[OpenID] Replacing all browsers isn't as hard as it might seem...

Mike Beltzner beltzner at mozilla.com
Sat Jan 20 23:20:08 UTC 2007


----- Bob Wyman <bob at wyman.us> wrote:
> A number of comments related to the phishing issue are making the
> point that "getting everyone to adopt a new client" is just too hard
> and will take too long. These comments are, of course, based on

Really? I don't remember seeing that argument in my reading of this list. I remember arguments that making the solution only available in a plugin would be limiting in that users would have to install that plugin. I think that's largely true. From what we see at Mozilla, while there's a passionate user base around customization, the majority of our users expect the browser to do everything that's essential out of the box.

That's why I've gone on record saying that if there's a feasible solution that makes things better for users, can be wrapped in a simple UI, and can easily work with the majority of web sites in the world, Mozilla would be very interested in making it part of the Firefox 3 product.

> extensive experience with adoption patterns in many realms. The folk
> on this list have a significant amount of experience with releasing
> products and observing the results of others who have done so...
> However, I think many folk are ignoring the simple fact that the
> browser market exhibits unique adoption patterns as a simple result of
> the fact that there are so few significant providers of browsers and
> the fact that one of those providers still enjoys effective monopoly
> dominance in the market.
> 
> However,... just since October, we've seen something like 30%
> turn-over in the browser market as users have switched from IE6 to IE7
> and from Firefox 1.x to Firefox 2.0. These turnover rates are not

Where are you sourcing those statistics, and how much of that turnover is actually users choosing versus IE7 being issued as a strongly recommended automatic update from Microsoft? While we're seeing an uptick in how users are making the choice to pay attention to their web browser, it's not nearly as drastic as 30% of the web using population.

> surprising -- based on earlier experience in the browser space. In
> most product areas, you wouldn't expect such a rapid turnover unless
> the new products were radically different from those previously
> offered. But, the reality is that neither IE7 nor Firefox 2.0 were
> particularly compelling products (my apologies to their developers...)

No offense taken! :) The goal of Firefox 2 was slow and steady improvement in ways that make things better for users. I think we hit that goal with the feature set we delivered. (FWIW, we're hoping to use the new Mozilla Labs as a delivery vehicle for more extravagant and world-shaking changes to the way people interact with the web, in order to ensure those experiments don't totally mess with people's expectations before bringing them to the main distribution channels.)

> -- certainly they were better than what came before, however, for most
> end-users neither upgrade offered "must have" capabilities. If either
> or both of these browsers had shipped with "solutions" to the phishing
> or "identity theft" problems, my guess is that the blazing turnover we
> currently see would have been even more impressive. In any case, 30%
> in a few months ain't bad. Had those browsers contained the needed
> solutions, it wouldn't be long before the number of old browsers would
> be so low or that the old browsers would be so infrequently used as to
> make phishing a much less compelling business than it is today.
> 
> The fact that browsers have failed to provide us with the capabilities
> we need to provide our users with a safe browsing experience cannot be
> something that we simply accept and try to work around. This situation
> should be considered a scandal and the press should be filled with
> articles on the subject. The proper and correct course of action is, I
> think, to find means to force the browser developers to address better
> the most critical needs of the market. Too many people have lost too

This statement bothers me, somewhat. It's impossible for me to say this (as the only guy in the room who works on a web browser for a living) without sounding defensive, but ... I don't know why it's up to web-browser vendors alone, or why browsers alone are being made to blame. Why not ISPs, CAs, protocol and technology specification authoring groups? Or banks for continuing to email clients with links to their web pages instead of clearly stating "we will never email you a web link, ever, ever, ever!" Do you similarly consider email clients to blame for allowing spam or web scams, telephone manufacturers to blame for allowing telephone scams, or banks to blame for credit card fraud? Surely not on their own. The failures that have led to the relative ease of phishing, MITM, pharming, etc, should be shared equally. The browser vendors can help and work with these groups to make things better, and we can even act in harmony to deprecate blatantly insecure technologies (as we did by refusing to display certain versions of SSL), but I don't think that it's only up to us.

> much money, reputation, or time as a result of using browsers built by
> people who prioritized "pretty" web pages or proprietary interests as
> being more important than safe browsing.

Show me where we've prioritized either of those things over "standards compliant" or "presenting the web as it's authored" or even "secure" and I'll give you $10 next time I see you. You make it sound like we've had the solution sitting in front of our faces for years and have simply chosen to not look into it. Firefox 2 (and Internet Explorer 7, and Opera 9, and Safari 2) have all taken steps to prevent phishing with the most viable (though not perfect) solutions available to us. We'll continue to track how that goes. We're participating with a variety of fora (CAB Forum, W3C Group on Web Security Context, I've spoken with people like Ping, Rachna and other identity/phishing security researchers) and keeping abreast of technologies available. We're eager to help, but we're not going to dictate how the web should work - that is not our job alone, nor is it our right.

cheers,
mike



More information about the general mailing list