The Firefox flame war is on

I predicted Peter Torr would start a flame war with his Firefox post, and sure enough… To his credit, he’s addressed most of the criticisms directly in this follow-up post, entitled, I love Slashdot. My favorite part:

You’re spreading FUD

Well, yes, I suppose I am.

  • People should fear code they cannot easily verify
  • People should feel uncertainty about downloading and executing code that they cannot easily verify
  • People should doubt the integrity of code they cannot easily verify

And, to re-iterate what I said earlier, manually checking MD5s or compiling the source does not qualify for 99% of users.

This debate is very, very healthy. If Microsoft pays attention to the success of Firefox and improves IE to remain competitive, we all benefit.

How can you trust Firefox?

Microsoft’s Peter Torr invites a flame war with his essay, How can I trust Firefox? He walks through the installation and configuration process with Firefox and determines that it reinforces some particularly bad habits for users. He concludes:

I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn’t currently have any unpatched security vulnerabilities talked about in the press doesn’t mean they don’t exist (Secunia currently lists three unpatched vulnerabilities, for example).

Mozilla has had its share of security vulnerabilities in the past (just as IE has), and — despite what the open source folk might say — Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It’s just something you should be aware of. Just because you don’t see any unpatched security bugs in Bugzilla doesn’t mean they don’t exist, either.

But the thing that makes me really not trust the browser is that it doesn’t matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions.

  • Installing Firefox requires downloading an unsigned binary from a random web server
  • Installing unsigned extensions is the default action in the Extensions dialog
  • There is no way to check the signature on downloaded program files
  • There is no obvious way to turn off plug-ins once they are installed
  • There is an easy way to bypass the “This might be a virus” dialog

This is definitely food for thought. My take? I use Firefox. It’s a nice piece of software, and in terms of usability I believe it is a better choice for folks who want a powerful Web browsing tool. But contrary to what some ill-informed folks in the media are saying, it is not a cure-all for security problems.

Fighting comment spam

I allow comments on this Web site. In fact, I encourage them. In the past, I’ve had to shut down comments for fairly long periods of time because of “comment spam,” automated attacks that fill the comments section with plugs for whatever sleazy product you can imagine.

The comments are open again because I upgraded to the latest version of Movable Type and installed the latest version of MT-Blacklist, an awesome program created by Jay Allen. If you leave a comment here, it may get held for my approval. That’s a small price to pay, considering that MT-Blacklist has blocked more than a thousand pieces of comment spam since I installed it two months ago.

Via this thread at Brad DeLong’s Weblog, I learn that Jay is now working for Six Apart, the developers of Movable Type. Congratulations, Jay!

If you have a blog, the combination of Movable Type and MT-Blacklist is absolutely awesome. So here’s a public thanks to all the folks who made this software possible.

Firefox stops blocking popups

A VC writes:

One of the main attractions of Firefox is the lack of spyware and associated stuff like popups that you get when you switch.

Well at least for me, that’s over. I got about four or five Firefox popups last week. The one shown above was courtesy of Panasonic.

I’d be curious to find out if this is happening to others.

Yes, it’s happening here. The makers of some types of popups have figured out how to work around Firefox’s popup blocker. Not only that, but apparently the Movable Type (blog software) Quick Post shortcut actually turns off the Firefox popup blocker!

This, by the way, is yet another piece of evidence that Firefox (although it is a wonderful bit of software) is not a magic bullet of security. As it gets more popular, it will get attention from the people who make popups, spyware, and other annoyances. Anyone want to bet on how long it takes before the first piece of spyware gets installed through Firefox?

Update: I created a clean Firefox profile and the browser is correctly blocking popups again. This suggests that an extension (probably related to tabbed browsing) is to blame. Is the incredible popularity and utility of Firefox extensions a double-edged sword?

Finnie on Firefox

Scot Finnie writes a characteristically exhaustive review of Firefox. In general, he gives it a big thumbs-up, as I do. But he misses a few points – or more accurately, he’s missing a few extensions.

Scot says, “You can’t change the order of Firefox’s tabs. They appear in the order they’re created. The ability to reposition them using drag-and-drop is an obvious omission that Mozilla should rectify.” Already fixed: Get the miniT (drag+indicator) extension.

“You can’t leave tabs open when you close the browser and have them reappear automatically the next time you launch Firefox. … You can’t name and save sets of tabs to be reopened later.” You need the TabBrowser Extensions.

In fact, as Scot’s review points out, the wide availability of extensions is the greatest strength of Firefox. In its default configuration, it handles about 90% of my browsing needs, and extensions handle most of the rest. There are only a small number of specific instances where I need to use IE anymore (notably SharePoint sites).

The Great Software List

Zaine Ridling has posted a couple of interesting comments here recently. I followed the link on his name to The Great Software List and was astounded.

This page is provided so that you don’t have to spend weeks finding the perfect program. You can come here and confidently download software of the highest quality and not fear that you might waste money. You won’t go wrong choosing any of the programs on this list. And if you do find a great software program not listed here, maybe you’ll share your find with me and it might make the list.

This list is intelligent, cleanly designed, and just packed with great information. I already use several of the programs on this list and can attest to the thoroughness of Zaine’s reviews and the accuracy of the details he’s posted.

It’s earned a permanent place in my bookmarks list.

Which Windows utilities should you run?

In the comments on another post, longtime reader Ken asks a great question:

…I would love to get your thoughts on so-called “performance software” generally, such as utility suites (e.g. Systemworks, SystemSuite, System Mechanic, and the like), defraggers (such as Diskeeper and PerfectDisk), memory managers (e.g. Memokit, Cacheman), etc. — especially on Windows XP SP2. Ditto for “Internet Security” suites and third party firewalls. My opinion on all of this is that with the possible exception of defraggers and a good stand-alone anti-virus program, less is more and native Windows XP (especially after SP2) is more than good enough for most users (even better for experienced users who know what not to download from the Internet). Do you agree?

Great question. I’m a minimalist when it comes to utilities. (If it ain’t broke, don’t fix it.) So here’s a quick summary of each category in Ken’s list:

  • Utility suites. I don’t typically use them. I used to be a big fan of Norton Utilities, but I can’t think of the last time I needed to perform some maintenance task that couldn’t be done with a single-purpose tool. I especially distrust those that run at startup.
  • Defraggers. I use and recommend Diskeeper and have heard good things about PerfectDisk. I don’t obsess about fragmentation, though.
  • Memory managers. Snake oil, especially on Windows XP.
  • Internet security suites and third-party firewalls. I use Trend Micro’s PC-cillin Internet Security 2005 and have installed it on several clients’ systems with excellent results. In my opinion a knowledgeable user can get by with just antivirus software and the Windows Firewall added by Windows XP SP2. For unsophisticated users, a firewall or anti-spyware monitor that is too aggressive can cause as many problems as it solves.

When you add it all up, I think your summary closely matches my preferences. Less is more, indeed!

If you want to see a list of all the software I currently have installed on my everyday computer, see this page.

Shoebox or file cabinet?

Old joke: The world is divided into two kinds of people, those who divide the world into two groups and those who don’t.

Heh. Actually, I think the world is divided into people who file stuff neatly and those who throw everything into a shoebox. I’ve historically fallen into the latter category, but I’ve always felt a little guilty about it. Which is why I was eager to try a new program called ClearContext Inbox Manager. It’s an add-in for Microsoft Outlook that is supposed to automate the process of sorting and filing e-mail.

How does it work? Well, let’s just say that yesterday, my inbox was overflowing with 4500 messages. Today, it contains 29 messages, all of them related to a project I’m working on now.

ClearContext is easy to set up. Deceptively easy, in fact. I was convinced I had missed something, because installation and configuration were so simple. The program works by examining your Contacts folder and prioritizing your contacts. You answer a few questions to improve the automated process. Incoming messages get assigned a priority based on the sender, the recipient (messages addressed directly to you are more important than those where you’re a bcc), and your level of involvement in the thread. Based on the priority level, each message gets a color code.

Messages get assigned to topics, which map to folders in your mail folder. In about 15 minutes, I set up Auto-Assign rules to automatically categorize messages from mailing lists and frequent correspondents and then move them into folders.

When all was said and done, my inbox was slimmer, all remaining messages were sorted so that the most important ones were at the top of the list, and I was able to quickly delete almost a thousand unnecessary messages.

Thanks to a new toolbar in the Outlook window, I can assign a topic to a message with one click and file it in its folder with another click.

I had done some of this stuff with Outlook message rules, but the ClearContext Auto-Assign rules are much easier to create. Likewise, it’s possible to file messages into Outlook folders, but this add-in makes it much easier.

I’ve tried other add-ins that promise to do similar things, most notably Getting Things Done, which Marc Orchant raves about. But that program tried to force me into a new system, and I wasn’t comfortable with the adjustment.

ClearContext Inbox Manager doesn’t insist that I learn its way of working. Instead, it makes it easier for me to use Outlook the way I always have. You can try it out for 30 days, and if you like it, pay $29.95 to keep using it.

Now, if someone can just come up with a program to file this four-foot-high stack of paper on my desk…

Firefox momentum

Paul Thurrott writes about Firefox:

The browser wars are back, and this time it’s personal: Upstart Web browser maker Mozilla Foundation now expects its surging Firefox browser to command 10 percent of the Web browser market by the end of 2005. “I think we’ll get to 10 percent over the next year,” a Mozilla Foundation spokesperson told ZDNET this week. “We don’t have 10 percent of the Web at the moment, but we have the momentum.”

I guess the readers of this blog are ahead of the curve. Nearly 25% of my site traffic comes from Firefox.

In fact, I use Firefox as my primary browser. I don’t agree with Paul T. that IE is “bug-laden and insecure.” Firefox crashes about as often as IE6 on my machines, which is to say not very often. Thankfully, I don’t have to choose one or the other on the basis of stability. And SP2 has taken care of most of the security issues with IE.

I think Firefox is more usable, and I absolutely love the extensibility model, which lets anyone write an extension that can add a feature to the browser. Tabbed browsing? Love it. Support for Blogger? Great. An extension that lets me right-click a page or a link to open it in IE? That’s smart. See the whole list here.

A lot of people are painting this as a battle between evil, incompetent Microsoft and a bunch of upstart genius programmers. I see it a little differently. The Firefox team has built a better browser. It works well with Windows. And they’re doing a great job of listening to their customers and improving it. That makes me appreciate Windows as a platform even more.

If you haven’t tried Firefox yet, I recommend it. More info and download links here.

Software: the 7-day rule

Jeff Sandquist – Microsoft Evangelist has a great rule when it comes to new software:

I love to try out new software all the time, in fact it’s sort of an obsession. I’m always on the prowl for cool new applications. After seven days of use though if I’m not totally blown away or if it’s not improving my PC life, it’s straight to add/remove programs I go. (Please, have a good un-installer).

I actually go as far as to set a reminder in Outlook for seven days from the installation date. When that reminder goes off I either send the author a cheque for their great work (even if it’s a 30 day evaluation) or I remove the application from my system.

Read the whole post to learn what criteria Jeff uses to decide which software makes the cut.

Actually, I have a similar rule. I will not install a new program when I first hear about it, no matter how tempting it sounds. Instead, I wait at least two weeks, and during that time I check the software out. Any known problems? Any unfortunate interactions with other programs? Only after I satisfy myself that the program is safe and reliable do I allow myself to install it. You’d be amazed how many programs that sound irresistible at first turn out to be completely, um, resistible.

If more people took this skeptical approach to software, the Windows world would be a better place.