Wednesday, October 11, 2006

Making a secure web browser

A couple of browser security and vulnerability articles posted today. "The False Promise of Browser Security" was a good read (yours truly quoted), but something from Computer World's got my attention, "What if I don't want IE7?". Isn't that the age old question I thought to myself. At the end the author says..

"I'm torn on this issue: IE7 is more secure than IE6 (how could it not be?) and I think the majority of home users do need to upgrade. But making it a mandatory upgrade as soon as it's publicly available strikes me as draconian and premature. I don't like having major upgrades to something as fundamental as my browser forced on me. Especially when I know IE7 is going to break things."

Forcing the update of "fundamental" software. That's an important point since people will be unable to do their testing to make sure their day to day productivity won't be impacted. Let me stop there. I'll take a wild guess and say I think people are tired of listening to me bag on Internet Explorer. In fact, I'm tired on hearing myself speak talk about it. What I would like to speak about is the difficulty of building a web browser.

Consider what web browser developers have to put up with ever day. The stupid non-compliant HTTP web servers do with the protocol. Must support half a dozen client-side programming languages, with several variants each, all potentially harboring malicious code. Developers clamoring for standards compliance, then ticked off when you do. The environment is completely hostile and browser vendors have to make the best of it. Billions in revenue depends on it.

Is there any wonder web browsers are a top target for malicious hackers?

2 comments:

Anonymous said...

Jeremiah,

It should be no surprise to anyone who writes web apps that IE 7 and Firefox 2.0 are coming. They should have tested already, and provide upgrades as necessary. 40-50% of folks will be using IE 7.0 in a few days time. There will be a bit of chaos as folks have not done the right thing, but it's not the mom and pop's or Microsoft's fault.

I *will* be upgrading the wife's PC on day 1 if she doesn't have it by the end of it. I'm sick of being family tech support because of hostile web sites.

In my own testing, only stupid ActiveX based sites suffer terribly; SAP is the major casualty for me... for which I have a rollback XP VMware image. SAP is the only thing I use this image for - IE 6 is too dangerous to use otherwise.

IE 7 is just as good as IE 6 except that it doesn't take one for the team every few sites.

Andrew

Jeremiah Grossman said...

Hey Andrew,

You're right. Web developers and power users should have already tested. I was speaking more on behalf of the everyday casual web surfer. They can't be expected to test betas in advance. One morning they are going to wake up to something different and hopefully the web will still for work them.