Who Is Running the Most Secure Browser?

By Larry Seltzer  |  Posted 2008-07-03

Many users are undoubtedly not updating their browsers as quickly as they should, but you can't conclude any specifics about that from the recent study of Google logs.

The researchers who published a large study of Web browser security this week had a great idea and excellent data to work with. Too bad they overreached with their conclusions. A lot more is being made of this paper than is warranted.

The researchers, from ETH Zurich, Google and IBM, looked at log data provided by Google from their global user base for Web search and applications for the period between January 2007 and June 2008. This data was based on the browser user-agent string, which is also the reason the data is not as telling as the authors argue.

What did the study conclude? First, lots of users are not running the most up-to-date and secure versions of their Web browsers. Second, this is primarily a phenomenon of Internet Explorer users; Firefox users, on the other hand, overwhelmingly update their browsers quickly. These and other results led the authors to suggest that browsers get expiration dates, much like milk and pharmaceuticals.

It's fair to assume that the test sample is a highly representative one, as Google is both dominant in the search business and used worldwide. I could argue that users of Microsoft's search engine are more likely to use Internet Explorer than are Google users, but this is a small, marginal difference. The problem is not in the users, but in the user-agent string.

The user agent is a string that a browser, or "user agent" (the more general programming term for Web clients), presents to a Web server as part of a request. Click here to see your own browser's user agent. Click here to see a database of different user agents for different browsers and other "user agents." Servers log this data and often use it to determine which content to send to the client.

I always run both Firefox and IE7. Currently my Firefox user agent is:

    Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
and my IE7 user agent is:

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2; MS-RTC LM 8)
You can see pretty easily that the Firefox one is Firefox 3.0 and that it's running on Vista, set for U.S. English. 1.9 is the version of the Gecko engine and "2008052906" is the build data for that engine. In the IE7 string, we can also see that it's Vista. The "SLCC1" is not clear but may refer to security licensing components. You get versions for .NET CLR and Media Center. I don't know what "MS-RTC LM 8" is. [Update: Thanks to a reader at Microsoft for pointing out that "MS-RTC LM 8" refers to Live Meeting 2007.]

But note that the build data and Gecko version on Firefox give you a lot more version information about Firefox than you get about Internet Explorer. For IE, all you get is major version information, i.e. IE5, IE6, IE7, IE8. The study authors note this themselves:

The USER-AGENT header fields for Firefox, Safari, and Opera contain both major and minor version information, whereas Internet Explorer only contains the major version. Therefore, it was not possible to enumerate the patch level of Microsoft Internet Explorer using this method beyond its major release numbers.
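The difference the study authors describe shows up as soon as you parse the two strings quoted above. The following Python sketch is an added example, not code from the article or the study; the function name, the result fields and the third sample string are assumptions made for illustration.

```python
import re

# The two user-agent strings quoted in the article.
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) "
              "Gecko/2008052906 Firefox/3.0")
IE7_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; "
          ".NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; "
          "InfoPath.2; MS-RTC LM 8)")
# Constructed sample, not from the article: a Firefox point release.
FIREFOX_POINT_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; "
                    "rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14")

NT_NAMES = {"5.1": "Windows XP", "6.0": "Windows Vista"}


def parse_user_agent(ua):
    """Return what a server log can and cannot learn from one UA string."""
    info = {"browser": "unknown", "version": None, "os": None,
            "engine": None, "build": None, "patch_level_visible": False}
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt:
        info["os"] = NT_NAMES.get(nt.group(1), "Windows NT " + nt.group(1))
    msie = re.search(r"\bMSIE (\d+)\.(\d+)", ua)
    firefox = re.search(r"\bFirefox/(\d+(?:\.\d+)*)", ua)
    if msie:
        # IE exposes only the release number (7.0); nothing in the string
        # says which updates are installed, so patch level stays unknown.
        info["browser"] = "Internet Explorer"
        info["version"] = msie.group(1) + "." + msie.group(2)
    elif firefox:
        info["browser"] = "Firefox"
        info["version"] = firefox.group(1)
        rv = re.search(r"\brv:([\d.]+)", ua)
        gecko = re.search(r"\bGecko/(\d{8,10})", ua)
        info["engine"] = rv.group(1) if rv else None
        info["build"] = gecko.group(1) if gecko else None
        # Full version plus the Gecko build pin down the exact release.
        info["patch_level_visible"] = True
    return info


if __name__ == "__main__":
    for ua in (FIREFOX_UA, IE7_UA, FIREFOX_POINT_UA):
        print(parse_user_agent(ua))
```

A log analysis built on this can say which Firefox release a visitor runs, but for every Internet Explorer visitor it can only say "IE7", patched or not.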

The authors supplemented their study with data from Secunia's Software Inspector, a tool that tracks applications on PCs and whether they are up to date with latest versions.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
