:05 pm | Posted in Browsers | 1 Comment

I blogged yesterday about how IE is still maintaining a tight hold on the browser market (see IE is Still Beating Mozilla and Generalissimo Francisco Franco is Still Dead). Today I wanted to explore the question “why?” Not that I think IE is a bad browser or that Mozilla is categorically superior – I really don’t have a strong preference. But I find the selection process interesting. So did the New York Times in a recent technology blog post (The Browser Choices We Make) which wondered “why people choose the browsers they choose. Let us know about what’s behind your choice in the comments section.” So what did they find? Well, culling through the 170+ responses didn’t help explain why IE is popular. In fact, on the surface it did just the opposite. Almost all the responses are about why they chose Firefox, Safari, or Opera, yet IE owns ~80% of the market.

Of course, the reason is that the majority of IE users didn’t explicitly choose IE. They use it because their computer came with it (and they don’t know they have a choice or know how to change it) or their employer requires it. Some do make a conscious choice to use IE, mostly because of compatibility. I guesstimate that in the US only about a quarter of the IE users explicitly selected IE at best (19% of all users). So combined with the 23% represented in other options (if you assume all those were explicit choices which may not be the case for Safari either), a conservative estimate is that only 42% have explicitly thought about and selected their browser.

Since choices about browsers or Java and .NET are often figuratively referred to as “religious” decisions (for example, see this posting on “The Firefox Religion”) that brought to mind a recent study on religion. According to the recent Pew study, 44% of Americans have changed religions (if you include switching between different forms of Protestantism). This means that more people probably change their religion than change their browser. Strange. One would think it’s easier to install Firefox on your laptop than to convert your religion. Still, both numbers are pretty high when you consider how often we tend to stick with the status quo in other areas of our lives. To me, this propensity to change shows that Americans are not afraid of replacing whatever comes installed on their laptops or their souls.

IE is Still Beating Mozilla and Generalissimo Francisco Franco is Still Dead

February 27, 2008 at 5:22 pm | Posted in Browsers | 4 Comments

I just checked the most recent browser stats and, no surprise, IE is still keeping its grip on the browser “market” (can it be a market if it’s free?).  A browser study I did in 2005 of 217 organizations found that 89% had some form of IE (mostly IE6 at the time) as their desktop standard.  At the time 17% of respondents said they had considered changing their browser standard.  Corporations, governments, and non-profits also influence consumer browser habits since they create the majority of sites that consumers browse.  In my study I found that these organizations were more open about the browsers they targeted for their sites than what they forced their own internal users to use (49% did compatibility testing against Netscape and 29% had help desk troubleshooting scripts to help Netscape users; the numbers were 28% and 11% for Firefox).

So how have things changed since 2005?

Not much.  OneStat shows about 83% marketshare globally for IE and 77% in the US.  According to them the most popular browsers on the web are:

Worldwide            February 2008   June 2007   Difference
Internet Explorer    83.27%          85.81%      -2.54%
Mozilla Firefox      13.76%          12.72%      1.04%
Apple Safari         2.18%           1.79%       0.39%
Opera                0.55%           0.61%       -0.06%
Netscape             0.14%           0.11%       0.03%

USA                  February 2008   June 2007   Difference
Internet Explorer    77.35%          75.69%      1.66%
Mozilla Firefox      17.85%          19.65%      -1.80%
Apple Safari         4.03%           3.77%       0.26%
Opera                0.44%           0.61%       -0.17%
Netscape             0.21%           0.17%       0.04%

Marketshare (from Net Applications) shows about the same as the OneStat US shares give or take a few percent.

Browser                        Total Market Share
Microsoft Internet Explorer    75.47%
Firefox                        16.98%
Safari                         5.82%
Opera                          0.62%
Netscape                       0.61%
Mozilla                        0.32%

Determining browser market share is a bit of an art form.  While my market share numbers were obtained by directly asking organizations, most stats are determined by looking at web server logs of visitors and by reporting sent by services installed by participating sites.  So the stats vary based on the types of users that hit these sites.  Ultimately, the only stats that matter for an enterprise determining what to use are what its target population is using and is expected to use in the future.  I’m not interested in the horse race or religious aspects of browser selection – the reason I think browser selection matters to enterprises is twofold: 1) to determine which browser offers the best experience for its employees (such as distributed management of security settings, compatibility, etc.) and 2) to determine how websites should be developed and tested based upon the browsers its audience is expected to have.

Are Mac applications invading the PC?

June 12, 2007 at 7:36 am | Posted in Browsers | 1 Comment

Yesterday, Apple announced it will be introducing a version of its Safari browser to run on Windows. You can already download the beta here. Possible motivations range all the way from breaking Microsoft dominance by forcing web application developers to code for more than just IE (only 11% of enterprises test against Safari according to a study I did of 217 end-user organizations in 2005 while 90% test against IE6+) to breaking Microsoft dominance by installing a platform-independent web stack. Recall the recent articles in the WSJ and E-commerce Times about how iTunes for Windows installs a separate networking stack (called “Bonjour”) that, by all accounts, seems to work well and without harm to Windows. It will be interesting to see Apple’s next move.

On Mozilla and The Evolution of the Browser

May 11, 2007 at 10:10 am | Posted in Browsers | Leave a comment

I just saw a great blog posting “On Mozilla and The Evolution of the Browser” that talks about microformats and the future of browsers.  Microformats are ways to add simple, machine readable tags to otherwise human-readable web content (my definition; forgive me if I missed a formal one somewhere).  hCal is a simple example: “Friday, June 11th at the Hackney Pavillion, 7pm” could be tagged so it could be clicked via some type of UI and added to your calendar.

I like microformats, but rather than seeing Mozilla thinking about which ones they should build into the browser I’d prefer they keep the browser lean and extensible and create a plug-in API so that anyone who feels like creating a microformat interpreter can do so.  The UI of the browser would accommodate whatever microformat plug-ins are installed.  I think they are considering a more open approach and the technologies they picked were just samples of what could be inserted into the browser – at least I hope!

I can actually think of quite a few more actions that could be taken on web pages.  I wouldn’t force the user to understand which are due to microformats and which are possible without them.  They are all just actions (like other than historical or techie reasons, why would subscribing to RSS be accomplished through its orange icon, adding a calendar entry under a submenu from a green plus, and personal bookmarking be from the bookmark menu, and editing from the tools menu?).  And I disagree with Alex Faaborg’s statement that the content area shouldn’t be altered.  The UI I envision for microformats would be a combination of page-wide and contextual microformats that could be applied:

Page-wide actions

Place in toolbars across top or side rather than forcing user to click on a “+” symbol in the middle of the toolbar.

  • Tag (del.icio.us)
  • Rate (Digg, StumbleUpon, reddit)
  • Blog
  • Discuss (Wirefan)
  • Subscribe (RSS, Atom)
  • Edit
  • Bookmark (Yahoo My Web, del.icio.us, enterprise equivalents from IBM, Microsoft, BEA, etc.)
  • Store (to workspace, offline)

Contextual actions

There’s a familiar UI for contextual capabilities which is to support right-clicking to take action on items and have the option of a contextual toolbar that provides pushbutton access to choices on the highlighted or cursored information.  Given the number of microformats that could be embedded in a page there will probably need to be a “show all codes” equivalent where you can see all microformatted areas while holding down ctrl or something like that.

  • Map
  • Save contact
  • Contact (call, IM, email as appropriate)
  • Add to calendar
  • Search (Sphere, Google, Wikipedia)
  • Virtual teleport (Slurl)

Firefox and IE are at it Again

October 27, 2006 at 10:33 am | Posted in Browsers, Internet/Browsers | Leave a comment

People love an underdog story – the little guy who the big guys ignore but triumphs through gut, gumption, and raw talent. I just watched Rocky again for the first time in years (the original, non-Roman-numeraled movie) and the clichés are all there.

This explains why the press loves the Mozilla vs. Microsoft story. Every couple of years IE and Mozilla (formerly the Netscape guys) go at it again, releasing new versions of their browsers and the spotlights shine brightly on them. It’s not as much that the product improvements themselves are that exciting, but the resurfacing of that underdog story.

A look through my press quotes from InformationWeek, Forbes, ComputerWorld, and Tech News World shows how nothing really changes. I was interviewed by NPR on this subject in 2005 as well, and I can guarantee they didn’t care just because of the evening news listener’s interest in tabbed browsing and CSS support. But “Can a plucky non-profit beat giant Microsoft?” – now that’s a story!

Here are some other quotes of mine for historical perspective on this never-ending story:

In my most recent interview, when asked if I thought Mozilla 2.0 was a major release, I said not really. But they had to put something out since the spotlight was going to be there anyways and they have to look busy. To quote myself:

“I think they’re invigorated, knowing browsers are in the news again,” he said of Firefox maker Mozilla. “They want to have something to show if people are going to pay attention to them.”

I do think Mozilla 3.0 will have more in it, but really the value of a browser is that it’s a thin, stable platform on which to run web applications. I want all the improvements and variation in the apps, not the viewer for them. Where there are fixes needed, fix them. Where there can be neat improvements (like tabbed browsing – love it!), make them. Put in support for Rich Internet Applications (RIA) technology. Otherwise, leave it alone and just keep my apps humming along smoothly.
