Tuesday, October 13, 2009

Internet Explorer 8

I seem to have astonished a couple of readers by not pronouncing anathema on Internet Explorer. So lest you think I'm going soft, let me elaborate on the couple of posts where I've been making vague mutterings of approval about it.

1. Internet Explorer 8 is a decently secure browser.

Microsoft has worked really hard on getting IE's security out of the toilet, and they deserve a lot of credit for this. Actually, this isn't the first time they've done this - their IIS web server was a security joke in the late 1990s, and they did a good job getting that turned around. So it's not really a surprise that they were able to do this.

2. ActiveX is an abomination unto the Lord.

Sadly, IE is stuck with a holdover from the 1990s, when Microsoft was locked in a death battle with Sun Microsystems' Java, for Total Domination Of Teh Internetz. Microsoft introduced ActiveX, which is a way for your browser to download and execute a blob of code from a Web server. ActiveX has the worst security model ever devised - it's actually not a security model at all, but rather an authentication model, which means that you might know who wrote the blob of code, but you have no idea whether the code is secure.

Cliff's Notes version: it's not secure, but your Internet Explorer browser is happy to run it anyway.

So if you want to use IE8, you must must must turn off ActiveX. I walk you through how to do this here. The problem is that the ActiveX blobs ("controls" in technical parlance) are very, very hard to update if there's a security problem - and there's always a security problem, as the number of announced vulnerabilities in ActiveX controls recently shows.

3. Internet Explorer 6 and 7 are not secure.

At all. All the nice things I said about Microsoft trying hard and seeing some success do not apply here. Security is teh broken for these, and Sitemeter tells me that a lot of y'all like 'em. Don't be one of those guys.

4. Firefox is still a better bet.

Firefox still comes out ahead, for two reasons. First, the Firefox team have the best security patch turnaround time in the industry. They also have the best update mechanism ever devised, built into the browser. Security updates flow silently down from the Great Patch Site In The Cloud to you, very soon after vulnerabilities are announced (like a day or two after). Nobody gets fixes out to the installed base faster, and this helps your security a lot.

Second, Internet Explorer is a bigger target for the Bad Guys. If you're trying to get your malware into someone's browser, which one do you target: the one with 75% market share, or the one with 25%? Firefox is chipping away at IE's share, but for now, this means that you're a little better off with Firefox.

Still, it's a different game with IE 8. Rather than lose by a knockout, the match is now going to Firefox on points. That's big progress, and like I said, the development team in Redmond deserves some kudos.
