Friday, December 19, 2008
Why people stick to IE...or why should they change?
It's interesting to see some reactions afters the IE 0-day thing that happened last week. There is one that always appear on these situations, the old question "why people don't change from IE?".First, I believe this question should be answered in two parts, home users and corporate, with the final answer being the result of both together. Andrew Hay answered that properly for the corporate side. For the home user I believe that biggest challenge is to make people aware of other browser existence and that changing from IE to another won't be that hard. Mostly an awareness problem. However, if there is a situation where the recently Firefox-converted-user tries to access a website and it doesn't work well, he will switch back to IE and assume that "switching browsers is no good cause the other browsers don't work".OK, the problem of "why people don't change" is not that hard to understand. However, my question is a little different, why should we change? Or, should we really change?Security issues are the results from threat presence and vulnerabilities. Internet Explorer is a huge target today, making the "threat presence" something quite big. But that happens mostly because of IE's market share. If you are trying to exploit browser vulnerabilities you will probably aim on the browser with more users, making it easier to find a vulnerable target. Will that still be true about IE if others browsers are able to catch up on the market share? I'm certain that exploits, malware and drive-by attacks will start to be very common to other browsers if they are able to achieve a higher market share.Finally, on the vulnerability side, there are some indications that IE is not that bad, or that it is at least as bad as the others. It's not fair to judge the security of a software by looking into a single vulnerability, as it seems to be the case for IE now.Having said that, I must say that I use Firefox for security reasons. I do that mostly because most of the THREATS are IE related, not necessarily because I think IE is more vulnerable. If Firefox market share grows to a point where malware production targeting it starts to be higher than for IE, I'll certainly switch browser again (Chrome?).OK, some might say that I just presented a different reason why people should move from IE to Firefox, but that still needs to be done. Yes, I would suggest that for home users, but if the move starts to happen in a massive way and also including corporate users, the results from it will probably be innocuous. Funny isn't it? To keep Firefox more secure, it's better that people don't change.That's the perfect example where a Nash equilibrium solution would fit. That's also aligned with Dan Geer ideas about software monocultures. How to achieve that perfect solution? If I knew it I would be a millionaire by now :-)