Don’t Worry, Browse Happy

March 1st, 2008 by Adrian

When I logged in to manage the site this morning, I noticed a little ad button at the bottom of my WordPress console page:

Browse Happy logo

Maybe it’s been there forever, and I only just spotted it today. I don’t remember daisies on my admin screen before, but who knows. Either way, the Browse Happy campaign is apparently old news. Wikipedia says it was created by the Web Standards Project in 2004 to convince end users to use something — anything — other than IE to browse the Web, purportedly because of rampant security issues in IE.

Now, you might wonder what place an initiative campaigning against the use of a particular browser (a browser that had about 75% market share at the time) has in the mission of an organization devoted toward promulgating W3C standards. Apparently so did they, and handed over the site to WordPress a year later. (Why? I guess because WordPress <3 Firefox.)

I’ve got no beef with WordPress shilling for Firefox (and c’mon, let’s not kid ourselves that anyone other than Apple is trying to get the world to switch to Safari). WordPress is great, imho. It’s super-easy to use, flexible, and free. So I’m curious if there’s a good reason why they’d be on the anti-IE jihad. And by “good reason,” I mean one that goes beyond opposing everything Microsoft does just out of principle. I headed over to to take a look.

The site is primarily a collection of anecdotes and “personal stories,” kind of a knockoff of Apple’s old “Switch” campaign. Unfortunately, there’s no real meat in the “Why is Internet Explorer Unsafe” section of the site; it’s just a clipboard collection of a half-dozen long-outdated articles about IE6. Both the articles and the personal stories emphasize a number of feature benefits for FF over IE — pop-up blocker, tabbed browsing, etc. — that are in IE7. But the real question in my mind isn’t about UI feature parity, it’s about security. Am I really that much safer when I’m in FF than IE?

My gut feel is that the answer is probably “yes, sort of.” In the same way that Apple made a big deal a while back about the number of viruses targeting Mac v Win platforms, it’s got to be true that there are more exploits out there focused on IE than Mozilla browsers. Back in 2002, IE’s browser share was about 85%. It’s declined steadily, and today it’s just over 50%. But that’s a long time being the dominant player… if I were a hacker looking to score some passwords, SSN’s, or credit card #’s, I’d rather spend my time searching for vulnerabilities in a tool that most of the Internet community is using rather than focus on a minority browser like FF or Opera. But hey, if everyone switches to FF tomorrow, that story changes dramatically.

My gut feel isn’t real data, so I poked around a bit. I was curious to see what I could dig up to support the claim that IE is inherently just a buggier product than its competition, not just prone to exploits because of its popularity, but because of its architecture (or sloppy coding). I found a bunch of old news articles that seemed to confirm my hunch about security as a function of popularity (e.g. here and here), but that’s still basically noise, no more comprehensive than the BrowseHappy showcase articles. I want stuff that’s more up-to-date, and more detailed.

Here we go: Symantec’s Internet Security Threat Report from Sep 2007. (A very interesting and scary read overall, btw — I highly recommend you at least skim it. Obviously it’s in Symantec’s best interest to paint the bleakest picture possible. Still, this doesn’t feel like blatant fearmongering.) The Vulnerability Trends section of the report breaks out the following stats:

Mozilla IE
Jul-Dec 2006 34 (0/12/22) 54 (1/13/40)
Jan-Jun 2007 40 (0/35/5) 39 (1/15/23)

Based on this, IE doesn’t look too shabby. There’s a marked downward trend on disclosed vulnerabilities, possibly due to the adoption curve for IE7, which went from about 7% browser share in Nov 2006 to about 20% in Jun 2007 while IE6 fell from 50% to 37% in the same period. And for the most recent period, it’s pretty much a wash: more vulnerabilities for Mozilla, and a lot more of medium or greater severity, but IE claims the dubious distinction of having the only high severity vulnerability.

The Symantec report goes on to document the length of time that disclosed vulnerabilities remained open. I can imagine a fix at big, slow Microsoft taking a while to make its way through levels of bureaucracy before getting the final green light for deployment, while hordes of ego-driven open-source developers compete to see who’s the first to repair a glitch in Mozilla. But just cuz I can imagine it doesn’t mean it’s so:

Avg Window Max Window
Mozilla 5 days 83 days
IE 5 days 90 days

Too bad this data isn’t correlated to severity of the vulnerability being patched. If that single high severity vulnerability in IE is the one left wide open for 90 days after public disclosure, then these numbers take on a whole different meaning.

Unless that’s the case (and I would hope Symantec would have mentioned it if it were true), this study doesn’t support any claims about Mozilla/FF being a safer browsing environment than IE. At best, looking at trend lines you can make a case that in the recent past it has been. But that just brings things around full circle to my initial take: the higher the rate of FF adoption, the more it’s going to pose the same security risks to end users as IE.

So the conclusion? The Internet is a dangerous place. Fun, but dangerous. Kind of like riding a motorcycle. Browse Happy wants to say that using IE is like riding without a helmet. Maybe that was true in 2004/2005, but it’s not any more. There’s no simple answer to safety. Whatever browser you’re, um, riding, you gotta drive defensively, use your blinkers, and remember that you’re just paper playing in a world of scissors. (And the rocks can hurt, too.)

Posted in Technobabble, The Web (2.0 and otherwise)

(comments are closed).

About Sips from the Can

Lorem ipsum dolor sit amet, consectetuer adipiscing elit. Aliquam justo tortor, dignissim non, ullamcorper at, lobortis vitae, risus. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Aliquam erat volutpat. Aenean mi pede, dignissim in, gravida varius, fringilla ullamcorper, augue.

(edit footer.php to change this text)