Posted on 08/26/2005 6:31:03 PM PDT by Bush2000
Firefox's 'retreat' ensures Microsoft excels
Open source web browser Firefox has lost the momentum it has steadily gained since it was unleashed last year, according to Web analysts at Net Applications.
The online portal's unique Hit List service reveals a slump in the Mozilla browser's market share, falling from 8.7% to 8.1% in July.
Coinciding with its demise was the advance of Microsoft's IE, which has gained some of the ground surrendered in June, climbing back from 86.6% to 87.2% last month.
The revival for the dominant browser comes on the back of average monthly losses of between .5 to 1% for Redmond, as Firefox started to gain acceptance among a wider audience than just tech-savvy users.
When asked by Contractor UK whether Microsoft's sudden gains were from the unveiling of a new IE, Net Applications said a re-launch tends to revive industry interest, and could have bolstered Microsoft's market share of the browser market.
"When a company launches a new product, there is always renewed interest in what the company has produced and it would also be fair to say that this may have had an effect," said a member of the Hit List team.
"Although, there have been browser issues with Windows 2000 in the news, so it is possible that again you may see a dip [in Microsoft's market share]. Right now, people are looking for security and whenever there are issues with the security of one's system, they will use what they feel will be the most secure."
Besides Net Applications, web developer site W3 Schools confirms that adoption of Firefox is falling, just as IE is reaching its highest share of the market in 2005.
According to W3's data on specialist users, Microsoft IE (6) enjoyed a 67.9% share in July, improving to 68.1% in August matched against Firefox's top share of 21% in May, which has now dropped to 19.8% for the last two months.
Observers noted that both sets of analysis concur that Microsoft's loss, up until now, has been Firefox's gain, but over the last month roles have reversed.
Security fears concerning Mozilla and its browser product have recently emerged, coinciding with Microsoft's high-profile trumpeting of its new "safer" browser product (IE 7), complete with glossy logo.
Experts at Net Applications said they were surprised at Firefox's sudden retreat, saying they expected a slowdown before any decline.
Yet they told CUK: "Whenever there may be problems with security, there always is a decline with users changing browsers."
Data from the Web analytics company is based on 40,000 users, gleaned from their global internet operations, prompting some commentators to question the so-called global decline in the Firefox market share.
The Counter.com reportedly finds that between June and July, Firefox actually increased its share by two points, and overtook IE5 for the first time ever.
The Web Standard Project suggests webmasters should treat data from web analysis providers with caution, before rushing to make service changes.
"So what can we conclude?" asks the WSP, a grass roots project fighting for open access to web technologies.
"Not much: Mozilla-based browsers are probably used by just under 10% of the web audience and their share is growing slowly. IE5.x is probably used by somewhat less than that and its share is declining slowly. IE6 is roughly holding steady."
Meanwhile, Spread Firefox, which measures actual download rates of the browser, reports that it took just one month for the Mozilla Foundation's showpiece to reach 80 million downloads in August from its July total of 70 million.
At the time of writing, Firefox had been downloaded 80701444 times, meaning adoption rates of over 10m occurred one month after Net Applications says Firefox bolted in light of the dominant IE.
"Wasn't planning on it as what you say is true of all OS's. You mentioned that keeping systems fully patched is an issue for large enterprises (completely agree). All OS's need to improve on this."
Agreed, however the high level of integration of MS products and the privilege level they must run as makes them particularly vulnerable. While many UNIX daemons run as unprivileged users, many MS Windows services run as local system or other privileged users.
ALL OS's have security problems. The bigger the environment, the more will be present. Problems scale. :)
I have cracked systems of every variety of OS in common use. Objectively, I don't think that any OS is inherently more secure than any other. They each have their unique issues.
It's dishonest to say that open source makes an OS inherently any more or less "secure" than a closed source OS. It's also dishonest to accuse OS users of being or supporting communists.
"So let's pretend Linux actually is viable for the desktop of a large enterprise. How does that ensure patches are fully deployed to 100% of all machines?"
You have to use a patch management system, same as any OS.
"Assuming that a few machines are missed then those too can be exploited. Especially since Linux has more posted patches that need to be deployed."
Linux has more posted patches, but I would venture to say that not every application is installed on every UNIX system. If it ain't installed or running, you ain't vulnerable.
UNIX single signon systems are also not vulnerable to the same kinds of issues that Windows domain structures are vis a vis cached passwords, less strong authentication fallback like Kerberos -> NTLM for windows, and other platform specific issues. For either OS, 2 factor authentication is a good solution, but it's not financially viable for every deployment. It's not cheap.
The weakest points in any deployment are the users, trust relationships, policies and procedures, and applications, particularly web apps. That's all independent of OS.
"We really know what happened. When I knocked your argument down by saying you could replace the crypto dll, you changed the context of what you're talking about. We know you didn't care about Windows licenses early on or you would just say, I don't deal with Windows licenses."
You can change it, but you have to jump through a lot of hoops to disable the weaker fallback mechanisms such as NTLM, which can't always be done... it breaks some stuff. There's also the issue of Windows caching this stuff in the SAM.
Any UNIX can easily replace something like MD5 with Blowfish, for example, and SSHv1 is easily disabled as a fallback, and it doesn't break anything to do so.
I don't understand why is it with Linux things are dismissed like...well a good admin wouldn't have that feature turned on. Or they'd configure it to avoid that issue. However, with Windows everyone is a stupid noob. If you don't like cached passwords TURN THAT FEATURE OFF.
I said that.
Are you just arguing for argument's sake?
Yes, just kidding.
I didn't see where you said to turn that feature off. But I may have missed it. It's hard to keep track of a discussion on the same issue with 3 different people firing things off. But your post is agreeable to me.
But maybe the link will help others understand that those horrible security design issues in Windows can actually be turned off or replaced. So in essence it's a lot like Linux allowing the user/admin to customize security for his environment.
Depends on how you think about it. Secure in a general sense? The OSS development model won't make it more secure, but it won't allow security through obscurity -- obscurity that could later be compromised.
I expect to hear a big yes all around. Unless of course everyone else is just trolling trying to win an argument. I'd have to say I just schooled quite a few people today on some of the great features of Windows.
Hopefully in the future our discussions can be more civil (like the way it wound up in Adam_az's thread).
Hey another point of agreement. See we can find common ground! But now here's the tougher question. Which is the lesser of 2 evils? Security through obscurity OR buggy OSS code that has little support?
I guess the answer depends on how much code you can write yourself to fix the bugs. And how much support the closed source vendor provides.
In general, we try to keep discussions about a platform's security to what comes in the box, and for Linux what comes in common distributions. After that, we can talk about how secure something is by default for a newbie, or how secure it can be configured to be by an expert.
Buying extra products in order to make your OS secure rarely comes into the discussion because the variables are too great, and because in a discussion of general security it will be applicable for only a very tiny portion of the installed base. It might be a good suggestion to individuals, but has little impact in general when the other 99.999% of machines don't have it.
BTW, can you point me to one of these high-security password drop-ins? I've used Windows in even a classified high-security environment and have never seen one.
Buggy OSS code vs. buggy proprietary code? OSS code that has little support will die. Living OSS code by definition has support, like Apache, Firefox and Linux, and usually faster responses for bug fixes than proprietary code from a large vendor.
If you happen to be stuck using OSS code that is no longer maintained, then you have the option of maintaining it yourself. If you happen to be stuck with proprietary code that is no longer maintained, then you're just screwed.
That's the beauty of it. You can create it for yourself! Just like Linux. OSS lets you create the code you need to meet your unique requirements. Well the modularity of Windows allows you to write your own.
"So my question is...for all those that were crying the sky is falling because of cached passwords and not having any salt with your hash, will you now advise your clients and update your own windows machines to use a custom crypto provider and disable cached hashes?"
Already do, but again, in some instances that just doesn't work.
If it's a laptop, the passwords HAVE to be cached, or else you can't login when you are away from the network, for example.
If you use W2k VPN then you often can't disable LM NTLMv1 or NTLMv2, or it just won't work.
NT 4.0 prior to SP4 does not support NTLMv2. There are a LOT of older NT4 systems out there, where applying SP4 breaks the app, and the app doesn't run on newer versions.
see
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/576.asp
also see
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659
In other cases, it's inadequate.
If you use HTTP basic authentication, then the passwords will be cached in the registry. Clearing the cache with MSIE doesn't resolve this. It's another side effect of the integration of MSIE into the OS.
Hardening Windows auth can be tricky.
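Added example, not written by any participant in this thread: a small audit of the settings the post above discusses (LM/NTLM fallback, stored LM hashes, cached logons), run over a registry export. The value names `LmCompatibilityLevel`, `NoLMHash` and `CachedLogonsCount` are the standard Windows ones; the sample export, the function names and the pass/fail thresholds (including allowing one cached logon on a laptop) are assumptions made for illustration.

```python
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (regedit text format) for a hypothetical host.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{LSA}]",
    '"LmCompatibilityLevel"=dword:00000001',
    '"NoLMHash"=dword:00000000',
    "",
    f"[{WINLOGON}]",
    '"CachedLogonsCount"="10"',
])

def parse_reg(text):
    """Parse a .reg text export into {key_path: {value_name: int_or_str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                current[name] = int(dword, 16) if dword else string
    return keys

def audit(text, is_laptop=False):
    """Return findings for the settings discussed above (thresholds are assumptions)."""
    reg = parse_reg(text)
    lsa, winlogon = reg.get(LSA, {}), reg.get(WINLOGON, {})
    findings = []
    level = lsa.get("LmCompatibilityLevel")
    if level is None:
        findings.append("LmCompatibilityLevel unset: OS default applies, confirm it")
    elif level < 3:  # 0-2: client still answers with LM and/or NTLMv1
        findings.append(f"LmCompatibilityLevel={level}: LM/NTLMv1 responses still sent")
    if lsa.get("NoLMHash") != 1:
        findings.append("NoLMHash not set: LM hashes may be stored on password change")
    cached = int(winlogon.get("CachedLogonsCount", "10"))  # "10" is the Windows default
    allowed = 1 if is_laptop else 0  # laptops need one cached logon to work offline
    if cached > allowed:
        findings.append(f"CachedLogonsCount={cached}: more than {allowed} cached logon(s)")
    return findings
```

Hosts that must keep a weaker level for a legacy VPN or NT4 peer, as the post describes, will show up as findings and need a documented exception rather than a silent pass.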
So no such product exists? It is only conceptual in your mind based on your understanding of the Windows password model?
If the product necessary to bring Windows up to password security parity with everyone else doesn't exist, please do not recommend it. Otherwise, I am very interested in it.
Well the modularity of Windows allows you to write your own.
If Microsoft tells you the correct APIs and if Microsoft gives you a license in various cases, then you can do it. But unless you're developing embedded Windows, don't expect to be able to modify anything (and modifying is a lot better than having to write your own).
"The OSS development model won't make it more secure, but it won't allow security "
To be fair, it also gives attackers source code access.
On the other hand, it gives defenders source code access.
Closed source doesn't give either.
They're both a wash, just a different wash.
I personally prefer the open source model, which I think is a better wash, to abuse a term.
Yeah, if you're still working with NT4, that can be tricky. I imagine that's the case with all ancient OS's that weren't designed with the Internet in mind.
I just thought since you're an OSS type that you'd rather create your own.
"Yeah, if you're still working with NT4, that can be tricky. I imagine that's the case with all ancient OS's that weren't designed with the Internet in mind."
Internet?
Hell, I did a wireless hack for a retail chain lately, discovered that the servers running their stores are on NT4. They can't patch or upgrade because the app breaks. These aren't internet connected systems.
Wireless came after the Internet. So do the math. NT is old. They need to upgrade or quit adding applications and functionality to NT (like wireless).
"Wireless came after the Internet. So do the math. NT is old. They need to upgrade or quit adding applications and functionality to NT (like wireless)."
The NT4 systems are on an internal network. Not an internet connected network. Not a publicly accessible network.
The wireless part is irrelevant, I just happened to run into the machines while testing a wireless deployment.