Wednesday, October 06, 2010

Browser Diversity: The Internet's Condom

For the first time since the 90's, Microsoft Internet Explorer does not hold the majority of the browser market.

It's about time. The browser doesn't fully comply with W3C standards that say what an internet browser ought to do. I don't think it ever has, and they didn't try that hard to do so because they, at one point, controlled 95% of the market share. Why comply with standards when your browser is the standard?

This ends up being a huge pain in the ass for web designers. Take, for example, this game I've been developing. The part of the interface I've developed so far draws a map using 5x5 icons. Each of the icons is absolutely positioned using CSS. In Firefox and Chrome, the map renders properly:

This is what happens in IE:

IE, in one form or another, ignores the style sheets. It's rather insulting, really.

Once the Internet at large had enough, Firefox liberated us. It was the first browser capable of putting a significant punch into IE's market share, and more importantly, it introduced the idea that the browser you use is a choice. People using Windows had stuck with the default browser, but Firefox presented--for the first time--a viable option to switch to. Having changed before, users become slightly bolder to change again; the idea of changing browsers was no longer foreign.

I was a Firefox fan for a long time. Yesterday, I switched to Chrome. Why? I'd tinkered with it briefly and saw it going good places. Google is right about the speed too--it does things faster. I felt a little guilty about leaving my liberator and hero, but I realized it wasn't such a bad thing. As more people move on or move around, it'll make us all safer.

This seems a little counterintuitive--that as people spread out across multiple browsers, it will make everyone safer. After all, having one browser with all of the security flaws worked out sounds safer than many browsers with smaller teams working on the same problems, leaving potentially more flaws out in the open.

No matter how hard a team of developers works, every browser has security flaws. Sure, updates bring the number closer to zero, but they can never quite reach it. There will always be holes. If there's one browser, then that flaw leaves room for more damage--at IE's peak, 95% of users were at risk.

It reminds me of the cordyceps fungus:
When one browser is hegemonic--like a single insect in the jungle having an edge--a single security flaw affects every user of the Internet. It brings everyone down.

A lot of the exploitation of browsers flaws comes from the fact that it can be profitable. Let's say an unscrupulous developer decides to write a script that forwards a user to a crappy search engine. The script makes it appear that the user clicked an advertising link for that search engine, and the unscrupulous developer gets paid for it.

In browser hegemony, it becomes very profitable for the unscrupulous developers to look for as many flaws as possible in those browsers. The resulting rate of return is very high, so even if those holes are hard to find, the yield makes them worth searching for.

On an Internet with browser diversity--the one we've started transitioning to--exploiting a single security flaw has a much lower rate of return, and doing so for profit is much more difficult. As a result, it's plausible that the business of exploiting browsers for profit could diminish. I don't think it will go away, but the increased difficulty will make it subside. Finding a security flaw in Firefox, at this point, gives you a 30% share of the market; IE, only 49%.

That's a much smaller incentive and, in the long run, makes things safer for everyone.


Post a Comment

<< Home