Don’t Worry, Browse Happy
When I logged in to manage the site this morning, I noticed a little ad button at the bottom of my WordPress console page:
Maybe it’s been there forever, and I only just spotted it today. I don’t remember daisies on my admin screen before, but who knows. Either way, the Browse Happy campaign is apparently old news. Wikipedia says it was created by the Web Standards Project in 2004 to convince end users to use something — anything — other than IE to browse the Web, purportedly because of rampant security issues in IE.
Now, you might wonder what place an initiative campaigning against the use of a particular browser (a browser that had about 75% market share at the time) has in the mission of an organization devoted toward promulgating W3C standards. Apparently so did they, and handed over the site to WordPress a year later. (Why? I guess because WordPress <3 Firefox.)
I’ve got no beef with WordPress shilling for Firefox (and c’mon, let’s not kid ourselves that anyone other than Apple is trying to get the world to switch to Safari). WordPress is great, imho. It’s super-easy to use, flexible, and free. So I’m curious if there’s a good reason why they’d be on the anti-IE jihad. And by “good reason,” I mean one that goes beyond opposing everything Microsoft does just out of principle. I headed over to BrowseHappy.com to take a look.
The site is primarily a collection of anecdotes and “personal stories,” kind of a knockoff of Apple’s old “Switch” campaign. Unfortunately, there’s no real meat in the “Why is Internet Explorer Unsafe” section of the site; it’s just a clipboard collection of a half-dozen long-outdated articles about IE6. Both the articles and the personal stories emphasize a number of feature benefits for FF over IE — pop-up blocker, tabbed browsing, etc. — that are in IE7. But the real question in my mind isn’t about UI feature parity, it’s about security. Am I really that much safer when I’m in FF than IE?
My gut feel is that the answer is probably “yes, sort of.” In the same way that Apple made a big deal a while back about the number of viruses targeting Mac v Win platforms, it’s got to be true that there are more exploits out there focused on IE than Mozilla browsers. Back in 2002, IE’s browser share was about 85%. It’s declined steadily, and today it’s just over 50%. But that’s a long time being the dominant player… if I were a hacker looking to score some passwords, SSN’s, or credit card #’s, I’d rather spend my time searching for vulnerabilities in a tool that most of the Internet community is using rather than focus on a minority browser like FF or Opera. But hey, if everyone switches to FF tomorrow, that story changes dramatically.
My gut feel isn’t real data, so I poked around a bit. I was curious to see what I could dig up to support the claim that IE is inherently just a buggier product than its competition, not just prone to exploits because of its popularity, but because of its architecture (or sloppy coding). I found a bunch of old news articles that seemed to confirm my hunch about security as a function of popularity (e.g. here and here), but that’s still basically noise, no more comprehensive than the BrowseHappy showcase articles. I want stuff that’s more up-to-date, and more detailed.
Here we go: Symantec’s Internet Security Threat Report from Sep 2007. (A very interesting and scary read overall, btw — I highly recommend you at least skim it. Obviously it’s in Symantec’s best interest to paint the bleakest picture possible. Still, this doesn’t feel like blatant fearmongering.) The Vulnerability Trends section of the report breaks out the following stats:
|Jul-Dec 2006||34 (0/12/22)||54 (1/13/40)|
|Jan-Jun 2007||40 (0/35/5)||39 (1/15/23)|
Based on this, IE doesn’t look too shabby. There’s a marked downward trend on disclosed vulnerabilities, possibly due to the adoption curve for IE7, which went from about 7% browser share in Nov 2006 to about 20% in Jun 2007 while IE6 fell from 50% to 37% in the same period. And for the most recent period, it’s pretty much a wash: more vulnerabilities for Mozilla, and a lot more of medium or greater severity, but IE claims the dubious distinction of having the only high severity vulnerability.
The Symantec report goes on to document the length of time that disclosed vulnerabilities remained open. I can imagine a fix at big, slow Microsoft taking a while to make its way through levels of bureaucracy before getting the final green light for deployment, while hordes of ego-driven open-source developers compete to see who’s the first to repair a glitch in Mozilla. But just cuz I can imagine it doesn’t mean it’s so:
|Avg Window||Max Window|
|Mozilla||5 days||83 days|
|IE||5 days||90 days|
Too bad this data isn’t correlated to severity of the vulnerability being patched. If that single high severity vulnerability in IE is the one left wide open for 90 days after public disclosure, then these numbers take on a whole different meaning.
Unless that’s the case (and I would hope Symantec would have mentioned it if it were true), this study doesn’t support any claims about Mozilla/FF being a safer browsing environment than IE. At best, looking at trend lines you can make a case that in the recent past it has been. But that just brings things around full circle to my initial take: the higher the rate of FF adoption, the more it’s going to pose the same security risks to end users as IE.
So the conclusion? The Internet is a dangerous place. Fun, but dangerous. Kind of like riding a motorcycle. Browse Happy wants to say that using IE is like riding without a helmet. Maybe that was true in 2004/2005, but it’s not any more. There’s no simple answer to safety. Whatever browser you’re, um, riding, you gotta drive defensively, use your blinkers, and remember that you’re just paper playing in a world of scissors. (And the rocks can hurt, too.)