July 23, 2009

haavard's right

I mostly agree with Haavard Moen's Opera blog post.

My first thought after reading his post was that Haavard's point could have been made better by simply reminding people what it was like on the Web in 2003 and 2004 before Firefox came on the scene and when Internet Explorer constituted about 95% of Web browsing.

Not only did IE make up the overwhelming majority of browsing before Firefox, but it was ancient technology that had been mostly abandoned to new development by Microsoft (since IE 6 shipped in 2001.)

Because an exploit in IE 6 meant an exploit for virtually every computer connected to the Web, it became a very appealing target for bad guys trying to infect computers with worms and viruses and other malware.

Because it was an old technology that Microsoft had relegated to a very low priority, newly discovered security holes were left open for weeks, months, and even years while fundamental architectural flaws meant that finding new holes and developing new and ever more sophisticated and powerful exploits and payloads was getting easier for the bad guys with every passing day.

The result was that browsing just wasn't a safe activity. Users couldn't protect themselves except by not using the Web.

That was a Web monoculture and those were pretty bad times for everyone online.

But then I reminded myself that almost half the people online today weren't even using the Web back in the days before Firefox. Half a billion people online today don't remember a Web before Firefox because they weren't online before Firefox.

If it's not particularly useful to try to personalize the danger of monoculture with the "remember the days before Firefox" example, then how can we explain it, in terms that will really hit home, to all of these more recent Web users?

I don't think Haavard's post will really sink in for most people reading it. It works for people who already understand the concepts and have the historical context to see how bad things can really get. But I'm afraid that most people won't believe that it's a real danger because we haven't seen any catastrophic infections recently.

That's just plain luck, though. The recent Flash Player flaw Haavard mentions opens the door to an exploit that, if deployed carefully, could infect virtually every Web-connected computer. I'll say that again. Virtually every Web-connected computer is at risk right this minute.

Hopefully Adobe will correct this flaw and deploy the fix to the billion or more people affected, but until that roll-out is complete, we're talking about a very serious problem.

We'll be lucky if this isn't catastrophic. I suspect it won't be, but that's not because of anything Adobe has done to date. It's because we're probably going to get lucky. But is trusting luck really a viable long-term approach to security of the Web? I don't think so.

Will it take a year of exploits like we saw in 2003 and 2004 to get people thinking again about the dangers of internet-connected software monocultures? I sure hope not.

Posted by asa at 1:55 PM


reactions, thoughts, comments, etc.

I know you know this but the monoculture of IE is still alive and well in South Korea in 2009. My post regarding this issue is from 2007 but nothing has changed since then. IE is the only browser S. Koreans can use for the web.

http://blog.mozilla.com/gen/2007/02/27/the-cost-of-monoculture/

Posted by: Gen Kanai | July 23, 2009 4:32 PM

Gen, you're absolutely right about China and Korea. But China and Korea can't hold the Web back for the rest of the World and hopefully the Web will advance far enough that they'll get tired of being at the back of the line for innovation and new features and at the front of the line for exploits and they'll do something about it.

Ultimately, users have to demand something better. For that, they either need to think their current situation is untenable or they have to believe that a change will bring great new opportunities. Right now, I'm guessing that they think the status quo is good enough.

But, as my post and Haavard's both illustrate, we're all, in even the strongest of Firefox strongholds, still part of a pretty scary monoculture when it comes to Flash. So just breaking the IE stranglehold isn't enough. We've got to create competition around video on the Web, vector graphics on the Web, rich interfaces on the Web, etc. etc.

- A

Posted by: Asa Dotzler | July 23, 2009 5:09 PM

I'd be happy to join a no-flash movement. There are already Firefox extensions and Greasemonkey scripts out there that help end users (e.g. watch YouTube without Flash) and there's a variety of new web tools that replace the various reasons for developers to use Flash. With a small number of committed geeks and a central point of focus we could start making the web safe for non-Flash users.

With Flash either non-existent or appalling on the mobile web, this is the perfect time for such a movement to take shape.

Posted by: Bod | July 24, 2009 6:31 AM

Bod (and Asa),
Kroc Camen has made a good start for a movement, as he is encouraging people to replicate this message around ‘#flashfreeweek Support the open-web, go a week without Flash http://camendesign.com/blog/flash-week’

If you choose to keep it going after a week, I am sure the Web will love you for it!

Posted by: John Drinkwater | July 24, 2009 1:32 PM