Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Oct 8, 2011

Making the web even safer: From auto-upgrade to silent updates

Mozilla now aims to add silent updates to Firefox — much like Chrome and Opera already do — as summarized in this Computerworld article. This marks an important milestone, and is an important follow-up to Mozilla's decision back in June to auto-upgrade the then soon-to-be unsupported Firefox 3.5. Back then, I blogged about the importance of the bold decision to NOT leave users behind on an unsupported version.

Later in June, when Firefox 5 was released, Firefox 4 users were prompted to update to the new version. I was so excited, I had to blog about that too.

Now Mozilla has decided to introduce silent updates to Firefox. From Mitchell Baker's blog we can learn that:
"Before Mozilla instituted the rapid release process, we would sometimes have new capabilities ready for nearly a year before we could deliver them to people. Web developers would have to wait that year to be able to make their applications better."

And why is that a problem?

"A browser is the delivery vehicle for the Internet. And the Internet moves very, very quickly."

The key motivation for the change is the lack of the agility required to meet new or changing demands in a timely manner. The internet evolves, which means that the requirements for browsers also change rapidly. If capabilities have to wait for a year, something is definitely wrong. Across the software industry, great efforts are being made to change software development processes to reduce the time needed to put a new feature or bugfix into production. Many of these efforts push towards agile software development.

With Mozilla's rapid release process came concerns about enterprise deployments, add-on compatibility, and update fatigue for users. Mitchell Baker addresses these in her Rapid Release Follow-Up. One requirement mandated by more frequent releases is to silently take care of the update process for the user. Brian Bondy, a Mozilla developer, mentions the concrete features they're working on as part of the silent update on his blog. Check them out; they're all of the type "Get out of the user's way".

So why is this important for security? For one, there's a lot happening on the borderline between browser security and web application security, e.g. the recently added security mechanisms Strict Transport Security, X-Frame-Options, and Content Security Policy, which are triggered by the web application but enforced by the browser. Web browser adoption of such mechanisms is key to their adoption in web applications. Second, there's a lot going on with the internal security in the browsers, one interesting example being Chrome's plugin sandboxing initiative. There's only one way to keep users safe: keep them up-to-date.

The broader effect of this will be interesting. Firefox, Chrome, and Opera account for about half the browser market. If the major browsers are successful with their rapid releases, they've set an important standard. They've then shown that it can actually be done for widely deployed client software. We're witnessing a paradigm shift on the desktop: version numbers are soon irrelevant. How cool is that!?!

As a final note, how Mozilla organizes their rapid release cycle is explained in more detail on their blog. It will be interesting to see how it works out, and to learn about their experiences.


  1. So, why are we trusting other browser makers to be better at this than Microsoft? When MS first started pushing auto-update settings for Windows there was a huge outcry over how bad this was for security.

    Mozilla and Google are not getting nearly the same heat. How come?
    Are newer update systems safer, or has our risk perception changed?

  2. I would argue that we've moved from "do I trust that they got this right", to "I just expect that this works".

    One of the reasons for that is that we're accustomed to the automatic Microsoft Update, as well as auto-updating anti-virus software. We expect that the world has learnt how to solve this. We've simply accepted the risk, and do not spend any more time contemplating it.

    Do you have any pointers to the huge outcry over Microsoft's auto-update feature? It would be interesting to see what the discussion was really about back then.

  3. I haven't Googled for old articles, and I'm not sure how much we'll find online. This was, after all, pre-Y2K. Some of the criticism is mentioned in the Wikipedia article on Windows Update. I think that pretty much sums up what I remember about it: How do we trust that they can keep this secure? Will someone be able to hijack the update process, or upload malicious updates etc.

    Of course, when I say "huge outcry", that's still among those who would be caring about it: the admittedly narrow field of security practitioners.

    To this date, we haven't had many significant incidents. I guess that means it works in practice, despite any theoretical fears of compromise.

    But do you think our expectations are warranted?

  4. As always, there are no guarantees. And the past can seldom tell us much about the future.

    Still, I put my faith in the Microsoft/Google/Mozilla security teams. Don't you?

  5. Safe? With silent updates? What? I hate this new feature! I want to control everything that's going on with my things. I don't want to see anything installed without my permission. I've already lost a few points of rating of Grabmyessay because of such 'wonderful' updates. No, this is not for me.



Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
