what i'd like to see from opera
I got blog tagged for Opera Watch's 5 things I'd like to see in Opera. Based on the title of that post, I think I'm supposed to write down 5 things that I'd like to see from Opera :-)
As many of you all know, I'm a big Opera fan and I've been contributing constructive criticism at this blog for several years. Many of my earlier suggestions are now reflected in the Opera browser, and I think that's great. In the continuing spirit of trying to improve the web experience for as many people as possible, here are 5 suggestions that I've put forward in the past but have yet to be acted upon by Opera Software.
- Automatic Software Update. As I said back in January, "there is no higher value we can offer to our users than to keep them safe on the web.... Opera Software should not ship another major release until they have a similar program in place." I'd be very curious to see what percentage of active Opera users are on the latest (and only secure) version. Firefox is able to update about 90% of its massive user base to the latest version in less than a week. Based on independent data, which our data corroborates, Firefox users are more up to date than users of any other web browser. The only way to achieve that kind of success is with an automatic software update system. Firefox does it. Safari does it. IE does it. There's really no excuse for Opera Software to continue to ship a browser without this important security feature.
- Full Disclosure of All Fixed Security Bugs. Opera Software should disclose all fixed security bugs with each release. They should inform their users with a full list of security issues, categorized and described in terms that both their users and technical experts can understand. This would give their users confidence that Opera takes security seriously and puts significant resources into finding and fixing security bugs. Not doing so, especially for public relations reasons, is completely disrespectful to users and leaves everyone wondering if Opera takes security seriously. (Is it possible that Opera heeded my earlier calls and is now doing this? The Opera 9.22 logs are the first I've seen that mention fixed security issues not crediting some third party? Does this mean they're now disclosing internally discovered and fixed flaws? If so, they are to be applauded. If anyone from Opera Software could comment as to whether all fixed flaws are now disclosed and not just the ones found by third parties who compel disclosure, that would be excellent.)
- A "like Gecko" User Agent. Opera spent much of the last decade pretending to be Internet Explorer and attempting to support broken and non-standard IE code. Chasing IE was a bad idea, especially when Opera is much closer to Safari and Firefox in its rendering capabilities. Today, Opera identifies as Opera, but many sites are only sniffing for IE or Firefox, leading many Opera users to be locked out of services or handed the IE code they are unable to process. A much better approach for Opera would be to follow Safari's lead and add a "like Gecko" to their user agent string. This would mean that when sites are making the decision to hand Opera the Firefox (standards) version of their page, or the IE (broken) version of their page, they'd go with the Firefox version. This would also eliminate a lot of the need for end users to understand and use Opera's user-agent spoofing features because Opera would get more correct code more of the time.
- Be a Team Player. Opera Software should commit publicly to not targeting Firefox users and instead spend their marketing and advertising resources going after IE users. It is in the best interests of the web that standards compliant browsers (and WHATWG participating organizations) work together to move the world away from IE 6 and the fractured web development landscape that IE 6 perpetuates. Both Opera and Safari have, in the not too distant past, made it clear that they were targeting Firefox users. Targeting Firefox users with paid advertising and other methods does not forward our shared goals and makes cooperation between us, "the good guys," more difficult than it has to be.
- Interface Tweaks and Feature Additions for New Users. There are a few obvious and very easy to accomplish things that Opera could do to improve the new user experience. First, Opera should move the tab strip below the address bar like all of the other browsers. In this case, consistency and comfort for the new user is more important than whether or not one considers that the "best" location. Second, most users of the mainstream browsers, IE and Firefox, are accustomed to having a status bar visible by default. In order to make new users feel comfortable, Opera should follow IE and Firefox's lead on this too. These configuration changes are no-brainers, and Opera has done quite a bit already (which I've praised them for) to make the Opera browsing experience a lot more like Firefox. Let's hope they continue. A bit more difficult, but very important, is automatic profile migration. Opera, on first run, should import all settings from the user's default browser. This means bringing in favorites/bookmarks, cookies, form data, credentials, history -- everything. Users moving to Opera will experience massive frustration and return to their previous browser the first time they cannot remember some address, login or password. It's a non-trivial engineering task, but one I'm sure Opera developers could manage.
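The browser sniffing behind the "like Gecko" suggestion above can be made concrete with a short added example (not code from the original post or from any real site). The two sniffer functions are assumed styles of site-side detection, the User-Agent strings are constructed samples, and the Opera string carrying "like Gecko" is hypothetical.

```javascript
// Added illustration: two assumed sniffing styles run over constructed
// User-Agent strings. Only the tokens matter here, not the exact versions.
const SAMPLES = {
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
  firefox2: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5",
  safari: "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/419.3 (KHTML, like Gecko) Safari/419.3",
  operaDefault: "Opera/9.22 (Windows NT 5.1; U; en)",
  // Hypothetical: what an Opera string with the suggested token might look like.
  operaLikeGecko: "Opera/9.22 (Windows NT 5.1; U; en) (like Gecko)",
};

// Style A (assumed): "IE or Gecko" sniffer. Anything it does not recognise
// falls through to the IE-specific page.
function sniffGeckoToken(ua) {
  if (/MSIE/.test(ua)) return "ie-page";
  if (/Gecko/.test(ua)) return "standards-page";
  return "ie-page";
}

// Style B (assumed): keys on the product token "Firefox/" and turns away
// every browser it does not know.
function sniffFirefoxToken(ua) {
  if (/MSIE/.test(ua)) return "ie-page";
  if (/Firefox\//.test(ua)) return "standards-page";
  return "blocked";
}

// Run every sample through both sniffers.
function compare(samples) {
  const rows = {};
  for (const [name, ua] of Object.entries(samples)) {
    rows[name] = {
      geckoToken: sniffGeckoToken(ua),
      firefoxToken: sniffFirefoxToken(ua),
    };
  }
  return rows;
}

// Which sniffer styles treat Opera differently once "like Gecko" is added?
function changedByLikeGecko(rows) {
  return Object.keys(rows.operaDefault).filter(
    (style) => rows.operaDefault[style] !== rows.operaLikeGecko[style]
  );
}

const rows = compare(SAMPLES);
console.log(JSON.stringify(rows, null, 2));
console.log("styles affected by the extra token:", changedByLikeGecko(rows));
```

The extra token changes the outcome only for sites that test for the string "Gecko"; a site that tests for "Firefox/" treats both Opera strings, and Safari, the same way.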
So those are 5 things I'd like to see from Opera. I think how this game of tag is supposed to work is that I pass this question to five other people. I don't know five Opera users, or even five people that would be interested (and who haven't already chimed in,) so I'll just leave it up to any of my readers who are interested to pick up the baton and run with it. If you do, please trackback this entry or leave a URL in the comments.
reactions, thoughts, comments, etc.
Your point 3 is useless. Most sites are sniffing for 'Firefox' specifically, not Gecko. This causes numerous problems for many browsers that use the Gecko rendering engine but are not 'Firefox'. See bug 334967, the Camino bug 384721, and bug 385999.
(and I am not so happy about having Camino now include (like Firefox) in the UA string, although I understand that decision -- I removed it in my own build).
And as far as Safari is concerned, it doesn't help them much to have that 'like Gecko' in the UA string.
As for your point one, Opera just notified me that an update was available (it has done that for quite a few versions).
Posted by: Philippe | July 20, 2007 7:02 PM
Philippe, got any data to back up your claim that "most sites" are sniffing for Firefox and not Gecko? The list in the bug you referenced doesn't look like "most" or even "many" sites to me.
As for update notification, that's not enough and it's not what I said Opera needs. Automatic _updates_, like Firefox, IE, and Safari all have is what I'm calling on Opera to implement. Notifications are a half-way measure and not nearly sufficient for keeping most users safe.
- A
Posted by: Asa Dotzler | July 20, 2007 7:11 PM
I agree with 1 and 2 (who wouldn't?), 3 is a bit hmmmm mostly because in my experience most sites actively sniff out Opera first and send it crappy code. The typical Opera browser sniffing revolves around old JS code - I still regularly see six+ year-old code that simply needs to be updated. Playing around with UA strings won't help there.
4. I've never seen Opera Software target Firefox users. What little I've seen has them targeting all users in general, especially in the mobile area where they're strongest.
5. While there are a few things Opera can tweak, moving the tab bar is not one of them. That suggestion just reveals the typical "browser only" focus found outside Opera. Opera is not "just a browser" and never has been. In a multi-function suite, a toolbar arrangement that is good for browser-only applications would be a very poor UI decision indeed. In fact, Opera's toolbar arrangement is suitable for browser-only apps as well as suites, so I'd much rather see Firefox, Safari, IE, etc follow Opera. I'm not holding my breath, though.
Posted by: Andrew Gregory | July 20, 2007 8:19 PM
Does Opera really not disclose all of their security fixes? This is news to me. Opera always lists fixed security issues in the changelogs with full advisory pages for non-trivial or non-enhancement ones, and it doesn't hint that there were any other issues fixed. Security research groups like Secunia would list unfixed vulnerabilities they discovered after a certain period of time whether Opera acknowledges them or not.
Posted by: David Hammond | July 20, 2007 9:09 PM
David, until this latest release, Opera has disclosed no vulnerabilities that were not attributed to 3rd parties. So, the assumption has been that they either don't report vulnerabilities that they discover internally or they're not finding any vulnerabilities internally. Not finding any internally was not a very generous thing to assume since it basically would mean that their QA and developer teams were incompetent. It was much more charitable to believe that they simply chose not to disclose when they weren't forced to by the 3rd parties finding bugs.
- A
Posted by: Asa Dotzler | July 20, 2007 9:47 PM
Andrew,
There have actually been quite a few very vocal Opera users and fans who adamantly disagreed with my earlier calls for 1 and 2.
Most sites don't sniff for Opera at all. They sniff for Firefox/Gecko and use that to decide whether to hand the browser Gecko or IE code. A few sites explicitly sniff Opera in order to block it completely but that's actually pretty rare.
Opera has actively targeted Firefox users with Google Adwords campaigns and custom landing pages that keyed on users searching explicitly for "firefox".
I'd argue that the suite nature of Opera is actually one of the major problems with the Opera browser. In the early days, when all of the other suite components had their menu items and toolbar items exposed in the primary interface by default, Opera was almost unusable. I made this criticism early and often and Opera eventually changed to hide almost all of the non-browser menu and toolbar items. What's left, as you correctly point out, the odd tab strip placement, is simply more residue of the Suite and adds to the discomfort for new users. The suite nature of Opera is a negative, not a positive.
- A
Posted by: Asa Dotzler | July 20, 2007 9:56 PM
Asa,
I agree with you on number 1. Although there are many Opera users who are on the most current version, because like Firefox, Opera prompts the user when there is a new version available. There's the option to not update, like in Firefox, because some people don't like upgrading software, or feel that older versions have something to offer that newer versions don't. Because of that, there are a couple Opera users using 6.x and 8.x. However, there's also Firefox users using 1.0.x and 1.5.x. Nevertheless, it would make it quicker to download updates. With the Firefox installer, if some of the Firefox files get corrupted, will the automatic software update repair the corrupted files, or does the user need to do a fresh install?
On number 2, Opera is already known for its security and high priority of its users' safety. That is evident by their Secunia record. When push comes to shove, I'd rather have my browser have all the security holes fixed than know what security holes are unfixed. I don't think it's a necessary step for Opera. Nevertheless, if Opera felt like it wanted to release its fixed security holes, I would support them.
On number 3, having a really long, non-sensical useragent string really pisses me off. Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0). If you are suggesting Opera change its useragent string to "Mozilla/4.0 (compatible; Opera 9.22; Windows NT 5.1)", then you are completely nuts. That makes useragent parsing too difficult. Opera already offers the user to identify and mask as Firefox. I don't know what you want Opera to do. Do you just want your stats for Firefox to be inflated by poor parsing scripts?
I understand your reason for number 4--it's self-preservation. But keep in mind that competition among everybody ultimately makes every browser the best. IE's not going to improve very quickly, so as far as innovation goes, it would be in Opera's best interest to compete with other browsers that are capable of competing back. Opera already focuses its advertising energy on "opening the web" and "open web standards". As far as that goes, it's attacking IE, not Firefox. In addition, research would need to be done to see whether making this useragent string change would help sites render better. Opera's ultimate goal is to have an open web that doesn't care what web browser is accessing the site. If Opera's ultimate goal was achieved, there would be no need to spoof its useragent to be "like Gecko". Opera wants to be like Firefox--well known enough that it doesn't need to say "like IE" in order to be allowed entry to websites. Firefox didn't have to say "like IE", so why should Opera?
On number 5, I disagree. IE7 is inconsistent with the rest of the operating system by having the address bar above the "File, Edit, View..." menu. That just doesn't make sense. Firefox has the address bar in a different location, and Opera has it in yet a different location. There really is no "standard placement" for the address bar. Furthermore, Opera's address bar is located in the most logical place, because the address is specific to each tab; the address is not global regardless of what tab is selected. Thus, Opera's placement most logically reflects what a filing cabinet folder would look like, with the address being the first item below the name of the folder. Because it is logically placed, new users to tabbed browsing who are familiar with filing cabinets will have the easiest time understanding Opera's setup. As far as importing cookies and browsing history--because Opera is a different application, and people may want to use two browsers simultaneously for different purposes, it might not be the best thing to import settings from other browsers. However, it might be nice to have that functionality built in, and allow the user upon installation of Opera, to be given a list of checkboxes asking them if they wish to import favorites/bookmarks, cookies, form data, credentials, and/or history into Opera. Importing everything from other browsers is cluttery for people wanting a fresh start with an application--Opera doesn't need to be cluttered with 3-year-old tracking cookies from moments it's installed. Importing user data from other browsers should not be a default action.
Overall, your criticism was constructive, and I do understand and partially agree with you on your feature requests.
Posted by: IceArdor | July 21, 2007 12:42 AM
Posted by: Dao | July 21, 2007 2:14 AM
I agree with point 1 a bit, it's probably the most necessary feature for Opera to have. It saves time for the user, and the server hosting the patch files. It'll take less time to update than using a full install.
Point 2, well from what I've looked at the changelogs, Opera mostly mentions every security issue there is that is fixed. I believe that security issues are better fixed than mentioned. Meaning that Opera really doesn't need to speak from the rooftops that its issues are fixed. However Firefox aren't really better at mentioning the security issues, reason being? They are listed on a separate page, whereas Opera's changelogs puts them on one page which is easier to find.
I don't think Point 3 will make Opera any the more recognisable by websites, Opera already has a "Mask as Firefox", and it seems all this request is probably to inflate "Gecko" stats on websites.
Point 4, well IMO I don't think Opera are really out to target firefox users, if they were, I'd think they'd offer more options that relate to specific firefox behaviours. The main things Opera has got an idea from Firefox is an about:config and a better inbuilt source viewer/editor.
Point 5, well if Opera allowed rearranging of toolbars (aka drag and drop) then I'd think this would be a better option than flipping the toolbars by default altogether, it would be difficult to be able to keep the address bar above the tabs AND make sure it's visible when the tab is restored. It'd be nice though to import data from other browsers, however this probably would be a difficult job, especially if the retrospective browser developer doesn't help with how to parse the files in the first place.
Posted by: Simon Houston | July 21, 2007 3:46 AM
I think we can all agree with #1, notifications are absolutely not enough to get people over to new builds nearly fast enough.
#2 — I'm very happy to have a browser that takes quickly fixing security issues seriously; which Opera most certainly does. With disclosure, where do you draw the line in engineering terms; Opera is very strict in its security policies by design (which irks lots of panel/bookmarklet/config tweakers!). Should each preventative design decision be catalogued, because many things are 'potentially' exploitable?
#3 — actually Opera has been spoofing as either Netscape/Gecko/Firefox or IE for years. They are most certainly platform agnostic when trying to get a site which blocks it fixed. IE has been the dominant discriminatory platform after the destruction of the opposition in the browser wars. It follows that more of Opera's fixes have traditionally been for IE-based proprietary sites, as IE was more aggressive in trying to fence off the web for itself. But just open up Opera's site-specific preferences and see Opera can be *both* Firefox or IE. With Opera's site overrides and browser javascript system, Opera always tries to spoof as Firefox first and only as IE when it is the only way to fix the site. So your wish is already fulfilled…
#5 — The status bar will return in Kestrel (and I will turn it off, unless they're doing something better than other browsers). Disagree with the tab bar position, but then I prefer ergonomics over being a populist platform. The thing lots of Opera users have asked for, is because Opera is flexible UI wise, it would be trivial to have config sets for migrating-from-browser-X setups to make people quickly at home while still maintaining an ideal layout for those who want it. Opera can clone IE or Firefox menus / buttons / key bindings pretty closely, and this may be an option for solving migrating-users cognitive dissonance. I still find it disappointing that many users can't adapt to better user interfaces, that they stick to old and ineffective comfort blankets — a problem all interface designers face. This is holding back great new design, as Firefox found with its cool Places (it is not easy to design something radical that doesn't make people say, “but where is button X?”)
Posted by: non-troppo | July 21, 2007 4:01 AM
The three things I'm missing from Opera are:
1. Be open source
2. Automatic updates
3. When I type a word or phrase into the location bar, “do the right thing” like Firefox, rather than complaining that the address is not valid.
Posted by: Greg K Nicholson | July 21, 2007 5:36 AM
OT:
Asa, the server sends ISO-8859-1 as the encoding of this page, but at least the comments seem to be encoded in utf-8 (quotation marks in the above 2 postings are displayed incorrectly with iso-8859-1 but correctly when manually choosing utf-8 in the browser). Maybe you can fix that.
Posted by: Janne | July 21, 2007 6:03 AM
Regarding point 5:
"Why do you think it makes sense for Opera to have the address bar below the tabs instead of above?"
Yenny: "Because the address bar belongs to the specific tab so it makes more sense to have it there."
(from an interview with Opera usability/QA staff)
Perfectly said. I agree with the earlier point made by IceArdor that there isn't really a "standard" for address bar placement... and really, why would you want to standardize that?
Posted by: Eddie | July 21, 2007 7:09 AM
non-troppo-
FYI- "I prefer ergonomics over being a populist platform." -I'm going to quote that liberally throughout the forums and blogs on this great internet. Just like to give a pre-emptive thanks for giving me that.
Posted by: Eddie | July 21, 2007 7:12 AM
#2
Opera already informs about the vulnerabilities and bugs repaired in the changelogs. what opera yes could do is open its bugtracking system for better monitoring of bugs.
Opera yes take seriously the security of its products by the sake of its users and the facts demonstrate this. what you say, Asa, it is only your opinion not the reality. or perhaps Mozilla warns PUBLICLY ABOUT ALL (ABSOLUTELY ALL) the vulnerabilities and bugs of its products even the not repaired or corrected ones? Can you affirm this??????????.
#3
This only would serve for inflating statics for Firefox and gecko browsers, Opera would not gain anything doing it.
The sites must know what Opera exists for that webmasters also coding their pages for Opera and not only for IE or Firefox.
#4
Before of asking to Opera being team player with Firefox (though now yes Opera does with WHATWG and others groups) why then much firefox users advert in their pages about firefox to Opera users? why almost none recommend Opera as secondary alternative for browser?. Its not wrong that Opera and their users adverts to all users of other browser as Internet Explorer and Firefox because they are their competence.
Besides the rise of Firefox: has not meant any gain of market share in fact Opera lost market share with the popularity of Firefox, either has served for avoiding the discrimination and blockade of Opera in many pages.
#5
There is no standard nor guidelines about the location of address bar and tab bar, IE7 and Firefox have it in different places. Then which is the standard one? Firefox? IE7?.
Posted by: yuiole | July 21, 2007 7:13 AM
IceArdor,
Opera does users a major disservice by making it easy for them to not install the latest (and only secure) version. There are plenty of Opera users on older versions like Opera 7 and 8 and those versions are not secure. Plain and simple, those users are critically at risk for being hacked. Firefox maintains the previous version of the software for at least 6 months after the new version ships. That means fixing security bugs so users on 1.5.0.x are safe and don't need to move to Firefox 2 until 1.5.0.x is no longer getting security fixes. Opera does not maintain any old version with security fixes so users on old versions are going to be hacked if they don't move forward. This is not just about usability, it's about security. If Opera publishes the number of users on each version, and there are near zero numbers for all older versions of Opera, then this would not be an issue but there aren't going to be near zero numbers for Opera 8 and older versions of Opera 9.x. I see plenty of them in my logs here.
The Secunia "record" is misleading precisely because Opera has not traditionally disclosed all fixed security issues.
On user agents, adding a "like Gecko" would in no way affect stats. All stats packages are smart enough to differentiate. It would help Opera users, plain and simple, and there's no good reason not to add a "like gecko" to opera's default UA. Opera simply isn't well known like Firefox to have most sites taking specific measures to accommodate it.
IE 7 is not the browser to compare to when worrying about getting IE users comfortable with Opera. IE 7 is still a minority browser and one of the reasons is that it's uncomfortable for users to migrate to. The change in the menu bar location was one of the most hated "new" features of IE 7. Opera Software should worry about making Opera comfortable to the majority of users out there on each platform. For windows, that's IE6 and Firefox which both have their address bar and tab strip in the same place. For Mac, that's Firefox and Safari which both have their address bar and tab strip in the same place. On Linux it's Firefox which has its address bar and tab strip the same as the Mac and Windows version.
As for migration, sure people might use two browsers. That's even more reason to improve migration. Perhaps Opera, which is likely more often a "second" browser than IE or Firefox, should not just do migration, but should do active sync for all of those data stores. That way any time a user fires up their second browser (Opera) it will be in sync with their primary browser. I think you seriously underestimate the value of making the transition easy.
- A
Posted by: Asa Dotzler | July 21, 2007 8:16 AM
Simon, automatic updates is not just about making it more usable. It's about security and the window of vulnerability for Opera users. Users should be pushed hard to move to the latest (and only secure) version of Opera. With Firefox, we maintain security on the previous version of Firefox for some time so it's not as critical that we push users hard to move from, say 1.5.0.x to 2.0.x, but Opera doesn't maintain any older releases. Also, as soon as Opera releases any new version with a security update, the bad guys can start crafting attacks for the old version. The number of days it takes Opera to move its users to the latest version is a critical measure of how secure Opera users are. That number will never be good unless Opera Software builds an automatic update system.
On disclosure, Opera has historically _not_ mentioned every security issue fixed. They have never before mentioned any fixed issues that they discovered internally. They only mentioned issues they were forced to because the flaw was discovered by a third party security researcher. They've even failed to note the fixing of critical security bugs at all in a release note so that users had no idea the release was important to their security. Combined with no automatic update system, users were left with the impression they were safe even without getting the new version. That's a huge disservice to users, bordering on negligence.
On user agents, anything that requires user intervention, like the UA switcher is already a failure condition. Adding "like Gecko" would very likely help on many sites and not require any user action, making for a better user experience for all Opera users. This constant drumbeat of concerns over stats from Opera users is just silly. All site stats packages can pick out what browser is visiting much better than you think. Adding a "like Gecko" would in no way diminish Opera stats. Safari does it and it doesn't hurt them a bit.
If you don't believe that Opera actively targets Firefox users, you missed their campaign that took out advertisements on Google for people that were searching for the word "firefox" and directed them to a custom landing page at Opera designed to convince Firefox users to move over to Opera. They have and probably are actively targeting Firefox users. Firefox has never done that to Opera and shouldn't. We have a shared goal of moving people away from IE 6 and that's what we should be doing, not trying to steal each other's users.
On migrating other browser data, Firefox didn't get any help from IE or Safari. They actually didn't have APIs for large pieces of it like passwords on Windows or even "default browser status" on Mac. We had to reverse engineer all of that and it was worth it. Fortunately for Opera, our code is open source so they wouldn't even have to do the reverse engineering, they could see exactly how we did it and emulate that in their own code. Being Open Source is good for the industry, isn't it :-)
- A
Posted by: Asa Dotzler | July 21, 2007 8:34 AM
non-troppo,
Yes, Opera should disclose all existing and potential security vulnerabilities, including design changes, with each new release. It would be good for the browser industry as a whole, allowing other vendors to share the work Opera did and address similar issues in their own products (other browser vendors watch what Mozilla fixes and make those same kinds of fixes to their product where it makes sense) and it would give users confidence that Opera is actually finding and fixing more than just those bugs they're forced to fix because third parties threaten public disclosure if they don't.
- A
Posted by: Asa Dotzler | July 21, 2007 8:39 AM
yuiole, you are simply wrong. Opera has not traditionally disclosed even _fixed_ security bugs that they find internally. They only disclosed what they were forced to by third-party security researchers. Firefox has always disclosed all _fixed_ security bugs with every single release. I never said that anyone should disclose unfixed security bugs. I said _all_ fixed security bugs.
On the user agent, you all really don't understand how site statistics packages work. They're _all_ smart enough to identify Opera correctly unless you actively spoof a completely different user agent. Adding an additional flag to the user agent would help with browser sniffer scripts and would not hurt with site statistics packages. Those are two very different things that many Opera users seem to get confused about a lot.
Opera Software used web advertising to explicitly target Firefox users. I'm not talking about bloggers saying which they think is better. I'm asking for Opera Software, the company, to commit to not targeting Firefox users.
As for interface design, did you read what I wrote? I'm not claiming that any location for a toolbar is better or worse or which is "standard". I'm saying that _consistency_ is important for new users. Opera can continue to ignore that on key UI components but it will hurt user adoption. It's their call. So far, they've taken many of the suggestions I've made to increase consistency with Firefox and IE to ease new user transitions, but they are certainly free to ignore this advice. It would be foolish, but they're free to do it.
- A
Posted by: Asa Dotzler | July 21, 2007 8:47 AM
A temporary solution could be to use Appupdater to track Opera releases. It can keep programs up to date in a home or corporate environment on Windows. It's like apt-get for Windows or Windows Update for all the random apps on your computer. http://www.nabber.org/projects/appupdater/
Posted by: Ant Bryan | July 21, 2007 10:03 AM
#1: Right. Too much blabla but still right.
#2: If Opera suddenly gets tons of users (and change their updating system), yeah, otherwise I think secrecy makes some part of the security.
I agree that the BTS should be more open, though.
#3: Like others mentioned, Opera can spoof IE/FF. That's enough. I seriously hate overly overly overly long UA strings like IE/FF have. It's also stupid to include platform information but that's another thing entirely... And a "like Gecko" actually is misleading, because it's NOT like Gecko.
#4: Opera has been making a lot of landing pages; I don't believe there's one specifically designed for FF-conversion... and what can *Opera* do to make *Google* say things when users type in "Firefox", Google's one and only and favourite browser? If anyone's to blame, then it's Google. Do you really think when Opera's influence on Google isn't even enough to stop Google from discriminating Opera and its users, do you think Opera had such an influence on Google as to target Firefox? No way in hell I believe this.
#5: I think you've got stuff wrong there. Imho, Opera is not a very likely "second browser". Almost every Opera user also has either FF or IE as secondary browser (or both), while I haven't heard of any notable amount of people using Opera as a secondary browser. It's FF I'd like to be in sync, thanks for giving me the idea, I might file this as a feature request at bugzilla.
Btw. if you like Opera to be in sync with the stuff it already imports, "File->Import and Export" every time you think you need an update.
I can see that people will want a status bar... but maybe not. Safari doesn't have one, and I haven't seen anyone driven away by it. I don't even know how to enable it there! No idea where I'm going, prone to phishing. Opera provides tooltips by default. Another concern is: "How to get people to try (address) tooltips if nobody tries them?". But well, I can see that the whole situation isn't entirely clear, I don't think either the status bar nor tooltips are the perfect solution as they are.
And about the tab bar placement, come on, don't make yourself ridiculous. If you *really* can't stand it, change it, because you can. I can't understand it, though. I can work with both, except when the personal bar and developer bar are *between* tab bar and address bar, not above or below it. But, seriously, look at other TDI/MDI applications and you see that Opera follows their convention and logic. It's confusing for someone familiar with those applications to use e.g. IE6. Oh, but wait, IE6 doesn't HAVE tabs. Kinda leaves FF to worry about...
Ok, I think it's great you took the challenge, but you lose points for "from" where "in" was concerned, you kinda diverged there a bit. I guess all constructive criticism of the PRODUCT will be considered with everyone else's opinions on the matter. So thank you for your input. Have a nice day.
Posted by: Grey | July 21, 2007 10:33 AM
Grey,
I'm not sure why you can muster something as strong as "hate" for something that users should never have to interact with. User agent strings are there for machines. Why should the UA not be used to maximize compatibility?
You apparently don't understand how Google Adwords work. Opera Software purchased ads with the "firefox" keyword and bid their ads up high enough on that keyword that they were displayed to users searching Google for Firefox. The ad that Opera placed directed those users to a Firefox-specific landing page, linked to from nowhere else at Opera's website, that had messaging specifically targeting Firefox users (and some other nifty bits like a banner that claimed 100 million Opera downloads, something they acknowledged was wrong and removed.) Your understanding of this advertising mechanism is clearly lacking and your "belief" that Opera hasn't targeted Firefox users with Opera Software purchased advertising on Google is simply wrong.
On profile migration, importing or even keeping in sync bookmarks is far from sufficient. Where is password migration? Where is history migration? Where is cookies migration? Without real migration, new Opera users have a much more difficult time adjusting to their new browser. Denying that is just silly. If Opera would rather go your route, and defend the current, insufficient, behavior, rather than improving it, Opera can continue to lose those new users before they even have a chance to learn the ways Opera might benefit them.
On toolbar locations, you're missing the point, like so many Opera users. Most people do not customize their software. Many people have been using the web for a decade now and are comfortable with the configuration, the look and feel, and the accrued data for the applications they're using. Giving them something different means less conversion. If that's OK for you and for Opera Software, so be it. But to argue that somehow the current strategy of being very different and confusing to new users is a winning strategy confounds me.
- A
Posted by: Asa Dotzler | July 21, 2007 11:00 AM
I think everyone should put *less* in the useragent string by default, not more.
I'm not saying the option to change it should be removed, but most browsers already send far too much redundant junk in the UA.
In fact I'd go as far as to say Opera are doing a good thing by refusing to shove "Mozilla/5.0" in it like everyone else. They've still got room for improvement though.
Posted by: ant | July 21, 2007 11:03 AM
IE6 HAS NO TABS, then how will the users of this browser (majority of users of browser) feel more comfortable if not even tried and know them???????
perhaps you are speaking of firefox users migrating to Opera :D :D :D
Opera REPAIRS ALL THE BUGS AND VULNERABILITIES even those not found by third parties. Why do you affirm this without any foundation or basis, only speculation?????
Posted by: yuiole | July 21, 2007 11:10 AM
ant, why do you care what's in the UA as long as websites can correctly sniff to determine as close as possible what the browser's capabilities are. Sites are already sniffing for IE and Gecko and Opera is a lot more like Gecko than IE. Given their minuscule market share, it's unlikely that every site out there is going to sniff for Opera any time soon. Opera should want to receive the Firefox version of the site more than the IE version, by default, without user interaction because that is the version of the site that's going to best work for the Opera user. That is, unless it's more important to keep "clean" some unknown mumbo-jumbo words that most users will never see than it is to give most users an improved browsing experience.
Posted by: Asa Dotzler | July 21, 2007 11:25 AM
yuiole, Opera may repair all bugs and vulnerabilities, including those found internally, but it has been their policy to not disclose any internally discovered flaws when they ship a new version. I've never claimed that they don't find and fix bugs internally. I very directly asked the Opera Desktop team (and Daniel Goldman) to affirm that they do find and fix bugs internally but just don't disclose them and their refusal or inability to answer was sufficient confirmation for me. I independently verified this by examining every publicly disclosed vulnerability that Opera lists and not one of them until 9.22 was attributed to an Opera engineer. The only reasonable conclusions based on that information are that a) Opera Software is incapable of or unwilling to find security flaws in their own software, or b) Opera Software had a policy of not disclosing internally discovered and fixed vulnerabilities. The second conclusion is the more charitable one and I'm happy to continue believing that until Opera makes a change.
- A
Posted by: Asa Dotzler | July 21, 2007 11:33 AM
To search firefox in the main google page I don't see Opera's advertising links:
Google's United Kingdom
http://aycu29.webshots.com/image/23308/2000850993142542972_rs.jpg
Google.com (International)
http://aycu27.webshots.com/image/19866/2000888781818347280_rs.jpg
Google's Canada
http://aycu32.webshots.com/image/24031/2000847941407530888_rs.jpg
Google's Ecuador (my country)
http://aycu10.webshots.com/image/23609/2000883526853238549_rs.jpg
In other pages I don't know yes it shows or no, but in google there is no links of Opera
Posted by: yuiole | July 21, 2007 11:40 AM
Opera yes reports about bugs and flaws found internally. I don't think all bugs reported come from third parties.
Posted by: yuiolle | July 21, 2007 11:46 AM
yuiolle, the ad campaign is not running now. I didn't claim it was. I called on Opera to commit to not doing it because they have done it in the past.
Posted by: Asa Dotzler | July 21, 2007 11:48 AM
yuiolle, please look at all previous to 9.22 Opera release notes and provide links to security bugs that are attributed to Opera engineers (or are simply not attributed to third-party security researchers.) If they have in the past, I couldn't find them and I don't think you will be able to either.
If they are disclosing all fixed bugs now, I applaud them and they have clearly taken my concerns to heart after I communicated to the Desktop Team and to Daniel Goldman the importance of disclosing this information on _fixed_ bugs.
- A
Posted by: Asa Dotzler | July 21, 2007 11:51 AM
Asa,
I think it's easy to upgrade Opera to the latest version. Some people stay on Opera 7 and Opera 8 by _choice_, just like some people using Firefox stay on Firefox 1.0.x and 1.5.x by choice. At 4.7 MB, it really doesn't take very much time to download all of Opera--and by having the full installer, it ensures that corrupted files are replaced. I see plenty of users on older versions of Firefox--I don't understand how Firefox's update system makes it more secure. If a Firefox user wants to update, they'll update, and they're prompted to update. Opera does exactly the same. The only difference is that Opera's update file is a meg or two larger. On 56k, that's less than 6 minutes--the user can continue to browse while they're waiting for the download file. Fortunately, most users are browsing on faster than 56k. I'm on 5Mb/s, so it takes just several seconds to download the update. My friend had Firefox on his computer, and he regularly used it. But in the upper right-hand corner, it had the red update symbol. There's plenty of Firefox users on old versions. Internet Explorer's update system is WAY more complicated than Opera's or Firefox's, btw.
I'm pretty sure Opera has fixed each security hole they've known about. Either way, you have no leverage against Opera on the Secunia record until Firefox also has a 100% fix rate.
Lots of user agent sniffers are stupid. If you make a really simple user agent sniffer to find "Firefox" or "Internet Explorer" or "IE", but you also have Opera in the code--and say the coder doesn't know about Opera, then they'll say that you're using "IE" or "Firefox". There ARE tons of crappy scripts on the web. Traditionally, detecting the browser from the navigator.userAgent string has posed problems, as the useragent can be different from version to version and platform to platform for just one product. "All stats packages are smart enough to differentiate." It's very ignorant of you to say that all user agent sniffers are 100% accurate at prediction. I'm not entirely convinced that "like gecko" would help Opera--I want to see some actual data on that before I'm convinced. You operate on too much speculation and assumption. On user agents, adding a "like Gecko" would in no way affect stats.
"For windows, that's IE6 and Firefox which both have their address bar and tab strip in the same place." IE6 doesn't have tabs, last time I checked. :) Even if other browsers have it in that location, anyways, it doesn't make it the correct place. Why should Opera break their browser just because everyone else is doing it. Traditionally, Opera has been one to prefer to stick out rather than implement something that doesn't make sense or is incorrect. Perhaps Firefox and Safari should relocate their address bar.
I don't think you understood me about data migration. Some people use different browsers for different tasks. Some people might visit forums and browse the web using Firefox and pay bills using Opera. Does it make sense to clutter Opera up with bookmarks and cookies for the forums, when it's only being used to pay bills. Does it make sense to add cookies from a bank to Firefox--especially if Firefox has a security vulnerability that could allow a hacker to steal your bank info from those cookies. By syncing your cookies onto multiple browsers, you've got to make sure that every browser is up to date, and you better hope that any one vendor slacks off in releasing an update.
Posted by: IceArdor | July 21, 2007 11:59 AM
Why do you assume an event that still doesn't happen?
Why do you speculate of this way?
Why don't shows facts that confirm your affirmation?
Posted by: yuiole | July 21, 2007 12:00 PM
IceArdor, it is a dangerous choice to stay on older versions of Opera since Opera Software does not maintain security updates for older versions. Firefox does maintain security updates for older versions and when Mozilla stops maintaining those older versions, we use our automatic update system to move users forward to the versions we do secure. Opera leaves many of its users insecure by not maintaining older versions and not giving them a simple mechanism to move forward to their only secure version (the newest version.) Your suggestion that the full installer and all of the user interaction required there is good in the case of corrupted files. That's another cop-out. In the case of corrupted files, Firefox can clean those up or replace them completely. We offer tiny (hundreds of KB, not thousands) updates that don't require any user interaction and that keeps our users more secure than any other browser. Your friend was on Firefox 1 which did not have automatic updates like Firefox 1.5 and 2 have. That was the old "notification" system like what Opera has and it's just ineffective. There are virtually no users left on 1.0, though, and all users on 1.5 and 2 get automatically (no user interaction required) updated for security and stability. Until you've actually investigated and understand the mechanisms available in Firefox and IE (both orders of magnitude more effective and easy to use than Opera's) I'd encourage you to stay away from making claims that aren't supportable.
The leverage I have on the Secunia report is that Opera doesn't disclose what they've fixed (that they found internally) so they have a dramatically artificially low number of documented vulnerabilities at Secunia. That makes Secunia and any other measures of bug counts an apples to oranges comparison. When Opera discloses what Firefox discloses, then we can compare results. Until then, it's a bogus measure.
You're confusing stats packages and UA sniff scripts in web pages. All stats packages that are used with any consistency can identify browsers accurately. That's not the same as saying all website sniff scripts can identify browsers accurately. You're confusing two very different tools here.
Opera can continue to go its own way on UI and they can also continue to have sub 1% marketshare globally. That would be a shame though, both for the health of the web and for people looking for an alternative to their default browsers.
You're right, vendors absolutely need to not slack off on releasing (and actually getting users to update) security fixes. See my point #1 about automatic security updates. You're wrong, however, to assume that most people use two browsers regularly. Most people, and aren't those the ones that you'd want to attract, use one browser. If they leave IE and go to Opera or Firefox, Opera or Firefox should have all of their settings. They may go back to IE occasionally for a site that doesn't work in their new browser, but that's fine. No one (or rather, no substantial number of people) will use an alternative browser like Opera just occasionally. That's not the use case Opera should be optimizing for. Doing so will help to ensure that Opera maintains its stellar sub 1% marketshare.
- A
Posted by: Asa Dotzler | July 21, 2007 12:19 PM
yuiole, please go to Secunia here and look at all of Opera's vulnerability reports and find me reports that credit Opera with finding the flaw. You can't. All of the pre-9.22 reports credit third parties.
http://secunia.com/search/?search=opera
- A
Posted by: Asa Dotzler | July 21, 2007 12:25 PM
I also think the UA string is irrelevant to users, what matters is best fixing the web. But as I've hinted above, you can check Opera is already doing what you asked for:
/prefs/Site Preferences Downloaded (OS X) | override_downloaded.ini (Win)
Spoof/Mask as FF: 37 sites
Spoof/Mask as IE: 12 sites
Considering that IE-only sites have traditionally been far more prevalent on the web, Opera's intention here is clear. Note in half of the Firefox spoof cases, Opera removes its UA name entirely - free traffic for Mozilla unless stats use javascript (which Opera spoofs as well). I find it pretty disappointing any browser manufacturer has to do this at all (Safari also has to do something similar). Ah, one rosy day we'll have a truly open web…
Posted by: non-troppo | July 21, 2007 12:33 PM
non-troppo, so there are only 49 sites on the web that present problems for Opera? That seems pretty odd to me. What about the millions or billions of other pages out there that aren't listed in the override file?
Also, whatever was "traditionally" the case on the web, Firefox is changing that. In Europe, for example, about 1/3rd of all people use Firefox and no self-respecting site there can afford to not cater to Firefox along with IE. Sites are mostly doing one of two things. They're not sniffing at all and assuming some version of IE. Or, they're sniffing but only for IE versions and Firefox. I did say "mostly" not all, though. Still, given that reality, it seems like Opera should do more to ask for the Firefox code as a default circumstance since Opera's rendering is actually closer to Firefox's (and the standards) than it is to IE's. In cases where there is no sniffing, this doesn't help, but in cases where a site is trying to decide to hand Opera IE or Firefox code, Opera should want the Firefox version. I fail to see what's so controversial about that. Safari does it and it helps them with little or no downside. Why won't Opera?
- A
Posted by: Asa Dotzler | July 21, 2007 12:44 PM
Asa: Several of Opera's changelogs (9.1, 8.52, 8.01, 8.0b2 etc) do contain entries which are not linked to 3rd-party disclosures (wand data enhancements, security bar strengthening). So Opera certainly have disclosed, but they do not have as clear a disclosure policy as Mozilla (though I still imagine not every bugfix that *may* have a security implication in bugzilla makes it to your advisories). As a vendor, this may be annoying (though no other vendor seems to have Mozilla's policy either); but as a user, I think quickly fixing any unpatched security issue, 3rd-party related or not is the most important thing, and Opera has been utterly solid here.
Posted by: non-troppo | July 21, 2007 12:57 PM
r.e. UA: I've agreed with you and provided evidence that Opera already does this when possible; It uses masking only when other means are not available. Opera has a fairly advanced set of technologies for overcoming vendor lock-in, of which the UA is only part. More intelligently, it can replace Javascript variables or functions on-the-fly (like Greasemonkey), which it does in preference to the more brutish global UA switch. UA is not everything, it is part of a set of technologies to enable us to use the web, but when it has to use it, it tries to always spoof as Firefox.
Posted by: non-troppo | July 21, 2007 1:06 PM
non-troppo, those aren't really in the same classification as a critical security exploit. I'm assuming that Opera engineers are capable of and motivated to find real security bugs (though I may be wrong on one or both of those assumptions) but I don't see any proof of that in their disclosures.
As a user, I'd like the reassurance that Opera engineers and QA are actually spending resources trying to find and fix holes in their own software and not relying exclusively on the occasional bug report from a 3rd party. As a user, I want confidence that Opera takes security seriously. As a user, I'd like to be able to measure Opera's efficacy in protecting me from exploits discovered by Opera employees and 3rd-parties. As a user, I want to be able to hold my vendor accountable for their actions or inactions.
Mozilla's security policy demonstrates to users that we've got a commitment to security and we back that up with actual engineering and QA resources as well as working with 3rd-party security researchers. Mozilla's policy also makes it easy for other browser vendors to find areas to investigate in their own software. This is good for the user and it's good for the web.
Mozilla's security process is explicitly designed to have all of the above-mentioned features. The transparency ensures that we can be held accountable for keeping our users safe. It allows the entire ecosystem the benefit of our security investigation and fixing. It ensures that if we are not fixing security issues fast enough, or shipping those fixes fast enough, that we can be held accountable.
Mozilla's security policy and process is there to ensure we make the most secure browser possible and that is indeed very different from the security policies and processes of other browser makers who seem to prefer to minimize any negative public relations even if it means that their users are less secure or can have less confidence in their vendor's stance on security.
Where is your proof that Opera quickly fixes any unpatched security issue when it's not a 3rd-party discovery? With Mozilla, you can actually measure us on this because you can see when all of the security bugs were discovered, how long it took us to fix the hole, and how long after the fix we shipped a new version that included the fix. With Opera, it's completely opaque except for those situations where a 3rd-party forces disclosure and so opens it up to scrutiny.
- A
Posted by: Asa Dotzler | July 21, 2007 1:21 PM
>> ant, why do you care what's in the UA as long as websites can correctly sniff to determine as close as possible what the browser's capabilities are.
Good point, to be honest I'd prefer if browsers (and websites) stopped using UAs completely and instead did the HTTP content negotiation thing better. It seems about as logical as telling every website what make and model your keyboard is.
Posted by: ant | July 21, 2007 1:44 PM
Opera should be a team player. Ha-ha, very funny. How about practicing what you preach, Asa? :)
As for the location of the address bar, it belongs to the page so the logical position is below the tab bar.
Posted by: Heh | July 21, 2007 1:57 PM
Heh, I'm actually very pleased that the Opera team has listened to what I've said here and that Opera is a better browser because of it. I think that makes me a team player. Maybe I'm not your favorite player, but I am on the team that's trying to make the web a better place.
As for the location of the tab strip and addressbar, you may be right. That may be the logical position. That may even be the more usable position. I'm not making the argument that it isn't either of those. I'm saying that if you want more people to use Opera, then Opera needs to be more comfortable for new users. Opera has made great strides since Opera 7 when I first started encouraging them to move in the Firefox direction by simplifying their menus and toolbars and making Opera feel more comfortable to new users coming from IE. I hope they continue and I've offered a few suggestions here that I think will help them continue.
- A
Posted by: Asa Dotzler | July 21, 2007 2:02 PM
Don't flatter yourself, Asa. As if you are the only one capable of coming up with certain ideas.
You make yourself look silly by pretending that you are to credit for all those changes in Opera.
Unless Opera employees actually told you that they listened to you, you must either be an arrogant fool or extremely dishonest.
Posted by: heh | July 21, 2007 2:16 PM
By the way, all the suggestions you have about Opera now and in the past made were made by Opera users in the forums long before you mentioned them. Stealing credit for other people's ideas does not reflect well on your character.
Posted by: heh | July 21, 2007 2:18 PM
The thing is, Opera is not a default browser on any or many operating systems at all (maybe the odd linux), safari(mac), IE(windows) and Firefox(many linux distros) all have some sort of operating system has a default browser upon. Opera does not have that luxury. I'm sure it might help a little to add "like gecko" to Opera's UA. However I think this might not change sites proclamation with Opera and other browsers.
-- How many sites actually sniff for "Like gecko" string? There needs to be more than 10 examples otherwise the point is moot.
-- Currently Opera supports some IE Javascript functions which it doesn't hide, things like document.all support isn't hidden at this moment(although userjs can repair that...), and many sites do make use of document.all to sniff IE out.
-- Having something like a string "Like Gecko" might confuse users because simply put Opera is not a gecko engine product but presto engine by opera.
Posted by: Simon Houston | July 21, 2007 2:22 PM
Simon, it seems to be working for Safari, which adds that string for both its Windows and Mac version and has for years now. The case where it would be more valuable is when a site sniffs for Gecko or IE and nothing else and Opera is going to have to take the code for one of those. Opera is considerably closer to Gecko in terms of its capabilities than it is to IE, so one would think it would handle the Firefox/Gecko code better.
As for document.all support, that should not be advertised. Sites are using that to determine if a browser supports IE DOM features (and assuming that browser is actually IE, so that means the complete set of IE DOM features and bugs) and they're using it to decide whether to hand the browser the IE site or the Firefox version. Opera should want to get the Firefox version. It can't possibly chase (and shouldn't want to) the entire IE DOM, bugs and all.
Firefox too has document.all support but we don't advertise it so that it's only used in the case that the site doesn't try to sniff DOM capabilities at all and just assumes everyone is IE. See, the point in sniffing DOM capabilities like document.all is specifically to determine whether to give the browser the IE page or the Firefox/Gecko page, so advertising document.all support just gets Opera the more difficult, less standards compliant page. Opera really does support the standards/Firefox/Gecko code more fully. That's what it should ask for.
Oh, and I almost forgot. Firefox doesn't have the luxury of being the default browser either, yet we're highly competitive and have more than 100 million users worldwide. Some of the reasons we're doing so well are the exact things I'm suggesting for Opera.
- A
Posted by: Asa Dotzler | July 21, 2007 2:34 PM
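The difference this thread keeps returning to, between a stats package identifying a product and an in-page script choosing an IE or Gecko code path, is shown below as an added JavaScript example; it is not code from the post, from any commenter, or from any browser vendor. All function names are hypothetical, the User-Agent strings are constructed samples modelled on 2007-era formats, the Opera string carrying "like Gecko" is a hypothetical form of the suggestion, and the sniffer's fall-back to the IE path for unknown browsers is an assumption.

```javascript
// Added illustration. Every UA string is a constructed sample; the
// "operaLikeGecko" entry is hypothetical (Opera did not send it).
const SAMPLE_UAS = {
  operaDefault: "Opera/9.22 (Windows NT 5.1; U; en)",
  operaLikeGecko: "Opera/9.22 (Windows NT 5.1; U; en; like Gecko)",
  operaAsIE: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.22",
  firefox: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5",
  safari: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3",
  ie6: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
};

// Stats-package style identification: test the most specific product token
// first, so a masked or extended string is still counted as Opera.
function identifyProduct(ua) {
  if (/Opera[\/ ]\d/.test(ua)) return "Opera";
  if (/AppleWebKit\//.test(ua)) return "Safari";
  if (/Firefox\/\d/.test(ua)) return "Firefox";
  if (/MSIE \d/.test(ua)) return "IE";
  return "unknown";
}

// In-page sniffer that only knows two code paths (IE and Gecko).
// Assumption: anything it does not recognise is treated as IE.
function pickCodePathByUA(ua) {
  if (ua.indexOf("MSIE") !== -1) return "ie";
  if (ua.indexOf("Gecko") !== -1) return "gecko";
  return "ie";
}

// DOM capability sniffing as discussed in the thread: a page that sees
// document.all assumes IE, otherwise it serves the standards/Gecko code.
function pickCodePathByDom(doc) {
  if (doc.all) return "ie";
  if (typeof doc.getElementById === "function") return "gecko";
  return "ie";
}

// Stand-in document objects (constructed): one advertises document.all to
// detection, one does not.
const DOC_ADVERTISES_ALL = { all: {}, getElementById() {} };
const DOC_HIDES_ALL = { getElementById() {} };

// Run both classifiers over every sample and collect the results.
function compareAll() {
  const rows = {};
  for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
    rows[name] = {
      product: identifyProduct(ua),
      codePath: pickCodePathByUA(ua),
    };
  }
  return rows;
}

console.table(compareAll());
console.log("advertises document.all ->", pickCodePathByDom(DOC_ADVERTISES_ALL));
console.log("hides document.all      ->", pickCodePathByDom(DOC_HIDES_ALL));
```

With these samples the product column reads Opera for all three Opera strings, while the code path for the Opera string changes from "ie" to "gecko" only when the extra token is present.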
Asa, I agree with you on transparency, and commend Mozilla for trying for consistent disclosure, but you are stretching your case when you then suggest:
"Mozilla's security policy and process is there to ensure we make the most secure browser possible and that is indeed very different from the security policies and processes of other browser makers who seem to prefer to minimise any negative public relations" — emphasis mine
Not disclosing items has no bearing on an ability to take security deadly seriously. If Opera jumps on every possible security issue with fervour, and architects everything to be triple-anally secure, but doesn't tell user X, it doesn't make their work magically evaporate. It just means user X doesn't know about every detail (which no matter how they are written, will go over a majority of users' heads) and the vendor can't market it except for the fact that there are no public or in-the-wild security breaches (i.e. battle tested security results). Contrarily, just because you have a webpage with some disclosures on it, doesn't make you more secure, it does make you more transparent[1]. As you are suggesting, not disclosing is probably a worse marketing tool for cynical users; let's hope Opera's marketing guys think about getting a webpage of disclosures that may help them get more users, even if they are no more secure ;-)
----
[1] Just to re-emphasise, more transparency is good. However I trust Opera because I've seen a consistent pattern of behaviour, and the numerous bugs I've posted have received immediate attention; 3rd-party bugs are always promptly fixed, which has been noted by several of the disclosers. This is not irrelevant, and it is not negated by not disclosing every possible issue.
Posted by: non-troppo | July 21, 2007 2:49 PM
non-troppo, I agree that opacity does not mean that they do not do a good job, it just means that there's no way to know if they're doing a good job. There's no mechanism for accountability.
And I'd like to point out that it's not just about jumping on security issues when they come up, it's about dedicating engineering and QA resources and building tools to actively discover and then fix security issues. All web browser software is complex. We have to consume crazy wacky content from the web and turn it into something that works for the users. That means there are going to be many, many security bugs that come up, no matter what -- it's just a function of the complexity of the type of software we build. If Opera disclosed the work they completed for security with each release, we'd be able to make our own judgement about their abilities and their commitments. What we have now is an unknown. We literally have no idea how much Opera is doing to protect their users and that's just scary to me.
And it's not just Opera. Apple and Microsoft need to do more as well. They both also fail to disclose any information about their process for security finding and fixing. The only information you can get from those companies is what's forced by disclosure threats from 3rd party researchers.
I don't consider this a marketing issue at all, actually. I think it's about the trust relationship between the user and the software vendor. You're right that most users will not understand the details of every security exploit fixed in a given release. That's actually one of the values that the tech press plays. It's also a role that can be played by third party public-interest groups who want to help users weigh the various products they're using.
Think of it like automotive crash testing. Public-interest and consumer-protection groups can compare the safety of various vehicles and the consumers don't have to understand the how and why that one vehicle is safer than another, they can trust the press or the independent inquiries. Vehicle manufacturers can advertise their ratings or awards in this area. Design and manufacturing techniques are improved because competition makes that happen and what do we have? We have automobiles that are a million times safer than they were just a few decades ago.
With software, there isn't a comprehensive or even somewhat useful safety test available so that's where vendor disclosure comes in. If the vendors are honest about what they're doing to keep their products secure, and if there are mechanisms for apples to apples accounting, then users can make informed choices.
Secunia is sort of in the business of accounting but unfortunately, their information is so limited that it cannot be an apples to apples comparison. Security journalists like Brian Krebs are gathering and comparing other data like the "time to fix" and other outfits are gathering information on "time to deploy". But without information on the vendor discovered issues, these comparisons are horribly incomplete. If we could improve the information they all have then they could produce meaningful reports. And with this information, packaged up by the press, the third party auditors, and the browser vendors, users could make real informed choices.
I don't believe that there will ever be a perfect measure, just as the crash testing isn't a perfect measure, but the more information we have, the more informed the customer can be. And more informed customers means that safety and security will become a more serious focus area for more software vendors. I'm actually really surprised that software vendors are allowed to keep so much of this a secret when all of our data, our identities, our finances, everything we do online depends on it so much.
Now, Opera and the other vendors can choose to not subject themselves to this kind of accountability, but eventually the users will learn enough, either from vendor-driven education, the security and tech press, or independent audits, that the real security situations for various browsers will become obvious and the vendors with the best programs and results will take users from the vendors.
Opera can opt in to a better process now, that's actually in the best interests of users, or they can not.
I was asked for 5 things I'd like to see, and one of those things was Opera becoming a better citizen and more accountable to its users in the area of security. I stand by my suggestion.
- A
Posted by: Asa Dotzler | July 21, 2007 3:39 PM
First off- I think non-troppo nailed my thoughts in his last quote (as usual)... but a "simple user" point of view:
(emphasis mine) Well... no way is a bit of a stretch, right? There are some ways to know they are doing a good job. Transparency isn't the only way to hold them accountable is it?
The fact that I've used Opera exclusively since 2001 and haven't had any issues with security is one way to know they're doing a good job. If that's just because the marketshare is so low, fine, but still I don't care about how my browser is secure, I just care that it is. Personally, I don't want bragging rights about security/bugs patched etc. Secunia and all the bug tracking sites are really, as you say, an unfair comparison based on which companies disclose stuff. I pay very little attention to those statistics- I just want my Mac/PC to be clean... and it is and always has been under Opera. If that's because Opera is under the radar that's fine by me, if that's because they wrote a secure piece of software and maintain rigorous patching/bug fixes, that's fine too. My way of measuring them is with my PC. It's clean. When it's not, I'll hold them accountable for it.
...that said, I'd like to reiterate non-troppo and your comments on commending Mozilla for its policy. I would *like* Opera to disclose everything (assuming they aren't), but even if they did, I'm not so certain I would do anything different than I currently do.
Posted by: Eddie | July 21, 2007 7:36 PM
Eddie, (and non-troppo, too) thank you for your feedback. This discussion has been considerably more productive than many I've had before with Opera users.
Eddie, I see where you're coming from. You don't care why it is that you haven't been exploited, just that you haven't. But, if you think about this, the various reasons that you haven't been exploited are actually pretty different in terms of their value in predicting the future. If you haven't been exploited because Opera is a small enough market to "fly under the radar" of the bad guys, then if and when Opera does grow its marketshare, you will find yourself in a bad place. If you haven't been exploited because Opera Software invests heavily in security, then should Opera gain marketshare, you will likely stay mostly safe.
I think we'd all like to see Opera gain some marketshare, and if that happens, I suspect you will come to care more about the _why_ of your current comfort levels around security.
- A
Posted by: Asa Dotzler | July 21, 2007 7:53 PM
I've read some of this discussion, though not all, I didn't have the time, I am sorry. I would like to say a word on browser sniffing that relates to my own working experience in web design and web application developing:
We do not browser-sniff in our websites, and we think that is incorrect to do so, even worse if you do browser sniffing through reading the user agent (which is sometimes misleading).
We just know how to write javascript code that will work in the three or four major browser platforms out there (which represents 95.5% of the market). There are cases, however, in which you just cannot perform a function the same way in all browsers. In those specific cases, we check for method and properties existence in a case by case scenario, which gives you a much more realistic web programming, because you are not assuming a function exists because you believe that you are working under "some" browser platform. Instead you check for the very existence of the function itself, iterating through all known variations of it.
We believe this is the most practical way to program on the web, and also the easiest to deal with in terms of upgrading a software. If Opera changes its user agent in the future, the software doesn't break if it is looking for the real javascript available to it, rather than for some user agents...
Posted by: Matias Jose | July 21, 2007 11:40 PM
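The check-for-the-function approach described in the comment above, set beside user-agent sniffing, as an added example that is not part of the original comment. The element objects, the user-agent strings and every function name here are constructed for illustration so the code runs under Node without a browser.

```javascript
// Known variations of "attach an event handler", most standard first.
var LISTENER_VARIANTS = [
  { name: 'addEventListener',
    attach: function (el, type, fn) { el.addEventListener(type, fn, false); } },
  { name: 'attachEvent',
    attach: function (el, type, fn) { el.attachEvent('on' + type, fn); } }
];

// Feature detection: return the first variant the object really exposes.
function pickVariant(target, variants) {
  for (var i = 0; i < variants.length; i++) {
    if (typeof target[variants[i].name] === 'function') return variants[i];
  }
  return null;
}

// Attach a handler using whatever exists; returns the name of the path taken.
function addListener(el, type, fn) {
  var variant = pickVariant(el, LISTENER_VARIANTS);
  if (variant) { variant.attach(el, type, fn); return variant.name; }
  el['on' + type] = fn; // last resort: plain handler property
  return 'on' + type;
}

// User-agent sniffing, for contrast: guesses the method from a string.
function sniffedVariant(userAgent) {
  return /MSIE/.test(userAgent) ? 'attachEvent' : 'addEventListener';
}

// Constructed stand-in for a DOM element exposing only the listed methods.
function makeElement(methods) {
  var el = { calls: [] };
  methods.forEach(function (m) {
    el[m] = function (type) { el.calls.push(m + ':' + type); };
  });
  return el;
}

// Run both strategies against one environment and report what each would do.
function compare(userAgent, el) {
  var sniffed = sniffedVariant(userAgent);
  return {
    detected: addListener(el, 'click', function () {}),
    sniffed: sniffed,
    sniffBreaks: typeof el[sniffed] !== 'function' // sniffed method is absent
  };
}

// Constructed case: a browser that sends an MSIE-style user agent for
// compatibility but exposes only the standard method.
var SPOOFED_UA = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) ExampleBrowser/1.0';
var spoofResult = compare(SPOOFED_UA, makeElement(['addEventListener']));
console.log(spoofResult);
```

With the spoofed user agent, sniffing selects a method the object does not have, while detection still attaches the handler through the method that is actually present.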
I'm not saying that if Opera grows it will be less secure (by attracting more malicious behavior)
And my unstated point there was that yeah- those are very different predictors of the future. I think you focused more on the marketshare part of my argument and less on the "Opera's security" part. I assume in reality it's more heavily tilted to that side of the security slider- and that less "attention" is a minimal part of the fact that Opera has been solid for me for all these years.
...and when I first saw Daniel's post, my first thought was "I can't wait for someone to tag Asa!" As always, a great read.
-Eddie
Posted by: Eddie | July 22, 2007 8:53 AM
Perhaps off-topic, but I added some stuff that I would like to see in Opera:
1) Consider removing unnecessary/redundant configuration options, like "Show scrollbars" (why would anyone wanna turn this off....???)
2) If Opera is gonna ship with a widget theme that looks completely different to the native widgets, at least make it look better/more appealing. (The "glow" of the widgets isn't enough)
3) Use a proper About Box, not a web page table thing. I feel it would look more professional with a proper About Box.
...couldn't think of anything else...
Posted by: Jim | July 22, 2007 9:51 AM
Eddie, I see where you're coming from. And yes, I could have spent some time talking about the other possible reason for your not having been exploited. Opera may indeed spend significant time and resources doing code audits, building and employing attack tools to test their security features, building and using fuzzing tools to assess stability and potential attack vectors, performing security reviews on all new code, inviting participation from 3rd party security researchers, running code through memory corruption detection and memory leak detection tools, etc., etc.
The only thing I can say is, again, that because of their lack of transparency, there's no evidence at all that this is what they're doing. Opera's opaque security model, essentially security through obscurity, doesn't give me any confidence that they are employing sophisticated tools and process to keep the browser secure.
I do understand that your measure is basically "I haven't been attacked yet" and that's cool. That tells you something about the past but it gives you almost zero indication about the future.
- A
Posted by: Asa Dotzler | July 22, 2007 12:06 PM
urgh, Asa, Opera is an internet suite, not only just a browser so option 5 is invalid. What happens to the address bar when you have a mail, or chat window open?
About 4. I don't recall a single time the Opera team doing targeted advertising to any specific market segment. Care to explain?
Posted by: xErath | July 22, 2007 2:33 PM
xErath, that Opera is a suite is one of its problems, not its benefits, in terms of gaining more adoption. And yes, though you may not recall, Opera did run an advertising campaign specifically targeting Firefox users.
- A
Posted by: Asa Dotzler | July 22, 2007 2:40 PM
I think the internet would be a much poorer place if there was not a place for internet suites. Unless you're (Asa) a closet Seamonkey enthusiast hoping for a competition-free niche, you'd also have to be against Seamonkey too? Especially as (I believe?) that project is still consuming Mozilla resources probably better spent on the main projects.
I suppose if you're anti-suite you'd also like to see Thunderbird split into separate mail client, newsgroup reader, and newsfeed reader applications, and remove the newsfeed reader support from Firefox?
Besides, a default Opera install looks just like a non-suite browser-only install. So if your only complaint about Opera's suite nature is the toolbar arrangement that makes sense in both suite and non-suite situations, then there is really very little to worry about.
Posted by: Andrew Gregory | July 22, 2007 6:48 PM
Andrew, you're drawing some odd conclusions. I'm in no way "anti-suite". I think suites are fine. I'm just letting some Opera users who have commented on my tab strip suggestion know that the suite nature of its product has hampered growth.
First it was creating a lot of clutter. I posted a long time ago about the UI mess it was causing and Opera worked hard to clean it up. They did a pretty good job but they're still left with some odd and uncomfortable (to new users) UI because of the suite nature of the product.
If you go back to my original comment, I was saying that if Opera Software wanted to make a browser that was more approachable and more likely to hold onto new users, that it needed to adjust a couple of UI elements like the tab strip and the status bar. Opera users argued that they shouldn't/couldn't move the tab strip because of the suite nature of the product.
My reply, which you've taken to be anti-suite, was just pointing out that if indeed the UI was locked as it is today, uncomfortable for new users, because of the suite nature of the product, then the suite nature of the product is bad for Opera's gaining more users.
- A
Posted by: Asa Dotzler | July 22, 2007 6:59 PM
xErath, the reason the address bar in Opera is in the right place is not because it is a suite. Many use it as just a browser. The reason is that the (content of the) address bar is specific to each tab, while the tab bar is always the same one.
Posted by: nep | July 22, 2007 11:07 PM
"I posted a long time ago about the UI mess it was causing and Opera worked hard to clean it up."
Jesus CHRIST Asa, stop pretending that Opera listens to you. Why the hell would Opera change something just because a Mozilla troll told them to?
Stop pretending that you are guiding Opera's development. You are making an ass of yourself.
Posted by: liar | July 22, 2007 11:11 PM
liar, I did post about the Opera UI mess and Opera did work hard to clean it up and it's much better today. Opera's clearly been paying close attention to Firefox's successes and doing their best to adapt. For nearly every suggestion I've made, Opera fans and users flamed me and said why it wasn't a good idea or why Opera shouldn't do it and then Opera released new versions that implemented pretty much everything I recommended. Even in this thread, there's serious opposition to most of my suggestions, but I'm willing to bet that in upcoming versions of Opera, many of them will be implemented.
- A
Posted by: Asa Dotzler | July 22, 2007 11:21 PM
I don't have a problem with Asa claiming that Opera devs have been paying attention to Firefox development because it's a normal thing to do, Firefox devs have been doing the same thing (tab drag&drop, sessions, and many more over the years). However, claiming that Opera has implemented something just because he suggested so must be a joke/bait from Asa's side, otherwise it just shows a serious ego problem and this is something that arguments cannot cure.
I must say that this was a fair blog post by Asa, some cheap shots here and there but this is included in the package (hard to see a blog post by him where he doesn't troll a bit). :-)
Posted by: Linas | July 23, 2007 4:06 AM
On item #5: "Opera, on first run, should import all settings"... this should be rephrased to:
"Opera, on first run, should *OFFER TO* import all settings".
Never, under any circumstances, do this without asking first!
When I first installed Firefox, it asked me if I wanted the IE favorites. I'm glad it did, because I had *NO* intention of bringing them over, since they were just the default install of commercial bookmarks etc.
Posted by: steve | July 23, 2007 5:41 AM
On item #3 - User agent sniffing. I'm going to agree with others here, that that is a minor issue, if one at all.
In an ideal world, we wouldn't need to sniff, but we do. I pull out key bits, to determine if a browser is of type A, B, or C...
Then in code, I will *presume* a standards based browser by default, then add workarounds, if required for specific browsers.
e.g. This one is highly annoying, but it happens almost daily.
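    var foo = document.createElement('div');
    var fooStyle = 'border:1px solid #ff0080;color:#ffaacc;';
    // set the style attribute...
    // (IS_IE is the flag set by the browser check described above)
    if (!IS_IE) {
        foo.setAttribute('style', fooStyle);
    } else {
        // MSIE doesn't follow specs here either (*surprise*)
        // cssText lives on the style object, not on the element itself
        foo.style.setAttribute('cssText', fooStyle);
    }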
So far, the only real issue with Opera has been the lack of support for the CSS style property of overflow. overflow: auto; is fine, but overflow-x: auto; and overflow-y: auto; don't work properly. Which can be frustrating, because I often only want overflow-y: auto;
tx.
Posted by: steve | July 23, 2007 6:05 AM
Posted by: Eddie | July 23, 2007 10:28 AM
My thoughts:
#1 and #2 - agreed. I still don't understand why there's a contingent of fans fighting auto-update tooth and nail. It seems a clear case of "Eew, Firefoxism! Don't let it touch my browser!" (Personally, I'd rather see more software integrated into the OS update system, like you can on Linux with apt or yum.)
#3 - meh. Would certainly be a better choice than spoofing IE, but it's less important now that Opera has automatically-updated ua.ini for site-specific UA spoofing and browser.js to dynamically repair problem sites & JS.
#4 - I agree that Opera and Mozilla are better off cooperating, at least now, but I'm not so sure about the public commitment, especially if it's just Opera. The way it's phrased, it sounds too much like you're asking them to hold up a white flag and get out of the way, which might explain some of the hostile responses you're seeing. (Ah, who am I kidding? For some people, just seeing your name on the same page as the word "Opera" is enough.)
#5 - probably right, definitely agree on profile import -- with user confirmation. Aside from sometimes wanting a fresh start, there's also the possibility of several browsers being installed already. Better to offer the user a choice of profiles to import than to just pick one, even the current default.
Posted by: Kelson | July 23, 2007 11:48 AM
Eddie, Mozilla's security process, and the volume of activity coming from Mozilla's security team and the security community in general, are all strong indications that Mozilla is pro-active, not just reactive. Because of Opera's opaque process, there is no evidence that Opera is taking serious pro-active steps to find and then fix flaws in their software.
- A
Posted by: Asa Dotzler | July 23, 2007 4:37 PM
"indications" isn't evidence... it's an indication. Just like my Opera experien