Firefox's 'retreat' ensures Microsoft excels

Contractor UK ^ | Aug 22, 2005 | Contractor UK

[Bush2000]

Firefox's 'retreat' ensures Microsoft excels

Open source web browser Firefox has lost the momentum it has steadily gained since it was unleashed last year, according to Web analysts at Net Applications.

The online portal’s unique Hit List service reveals a slump in the Mozilla browser’s market share, falling from 8.7% to 8.1 % in July.

Coinciding with its demise, was the advance of Microsoft's IE that has gained some of the ground surrendered in June, climbing back from 86.6 % to 87.2% last month.

The revival for the dominant browser comes on the back of average monthly losses of between .5 to 1% for Redmond, as Firefox started to gain acceptance among a wider audience than just tech-savvy users.

When asked by Contractor UK whether Microsoft’s sudden gains were from the unveiling of a new IE, Net Applications said a re-launch tends revive industry interest, and could have bolstered Microsoft’s market share of the browser market.

When a company launches a new product, there is always renewed interest in what the company has produced and it would also be fair to say that this may have had an effect, said a member of the Hit List team.

Although, there have been browser issues with Windows 2000 in the news, so it is possible that again you may see a dip [in Microsoft’s market share]. Right now, people are looking for security and whenever there are issues with the security of one's system, they will use what they feel will be the most secure.”

Besides Net Applications, web developer site W3 Schools, confirms that adoption of Firefox is falling, just as IE is reaching its highest share of the market in 2005.

According to W3's data on specialist users, Microsoft IE (6) enjoyed a 67.9% share in July, improving to 68.1% in August matched against Firefox’s top share of 21% in May, which has now dropped to 19.8% for the last two months.

Observers noted that both sets of analysis concur that Microsoft’s loss, up until now, has been Firefox’s gain, but over the last month roles have reversed.

Security fears concerning Mozilla and its browser product have recently emerged, coinciding with Microsoft’s high-profile trumpeting of its new safer browser product (IE 7), complete with glossy logo.

Experts at Net Applications said they were surprised at Firefox’s sudden retreat, saying they expected a slow down before any decline.

Yet they told CUK: “Whenever there may be problems with security, there always is a decline with users changing browsers.”

Data from the Web analytics company is based on 40,000 users, gleaned from their global internet operations, prompting some commentators to question the so-called ‘global decline’ in the Firefox market share.

The Counter.com reportedly finds that between June and July, Firefox actually increased its share by two points, and overtook IE5 for the first time ever.

The Web Standard Project suggests webmasters should treat data from web analysis providers with caution, before rushing to make service changes.

So what can we conclude?” asks the WSP, a grass roots project fighting for open access to web technologies.

“Not much: Mozilla-based browsers are probably used by just under 10% of the web audience and their share is growing slowly. IE5.x is probably used by somewhat less than that and its share is declining slowly. IE6 is roughly holding steady.”

Meanwhile, Spread Firefox, which measures actual download rates of the browser, reports that it took just one month for the Mozilla Foundation’s showpiece to reach 80 million downloads in August – from its July total of 70 million.

At the time of writing, Firefox had been downloaded 80701444 times, meaning adoption rates of over 10m occurred one month after Net Applications says Firefox bolted in light of the dominant IE.

[antiRepublicrat]

It doesn't work. Or rather, it works, as long as SYSKEY hasn't been used to move the ADK out of the registry.

Putting another condition on it? Come on, we all (well, you and me, I don't know about Q) know any individual modern system can be locked down so well that will be impractically difficult to get anything off of it. Various third-party tools will make it almost impossible.

However, that represents a small section of well-guarded vines in a 500 acre vineyard that's ripe for the picking.

Mmmm, now I'm up for a glass of wine. How about you? And how's the Turbo doing with the latest gas prices? I had a friend with a late 70s Turbo Carrera and that thing had a voracious appetite.

[antiRepublicrat]

Yes, you replied then I replied and you changed and said this is only in regards to passwords.

Don't like it when people try to stop you from building strawmen, do you?

[for-q-clinton]

Don't like it when people try to stop you from building strawmen, do you?

What on earth are you talking about? But before I call you out [again], let's get a common definition of a strawman.

Main Entry: straw man
Function: noun
1 : a weak or imaginary opposition (as an argument or adversary) set up only to be easily confuted

Now explain. This should be good. I bet you have to try to tie at least 3 different points together to try and make some sense of that comment.

[general_re]

Come on, we all (well, you and me, I don't know about Q) know any individual modern system can be locked down so well that will be impractically difficult to get anything off of it. Various third-party tools will make it almost impossible.

Well, yeah, although SYSKEY is built right into Windows, and is enabled by default since Win2k. By default it stores the hash in the registry, but you can move it rather painlessly - which, since the obfuscation routine is well known, is a good idea.

However, that represents a small section of well-guarded vines in a 500 acre vineyard that's ripe for the picking.

Hey, security is a process, not a product - you know that as well as anyone, I'm sure. To a large degree, your fate is in your own hands, so it's incumbent on every admin and user to take an active role in securing systems, regardless of OS.

And then there are some things beyond anyone's control - no matter how salty your password hashes are, if the information on there is valuable enough, I'll just get a rubber hose and f'ing beat it out of you ;)

[antiRepublicrat]

Now explain. This should be good.

You're losing on Windows passwords, so you bring up Linux's generally inferior usability and shoot that down. That's a strawman.

[for-q-clinton]

Main Entry: straw man
Function: noun
1 : a weak or imaginary opposition (as an argument or adversary) set up only to be easily confuted

In order for that to work, I'd have to try and say Linux has better useability than Windows, just so other's could shoot it down. By my saying Linux isn't better in useability and everyone agreeing, is just the opposite of a strawman.

If anything, your assertion that Linux password feature that allows for better user experience (useability) is a strawman because it's clear Linux is not a better experience overall.

[killjoy]

Yes, they do. They reveal that Firefox momentum has chilled to the point that it's not gaining market share. That's significant, given all the bluster and bravado we've heard around here lately.

No, they have no meaning statistically. You are talking about a different of less than 1%. Try taking a statistics class and learning about standard deviation, confidence intervals, and standard error.

[Bush2000]

You're losing on Windows passwords, so you bring up Linux's generally inferior usability and shoot that down. That's a strawman.

Sigh. You can't seem to let go of that password issue. I've already taken you to the woodshed several times on this issue. Listen carefully: IT DOESN'T MATTER WHETHER YOU SALT THE PASSWORDS OR NOT. WHEN THE PHYSICAL SECURITY OF THE SERVER IS COMPROMISED, YOU'VE LOST THE SERVER. You're wasting everyone's bandwidth arguing over this. Give it a rest already.

[Bush2000]

No, they have no meaning statistically. You are talking about a different of less than 1%. Try taking a statistics class and learning about standard deviation, confidence intervals, and standard error.

Find another strawman. Whether or not it flucatuates +/- 1% is of no interest to me. What I got from this article is that Firefox market share has essentially stopped growing.

[Bush2000]

I say use Advanced EFS Data Recovery from Elcomsoft (they same guys who broke PDF protection) to get around the EFS, then use Rainbow Crack on the passwords.

As pointed out by general_re, anybody who cares about the physical security of the server being compromised and, therefore, uses EFS isn't going to store the SYSKEY on the same box. They're going to put it somewhere else. It doesn't make any sense to use EFS and leave the key on the server. So how are you going to crack it? Answer: It won't be easy. At least, not without throwing an inordinate amount of computing power at the problem. Your primary hope is to find the SYSKEY and compromise EFS.

So here's the bottom line and I hope you finally get this: Strong passwords and encrypted file systems are only flawed barriers. Arguing that one is more "inferior" to another is a ridiculous enterprise because they were never intended to provide uncrackable security under the scenario that you've laid out; namely, that the server's physical security has been compromised.

[killjoy]

Find another strawman. Whether or not it flucatuates +/- 1% is of no interest to me. What I got from this article is that Firefox market share has essentially stopped growing.

I couldn't care less about IE or Firefox. I use them both since they both have advantages and disadvantages. I am simply pointing out that the numbers mentioned in the article have no meaning.

[antiRepublicrat]

Arguing that one is more "inferior" to another is a ridiculous enterprise because they were never intended to provide uncrackable security under the scenario that you've laid out; namely, that the server's physical security has been compromised.

Again, why did all the *NIX vendors dump Crypt() if password security isn't important? Simple, poor password hashing leaves one layer of your security vulnerable, and you want all layers as strong as you can get them. There still remains the basic fact that you ignore, no matter what extra protections you come up with, that almost all Windows boxes in the world as they are right now can be easily password-cracked, while few *NIX boxes are so easy.

[antiRepublicrat]

IT DOESN'T MATTER WHETHER YOU SALT THE PASSWORDS OR NOT. WHEN THE PHYSICAL SECURITY OF THE SERVER IS COMPROMISED, YOU'VE LOST THE SERVER.

Most password cracking was done on *NIX password files pulled over the network. Crackers would then direct computer resources to cracking them, and later return to the machines with the valid passwords. Then the passwords were moved into a protected area, but all that meant was that rooting one box gave you a whole list of passwords to possibly use on others. Plus it meant that if the flaw that allowed rooting were later fixed, you still had access through the valid passwords.

We historically put a life span on passwords so that there is not enough time to crack them before they are changed. With the latest technology, the Windows password expiration should be in minutes.

You see a place where Windows security needs improvement, and you go into total denial. Sad, really.

[antiRepublicrat]

In order for that to work,

You're right. I used the wrong word. It still doesn't change the fact that you switched subjects to divert attention.

[for-q-clinton]

You're right. I used the wrong word. It still doesn't change the fact that you switched subjects to divert attention.

Try making up other things...like that word you tried to use because it sounded good. It's completely related and you know it.

But go ahead and get the word/post in if that will make you feel better.

[antiRepublicrat]

Try making up other things...like that word you tried to use because it sounded good. It's completely related and you know it.

Now you're trying to deflect the argument completely away from passwords.

[for-q-clinton]

But go ahead and get the word/post in if that will make you feel better.

Sorry I left out a word on that post...meant to say.

But go ahead and get the LAST word/post in if that will make you feel better.

[Bush2000]

I am simply pointing out that the numbers mentioned in the article have no meaning.

If you're talking about the difference between 8.7% and 8.1 %, I agree with you on that point. That could easily be statistical noise because it falls within the margin of error. But, more importantly (as I suggested earlier), Firefox's market share has essentially frozen at around 8%. Many Firefox advocates have been predicting that their browser would take significant market share away from IE. Now, it appears, Firefox is primarily gaining ground at the expense of Mozilla, not IE. While that may not be interesting to many people, it reaffirms that the dynamics of the Web client won't be shifting all that much for the forseeable future.

[Bush2000]

Again, why did all the *NIX vendors dump Crypt() if password security isn't important?

Read for comprehension. I didn't say that password security wasn't important. I said that not having physical custody over your machine essentially renders password protections moot.

There still remains the basic fact that you ignore, no matter what extra protections you come up with, that almost all Windows boxes in the world as they are right now can be easily password-cracked, while few *NIX boxes are so easy.

You have to get to the password hashes first. If you've lost root access on a 'nix box, your box is compromised and password protections aren't going to save you.