2007-01-28: browser security by fix rate

Back in 2005 I compared the patch rates of IE, Firefox and Opera. In the past few days the subject of browser security has come up a few times, so I thought I'd revisit the topic to see what (if anything) has changed.

data source

I'm using Secunia advisories again, to keep the data source consistent. The product pages are:

Note that Secunia's data starts from February 2003, regardless of each product's release date. You can investigate Secunia's methodologies if you will; there are some quirks. However I'm not after a perfect scientific investigation, so much as a broad strokes impression.

what am i comparing here?

Since each browser has a different release date and lifespan, comparing raw numbers of problems isn't really useful. However we can compare the percentage of patches/fixes from the vendor - it's not how many security issues were identified, rather it's about how many were fixed.

I would have added in "time to patch" and "days vulnerable" and so on, but Secunia doesn't currently graph that information (as far as I know).

I thought about sorting out standardised timeframes and so on, but the bottom line here is how secure can a user's browser be today? I say "can" since we can't assume that all browsers are up to date with the latest patch (or even close), but we can at least evaluate the potential for a conscientious user to keep up. After all, we can only apply the patches that are available.

Having discussed the user acceptance issue in the previous article (to patch or not to patch?) I won't rehash it here. However I will mention that according to Secunia Opera users really need to update their browsers.

patch rates - july 2005

First, let's remind ourselves of the data from 2005:

Browser patch success rate (Feb 2003 to July 2005)

                                       IE 6    Firefox 1    Opera 7/8**
Number of advisories since Feb 2003*     83           21             42
Vendor patch                            55%          81%           100%
Vendor workaround                        1%            0              0
Partial fix                             13%           5%              0
Unpatched                               30%          14%              0

* Firefox advisories start from August 2004.
** Opera 7 and 8 are combined to create a better comparison in terms of the number of advisories.

[Note - yes I know it didn't really make sense to combine Opera 7 and 8, but both had a 100% success rate so it didn't really change the outcome.]

patch rates - january 2007

First off, let's compare the patch rates of the same browsers (and we'll add Safari so people don't accuse me of forgetting Macs). Remember that these are all superseded versions now:

Browser patch success rate (Feb 2003 to Jan 2007)

                                       IE6     FF1     Op8    Saf1
Number of advisories since Feb 2003    110      39      15      15
Vendor patch                           67%     87%    100%     93%
Vendor workaround                       2%       0       0       0
Partial fix                            11%      3%       0       0
Unpatched                              20%     10%       0      7%

So, no change for the three browsers compared last time. Safari slots in at second, after Opera and before Firefox.

Now let's have a look at the latest versions of the four browsers:

Browser patch success rate (Feb 2003 to Jan 2007)

                                       IE7     FF2     Op9    Saf2
Number of advisories since Feb 2003      4       2       3       6
Vendor patch                           25%     50%    100%     33%
Vendor workaround                        0       0       0       0
Partial fix                              0       0       0       0
Unpatched                              75%     50%       0     67%

This produces very clear results, but the low number of advisories exaggerates the margins. The previous versions all have a higher number of advisories, but actually the only change in ranking is that Safari drops from second to third. The sharp drop in patch rate between Safari 1.x and 2.x makes it hard to get any useful conclusions - has Apple really dropped the ball?

For the other three browsers, the rankings remain:

  1. Opera (100% patched, no change)
  2. Firefox (50% patched, down from 87%)
  3. IE (25% patched, down from 67%)

It's worth noting that the patch rate for both Firefox 1.x and IE 6.x improved between 2005 and 2007. However both dropped noticeably between their previous and current versions (same as Safari). The proportion is exaggerated by the low number of advisories for the newest products.

conclusions?

Well, one clear thing is that Opera is the only vendor with a 100% patch record according to Secunia. Opera is also the only vendor that maintained its patch rate between versions - in fact you have to go back to Opera 6 to find an unpatched advisory (and there's only one).

It's also clear that IE has the worst patch rate of all the browsers compared. You could say that's a result of having a much bigger user base and a correspondingly higher incident rate. But then Microsoft has more resources than the other three vendors combined so it's a pretty weak excuse for leaving security issues unpatched.

Meanwhile Firefox does pretty well for an open-source product, consistently beating IE - even if not by much. Apple meanwhile needs to get Safari 2 sorted out; but we'll see what happens as more data becomes available (for all four browsers).

So at this time Opera wins the patch stakes. The argument can be made that Opera attracts fewer attacks due to small marketshare. That could be true - there's no way to truly know, since malicious hackers aren't polled - but when I'm doing my banking I don't care if it's true. I just care that my browser is secure; and Opera currently has the best record for fixing security issues.

2007-01-20: fixing blogger archive links

A couple of weeks ago, Mike Schinkel was kind enough to let me know that all the archive links on this page were broken (note to self: check error logs more often). Why they broke now is beyond me, although the rollout of the new Blogger might have something to do with it (lots of changes going on).

At any rate the problem was that the first character in the archive path was being dropped, resulting in links to "rchive/" instead of "archive/". The settings panel happened to match Blogger's help page exactly, yet things were still broken.

Blogger support don't really respond personally, they just let you know when a round of fixes go in. However all current work is focussed on the new version of Blogger. That's understandable but it leaves me stranded with an 'old Blogger' site with problems. I can't migrate yet since one of my blogs is "too big" - I guess they're waiting for server load to reduce before they process blogs with 3000+ posts.

Tired of waiting, I tried a few things and found that you now have to include the opening slash as well as the trailing slash: "/archive/". Why? Well someone at Blogger probably knows, but personally I don't really care so long as it works :)

So anyway, the archive links are back in business; and if you are having the same problem try adding the opening slash.

...and before people tell me to migrate to some other blog tool, I still don't want to maintain the blog tool - just the blog!

2007-01-14: two weeks on twitter

The first time I heard about Twitter I thought it was a stupid idea, possibly because the name seemed like it would be too accurate for comfort. I also didn't really like the idea of another social network requiring care and feeding. But in the end I got sucked in, and having used it for a couple of weeks I think it has a lot of potential.

some terminology

I've noticed a few terms floating around, so let's cover a few of them before we get started:

Twit/Twitter/Twitterer
A person who uses Twitter ("twit" is tongue in cheek, you at the back).
Twitterati
A group of Twits, eg. "the Aussie Twitterati" (aka. the Auspack)
Tweet
A Twitter update. "where's that tweet about the bar meet?"
Twitterchat/Twitter chat
A stream of Twitter updates that read like IRC/chat rooms.
Microblogging
One term used to describe the short posting style of Twitter.

Not everyone will agree with the terminology of course.

life with twitter

It seems fairly obvious that people use Twitter in ways the creators didn't intend. Although it's a service rather than content per se, this quote from Jeff Veen still springs to mind: Few use your content the way you intend. Everything you create online is being ripped apart and recombined with other stuff by thousands of curious geeks. Or at least, it should be.

Twitter was intended to be a status system, with all posts answering the question "what am I doing right now?". However as soon as you do that, other people want to respond - humans are social animals, after all. The result often turns into something like a chat room or IRC - and I pity anyone trying to keep up via a mobile phone. It has been said that Aussies use Twitter in IRC mode more often than other groups.

So at once it creates a tension - the great idea was to know what your friends are doing. The problem is that as soon as people respond, the traffic can easily make it impractical to follow the flow when you're out and about (unless you really are happy to be glued to your phone). If you really just want to know what people are doing, Twitterchat adds noise to the signal.

However if you're at home on the computer, Twitterchat is just dandy. IRC was always plagued with technical issues - you had to get the client installed (or know your way around shell) and find a server for a start; then find a channel and hope you didn't get a netsplit (seemed quite common for Aussies). Twitter avoids those problems - you can just hit a website and away you go.

should it be about status or chat?

Twitters know that they should just be saying what they're doing (posting their status). But they also get sucked into the chats. It's almost like you need a filter - actual status tweets versus general chatter or responses. But then you'd need people to tag their tweets one way or another - and if they followed rules like that you wouldn't have the problem in the first place.

So is Twitter a status stream or a chat tool? It's both, depending on the hive mind's mood. Is that a problem? Depends on what you want out of it at the time. Given that the status aspect is rarely going to be seriously useful to me, I don't mind the chat.

You could perhaps have Twitter proper, then let people spin off to a Twitter chat room for general chatter. If you piped the status posts into the chat room, you'd get the best of both worlds. People who don't want to chat wouldn't have to; those who do would still get status messages.

interesting uses

twitter tours

A Twitter Tour is a string of Twitters forming the tale of travelling somewhere. Gian is leading the charge on my contact list with two detailed Twitter Tours so far. I really like the way the string of status messages can tie together a routemap and photos.

The output is not really that different to blogging about going somewhere, except for the fact that you can follow the person's progress and chat to them while they're actually doing it - which is pretty cool, really. Plus you're getting the actual impressions of experiences along the way, rather than the overall/filtered impression after the fact. It feels a bit more "real".

twitter games

Put people together and sure enough they'll come up with new ways to amuse themselves given the toys...err...tools at hand. Twitter games are a classic case. On my list, Molly is definitely the ringleader for Twitter games. I went to make a list and discovered it was Molly who had suggested all of the following:

Twitter games can be quite fun, although I have to admit it's hard to discuss the finer points of different operating systems using haiku.

twitter polls

Twitter Poll is just a term I use to describe a message along the lines of "should I do x?" or "what do you think about y?". Users regularly solicit thoughts and advice from other users. I've even seen quite effective technical support take place within minutes of someone grumbling that something was broken.

twitter news

Several flavours of BBC news (eg. twitter.com/bbcnews) are being Twittered thanks to one enterprising user, who used the Twitter API to crunch the Beeb's newsfeeds. No idea what the BBC thinks of it, if anything.

I'm not sure I would really want the news following me on Twitter... I wouldn't mind getting BOM weather alerts though!

what sucks about twitter

There are many things that show that Twitter is a new service that really needs some rough corners knocked off. I'll just cover a couple of them, since I'm not aiming for an exhaustive breakdown of its interface and design.

handling of connections

For a social network, Twitter is rather bad at handling friends requests. For a start, you can't import a list of friends - a problem which has already been discussed at length. So you're left trying to work out which of your friends is on Twitter, using which variant on their online identity... which just feels like work. Boring, repetitive work.

Once you do find people and start adding them, you discover some people have opted for a minor layer of privacy - so you have to wait for them to accept your request to add them to your Twitter friends list. If people notice your request and respond quickly, all is peachy. If they don't notice, it can go pear shaped.

The only alert that a request has been made is a text link on the web interface, so a user could literally never notice that someone has made a friends request. If they don't actively accept or reject a request, there's no way to know if they've been online or not - have they even seen your request?

So it can be quite easy for one user to appear to snub or ignore another user - intentionally or not. It can lead to a new variant on social networking anxiety.

direct messages

Direct messages are like really private tweets - short emails, essentially. They suffer the same problems as friends requests if they're sent while you are not receiving updates via mobile or chat. The web interface just tells you how many direct messages you've received, not how many are new or unread. You can't archive the old ones, so you just sort of have to remember the number you're up to. So you could easily miss a direct message - once again, social network anxiety fodder.

archive handling

Twitter's interface makes it quite hard to get a view of the tweets posted since you last logged in. I guess the intention was that people would just jump back into the flow - or never leave it ;) But naturally enough people want to know what they missed, and can only find the last 24 hours. Which is silly really, since everyone's entire history is stored.

teething problems?

It seems like the volume of SMS traffic generated by Twitter is causing some trouble in some parts of Australia.

what rocks about twitter

Twitter at its best is a little like a coffee shop full of friends. You can tune in and out, lurk, or start conversations. Because it's not actually IRC people know that you could be dropping past rather than actively watching. So you can check in a couple of times through the day or have a window sitting open all the time. It's your choice.

It also has to be acknowledged that Twitter really can go where you want it to - web, IM or mobile. That's really quite a broad reach. Since it uses SMS rather than WAP or wifi, even Aussies can use it from their mobiles (although beware of pocket posts).

Twitter is a nice, informal way to keep up with people - especially if you're not in regular email contact. Twitter forces quick, easy messages - you can't get stuck writing a 1000 word email which never gets sent. This keeps it "light" - even a busy person can participate.

where's the money?

Sooner or later I think we'll see a business plan emerge. A few obvious ideas:

  • premium features requiring paid subscription
  • charging to receive updates via mobile
  • ads on the site
  • direct marketing (twitterspam)

In any case, someone must be paying the bills for all the text messages... sooner or later they'll want to see some return on investment. I'll be curious to see how/if Twitter is changed when that happens.

so what to make of it?

I think the tweet that most accurately sums up my experience so far was when I posted: blogs about twitter, twitters about blogging, then goes to bed. If you take it too seriously, you'll go nuts.

It's faster than email; slower than IRC (in a good way); doesn't demand immediate attention like IM and has a social/group aspect that SMS alone can't touch. It is quite odd, but I can't help thinking this is a sign of things to come. Communications channels that are flexible and quick, personal and tribal... it's approaching what I imagined when cyberpunk authors talked about personal comm units. In fact, more recent reading like Cory Doctorow's Eastern Standard Tribe is a little freaky when I consider the disrupted circadian rhythms of certain Twits.

So what do you make of something like Twitter? Whatever you want to, really - at least for now. No doubt it will evolve as time goes on... it will be interesting to watch.

2007-01-11: iTwitter, until the telcos stop me

Well it's a brave new year and what are people up to? Twitter and iPhone Mania, mostly. Funny thing is how both of them suffer from bad telcos here in Australia!

Twitter

You must have heard of Twitter by now... If not, it's the latest craze for social networking. Twitter sits somewhere between IRC, IM, blog comments and moblogging. The basis of Twitter is (supposed to be) the question "what are you doing right now?". You answer the question - possibly in the third person - and your friends can tune in and see what you're up to.

Unsurprisingly, people start responding to each other and the result is rather like IRC without the netsplits. My perception is probably skewed since Molly observes that the Auspack uses Twitter like IRC more than others tend to.

So anyway, you can post and receive short status messages via the web form, your chat client or your mobile phone (hence the short message length - to facilitate text messaging). Twitter can follow you everywhere! Well unless you're in Perth, that is.

The Perth port80 crew had a meetup tonight which was notably quiet on the Twitter front. On their return to their PCs, they reported that their mobile Twitter posts were being blocked by the telcos - apparently the volume of traffic is causing the gateways to refuse the messages (rumours suggest intentionally, but there's no official word).

Much grumbling about telcos ensues!

iPhone

The iPhone has been announced to an overly-enthusiastic Macworld crowd (too many espressos maybe?). People are raving about it, which is a little amusing for a phone that is yet to pass its FCC application! Note the tiny text at the bottom of the page: This device has not been authorized as required by the rules of the Federal Communications Commission. This device is not, and may not be, offered for sale or lease, or sold or leased, until authorization is obtained.

Considering the usual lag to the Australian market, Aussies won't be packing iPhones for at least 12 months. The most optimistic TV spot just said "sometime next year". I've also heard that they will only work with Telstra, so it's unlikely that any of its features will be cheap (Telstra is not known for generous pricing after all).

Add to that the US$599 price tag - AUD$768 if the price isn't hiked - and it's likely to remain a fairly exclusive toy. It might not even look quite so cool by the time it gets here - a 2mp camera really isn't that much to write home about, for example. Plus, 8gigs may not go such a long way if people start packing in the multimedia.

That said, hopefully the iPhone will still have a major positive effect on the market: it might raise expectations. Love them or hate them, iPods raised the bar for music players. 512megs or 1gig no longer cut it and suddenly personal music players became really useful as companies scrambled to catch up.

The iPhone could do this for mobile phone handsets. As well as being a phone, it is a viable music player and web browser. With a real web browser and wifi capability, you don't even have to crawl along on WAP; you can use real websites.

Let's hope that public wifi takes off in Australia by the time the iPhones get here, of course. Currently you'd be lucky to get wifi anywhere other than your home, particularly since most workplace wifi requires VPN software - blocking devices like the Sony PSP. Mind you, with OSX running the show perhaps the iPhone will support VPN.

I also wonder if the Safari install will use handheld stylesheets if they are available? Getting some support for the handheld media type would be a boon for mobile web content in general. At the moment it is still not seriously worth creating a handheld stylesheet since so few mobile devices honour them.

the more things change?

I came across a great quote today which seems quite appropriate: One must make a pessimistic analysis of the situation, but when it's time for action, one must act with hope. - Gramsci

So, right now we have telcos which are pricing innovation out of the market, or blocking standard services (SMS) when people use them in new ways. As I said in December, the cost of telecommunications is choking their own future in Australia.

I will act with hope however and look for positives.

We can hope that a really popular mobile web device could drive up demand and prompt telcos to adjust their pricing strategies. We can hope that the spread of wifi-capable devices will inspire more free public hotspots or cheap private hotspots like cafes. We can hope that devices like the iPhone and services like Twitter will raise consumer awareness and have more people asking telcos for a better deal.

Here's hoping 2007 is a good year for mobile connectivity.

...and now I have to go Twitter some more.
