Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Jun 12, 2011

Making the web safer: From auto-update to auto-upgrade

The Firefox team has decided to stop supporting Firefox 3.5. They've put a great deal of thought into how they will handle the ~12 million Firefox 3.5 installations around the world. Firefox 3.5 will be updated to the latest 3.6 version, through the auto-update system — which really makes it an auto-upgrade. The plan is to start pushing the upgrade on June 21st, in conjunction with the release of the new Firefox 5. The team has shared their assumptions and rationale for the decision in a Firefox 3.5 EOL article on the Mozilla wiki.

The decision to upgrade users' soon to be outdated and unsupported browsers is important. Home users' computers are under constant attack. The stream of software updates is both endless and rapid, especially when taking into account that there are updates to the operating system, web browsers, and commonly installed software such as Adobe Acrobat and the Java Runtime. The average user should be relieved from having to deal with all the different update notifications and procedures. Apple have been leading the way here for many years already. If you do a Google search for "security update" flash you'll see why: They've been supplying updates to the Flash player for many years through their update system. The Chrome team chose the same route in April when they included an updated version of Adobe Flash with their latest Chrome release — fixing a vulnerability in the Flash plugin in addition to three in Chrome. The simpler the job for users to keep their systems up-to-date, the more users will be running the latest, greatest, and safest software.

The Firefox developers are not the only ones having to deal with the responsibility for aging software versions. Microsoft decided not to auto-upgrade IE 6 to IE 7 through Windows Update, and specifically gave corporations the possibility to block upgrades. They also took steps to hinder upgrades of pirated installations. IE 6 has been unsupported since July 13th 2010, but today there are still so many IE 6 installations left that Microsoft has launched a campaign to educate/convince IE 6 users to upgrade their browsers. You can follow their progress at theie6countdown.com. Judging by the data published by Netmarketshare at the time of writing, Firefox 3.5 has a market share of 1.38%, and IE 6 has 10.36%. If there are ~12 million FF 3.5 installations, IE 6 accounts for ~90 million installations! Microsoft has quite some way to go before reaching their goal of 1% IE 6 installations.

But how dangerous are these outdated browser installations? For one, vulnerabilities are surfacing for all IE versions, including IE 6, ref CVE. You can't rely on these vulnerabilities getting fixed for IE 6. Next, consider the number of IE 6 installations. Just a small fraction of those ~90 million machines would make a pretty decent botnet, right?

Though the Firefox team is doing the right thing by not leaving users behind, they did not take the risk of going the extra mile and upgrading the users to FF 4. They've taken a softer approach, which is still pretty cool, by motivating their existing FF 4 users to help their friends upgrade. This is what the FF 4 Web Hero start page looks like:

While Microsoft has chosen to not automatically upgrade their users, and the Firefox team upgrades their unsupported versions to the closest supported version of the browser, Opera and Chrome take a different approach. Opera has one timeline for their browser, and will bump the major version number when they introduce notable new features. But they will not be maintaining two separate major versions simultaneously. To get the latest security fixes, you'll simply have to update/upgrade to the latest version.

Google has taken Opera's approach even further with Chrome, avoiding the whole notion of version numbers. I use all the major browsers, IE, FF, Opera, and Chrome, on a daily basis. I'm conscious that I'm now using IE 9, FF 4 and Opera 11. But Chrome is different: I just use the latest Chrome. I actually had to check the version now. Apparently Chrome has reached version 11, which was a surprise. I would have guessed it to be version 2.x; after all, it hasn't been around that long! It's the latest, greatest and safest — that's all that really matters. Google is doing things right as long as I can keep letting Chrome update itself, and keep on being ignorant about the version number.

So arguably, things are happening on the client side through simplified update/upgrade procedures for users, as well as campaigns to educate and notify users that they are running outdated software. But we need to create stronger incentives to keep browsers up to date, and that is mostly a server side problem.

An important reason for many users and enterprises to run old browser versions has been aging web applications that haven't seen the necessary maintenance to function properly in modern browsers. Hence, a browser upgrade might break business critical applications. In turn, this has created a strong incentive to support outdated browsers even in new web applications. If a company is running IE 7 because of business critical legacy applications, and your web application only works in IE 8 and newer, they probably won't buy your application. You see the catch-22 here, as there is also little or no incentive to start fixing the legacy web applications as long as we keep supporting old browser versions in new apps.

Google is now changing the rules of the game, like only one of the really big players can. A couple of days ago they announced on their blog that, starting from August 1st, Google Apps will be supporting the two latest versions of IE, FF, Safari, and their own Chrome. The most notable effect is that they're dropping support for IE 7, even though Microsoft will support it until 2014. According to numbers from Netmarketshare, Google is dropping support for ~20% of the browsers on the Internet; that's quite drastic! And judging from their blog, they seem to mean business:
In these older browsers you may have trouble using certain features in Gmail, Google Calendar, Google Talk, Google Docs and Google Sites, and eventually these apps may stop working entirely.
It'll be very interesting to see how this plays out. The fundamental shift here is important, and I strongly believe that Google is doing the right thing.


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
