Minority report

I found this amusing. In a post about the new Slashdot Discussion2 forums, a Slashdot administrator notes that the code is still in beta:

IE doesn’t work (patches welcome, but since only a quarter of you use it, it’s not a huge priority)

I’m just trying to imagine what would happen if any other site in the world said, for instance, “We’re not going to support [fill in the browser name] because only 25% of our visitors use it.”

I understand that Microsoft-bashing is de rigeuer at /., but still…

Update: Well, Discussion2 seems to work OK in IE7 with some minor display glitches (apparently these are also observed in the fully standards-compliant Konqueror browser as well, so it’s not just an IE thing). And the usual flame war is going on in the comments, with I would guess about 25% of the commenters pointing out the hypocrisy of actively not supporting a large group of users.

My favorite comment so far:

Judging the mainstream based on Slashdot is like trying to learn about normal human interaction by people watching at a Star Trek convention.

OK, back to work.

One less reason to use Firefox

It took a while, but someone finally released an add-on that fixes the most annoying part of searching pages in Internet Explorer. The Inline Search for Internet Explorer add-on replaces the modal Find dialog box with a bar that sits at the bottom of the page, exactly like the one in Firefox. As you type in your search term, it locates the first instance on the page immediately. You can find the next or previous instance using the buttons on the toolbar or by pressing the up or down arrow keys. You don’t have to click a Find button or close the dialog box when you’re done either.

I’ve been using IE7 more and more and generally prefer it to Firefox these days. I still keep Firefox around for the small number of pages that just won’t work properly in IE7.

(Thanks to Omar Shahine for the pointer, via Mike Torres.)

A phishing follow-up

My e-mail inbox has been remarkably free of phishing messages lately, so I haven’t been able to compare the performance of the IE7 and Google/Firefox phishing filters, as I promised last week. (The filters on my e-mail server do an excellent job of blocking this junk.)

Today, I finally got one – a come-on from a Romanian server attempting to get my Bank of America credentials. The good news is that both IE7 and the Google Toolbar for Firefox nailed it. (Firefox 2 Beta 1 alllowed it right through, but that’s to be expected since the phishing feature isn’t turned on yet.)

In looking at the two browsers side by side, I was able to compare the different behaviors. Here’s IE7:

Ie7phish

The URL appears in the address bar, but the page itself is completely blocked. I have to choose to click a link to go to the suspicious page. Any other option sends me somewhere else, away from the unsafe site.

Now here’s how the Google Toolbar flags the same site in Firefox:

Ffphish

The phony page is visible, but grayed out. If I try to click on the site, it doesn’t work because the Web Forgery dialog box has completely taken over the focus. That’s good. And the Get me out of here! link is unmistakable in its effect. The only part I don’t like is the big X in the upper right corner. I don’t know about you, but I’ve learned, Pavlov-style, to click that X whenever I see a popup window or a warning dialog box. In this case, though, clicking the X dismisses the dialog box and allows you to go to the page.

That default behavior seems wrong to me. If I’ve chosen to use a piece of security software, I want it to protect me from any threat unless I specifically and unequivocally choose to ignore its warning. The X in the dialog box is ambiguous, and in my opinion the default behavior in that case should be the exact opposite: I didn’t choose to ignore the warning, so send me somewhere else, far away from that threat.

If anyone at Google or Mozilla is listening, consider this a feature request.

IE7+ turns out to be a minus

Back in May, I passed along word that Microsoft was planning to call the Vista version of its new browser IE7+.

Never mind.

Microsoft has reconsidered that decision. Tony Chor, Group Program Manager, says:

Well, the feedback we got on the blog was overwhelming – many of you didn’t like it. So, as we’ve said on our website, we heard you. I’m pleased to announce that we’re switching the name back to “Internet Explorer 7”. No plus. No dot x. Just “Internet Explorer 7”.

Of course, this is Microsoft we’re talking about, so the official names are ridiculously overcomplicated. The official full names are:

For Windows XP: “Windows Internet Explorer 7 for Windows XP”
For Windows Vista: “Windows Internet Explorer 7 in Windows Vista”

I’m just going to call it IE7.

Firefox phishing filter fails

[Update: Mozilla’s PR agency says the anti-phishing feature isn’t fully enabled in Firefox 2 Beta 1. Details here.]

Over at ZDNet, I’ve just published a lengthy comparison of the security features in the most recent beta releases of Internet Explorer 7 and Firefox 2. (The comparison is entitled IE7 or Firefox 2: Which browser is more secure? It includes a detailed image gallery so you can draw your own conclusions.)

One prominent feature of each new release is technology to detect so-called phishing sites, which try to spoof legitimate sites and deceive visitors into giving up personal information like credit card numbers and banking account login details. Like most people, I was initially skeptical about whether this technology would work, so over the past few months I’ve been putting IE7’s phishing filter to the test. Normally I just delete those phishing messages, but lately I’ve been clicking on every single one to see what happens. Surprisingly, IE7 has nailed one fake site after another. I haven’t kept detailed records, but the hit rate has been nearly 100%.

I’ve only begun using the Firefox beta in the past few days, so I have only a small sample size to work with. But so far it has missed every one of four phishing sites I’ve pointed it to, each of which has been detected by IE7. I’ve tried monkeying with the settings for the anti-phishing option in FF2, with no luck, and I’ve repeated the installation on a separate computer with identical results. (Both computers were running stock installations of Windows XP.)

Frankly, this is baffling to me. Both Microsoft and Mozilla have been testing this feature for a year. In Mozilla’s case, the testing has been done by Google, which developed the technology as part of its Google Toolbar for Firefox. As a control, I installed Google’s Firefox toolbar on the latest official release of Firefox, 1.5.0.6. It failed to detect two obvious phishing sites as well. (Two other links that I had used for testing yesterday have already been taken down.)

I’m going to begin monitoring this feature a lot more closely and will report my results periodically here.

IE7 Beta 3 is out

Today, Microsoft released Beta 3 of Internet Explorer 7 for Windows XP (Service Pack 2 required), Windows XP Professional x64, and Windows Server 2003. (Direct download link is here.)

My comments are over at ZDNet.

More Firefox irony

So, you’re a Firefox evangelist and you’re going to preach about the evils of ActiveX:

For years, Mozilla struggled with website compatibility issues because it did not support Microsoft’s ActiveX technology, another major vector for security attacks on users. Not only would it have been a lot of work to reverse engineer and build Mozilla support for ActiveX, it would have opened Mozilla up to some of the worst threats on the Web. It would have been a bad idea. With the upcoming IE 7 (promised almost a year and a half ago) Microsoft says that “allowing ActiveX controls to run in IE should be the exception”. Good idea. And only about 5 years late.

(Clearing throat and doing best Keith Olbermann impersonation here…)

OK, then maybe your webpage shouldn’t include an embedded ActiveX control:

Here’s a snippet of the source code from the page (with angle brackets converted to square brackets and URL broken so I don’t try to force a QuickTime control down my visitors’ throats):

[object codebase=”http: //www.apple.com/qtactivex/qtplugin.cab” width=”480″ classid=”clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B” height=”376″] [emphasis added]

Just sayin’.

Firefox not so secure after all?

Why does a top evangelist for Firefox feel it’s necessary to misquote, distort, and generally avoid the truth about IE? Maybe he thinks his readers are stupid.

IE7+Vista = IE7+

The version of Internet Explorer in Windows Vista has a new name. According to Microsoft’s IE Blog:

With the release of Windows Vista Beta 2, I want to announce that we will be naming the version of IE7 in Windows Vista “Internet Explorer 7+”. While all versions of IE7 are built from the same code base, there are some important differences in IE7+, most significantly the addition of Windows Vista-only features like Protected Mode, Parental Controls, and improved Network Diagnostics. These features take advantage of big changes in Windows Vista and weren’t practical to bring downlevel. The IE7+ naming gives us an easy way to refer to this version. (“The version of IE7 in Vista” doesn’t roll off the tongue as easily…)

It also has the marketing side-effect of making the version of IE7 in XP the equivalent of IE7–minus.

Ie7-plus-logo

My problem with the new name is that a reasonable nontechnical observer running Windows XP will hear about it and think that the “plus” part is an add-on that they should be entitled to as well. Given that the changes relate to features in the OS, I would have preferred a naming convention that reflects that reality: IE7/XP and IE7/Vista.

But nobody asked me.

Google cries foul, but for what?

I’m having a hard time understanding why Google is so outraged at Microsoft’s design of the search bar in IE7. Steve Lohr summarizes the complaint in today’s New York Times:

Google, which only recently began beefing up its lobbying efforts in Washington, says it expressed concerns about competition in the Web search business in recent talks with the Justice Department and the European Commission, both of which have brought previous antitrust actions against Microsoft.

The new browser includes a search box in the upper-right corner that is typically set up to send users to Microsoft’s MSN search service. Google contends that this puts Microsoft in a position to unfairly grab Web traffic and advertising dollars from its competitors.

The move, Google claims, limits consumer choice and is reminiscent of the tactics that got Microsoft into antitrust trouble in the late 1990’s.

I don’t get this at all. Let’s look at IE7 up close and compare it to Google’s preferred browser, Firefox.

Continue reading “Google cries foul, but for what?” →