March 7, 2006

Firefox v. IE: an AOL View, pt 2

Read part 1.

Before I continue down this road I should point out that (a) I’m not answering why AOL is bothering to make a browser at all - that’s a different discussion for a different day - I’m answering why I think IE is a better choice than anything (currently) from the Mozilla Foundation as the underlying engine for that browser, and (b) this was a question that was asked even by our CEO, so I'm really not just rationalizing ex post facto :)

In my last post on this topic, I leveled a few scathing accusations against Firefox (vs. Internet Explorer), including:

- Firefox is safer/more secure
- Firefox is more standards compliant
- Firefox provides a better experience/is more powerful
- Firefox is cooler

So given all that, how is it possible that I think IE is a substantially better choice than Firefox (Mozilla/Gecko/etc. - I'm using Firefox as a proxy here) for our web browser, AOL Explorer?

It's always possible that we at AOL are just evil (and stupid :)). Or, perhaps it's not so much THAT, as it is that we're part of a vast conspiracy to keep you down - that we are, in fact, "the man".

Let's parse this a little bit further to see where it leads us.

a) Firefox is safer/more secure
While it's true that there's been some noise over time about the number of security vulnerabilities in IE vs. Firefox, as well as the classification of those bugs, I think it's just that: noise. I'll stipulate that, more likely than not - by any objective measure - Firefox has a safer browsing engine than IE.

There was, for example, a test comparing unpatched versions of each browser that demonstrated that Firefox is 21 times safer than IE (or to put that in less-alarmist language: unpatched IE had about a 1.52% greater rate of infection).

I'll posit, however, that Firefox (and its derivatives) are not safer in a meaningful way for consumers.

I say this for two primary reasons:

(1) Opportunity set.
Certainly the targeting opportunity is a factor (a key point: you'll note Firefox was NOT zero) - the idea being that Firefox users don't get targeted as much, because there are easier, broader pickings (*cough*IE *cough*AOL). How big a factor this is is difficult to say, but it's hard to discount completely. And although I agree that the Firefox team has been (much more) diligent in patching the holes, new ones get found regularly.

I mention this because throwing our user base against this codebase would certainly create opportunity and incentive for the malicious. (Updated: for example this report)

(2) Third party technologies.
While Firefox may not support ActiveX (and much is made of this), it does support NATIVE plug-ins and extensions, including Flash, Java, Quicktime, Windows Media Player, etc. So it is subject not only to its own (potential) problems, but to those of external vendors and technologies, much like Internet Explorer: Firefox just doesn't have as MANY (yet).

My main point on security, though, is slightly sideways: you're going to have MEANINGFULLY fewer infections and problems on your computer (viruses, spyware, etc.) only by having actual security software installed on the box: Antivirus, Antispyware, Firewall, et al. These provide FAR more security, and are FAR more important in this regard, than the choice of browsing engine.

Certainly McAfee and Symantec actually deal directly with many (if not most) of the vulnerabilities that emerge in IE (and Firefox, for that matter), whether they are caused by third party technologies or not.

Bear in mind, I'm not saying it SHOULD be so, but I am saying that it IS so, as a practical matter.

All in all, I think that scare tactics can be effective, but I'm not sure the delta is significant when you step back and look at the entire scale of security problems, and, more importantly, effective remediations.

Anonymous said...

Well, the way we got to tens of millions of users is because people had *huge* problems with spyware, drive by downloads with IE. Their computers were a mess and ridiculously slow or compromised. Many folks including US CERT are recommending Firefox (implicitly).

Firefox isn't immune to security vulnerabilities, we know that, but we're able to respond a little bit faster, likely because we're not tied to the OS. Ability to respond and time to respond is pretty important. You can count vulnerabilities all day, that only kinda matters.

Also, go ahead and throw your (entire) user base at us. We have the same number of users you do (not more than AIM, but almost double that of dial-up). A percentage of your users use either stand-alone IE or Firefox now anyway. Probably 5-8% of your users are using Firefox today. Yes?

Sree Kotay said...

You're right, of course.

They would have been safer still had they gone to Opera - perhaps you should encourage them to do so.