Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Oct 8, 2011

Making the web even safer: From auto-upgrade to silent updates

Mozilla now aims to add silent updates to Firefox — much like Chrome and Opera already does — as summarized in this Computerworld article. This marks an important milestone, and is an important follow up to Mozilla's decision back in June to auto-upgrade the then soon-to-be unsupported Firefox 3.5. Back then, I blogged about the importance of the bold decision to NOT leave users behind on an unsupported version.

Later in June when Firefox 5 was released, Firefox 4 users where prompted to update to the new version. I was so excited, I had to blog about that too.

Now Mozilla has decided to introduce silent updates to Firefox. From Mitchell Baker's blog we can learn that:
Before Mozilla instituted the rapid release process, we would sometimes have new capabilities ready for nearly a year before we could deliver them to people.  Web developers would have to wait that year to be able to make their applications better.
And why is that a problem?
A browser is the delivery vehicle for the Internet. And the Internet moves very, very quickly.

The key motivation for the change is the lack of agility required to meet new or changing demands in a timely manner. The internet evolves, which means that the requirements for browsers also change rapidly. If capabilities have to wait for a year, something is definetely wrong. Across the software industry there are made great efforts to change software development processes to reduce the time needed to put a new feature or bugfix into production. Many of these efforts push towards agile software development.

With Mozilla's rapid release process came concerns for enterprise deployments, add-on compatibility, and update fatigue for users. Mitchell Baker addresses these in her Rapid Release Follow-Up. One requirement mandated by more frequent releases is to silently take care of the update process for the user. Brian Bondy, a Mozilla developer, mentions the concrete features they're working on as part of the silent update on his blog. Check them out, they're all of the type "Get out of the user's way".

So why is this important for security? For one, there's a lot happening on the border line between browser security and web application security, e.g. the recently added security mechanisms: Strict Transport Security, X-Frames-Options, and Content Security Policy that are triggered by the web application but enforced by the browser. Web browser adoption of such mechanisms is key to their adoption in web application. Second, there's a lot going on with the internal security in the browsers, one interesting example being Chrome's plugin sandboxing initiative. There's only one way to keep users safe, keep them up-to-date.

The broader effect of this will be interesting. Firefox, Chrome, and Opera accounts for about half the browser market. If the major browsers are successful with their rapid releases, they've set an important standard. They've then shown that it can actually be done for widely deployed client software. We're witnessing a paradigm shift on the desktop, version numbers are soon irrelevant. How cool is that!?!

As a final note, how Mozilla organizes their rapid release cycle is explained in more detail on their blog, it will be interesting to see how it works out, and learn about their experiences.

44 comments:

  1. So, why are we trusting other browser makers to be better at this than Microsoft? When MS first started pushing auto-update settings for Windows there was a huge outcry over how bad this was for security.

    Mozilla and Google are not getting nearly the same heat. How come?
    Are newer update systems safer, or have our risk perception changed?

    ReplyDelete
  2. I would argue that we've moved from "do I trust that they got this right", to "I just expect that this works".

    One of the reasons for that is that we're accustomed to the automatic Microsoft Update, as well as auto-updating anti-virus software. We expect that the world has learnt how to solve this. We've simply accepted the risk, and do not spend any more time contemplating about it.

    Do you have any pointers to the huge outcry over Microsoft's auto-update feature? It would be interesting to see what the discussion was really about back then.

    ReplyDelete
  3. I haven't Googled for old articles, and I'm not sure how much we'll find online. This was, after all, pre Y2K. Some of the criticism is mentioned in the Wikipedia article on Windows Update. I think that pretty much sums up what I remember about it: How de we trust that they can keep this secure? Will someone be able to hijack the update process, or upload malicious updates etc.

    Of course, when I say "huge outcry", that's still among those who would be caring about it: the admittedly narrow field of security practitioners.

    To this date, we haven't had many significant incidents. I guess that means it works in practice, despite any theoretical fears of compromise.

    But do you think our expectations are warranted?

    ReplyDelete
  4. As always, there are no guarantees. And the past can seldom tell us much about the future.

    Still, I put my faith in the Microsoft/Google/Mozilla security teams. Don't you?

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Safe? With silent updates? What? I hate this new feature! I want to control everything what's doing on with my things. I don't want to see anything to be installed without my permission. I've already lost few point of rating of Grabmyessay because of such 'wonderful' updates. No, this is not for me.

    ReplyDelete
  7. You would be safe with https://persuasivepapers.com/.This is the choice of the year!

    ReplyDelete
  8. Something tells me that you also need to check out some good articles. Like this one. It ahas all you need to know about persuasive essay topics

    ReplyDelete
  9. The technic you describe here is simple and easy to carry out. At least it seems to be from my point of view. Do you think it will help to improve my blog https://bestwritingservice.com/? I want to attract more followers.

    ReplyDelete
  10. I'm used to the get all the best things in my life. I always choose the best quality food, clothes, shoes and the best service. So if I give any recommendations those are also the best. So this is a link to my blog successful essay writing and you decide if to follow it or not. We could also become the best friends, by the way.

    ReplyDelete
  11. The vast experience we have in offering nursing writing services has enabled scores of students to score high grades in their assignment since we are known for offering the purchase term paper.

    ReplyDelete
  12. Thanks for this valuable information sharing, and i learned a lot and cleared my all doubts in this.. keep posting like this useful information.
    post free classified ads in india

    ReplyDelete
  13. This is extremely helpful info!! Very good work. Everything is very interesting to learn and easy to understand. Peaky Blinder Costumes

    ReplyDelete
  14. We’ve successfully stepped in the digitized era where project management is growing rapidly. And to keep up with the fast growing methods, you need project time tracking app that comes really handy. The modern project time tracking app not only have built-in framework but they are designed to help project managers to perform their tasks proficiently

    ReplyDelete
  15. Dentistry Research Paper Writing Services have come up with Dentistry Writing Services for dentistry coursework writing service students in order for them to score straight A’s in their dentistry paper writing services.

    ReplyDelete
  16. best rice cooker. ability to De-obfuscate the javascript code.

    ReplyDelete
  17. Psychology coursework writing services are not hard to come across for those in need of Psychology Research Paper Services and psychology assignment writing services.

    ReplyDelete
  18. sad shayari. in other words you get the columns

    ReplyDelete
  19. If you are website owner, it is your duty to provide secure services to your customers, so that they can use your website without any fear. If you provide more facilities to your customers, you will get positive response. Dissertation proposal writing services.

    ReplyDelete
  20. Looking for help with your thesis and dissertation? Get the Best Thesis Writing Help as well as the Best Dissertation Writing services From the leading Affordable Writing Services Online And get your assignment done on time.

    ReplyDelete
  21. I think that thanks for the valuabe information and insights you have so provided here. Check used cars for sale to buy a suitable car!

    ReplyDelete
  22. Best Assignment writer at assignment doer. University and College students offer best packages in assigment help.

    ReplyDelete
  23. Even if you don't want to child abduction prevention
    hire bodyguards for yourself, you can hire them for your guests, top officials, or high-ranking employees.

    ReplyDelete
  24. The world has luckily pushed ahead from that point forward Custom Homework so in this blog entry we'll view the default setup of ongoing Windows Server renditions considering the most recent suggestions

    ReplyDelete
  25. Web upgrading is very important for all the developers.Every month google updated.Because it have included all the new features.If you are looking to buy an online business management research paper topics to help all the stduents of management at an affordable and reasonable price.

    ReplyDelete
  26. Hello, I am looking for Thesis Help, If you are a professional writer or you know any professional writer that can provide affordable thesis writing service then let me know. I am in urgent need of a professional writer.

    ReplyDelete
  27. Kontakt Crack is the standard sampler made by Native Instruments. The world’s most accurate and advanced sample-based instruments are created using its top-quality audio engine and advanced modular design. To create innovative sampling and sophisticated instrument design, KONTAKT provides a unique toolbox for sample manipulation and unbeatable creative possibilities.

    ReplyDelete
  28. Hey guys are you looking for the UK essay writing cheap then you can visit our website: 4poundessay.co.uk

    ReplyDelete
  29. "이용이유가생기는곳 먹튀검증 안전노리터 go"

    ReplyDelete
  30. 검증카 먹튀검증 안전놀이터

    ReplyDelete
  31. จุดเด่นของ เกมสล็อตทดลองเล่นอย่าง ลึกซึ้ง ทำให้เกมของเรา มีคุณภาพทั้งเรื่อง กราฟิกสีสันของเกม ซึ่งทาง BETFLIX เสนอและสอนวิธีเล่น

    ReplyDelete
  32. security is so important for any important thing and if you have the web for your organization it is necessary to keep safe and for that reason your post is really great and helpful. but this is not important for me coz i am a student and i look for the help for my studies and for that i have known an educational site named best dissertation writing company service who helps very easily to students.

    ReplyDelete
  33. Such a good blog. This browser makers to be better at this than Microsoft. I really like it. Thanks for sharing this blog and good information. Now it's time to avail african gowns for ladies for more information.

    ReplyDelete
  34. Did you know that WordPress can automatically update your website? In some cases, that can include plugins and themes too. Now its time to avail dispatch freightfor more details.

    ReplyDelete

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts