All web browsers have bugs, but when simply viewing a web page can infect your computer with malicious software, the speed with which bugs are found and fixed is critical. It may be the most important yardstick by which to measure any web browser.
For Windows users, the choice between Firefox and Internet Explorer isn't a contest at all. Microsoft is slow in fixing IE bugs, being locked into a once a month cycle. Not Firefox.
Mozilla released version 3.02 of Firefox on Tuesday. It had a bug. Happens all the time. What doesn't happen all the time is that the bug was fixed quickly and version 3.03 of Firefox was released on Friday.
Anyone interested in Defensive Computing doesn't want their bug fixes idling at the gate waiting for the one day a month when they are set free.
See a summary of all my Defensive Computing postings.
What are they thinking at Mozilla? How could they devote time and effort to eye candy like new icons and drastically reworking the address bar when Firefox so often fails at printing.
How did printing get pushed to the bottom of the priority list?
I read lots of Web pages in hard copy and from the get-go (version 0.8 or so) Firefox has underperformed when it comes to printing Web pages. That issue and the slow start-up time are two constant annoyances endured by devoted Firefox users. It's been quite awhile now, and I think it's time that Mozilla get around to making Firefox the equal of Internet Explorer in terms of printing Web pages.
This page deserves special mention: SSLVPN Vulnerabilities - Client Certificates offer a superior defense over OTP devices.
In Firefox 2, not one word of the article prints. Not a single word. Print preview shows one mostly blank page.
In Firefox 3, the first page is the same as Firefox 2, page 2 has the article and page 3 has some links from the page footer. But, the article is about 7 or so pages and page 2 has only the first page. In other words, Firefox 3 can't print the vast majority of the article.
Firefox is Lucy Ricardo. For those of you who recall I Love Lucy, I'm Ricky. I love my wife, Lucy, but sometimes she just does the craziest things.
Maybe it's time for Ricky to go to the Opera. Version 9.5 of the Opera browser, running on Windows XP, prints the entire article, although it also feels the need to start with an appetizer of an empty first page. Internet Explorer 7 prints the entire article perfectly, no blank first page.
Update August 20, 2008: A commenter below noted that Safari can print the article in question; I haven't tried this. The person didn't say, however, whether it was Safari on the Mac or on Windows. I only tried Firefox on Windows XP; another commenter below said that Firefox 3 on a Mac printed this page fine. Firefox version 2 had an optional toolbar button to report web sites that didn't display well in the browser (the button looked like a spider web). Version 3 of Firefox eliminated this button, so problems like this can no longer be reported to Mozilla.
In his Open Road blog, Matt Asay was skeptical about some browser market share data because the sample audience was heavy on techies. The July 2008 stats for the site in question, W3Schools.com, were:
W3Schools.com

| BROWSER | USAGE |
|---|---|
| Internet Explorer | 52% |
| Firefox | 43% |
| Safari | 2% |
| Opera | 2% |
Into this discussion, I'd like to add my own numbers.
My JavaTester.org website also leans a bit towards a technical audience. To seek out the site, you have to know what Java is and that there are different versions of it. In July 2008 the site averaged 8,050 page views a day, according to awstats. Interestingly, the July usage stats also showed Internet Explorer at 52 percent, the same as W3Schools.
javatester.org

| BROWSER | USAGE |
|---|---|
| Internet Explorer | 52% |
| Firefox | 32% |
| Netscape | 4% |
| Mozilla | 4% |
| Safari | 2% |
| Opera | 2% |
The most popular site that I manage belongs to a client whose audience has no interest in technology. The site averaged 12,477 page views per day in July, also according to awstats. The market share there shows Internet Explorer did better, as did Safari.
Non-techies

| BROWSER | USAGE |
|---|---|
| Internet Explorer | 62% |
| Firefox | 26% |
| Safari | 6% |
| Mozilla | 2% |
In short, among techies, IE was used 52 percent of the time and Firefox either 32 percent or 43 percent. The higher percentage was at W3Schools.com and chances are that their users are more technically inclined than those at Javatester.org. Among a more general audience of web users, IE scored 62 percent and Firefox 26 percent.
It seems that as the technical awareness of the audience decreases, the use of Internet Explorer increases.
Does this remind you of Windows? Businesses, with techies making the decisions, are, for the most part, sticking with XP while consumers find nothing but Vista on retail shelves.
A few recent stories highlighted a bedrock of Defensive Computing - if you surf the web on a Windows computer, you are safer using Firefox as opposed to Internet Explorer.
On June 26th at ZDNet Ryan Naraine wrote about a new bug in Internet Explorer (Zero-day flaw haunts Internet Explorer) for which Microsoft has no fix/patch. A few days later, he documented how the bad guys were exploiting this bug (Exploit code released for unpatched IE 7 vulnerability). That story starts with "Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser." We've been down this road before.
The original source for stories about this particular bug is US-CERT Vulnerability Note VU#516627 which says the bug affects IE6, IE7 and even the beta edition of the upcoming IE8. A trifecta.
Bringing up the rear, IE6 suffers from another new bug for which there isn't yet a fix. Gregg Keizer wrote about this on June 26th at ComputerWorld (Researchers warn of IE6 zero-day bug).
Do you follow tech news? Were you aware of these new unpatched bugs in Internet Explorer? Have we gotten so used to IE bugs that they're barely news?
Old Versions of Software
Unpatched bugs in the latest version of software are bad enough. Then, there's the problem of not even using the latest and greatest version.
A recent survey, described by Robert Vamosi at CNET found "...637 million Web users are surfing with outdated Internet browsers..." That's just asking for trouble at a time when simply viewing a web page can infect a computer.
Many computer users are non-techies and the self-updating system for software needs to take them into consideration in choosing defaults, error messages and status messages.
Firefox does an excellent job of updating itself; Internet Explorer does not. The survey found many IE users running old versions of the browser, more so than for other browsers. For example, Firefox defaults to opening a window telling the user that there is a new version, what the new version is, and asking for permission to install it. Internet Explorer doesn't come close to being that user-friendly.
Not only is the Firefox self-updating system well designed, it benefits from only having to update Firefox. Internet Explorer is updated as part of Windows Update and Microsoft Update and thus lives in a bigger, more complicated, more intimidating system. Microsoft uses this system to update Windows, IE, the .NET frameworks, Office, its Defender anti-malware software and who knows what else.
One of the many problems with the Microsoft update environment is the schedule. Firefox has no schedule, Internet Explorer does. Or rather, Microsoft does. Big companies need a schedule. Microsoft has argued many times that having a schedule for releasing bug fixes is a good thing.
Perhaps it is a good thing for the big companies that Microsoft caters to - but it's not a good thing for you and me. The net result is that Microsoft releases Internet Explorer bug fixes once a month. Mozilla releases Firefox bug fixes when they're ready.
Which do you prefer?
Update. July 6, 2008: Tuesday July 8th is Patch Tuesday and according to Ryan Naraine at ZDNet there will be no fixes to Internet Explorer, which currently suffers from several known bugs. Quoting:
"These include the Safari-to-IE bug reported by Aviv Raff, the cross-domain zero-day affecting IE 6, the cross-site scripting bug reported by Roel Schouwenberg, the print table of links issue, and the serious iFrame hijacking flaw discussed by Sirdarckat. There really is no excuse for the delay in patching the Safari-to-IE code execution flaw. It was reported to Microsoft since 2006!"
Update. July 7, 2008: Yet another IE related bug was reported today - Microsoft probing ActiveX attacks targeting Access feature. Firefox doesn't do ActiveX, one of many reasons it's safer. But, perhaps the most telling point of all is this quote "Eventually, Microsoft may provide a security update for the vulnerability...". May provide? What does that say about Microsoft?
Update. July 7, 2008: A commenter made a good point, Windows 2000 users have access to the latest version of Firefox, but are restricted by Microsoft to IE version 6. And speaking of operating systems, anyone needing to use both Macs and Windows can find a comfortable home with Firefox.
Recently I wrote about Flagfox, a simple Firefox extension that puts a flag in the corner of the browser window indicating the country where the website being viewed resides. Hovering the mouse over the flag displays the IP address (explanation below) of the website and clicking the flag brings up more details, including the city where the site is located.
This can be important because there are many ways to be tricked into thinking you are at, for example, a bank website, when you are really viewing a well-crafted, scam copy designed to steal personal information. Flagfox can go a long way toward verifying that you are really looking at the website you expect. Anyone doing financial transactions online would be well served to use it.
When banks explain why their websites are safe and secure, they focus on the SSL encryption used to transmit data over the Internet. That's only part of the puzzle however. We can encrypt data and send it to the bad guys too. That's where Flagfox can help.
The problem is verifying the physical location of legitimate websites.
For example, on my computer, Flagfox reports that the login page for Capital One credit cards is in McLean, Virginia. Is this the real site, or, has my computer been compromised such that I'm looking at a phony copy?
The only way to verify the location is to ask the bank. So that's what I've been doing.
On July 3rd, I contacted eight banks asking where their websites were physically located. In some cases I emailed, in other cases I filled in a form on their website. In each case I pointed to my previous blog posting and asked for a comment. The banks I contacted were: Citibank, Chase, Washington Mutual, Bank of America, Wells Fargo, Wachovia, HSBC and Capital One.
About IP Addresses
Flagfox determines the country based on the IP address of the website. Every computer on the Internet is reachable by a unique number called an IP address (a single IP address often front-ends multiple computers, but that's another topic).
It is impossible for the computer(s) running a website to hide their IP address. Just as the Flagfox extension displays it, so too can any Internet-aware software that cares to do so. And, just like you can learn the IP address of a website, the website also knows your IP address. To see this in action, go to ipchicken.com.
Thus, one way to detect scam websites would be for financial companies to publicize the IP address(es) of their website. Customers could put a yellow sticky on their monitor with the IP address and verify it with Flagfox before logging in to the website.
The Bank of America did just that. They wrote back that their website uses these three IP addresses:
171.161.161.173
171.159.193.173
171.159.65.173
But, IP addresses are for computers not for people. Humans are better off dealing with countries, states and cities. Capital One credit card customers would, I'm sure, prefer to remember McLean, Virginia rather than the IP address 208.80.48.53.
It has been two days since I contacted the eight banks (yes, it's a holiday in the U.S., but bank websites don't do holidays). Three haven't responded at all. Four responded with canned messages that failed to address the topic. Only Bank of America seems to have read the question.
If I learn anything from these companies, I'll pass it on. If you do financial transactions online, try asking your financial institution. Can't hurt.
Update July 7, 2008: Attacking the registrar for a domain is one way to redirect people to phony websites. See this July 7th ComputerWorld article for a recent example: ICANN blames June site hijack on registrar
A big part of phishing scams and identity theft is fooling people into thinking they are on one website when they are actually somewhere else. The technical tricks to accomplish this include lookalike and phony domain names, zapping the hosts file, tricks with URLs and assorted attacks on DNS servers. What's a normal person to do?
Flagfox is an unobtrusive extension for the Firefox web browser that offers some assistance by placing a flag in the bottom right corner of the Firefox window. The flag (shown below) indicates the country where the website physically resides.
If you don't recognize the flag, hover the mouse over it and a yellow pop-up window (below) displays the IP address of the website and the country where it resides. If you normally deal with a bank, brokerage or credit union in, for example, the United States, and one day you notice the flag is from another country, you are not at the website you thought you were.
Of course this only goes so far. If a legitimate website is in New Jersey and a phony, phishing copy of it resides in New Mexico, the flag will still be American. Before doing anything sensitive, such as banking, click on the flag to open a new tab showing a map and more precise location information such as the city and state.
This is the physical location of the website, not of the organization or person represented by the website. Although in the case of CNET and CNET.com they are the same, this is not normally the case. The New York Times, for example, runs their website out of Colorado. The website of another New York City newspaper, the Daily News is in Texas. Our third local newspaper, the New York Post, hosts their site in Massachusetts.
In all but two cases that I tried, Flagfox was able to pinpoint a location based on the IP address. However, it didn't know where CNN.com or TomsHardware.com were located.
The point is to be aware of where the important websites that you deal with are located. Customers of Citibank, for example, would be safer if they verified that the website was in New York City before signing in.
But where are the bank websites? Only the banks know for sure. For example, my computer showed Citibank.com as being in New York City, but if my machine was compromised, I could be looking at a scam site imitating Citibank while the real site is elsewhere.
For Flagfox to be most effective, banks, brokerages and credit unions would have to publicize the physical location of their websites. I'll contact a few and see what they say...
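The check the two Flagfox postings describe (compare the address your computer actually resolves a bank's hostname to against the addresses the institution itself publishes, the way Bank of America did in the earlier posting) can be automated. The following is an added example written for this page; it is not part of Flagfox or of any bank's software. The three addresses are the ones the posting quotes from Bank of America's reply; the hostname www.bankofamerica.com and the DNS answers are assumptions constructed so the example runs offline, and the lookalike name is made up.

```python
import ipaddress
import socket

# Addresses the posting says Bank of America reported for its website (July 2008).
# The hostname is an assumption; treat the list as the institution's published allow-list.
PUBLISHED = {
    "www.bankofamerica.com": ["171.161.161.173", "171.159.193.173", "171.159.65.173"],
}

# Constructed DNS answers standing in for a live lookup, so the example runs offline.
# The second name is a made-up lookalike domain of the kind the posting warns about.
CONSTRUCTED_ANSWERS = {
    "www.bankofamerica.com": ["171.159.193.173"],
    "www.bank0famerica.example": ["203.0.113.9"],
}


def resolve(hostname, answers=CONSTRUCTED_ANSWERS):
    """Return the IPv4 addresses hostname resolves to.

    Uses the constructed table when the name is in it; otherwise falls back to a
    real getaddrinfo() call, which is what a browser (and Flagfox) would see.
    """
    if hostname in answers:
        return list(answers[hostname])
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_site(hostname, published=PUBLISHED, answers=CONSTRUCTED_ANSWERS):
    """Compare the resolved addresses for hostname with the published allow-list.

    Returns (verdict, explanation) where verdict is one of:
      "ok"       - every resolved address is on the published list
      "mismatch" - at least one resolved address is not on the list (poisoned hosts
                   file, DNS tampering, or the bank changed hosting: ask before logging in)
      "unknown"  - no published addresses for this name at all; a lookalike domain
                   lands here because the real institution never published it
    """
    if hostname not in published:
        return "unknown", f"no published addresses for {hostname}; ask the institution"
    # Entries may be single hosts or CIDR blocks; ip_network() accepts both forms.
    allowed = [ipaddress.ip_network(entry) for entry in published[hostname]]
    observed = resolve(hostname, answers)
    unlisted = [ip for ip in observed
                if not any(ipaddress.ip_address(ip) in net for net in allowed)]
    if unlisted:
        return "mismatch", f"{hostname} resolved to unlisted address(es): {', '.join(unlisted)}"
    return "ok", f"{hostname} resolved to {', '.join(observed)}, all on the published list"


if __name__ == "__main__":
    for name in ("www.bankofamerica.com", "www.bank0famerica.example"):
        print(check_site(name))
    # Simulate a tampered lookup for the real name: the page stays in the US, so the
    # flag alone would not change, but the address comparison catches it.
    print(check_site("www.bankofamerica.com",
                     answers={"www.bankofamerica.com": ["203.0.113.9"]}))
```

The third case is the one the posting's New Jersey versus New Mexico remark is about: a country flag cannot distinguish a redirected lookup inside the same country, while an address comparison against a published list can. The check is only as good as the list, which is why the postings ask the institutions to publish one.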
Update July 2, 2008: If Flagfox can't locate a website based on the IP address, there are other options. Two websites that I've used often for this are www.ip-adress.com/ipaddresstolocation and www.ip2location.com/demo.aspx.
For more on this same subject, see my next posting Verifying legitimate bank websites
I recently wrote about another Firefox tweak Firefox 3: Expand the Site Identification button on HTTPS pages which also helps with verifying the true identity of a website.
I happened upon a computer today that hadn't been used in a couple years and was running Firefox version 1.0.6. That version still had a single X on the far right side for closing tabs. It wasn't until later that each tab got its own little X.
Clicking on "Help -> Check For Updates" told me that the latest version was 1.0.12. Nothing about version 1.5, 2, or the just-released 3. Likewise, when Firefox 2 users check for updates, they are only told about the latest go-round for version 2, nothing about version 3.
In general, the way Firefox self-updates is very well done. This is borne out in the stats below, an excerpt from a website activity report showing, for this month, how many hits the site experienced from people using Firefox version 2.x. As you can see, the vast majority of Firefox 2 users are using the latest edition, 2.0.0.14.
Is the failure to look up the version ladder a bug or a conscious design decision? Either way, there are, no doubt, computer users that never got the memo, people still running Firefox version 1.0.12 or 1.5.x, thinking they have the latest and greatest.
Self-updating Firefox from version 2 to version 3 now would be a mistake. While a new version is new, the decision to upgrade should not be automated. However, at some point Mozilla will stop maintaining version 2, a condition techies refer to as "end of life". Here's hoping that when version 2 hits EOL (the mandatory TLA) the update checking is a bit more self-aware.
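To make the two policies concrete, here is an added example (not Mozilla's updater code) that models an update check the way this posting wishes it worked: stay within the installed branch while that branch is maintained, and only offer the next major version once the installed branch has reached end of life. The release list and the set of end-of-life branches are constructed for the example; the version numbers come from the posting.

```python
# Constructed "update channel": the releases the checker knows about.
RELEASES = ["1.0.6", "1.0.12", "1.5.0.12", "2.0.0.13", "2.0.0.14", "3.0"]

# Constructed end-of-life marks. The posting says version 2 is still maintained,
# so only the 1.0 and 1.5 branches are marked EOL here.
EOL_BRANCHES = {"1.0", "1.5"}


def parse_version(version):
    """'2.0.0.14' -> (2, 0, 0, 14), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def branch(version):
    """The maintenance branch a release belongs to: '1.0.12' -> '1.0', '3.0' -> '3.0'."""
    major, minor = (parse_version(version) + (0,))[:2]
    return f"{major}.{minor}"


def latest_in_branch(installed, releases=RELEASES):
    """What the posting observed: only releases on the installed branch are considered."""
    same_branch = [r for r in releases if branch(r) == branch(installed)]
    return max(same_branch, key=parse_version)


def latest_overall(releases=RELEASES):
    """The newest release on any branch."""
    return max(releases, key=parse_version)


def offered_update(installed, releases=RELEASES, eol=EOL_BRANCHES):
    """Branch-aware policy the posting asks for.

    While the installed branch is maintained, offer only that branch's newest
    release (no automatic jump to a new major version). Once the branch is EOL,
    offer the newest release overall. Returns None when nothing newer applies.
    """
    if branch(installed) in eol:
        candidate = latest_overall(releases)
    else:
        candidate = latest_in_branch(installed, releases)
    return candidate if parse_version(candidate) > parse_version(installed) else None


if __name__ == "__main__":
    for v in ("1.0.6", "1.0.12", "2.0.0.13", "2.0.0.14"):
        print(f"{v}: branch-only -> {latest_in_branch(v)}, branch-aware -> {offered_update(v)}")
```

With these inputs, the 1.0.6 machine from the posting is offered 1.0.12 by the branch-only check, while the branch-aware check offers 3.0 because the 1.0 branch is marked end of life; a 2.0.0.14 user is left alone by both.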
Update June 26, 2008: According an article today at arstechnica, "...Mozilla told us that they have not finalized the schedule for when Firefox 3 will be made available to Firefox 2 users through the update channel, but they suspect that it will happen within the next two or three months."
Unlike many people, my usage of Firefox 3 has been restricted to test and virtual machines. Thus, I may have stumbled across a bug that goes unnoticed on more actively used systems. There seems to be a problem installing the Flash and Java plugins, at least on Windows machines.
Firefox 3 obviously works fine with both Flash and Java, assuming they are already installed. But, if you try to view a web page that requires either plugin, clicking the "Install Missing Plugins" button (shown below) doesn't work, at least on four Windows machines that I tested.
On a Vista machine, Firefox never found the missing plugins, either Flash or Java. It just kept searching and searching. On Windows XP, both plugins were "not available" (see below). I tried this on XP Home and Professional and with both a normally installed copy of Firefox 3 and with the portable version. I even tried this on Windows 2000 and got the same results as with XP. None of these Windows machines had any anti-malware software installed.
It's not all bad news. Every time I manually installed the Flash and Java plugins things went fine.
To test this yourself with Java, you can use the version page at my JavaTester.org site. To test Flash, try the Adobe Flash tester page. You can double check that neither plugin is installed by entering "about:plugins" in the address bar, without the quotes.
A search of the Firefox tech support website and forum turned up nothing about this. Here's a search for "flash player" and one for "Java plugin".
I haven't tried this with other plugins and not being a Mac person, haven't tried it there either. But, I did try it under Ubuntu 8.04 where the auto-install of both plugins ran fine (but you may have to restart Firefox).
My best guess is that this is a Firefox bug. If you're running Firefox 3, and don't have one of these plugins already installed, please try it and let me know. You can email me at michaelhorowitz at gmail. Thanks.
NOTE: I posted this as a question in the Firefox Forum, but it went unanswered. The price we pay for free software is the lack of tech support. I will follow-up, as best I can on this, with Mozilla, Adobe and Sun. This is a Firefox 3 issue, I tested the auto-install of Flash on Windows XP with Firefox 2 and it worked fine.
My last two postings were about making secure HTTPS web pages more obvious in Firefox 3 by adding back the colored address bar from version 2. There is yet another visual trick available with Firefox 3 that also makes secure web pages harder to miss.
As noted earlier, the new site identification button, which used to be merely a favorite icon, now turns blue on most HTTPS pages and turns dark green (see below) on those that offer extended proof of their identity (such as jr.com and paypal.com).
The dark green site id button includes the strongly verified website name and is thus much wider and more obvious. In contrast, the blue site id button shown below is easily missed.
With a little configuring, we can get the blue site id button to also include the website name. While domain names displayed in blue are not as well verified, the point is to get the extra visual cue that the page is encrypted.
This comes from a comment to this article by Johnathan Nightingale, who works on security at Mozilla.
"I would recommend that color blind users (or others, for that matter) also consider changing the browser.identity.ssl_domain_display pref in about:config. Changing this from 0 to 1 causes the verified domain to be displayed in the button for basic-identification sites."
To do this, first enter "about:config" in the address bar (without the quotes), then click on the all-too cutesy "I'll be careful I promise" button.
Next, in the Filter box, type "browser.id". That should leave your browser looking like the below:
Double click on browser.identity.ssl_domain_display and change the default of zero to 1.
Click OK and you're done. There is no need to restart Firefox, you'll see the new expanded blue site id button the next time you view an HTTPS page. I verified this in Windows XP, 2000, Vista and Ubuntu Linux 8.04. It should work in Macs too.
Combining Tips
Finally, if you read my earlier postings about restoring color (either yellow or green) to the address bar for encrypted HTTPS pages, then the end result is shown below.
There is no missing the fact that this page is encrypted.
My last posting was about how Firefox 3 no longer changes the color of the address bar to indicate encrypted Web pages. It was a feature I liked in version 2, and I explained how to restore the yellow address bar in Firefox 3 for Windows.
However, I never got the concept behind yellow. To me, yellow means "warning" rather than "good" and Web pages displayed using the HTTPS protocol are good things, not something anyone needs to be warned about.
Green means good. Firefox 3 uses dark green for the new site identification button. IE7 uses a light green address bar (see below) when the phishing filter is enabled and you're looking at a Web page with an Extended Validation certificate (IE7 doesn't color the address bar for normally encrypted Web pages).
So, if you're going to force Firefox 3 to color the address bar for encrypted HTTPS pages, why not use green?
Follow the instructions from my previous posting, but insert the below into the userChrome.css file. The only difference is the background color; this specifies the same light green that IE7 uses.
#urlbar[level] .autocomplete-textbox-container
{ background-color: #D0F2C4 !important; }
Here are three screen shots from Firefox 3 of the same page, the NewEgg user log-on page. This is a normal, secure, HTTPS page; it does not use extended validation. Choose the behavior you prefer.
Update June 27, 2008: This also works with Firefox version 2.
My next posting is about expanding the blue site id button to make HTTPS pages more visually obvious.