July 23, 2009

haavard's right

I mostly agree with Haavard Moen's Opera blog post.

My first thought after reading his post was that Haavard's point could have been made better by simply reminding people what it was like on the Web in 2003 and 2004 before Firefox came on the scene and when Internet Explorer constituted about 95% of Web browsing.

Not only did IE make up the overwhelming majority of browsing before Firefox, but it was ancient technology on which Microsoft had mostly abandoned new development (since IE 6 shipped in 2001).

Because an exploit in IE 6 meant an exploit for virtually every computer connected to the Web, it became a very appealing target for bad guys trying to infect computers with worms and viruses and other malware.

Because it was an old technology that Microsoft had relegated to a very low priority, newly discovered security holes were left open for weeks, months, and even years, while fundamental architectural flaws meant that finding new holes and developing new and ever more sophisticated and powerful exploits and payloads was getting easier for the bad guys with every passing day.

The result was that browsing just wasn't a safe activity. Users couldn't protect themselves except by not using the Web.

That was a Web monoculture and those were pretty bad times for everyone online.

But then I reminded myself that almost half the people online today weren't even using the Web back in the days before Firefox. Half a billion people online today don't remember a Web before Firefox because they weren't online before Firefox.

If it's not particularly useful to try to personalize the danger of monoculture with the "remember the days before Firefox" example, then how can we explain it, in terms that will really hit home, to all of these more recent Web users?

I don't think Haavard's post will really sink in for most people reading it. It works for people who already understand the concepts and have the historical context to see how bad things can really get. But I'm afraid that most people won't believe that it's a real danger because we haven't seen any catastrophic infections recently.

That's just plain luck, though. The recent Flash Player flaw Haavard mentions opens the door to an exploit that, if deployed carefully, could infect virtually every Web-connected computer. I'll say that again. Virtually every Web-connected computer is at risk right this minute.

Hopefully Adobe will correct this flaw and deploy the fix to the billion or more people affected, but until that roll-out is complete, we're talking about a very serious problem.

We'll be lucky if this isn't catastrophic. I suspect it won't be, but that's not because of anything Adobe has done to date. It's because we're probably going to get lucky. But is trusting luck really a viable long-term approach to security of the Web? I don't think so.

Will it take a year of exploits like we saw in 2003 and 2004 to get people thinking again about the dangers of internet-connected software monocultures? I sure hope not.

Posted by asa at 1:55 PM
