Firefox has much to learn

Summary: It is widely asserted as "fact" that Firefox is more secure, but does that assertion really hold up under intense scrutiny? Peter Torr of Microsoft doesn't seem to think so.

It is widely asserted as "fact" that Firefox is more secure, but does that assertion really hold up under intense scrutiny? Peter Torr of Microsoft doesn't seem to think so. I can hear the howling now to the effect of "but the guy is just a Microsoft lackey on Bill Gates's payroll". While it is certainly true that he works for Microsoft and is clearly giving a point of view favorable to Microsoft, no one can deny any of the serious criticisms that he lays on Firefox. Here is a list of Peter's grievances that show a pretty flagrant disregard for the most basic of security principles.

  • Installing Firefox requires downloading an unsigned binary from a random web server
  • Installing unsigned extensions is the default action in the Extensions dialog
  • There is no way to check the signature on downloaded program files
  • There is no obvious way to turn off plug-ins once they are installed
  • There is an easy way to bypass the "This might be a virus" dialog

Since the initial posting and much "fanfare" from Slashdot, someone pointed out how you can turn off plug-ins, so Peter has since then conceded the fourth point. While there has been a huge firestorm of responses on the other points, I haven't heard any acceptable explanations on any of the other four points that Peter has raised. The most serious issue is the first where Firefox might even send you to a raw IP address link (the favorite tactic of phishers) to download unsigned code.

The other problem with Firefox is compatibility with IE. The first issue is HTML formatting and the second problem is the lack of support for ActiveX.

John Carroll wrote about the formatting issue over a month ago in this column. Chris Jablonski posted this blog on why Enterprise IT organizations are turning a cold shoulder to Firefox. I've personally experienced problems with my own home page in the way Firefox renders the Macromedia Flash banner. The blog that Peter Torr posted mentioned above also doesn't render correctly with Firefox. I can already hear the Firefox crowd say "so what" as they did to John Carroll last month, "that's Microsoft's fault for not following the HTML standards". While following the HTML standards is fine and dandy, you're not going to win over any hard-core IE users who rely on web pages tuned to IE which has over 90% of the market share. It's not a question of who's right or who's wrong and who's not following the HTML standards, it's a question of market reality which Firefox can choose to ignore at its own detriment if the goal is to win over IE converts. I would like to suggest a nice compromise. Firefox should look to see if a page is optimized for IE and abide by Microsoft's nonstandard formatting and render the pages as their authors intended. For Websites that abide by the HTML standards, Firefox could use its current formatting engine. This would make Firefox the best of both worlds.

ActiveX support is a double-edged sword because any mechanism that launches executable code can be abused, but I do think the dangers have been grossly exaggerated since the modern version of IE that comes with Windows XP SP2 is sufficiently locked down by default. Any ActiveX code that has or hasn't been digitally signed will be blocked by default and you really do have to go out of your way to infect yourself with something nasty. Firefox's method for securing ActiveX is to simply not support it, but that's kind of like securing your Internet connection with a sharp pair of scissors instead of using a Firewall. From a corporate perspective, ActiveX is simply too important and entrenched for most corporations to give up. I personally love the ability of Microsoft PowerPoint or Visio to output HTML with a rich user interface and vector scaled images. Most people who have ever seen the pan and scan controls of Visio 2003 HTML output will never want to return to a flat HTML and GIF format. Outlook 2003 Webmail probably has one of the nicest web interfaces of any web application I've ever seen; view it through Firefox and it's back to a primitive static HTML format. For the Firefox camp, it's easy to discount some or all of these benefits but corporations simply don't see it that way. Even Macromedia Flash has its share of security patches but I still think Flash is too valuable a medium to give up. A lot of technical people prefer no flashy interfaces and just plain old text, but I have no interest in going back to the stone ages of animated GIF files or ASCII art. I personally like Flash (when used sparingly with low bandwidth in mind) and rich user interfaces, and I can't stand reading the plain text formatting of the IETF RFCs when I need to do research.

Having levied all these gripes about Firefox, I will say that it is probably one of the best IE alternatives I've seen to date. Firefox did an impressive job importing all of my Internet Explorer settings and it doesn't take an eternity to load like the newer versions of Netscape (although a little slower than IE). I really love the modular search bar (especially Google,, and Wikipedia) and I do love the HTML source viewer. But if Firefox is ever to succeed, it must do the following things.

  • Firefox should support IE formatting in addition to HTML standard formatting
  • Swallow Peter Torr's criticism and fix their serious security shortcomings
  • Support and secure ActiveX without throwing the baby out with the bath water

I expect to get a lot of flame for this, but keep in mind that success comes from listening to your customers and not insulting them. I hope the folks at Firefox will look at this blog as a fair and honest critique and give it some serious consideration. The success of Firefox would bring much needed competition back in to the Web Browser. A healthy competition between Firefox and Microsoft would bring the best out of both companies and benefit all of us.

  • Wrong is wrong is wrong

    "It's not a question of who's right or who's wrong and who's not following the HTML standards, it's a question of market reality which Firefox can choose to ignore at its own detriment if the goal is to win over IE converts."

    Maybe Firefox's goal is not to coddle IE users. Maybe their goal is to do things right. I understand what you're saying, I do. But I applaud FF for refusing to lower their standards.

    As a web developer, having to hack-up my CSS to appease IE is infuriating. Many developers don't adhere to IE formatting b/c they *want* to, they do it b/c the majority of users use IE.

    That's what makes FF innovative. They have the guts to say, 'you know what, it's too bad that IE is crap but I'm not going to make it easier for them to continue being crappy.' FF isn't ignoring anything, they're just willing to comply with *real* web standards and not the unbelievably bad standards set by Microsoft.
  • 24% of ZDNet users are on FF now

    True statistic: 24% of browser sessions on ZDNet News (and blogs, for that matter) are people using FireFox. For a publisher, that makes it imperative for us to make sure things work right. We can't ignore a quarter of our users -- especially since those are probably the early adopters.

    Stephen Howard-Sarin
    • All large respectable sites support everything

      What I've noticed is that the larger and more respectable websites do support just about any kind of browser. Any professional web developer or designer will produce WebPages that are globally supported. I'm not suggesting that ZDNet or any other site forget about Mozilla/Firefox support, but that Mozilla/Firefox should support IE formatting in addition to the standards based formatting.

      My point is, a lot of smaller sites and Intranet sites don't have the resource or the will to test a large matrix of environments. A lot of them just use an off the shelf HTML editor like DreamWeaver or MS FrontPage or even MS Word for that matter. That's when you usually get into trouble with a non-IE formatting compliant browser. The whole point of the blog is that many IT departments are refusing to consider Firefox, and my suggestion for Firefox is to "coddle" the business concerns rather than an insistence on one's own standard. A lot of the comments here are saying that business concerns take a back seat to principle. But if business concerns are ignored by Firefox, wouldn't that explain why so many businesses are ignoring Firefox? That is the point of this blog.
  • I want to implement FireFox ...

    ... for all users in our Canadian offices but I won't be able to unless I can get it to work properly with the Web Time & Expense application that is part of our Accounting system. Yeah, it uses an ActiveX control. I'm stuck with that requirement, but I'm not going to quit my job over it.

    If FireFox had a feature called "Allow ActiveX on the following sites only" and "Allow ActiveX only if site is SSL-encrypted", I think I could prevent the damage on our PCs. Believe me, I would be happier to dump ActiveX entirely, but it won't happen.

    Yes, I think FireFox should support "MSHTML" formatting of the unharmful kind. Again this is Microsoft's fault but I want my users to LIKE FireFox and to be able to use it without telling me "I need to surf this or that website for business reasons and FireFox sucks because I can't get my job done!"

    So for very practical reasons these things should happen, but in a CONTROLLABLE SECURE way, not Microsoft's way.
  • Comments on FF

    It is about time that people will stand up and
    build competition against a giant that consumes it all!!!