Jon's Network

Some interesting new research out of ETH Zürich showed that Firefox’s Auto-Update mechanism works the best at keeping users updated with the latest and safest version compared to all other major browsers. The report, Understanding the web browser threat, used Google’s browser data from the last 18 months to figure out a lower bound on the amount of users that surf the internet using an outdated browser. It turns out that at least 45.2%, or 637 million users, were not using the most secure Web browser version on any working day from January 2007 to June 2008.

To improve this number, the paper suggests the following:

• browser vendors follow Mozilla’s lead and implement an auto-update mechanism that checks for updates each time the browser is used
• consumers implement URL filtering to reduce odds of visiting an infected website
• implement a “best by” dating system for software similar to what consumers are familiar with when they shop for groceries. This is supposed to increase awareness of the risk of outdated browsers and motivate users to update.
• someone implement an authentic, open repository of plugin version information that can be queried by vendors to make sure browser plugins are updated regularly

I don’t like the “best by” idea. A little red notice that states “145 days expired, 3 patches missed” isn’t much different from the existing software update schemes. Trying to raise awareness for the sake of awareness is futile. Outdated software alone doesn’t cause loss and discomfort like spoiled produce does so consumers won’t be motivated to pay attention to the “best by” date.