The success of the Mozilla Project's Firefox browser has exceeded all expectations since its launch last autumn, grabbing a significant share of the browser market and sustaining about a million downloads a week. The browser wars are back, it seems.
But while the decision of which browser to use is relatively simple for users, the situation is more complicated for large organisations, many of which have become so dependent on Internet Explorer that a wholesale switch is practically impossible. The irony is that a few years back, companies were deliberately implementing single-browser policies as a way of cutting costs for development, training and the like. Security concerns have now given organisations all the reason they need to have another look at multiple browser support, with many enterprises evaluating Firefox or other alternative browsers, and some universities and public-sector bodies having already dumped IE. Microsoft has taken note and executed an about-face on its browser policy, announcing a stand-alone Internet Explorer 7.0 will begin beta testing this summer.
Browser policy decisions are complicated by the fact that many Web applications and internal enterprise systems currently require IE, and that Firefox is expected to attract more security problems as its popularity increases. Industry analysts say companies should prepare for a multi-browser world, but exactly what this new world will look like is unclear.
The Mozilla Foundation stresses that the real battle isn't between browsers, but between two types of technology -- Microsoft's, which is tied to Internet Explorer, and standards-based technology, which can be used with Firefox or any other standards-compliant application. In theory, this means that sites and Web applications that work with Firefox should behave the same way with Opera, Safari or other Mozilla browsers (like the Mozilla suite and Camino), and switching should no longer be an issue.
"The old world is about IE 5.5 and Microsoft proprietary things like ActiveX. The new world is about W3C standards," says Tristan Nitot, president and founder of Mozilla Europe. Testing internal applications for standards instead of for a particular browser may seem like extra trouble for companies, but in the long run it will reduce security risks and save money, Nitot says.
There's increasing evidence that the Firefox phenomenon has real momentum. Many of the figures have become familiar: Firefox usage exceeds 25 percent on some Web sites targeting technical audiences, it has surpassed 25 million downloads, and it is used by 5 to 10 percent of the Web population. Firefox hasn't been around long enough for enterprises to have adopted an official policy toward it, but many IT departments have made it their choice, according to anecdotal evidence and testimonials collected by the Mozilla Foundation.
Gartner says Firefox is the predominant browser in the IT department at one of the top five IT vendors, though the (unnamed) company in question doesn't have a formal policy supporting it. Recent data from Web analysis firm XitiMonitor shows a steady rise in Firefox usage during the workday, suggesting that many business users are installing the browser without official sanction. XitiMonitor's research puts Firefox's market share at above 10 percent, with other non-IE browsers together making up about 3 percent; other researchers put Firefox's share slightly lower.
Support from industry giants such as Google (which provides Firefox's download infrastructure), Amazon (Firefox support for the A9 search toolbar) and IBM is bolstering the browser's profile, and ISVs that have aggressively tied their products to IE are beginning to shift to a neutral stance. Nitot says Oracle, Business Objects and others have committed to delivering products compatible with Gecko, the HTML rendering engine that drives all Mozilla products.
A handful of businesses and large organisations have come out with significant Firefox deployments. Komatsu Canada Limited -- a leading distributor of heavy equipment for the mining, forestry and construction industries -- says most of its 1,300 Canadian employees use Firefox as their default browser, switching to IE for sites that only support that browser; Mozilla's Thunderbird is also the company's main email client. In a statement on the MozillaZine Web site, the company's CIO said improved security justified the deployment, despite the lack of enterprise management tools.
Several universities have large-scale rollouts of Firefox, according to the Mozilla Foundation, including Yale, MIT, Boston University, Western Kentucky University, Southern Oregon University, Pennsylvania State University, Duke University's business school and the UK's University of Bradford. The French Home Office is one of the major public-sector bodies evaluating the browser.
Security and features
The number one driver of Firefox's popularity is security, specifically a number of high-profile security scares around IE, according to analysts. Microsoft chairman Bill Gates, in announcing IE 7, acknowledged that "browsing is definitely a point of vulnerability". In the past, it was generally accepted that IE had more than its share of vulnerabilities per thousand lines of code, as a result of its architecture and Microsoft's corporate culture and development priorities, according to Gartner, although this has improved in the last two years.
Microsoft's close integration of IE with Windows is a problem in itself, critics say, as it means IE flaws have a more serious impact than bugs in a stand-alone browser. This integration means it takes longer to create fixes, since testing has to include the entire operating system, and applying the patches is often more time-consuming and expensive. Other factors increasing IE users' risk are its use of ActiveX controls, often used as spyware vectors, and IE's open and extensible architecture, which allows malicious "browser helper objects" to worm their way deep into the operating system.
On top of all this, the browser's effective monopoly has made it the natural focus for attackers, something Firefox hasn't yet had to cope with. Paul Randle, Windows client product marketing manager at Microsoft, says the company has "consistently maintained that Web browsing functionality is an integral part of the operating system", but has nevertheless released various standalone IE updates, including IE 6 in 2001 and IE 6 SP1 in 2002. Last year's update to IE 6 was bundled with SP2 due to enterprise customer feedback, Randle says, but times have now apparently changed due to more browser-targeted attacks. "Now our customers are asking for more updates to the browser, and we're responding by releasing the new version separate from the service pack or OS update," Randle says.
If Microsoft's problems have opened a window of opportunity for Firefox, Microsoft will, to a great extent, end up determining how popular Firefox becomes through the effectiveness of its response, says Ray Valdes, Gartner research director for Internet platforms and Web services.
The two main points in Firefox's favour, its relative security and better user experience, can be argued to be the result of a lack of serious development effort on Microsoft's part over the past few years. Microsoft had no real competitive pressure to worry about, and was under pressure not to break customers' existing application sets. When the company announced it wouldn't be making upgrades to the stand-alone version of IE, it seemed users couldn't expect any real improvements before the arrival of Longhorn.
The announcement of IE 7 made it clear that Microsoft intends to compete against Firefox, at least for Windows XP SP2 -- it seems Windows 2000 users will be left high and dry. IE 7 promises better defences against phishing, malware and spyware, and may include other long-awaited features, such as improvements to CSS and PNG support.
Microsoft denies it is motivated by the increased competition. "This is not related to Firefox. This is about ensuring that our customers get the protection and functionality they ask us for," says Randle.
In a best-case scenario for Microsoft, the security and usability improvements in IE 7 and Longhorn, as well as other factors, could keep IE from sliding below 70 percent, with Microsoft later regaining up to 90 percent share, Gartner believes. Some browser improvements, adding features such as tabbed browsing, should be straightforward. "Microsoft has historically been able to execute well in any competition centred around features, for example, with Microsoft Word," says Gartner's Valdes. "However, improved features are only a secondary concern to users."
The real challenge will be improving IE's security, and getting that improvement message across to users. "There are perceptions that must be shifted, and it is difficult to provide tangible evidence that the average observer can directly relate to," Gartner's Valdes says. "How does one demonstrate the absence of something? How does a user directly experience the absence of vulnerability? The campaign to change hearts and minds must be made on a less direct level, that is, on an emotional, political and social level."
The news that IE 7 won't be released for Windows 2000 is good news for Firefox, prolonging the browser's window of opportunity, Valdes says. Microsoft says it is leaving its options open where Windows 2000 is concerned, but industry observers say a release is unlikely, leaving an application switch as the best option for improving browser security. "In some sense, they have ceded the security war -- a war of perceptions -- for system releases prior to SP2," Valdes says. "They are seeking to win the war of perceptions by building on the substantial security-related advances in SP2."
The neglect of pre-SP2 systems has already encouraged some companies to look at browser alternatives. Voltrex Options, a London-based brokerage house, migrated fully to Firefox after its 1.0 release, mainly to lower the risk to its workstations. "As the majority of desktop machines run on Windows 2000, none of the extra security features in XP SP2 or any future versions of IE are available to us," said Voltrex network manager David Hallowell, who has done some volunteer work for the Mozilla Foundation. "If Firefox had not been around we'd have evaluated Opera or the Mozilla Suite for deployment. [Firefox] has an interface so similar to IE that no one here has had a problem being able to use it."
Limitations in Firefox
But Firefox is hampered by some of its own current limitations. The Mozilla Foundation admits the current version is aimed at end-users, rather than organisations, and at the moment it lacks enterprise tools for deployment, management and patching. Many companies say they wouldn't even consider deploying Firefox as their principal browser without these features. There's no commercial support infrastructure, although the project is planning to announce partnerships to provide this.
As for security, observers say attackers will start to turn up the heat on Firefox once it passes the 20 percent mark, and it remains to be seen how the open source organisation will cope. What's more, as serious flaws and exploits inevitably turn up, they are likely to erode the browser's reputation for better security. Then there is the inescapable fact that many companies are tied to IE by their own applications and those of major ISVs. For this reason alone a complete switch simply isn't an option for many companies, at least not in the near future.
But progress is being made even on this front. Once upon a time, many companies would only test their Web applications for IE compatibility as a matter of course, but this attitude has evaporated, says David McGuinness, an independent consultant who has worked with the Mozilla Foundation. "With the increasing popularity of Firefox, companies are more willing to ensure that their site is tested completely in that browser," he says. "It is now very unusual to find a company that only wants their site tested in IE."
Companies switching from a single browser to multiple browsers should expect an extra cost, but this should only be incremental, and is offset by benefits such as flexibility, the ability to reach more users and user satisfaction, says Gartner's Valdes. "One of the benefits to be gained, albeit hard to quantify, is a reduction in vulnerability for the organization," such as avoiding large costs when a security breach happens, he says.
An increasing number of companies are likely to end up with various combinations of IE and non-IE usage, industry observers say. Voltrex, for example, came across the inevitable Web applications that only worked with Internet Explorer -- including the firm's corporate bankers. "To get around this we can just create shortcut icons on the desktop to those few sites that still [require] IE," Hallowell says. For companies tied to IE-only internal applications, one option is to limit IE usage to the intranet and specify Firefox for the Internet.