Firefox

Following up on my comments on Opera, Firefox supporters have a major blind spot as well. It has to do largely with the heavy emphasis on web standards among the developers and the early adopters, and the ideals of the open source/free software community. There are a lot of websites out there that don’t look quite right on anything but Internet Explorer, and there are sites out there that just plain don’t work in anything but IE. This is largely due to three facts:

  • There is a lot of broken HTML out there that has only been tested on IE, and the designers relied on IE’s particular error-recovery behavior.
  • There are sites that rely on ActiveX or other IE-specific code without providing an alternative.
  • There are sites with bad browser-detection logic that deliberately exclude other browsers, regardless of whether they would otherwise handle the site.

In each case you can either change the browser to handle the websites, or you can change the web to handle the browser. Both approaches are difficult, and while the former often yields more immediate results, the latter is more ideal, because it benefits users of all web browsers. In most cases Opera has chosen to adapt the browser, while Mozilla has chosen to promote standards for web development.

Some potentially nasty browser security vulnerabilities found this weekend in Mozilla and in Safari. Both involve software update mechanisms. The Firefox one tricks the browser into thinking it’s installing from a trusted update site (the maintainers of updates.mozilla.org and addons.mozilla.org—the only trusted sites by default—have made some changes on their server to prevent the exploit from working). The Safari one takes advantage of the Macintosh tradition of automatically opening archives. This one just happens to unzip itself into the location where Dashboard stores its widgets.

IEBlog has weighed in with a balanced (i.e. non-fanboyish) comment on just who “us” vs. “them” should mean: responsible developers & security researchers vs. the malicious ones. It won’t happen—people are too hunkered down in their own trenches—and even with Mozilla, Opera and Apple collaborating on specs, I don’t expect to see much in the way of collaboration on security except in the actual open-source world. (Even then, I suspect there’s too much rivalry between Gecko and KHTML developers to do much collaboration.)

Sorry for the misleading title, it’s sort of an homage to CNET’s recent coverage of Firefox.*

Opera CEO Jon von Tetzchner, excited by the response to Opera 8.0, promised to swim from Norway to the US if Opera 8.0 managed 1 million downloads in 4 days. (By comparison, Firefox 1.0 managed 1 million in less than a day, and hit 2.5 million by the end of day 2.)

Well, they did it, and von Tetzchner has donned a wet suit [CNET].

Tetzchner entered the “freezing Oslo fjord” on Monday and started swimming toward the United States, the company said. Opera’s public relations manager, Eskil Sivertsen, is rowing an inflatable boat alongside Tetzchner “as an act of guilt after making the CEO’s statement public,” according to the Opera Web site.

Full details, photos, and a map are at Opera.com/swim. [archive.org]

Update two days later:

Let me tell you, those PR folks at Opera know how to set up a publicity stunt.

In a “dramatic” update to the saga, Opera’s CEO won’t finish swimming to America after all, as his PR manager’s raft deflated an hour into the day’s swim.

Some choice quotes:

“As much as I don’t want to talk behind a colleague’s back, there is no doubt that we would never have let Eskil assist Jon in the raft had we known he can neither swim nor read maps,” says an embarrassed Tor Odland, Opera’s Communications Director. “I feel partly responsible for letting Jon down, as he cannot possibly continue without the raft.” [emphasis added]

A local farmer spotted the drama from his kitchen window and took surprisingly sharp photos with a remarkably powerful telescopic lens.

“And my mother [in Iceland] will be so disappointed when I call and tell her that I won’t be stopping by for hot chocolate after all.”

The tongue-in-cheek tone of the whole thing is right up there with the Opera Bork Edition that translated the MSN website into the Swedish Chef’s unique form of gibberish. That was to point out the ridiculousness of MSN singling out visitors using Opera and sending them a broken—or perhaps we should say borken—page.

It’s kind of funny how Opera can get away with stunts like this. Microsoft or Apple would be embarrassed to even consider it, and Mozilla wouldn’t dare. These days Mozilla/Firefox is too busy fighting uphill for respect. They wouldn’t risk sanctioning the “Always use Protection” poster, and they wouldn’t try something this wacky. Whatever happened to the days when the IE team deposited a big blue “e” on Netscape’s front lawn?

*Things like “Mozilla flaws could allow attacks, data access” which didn’t just bury but actually omitted the fact that a fixed version had been released three days earlier, and that the disclosure was made as part of the release. The second-to-last sentence, “All versions of Mozilla Suite prior to version 1.7.7 and all versions of Firefox prior to 1.0.3 are vulnerable.” sort of hints at it, if you know that these are the newest versions, and if you don’t misread it as “through” instead of “prior to.” And the original article on the Opera swim promise misstated the Firefox download numbers using one of the preview releases instead of the big launch, claiming it took 5 days to reach 1 million. They’ve “corrected” it to “within days,” which is technically true—but wouldn’t “in less than a day” be more accurate and better convey the contrast? Compare this to other articles from last week like “Apple patches iSync flaw” and “RealNetworks fixes ‘highly critical’ flaw” and you have to wonder whether there’s some editorial bias involved.

Talk about convoluted. Someone has developed a Java applet that will use one browser to install spyware on another. The applet runs in any browser using the Sun Java Runtime Environment—Firefox, Opera, Mozilla, etc.—and if it can convince you to run the installer, it will install spyware on Internet Explorer. And since you can’t remove Internet Explorer from Windows (you can hide it, but it’s always there…waiting), just using an alternative browser isn’t enough to protect you.

Of course, the obvious solution here is don’t let it install anything. That’s what the Java sandbox is for, after all: applets run in their own little world and can’t touch the rest of your system unless you let them (or they find a hole in the sandbox, which is why you need to keep Java up to date—just like everything else).

Time to emphasize the fact that while Firefox is still safer than IE, it’s not a magic bullet. There is no magic bullet. You can minimize risk, but never eliminate it.

(via SANS Internet Storm Center)

I installed the just-released Netscape 8 Beta. It imported most of my settings from Firefox, including bookmarks, cookies and even history. One of the first things I always check with a new browser is how it identifies itself, which in this case is as Firefox 0.9.6. (Presumably they’ll get on this by the time the final version is out.)

First impressions: importing was clean and worked well. UI is a bit freaky, as things are spread all over the place—like the main menu, which is in the upper right and in line with the title bar instead of where the menus are on every other Windows application. The multiple toolbars seem confusing at first (it took a while to dig up my bookmark bar, for instance). Then I looked at the site trust/rendering choices, the big exciting feature of this release. And I’m not impressed. Or rather I am, but not favorably.

The current tab shows a shield icon indicating the trust level of the site: Green if it’s been verified by a “Netscape Security Partner,” yellow if not, and I would presume red if it’s a known phishing/virus/etc. site. There’s also an icon indicating the trust level: a check mark if it’s trusted, an ellipsis for “not sure” and an exclamation point for not trusted. Unverified sites are, by default, in the “not sure” category. So far this makes sense.

Clicking on the shield icon opens a site controls dialog box enabling you to choose to what extent you trust the website, and below that, whether to display the site using the Mozilla Netscape or Internet Explorer engine:

Firefox – Switch [archive.org] is the first of these sites I noticed. Based on Apple’s “Switch” campaign, it’s aimed at raising awareness of Firefox and convincing people to switch from IE. It has stories of people who have switched, a top 10 list of reasons to switch, and answers to questions about just how you go about this switching thing, anyway.

Stop IE [archive.org] is, as its name implies, a negative campaign. It focuses on the security risks inherent in using Internet Explorer and provides a list of alternatives, though Firefox is the only one it deals with in any depth.

Browse Happy is my favorite of the bunch, because it’s an inclusive campaign. It’s run by the Web Standards Project, so the goal isn’t to promote Firefox or eliminate Internet Explorer, it’s to promote choice and get people away from today’s Internet Explorer. The WaSP’s ultimate goal is to encourage people to build a vendor-neutral web in which you can use whatever browser you want—including IE—and get the same high-quality experience. That’s a goal I can agree with, and that’s why Browse Happy is the one I promote. The meat of the site is stories of people who have switched away from IE, with profiles of four browsers: Firefox, Mozilla, Opera, and Safari.

Update (June 2007): Stop IE is long dead. I’ve updated the links to point to the Internet Archive of the site.

CNET has posted a write-up of AOL’s new Netscape prototype based on Firefox, as well as a screenshot. It seems to be a combination of Firefox + theme + bundled extensions… plus a mode that embeds Internet Explorer for compatibility.

There are some nice ideas: adapting Firefox’s RSS capabilities to create a headline ticker, for instance, and the Firefox team has been talking about bundling extensions since it was called Phoenix. As for the embedded IE mode… on one hand it provides a convenient solution to the biggest criticism laid on all non-IE browsers: they don’t render pages exactly the way IE does. But it comes at the cost of all the security risks inherent in IE itself. It does remind me of the “View with Gecko” option Konqueror used to have (and probably still does on some systems).

But the clutter… The sheer number of buttons, icons, widgets etc. in that screenshot is staggering. Even after installing the web developer extension I don’t think I have that many buttons on Firefox. 3+ buttons on the tab bar, 3 icons on each tab…. I hope that CNET was just enabling every feature they could find to get them all in one screenshot, but if AOL is trying to bill it as “easier” than Firefox (which was created with a simple user interface as a design goal), they’ve got to try another approach.

Update (via WaSP): It seems BetaNews has more information on the dual-engine setup. Apparently they do have security settings to mitigate the IE issues… but then so does IE, and we all know how well that’s worked. Also, another screenshot, which looks even more cluttered than CNET’s. I think this will be a browser that requires you to run it maximized at 2000×1500. (Also of note: Firefox developer Blake Ross’ Open Letter to Netscape and Henrik Gemal’s collection of screenshots.)

Further Update: MozillaZine has posted a more thorough review.