In and out of the browser - how Microsoft and Google think differently
By Simon Bisson & Mary Branscombe in Editorial
Posted in Web browser, Privacy, Applications, People, Adobe, Firefox, Internet, Google, Security, Microsoft on
For years, we’ve been saying that Google would be mad to build its own operating system. It should leave the thankless task to Microsoft and Apple and Linux distributions; you can debate how good a job they do, turn and turn about, but the scale of what a desktop OS needs to do and the range of devices it needs to support is far broader than what you need to do in a browser or on a smartphone. I still don’t think Google has any plans to create its own OS, but it’s pushing beyond the browser as a development platform with Gears and App Engine and the like. Microsoft has a whole range of platforms in the browser, out of the browser and around the browser, from Windows and WPF to Silverlight to SharePoint to Office to SQL Server – to name just a few of the platforms Bill Gates touched on in his last ever keynote at Microsoft TechEd this morning.
Silverlight is a lot of things, from Microsoft’s answer to Flash to Microsoft’s answer to Web based applications. Leave aside the video plugin side of it; the fact that Silverlight 2 (beta 2 due at the end of this week) runs .NET and programs written in dynamic languages on Mac and Linux as well as Windows is the most interesting part. And it’s not just for consumer Web apps; Facebook and Hotmail users aren’t happy with line of business apps in dreary basic grey when they get to work, and Silverlight is an easy way to spruce those up without slaving over a hot CSS schema for hours.
Adobe’s Air tackles much the same problem; how do you make powerful applications for the Web that work online and off, that look good and that work without installing anything (once you have the initial plugin or runtime). Air builds on Flex, so if you’re already writing Flash, you’ve got a head start. But there are a lot more .NET developers writing business apps, so although Microsoft demos consumer apps like the Crossfader social video sharing tool it talked about today, most Silverlight apps might show up at work, using Workflow Foundation and making data from SQL Server look good.
Silverlight is a subset of .NET and Windows Presentation Foundation, so developers are using familiar skills and Visual Studio plus Expression Blend for designers, who get to work on the live project, not in Photoshop mockups. The visual development tools also appeal to disenfranchised Visual Basic developers who’ve been wondering what Microsoft has done for them lately… Microsoft VP Soma Somasegar said Crossfader is being built by six developers and two designers in three months, which is more like Internet time than standard Microsoft time scales.
If Silverlight’s so good, why would anyone be creating Windows applications at all? Bill Gates finished his Q&A trying to balance that question. “Yes, you’ll be able to do amazing things in Silverlight, but there will always be things that you can do in Windows Presentation Framework that you can’t do in Silverlight. Why is that so? Well, it’s so because with WPF we get to assume we have the full power of the PC; we’re not just running in a browser environment. So, take things like 3D type things, virtual world type things, take things like ink recognition or playing video back at arbitrary speeds. WPF will, because it can connect in to all of Windows, expose those services and let people do new things.
“We need to keep the Silverlight download to be fairly modest. So, if you think of what that will be versus the entire Windows environment, we have a much bigger runtime to call on. So, we’re not saying that those get absolutely merged, but we will have exactly the right relationship. And even as you’re in Visual Studio or in the Expression tools, you’ll be able to say I want to author for the Silverlight piece and to let you know that if you’re sticking to the things that work in that world.
“Silverlight will probably have almost everything WPF has today, but WPF will keep getting richer and richer as we go forward.”
That’s the Microsoft dream and it’s one direction things could go. Google is pushing in completely the other direction. Last week at Google IO, Chris Prince and Aaron Boodman (better known as the designer of the Greasemonkey Firefox extension) were explaining why they don’t want you to think of Gears as taking Google applications offline. Yes, it does that, but actually Google wants it to give Web apps access to all the capabilities of your PC the way desktop apps have them. Why shouldn’t the browser get the power of your 2GHz processor and your 300GB hard drive? Why shouldn’t Web apps be able to send you notifications in another window or show a progress bar? Why can’t you access USB drives from inside Gears or use a GPS to tell the Web app where you are?
Google filed its name off Gears so that it has more chance of becoming a standard, either as part of HTML 5 or by becoming ubiquitous as a plugin in its own right. Personally, I’m not going to be installing it on any machine I use.
It’s not just because it has no way to limit the amount of disk space it’s going to take for its local database (used by MySpace to give you search across the whole site without having to take up space on their data centre for those pesky index files). It’s only partly because it’s going to be able to use your GPS or other tools to get your location, and there is currently nothing to warn the user and no options for choosing if and when Gears can get your location. Google seems committed to harmonizing with whatever standards HTML 5 includes for the things that Gears does, and I’m not the one who will have to deal with duplicate APIs from Gears and HTML 5 to do the same thing – that’s a problem for Web developers to juggle. And the fact that Web sites like YouSendIt already have real progress bars without needing me to download a plugin is a quibble rather than a complaint.
Mainly, I won’t use it at this point because of how Chris Prince explains why he thinks Web apps are so good in the first place. “Everything in the browser is inherently safe,” he said at Google IO. “There is no cost to install a Web app, you’re not afraid to click a link, and you can navigate away with no fear it will take over your machine.” Compared to the near-paranoia that is Microsoft’s attitude to the Web, from the phishing filter to the way IE doesn’t get the same privileges as a desktop app to the security-first attitude that permeates the company, calling the browser ‘inherently safe’ seems a little laissez faire to me.
Adding binary data files to JavaScript will certainly make for more powerful apps. Some of them might be Trojans; if Gears gets everything Google talked about that would be able to scrape files off a USB stick, record you talking with the audio APIs, add in your physical location and do whatever you can think of with it all, good or bad. If I’m not too busy playing with whatever features the Web app disguising the Trojan has I can navigate away from it – but if it’s using Gears to run offline, has it gone away?
The browser sandbox limits the features on my system that Web apps have access to. That’s a pain when you want to build a better app in the browser – but it’s a security measure if you want to build a better way of attacking my system. I asked Chris Wilson of the Internet Explorer dev team if I was being paranoid – he was the one who’d raised the issue about privacy with the GPS location in Gears at the end of the session. Maybe, he suggested - but with the number of security issues it raises, Gears isn’t going to be installed by default with IE any time soon…
Internet Explorer has fewer security holes than Firefox
By Simon Bisson & Mary Branscombe in Editorial
Posted in Web browser, Firefox, Security, Internet, Microsoft on
You type most of your passwords into it - and you type your credit card details into it every time you shop online. It’s how you unlock an iPhone so you can install applications on it. It’s the home of many of your applications and it’s the first avenue of attack for most malware. Really, if you wanted to be secure, you might never use a Web browser again.
You don’t have to be a hacker in the criminal sense to want to get around some security lockdowns. The latest iPhone cracker uses an image security issue in the Safari browser to open the system up. If you have a Buffalo NAS box you can use a security hole in the Web administration interface to make yourself root to install Perl so you can run SlimServer and get music onto your Squeezebox. I’d like to run SlimServer on something other than our main server - but I’m not cracking the security on our backup and media store to do it.
I’ve never switched away from IE to Firefox; originally it was because I had to have IE on my system for work and didn’t want the hassle of managing two browsers. Since IE 7 came out and I found IE 7 Pro I just haven’t bothered. It’s not perfect, but it’s good enough for me. Given that it took me five hours of browsing dubious sites and downloading known spyware to infect a machine running XP SP2 when I tried a few years ago, and given that everything that interested me in Firefox turned out to be Greasemonkey scripts (and I’m probably unfair to carry on thinking of that as a security problem waiting to happen, but I do), I’ve been assuming the security (dis)honours are about equal.
Jeff Jones at Microsoft has done another vulnerability survey, this time for IE and Firefox. Since Firefox 1.0 came out in November 2004, Mozilla has patched a total of 199 bugs: 75 high severity, 100 medium severity, 24 low severity. Microsoft has only patched 87 IE bugs in the same time (and we’re assuming fewer bugs patched is a good thing rather than avoiding the problem): 54 high, 28 medium and 5 low severity. Honours are more equal comparing just Firefox 2 and IE 7 for known bugs that haven’t been fixed: eight high severity bugs for Firefox versus ten for IE, 15 medium severity bugs and one low severity bug for Firefox versus 11 and none.
Firefox also stops patching old versions of the browser six months after a new version comes out. Microsoft has much longer support lifecycles - ten years for business software and at least one year for service packs. How do enterprise Linux vendors who include Firefox in their distribution get around the problem? Red Hat and Ubuntu write their own patches (Ubuntu 10, Red Hat 7, and in this case fewer bugs fixed is not a good thing); Novell pushes out updates that upgrade you to a newer version.
Do the figures make Firefox less secure than IE? They certainly make it less secure than popular opinion - and IE hasn’t really been a sump of iniquity and vulnerability since XP SP2 came out. But it’s not just the number of bugs that matters - the arguments raging about the report bring up the issues of patch management and stability.
There’s a lot of squabbling about the terms of the report because it doesn’t count days of risk, just numbers of bugs and because it can only count published and not unpublished vulnerabilities. Mozilla has backed down from claiming that Firefox is more secure than Internet Explorer - or at least the FAQ answer comparing the two has vanished from the FAQ page in the last few days. But the Firefox camp disputes the conclusion of the report (without denying the actual figures). The Mozilla Security blog at http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/ critiques the study for counting number of bugs rather than days of risk and Mike Schroepfer, the Mozilla Corporation’s vice-president of engineering, picks on a specific vulnerability he says Firefox fixed first. He also quotes Secunia figures for the overall security picture that Jeff Jones debunked when we spoke to him in the summer.
Jeff said at TechEd: “I’ve talked to their CTO and he’s acknowledged this problem. Unless they want to assign somebody to check the code for every distribution they track, they run the risk of saying this applies to a distribution when it doesn’t; instead they err on the other side, inaccurately saying there’s nothing unpatched. The site says ‘You can use this vulnerability report to make sure you’re aware of all vulnerabilities both patched and unpatched, allowing you to take the necessary precautions.’ Not true. Secunia tracks the issues fixed by the vendor, not the issues reported. Why do I care? I issued my 90-day Vista report and there was an article that said ‘Ubuntu scores a remarkable zero unpatched vulnerabilities of 61 of the lifetime of the product’. As of that date the Secunia site showed zero unfixed, but in my spreadsheet there are 25 issues fixed since that were public prior to that date and nine of them were high severity. And that’s true all the time; when I put out my reports I get this thrown in my face – ‘zero unpatched’.”
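The report counts published bugs per severity while its critics want days of risk counted instead. The following added example (not from the post or from either report; the advisory records are constructed) computes both metrics over the same data to show how they can rank two products in opposite order.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Advisory:
    """One published vulnerability record (constructed sample, not real data)."""
    product: str
    severity: str            # "high" | "medium" | "low"
    disclosed: date          # first public disclosure
    patched: Optional[date]  # None if still unpatched at the report date


def count_by_severity(advisories: Iterable[Advisory]) -> Dict[str, int]:
    """Bug-count metric: number of published issues per severity band."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for a in advisories:
        counts[a.severity] += 1
    return counts


def days_of_risk(advisories: Iterable[Advisory], as_of: date) -> int:
    """Days-of-risk metric: total days users were exposed to a known bug.
    An unpatched bug keeps accruing exposure up to the report date."""
    total = 0
    for a in advisories:
        end = a.patched if a.patched is not None else as_of
        total += max((end - a.disclosed).days, 0)
    return total


def compare(advisories: Iterable[Advisory], as_of: date) -> Dict[str, dict]:
    """Both metrics side by side, grouped by product."""
    by_product: Dict[str, List[Advisory]] = {}
    for a in advisories:
        by_product.setdefault(a.product, []).append(a)
    return {p: {"counts": count_by_severity(v), "days_of_risk": days_of_risk(v, as_of)}
            for p, v in by_product.items()}


# Constructed sample: browser_a publishes more bugs but fixes them within days;
# browser_b publishes fewer bugs but leaves them open for months.
SAMPLE = [
    Advisory("browser_a", "high", date(2007, 1, 1), date(2007, 1, 3)),
    Advisory("browser_a", "high", date(2007, 2, 1), date(2007, 2, 4)),
    Advisory("browser_a", "medium", date(2007, 3, 1), date(2007, 3, 2)),
    Advisory("browser_b", "high", date(2007, 1, 1), date(2007, 3, 2)),
    Advisory("browser_b", "low", date(2007, 4, 1), None),
]
AS_OF = date(2007, 6, 1)
```

On this sample, browser_a "loses" on bug count (3 versus 2) but wins decisively on days of risk (6 versus 121), which is exactly the disagreement between the two camps.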
There is one question none of the Mozilla viewpoints have addressed. For Vista users, IE 7 is more secure than Firefox however few patches and updates you’ve installed; that’s because IE runs in protected mode. Any malware that launches from IE might get to read files on your hard drive - and not many of them - but it can’t write anything to the drive, so nothing gets installed without you OKing it. Social engineering gets past a lot of people - Microsoft’s Mike Nash gets a laugh when he says that nothing is going to stop his brother-in-law clicking link after link to get something cheap or free no matter how suspicious it looks, but that’s true of many users. But reducing hackers to social engineering rather than programmatic attacks is a big step, and it’s a shame that Mozilla isn’t using the extra security option that comes free in Vista to take it.
The other side of this is that the real Firefox advantage is the auto-patching mechanism that downloads and installs updates without waiting for Patch Tuesday or user agreement; next time you run Firefox, you’re running different code. Should Microsoft do that for IE? Only if it wants the usual firestorm of complaints about taking over user machines. And if your line of business applications run in IE, you’d probably like the chance to test patches before they roll out across your network rather than after.
-Mary