Introduction

The Internet is becoming a more and more dangerous place to be, due in no small part to the inherent security risks posed by viruses and spyware. Additionally, applications that access the Internet as part of their normal operations may have errors in their code that allows hackers to launch attacks against the computer on which those applications are running. The safety and integrity of digital assets is further compromised by the fast-growing threat of cybercrooks who devise and implement large-scale hoaxes such as phishing and ID theft.

In the light of all this, it’s clear that users need a reliable and secure web browser between them and the Internet, which will be free of these problems and won’t let harmful content invade the computer.

The web browser industry continues to be dominated by the Windows-bundled Internet Explorer, with an 85% market share, but in recent years a new breed of free, more functional and resilient browsers has appeared – the most popular being Mozilla/Firefox and Opera. All have received serious security upgrades to help protect against recent scares and safeguard users online.

Internet Explorer is at version 6.0, essentially the same product that was included with Windows XP in 2001. Eighteen months ago, the release of Windows XP Service Pack 2 substantially increased IE safety; however, it did not eliminate many of the loopholes exploited by hostile program code. At present, Firefox is at version 1.5, but its very different development history (see next section) means that it can be considered at a similar level of maturity as Internet Explorer.

Currently, Microsoft is preparing its next-generation browser, Internet Explorer 7.0, which it plans to introduce sometime during the first half of 2006. The company has stated that it intends to make the browser stronger and more secure to help protect its users against the many problems that have dogged the software over the years.

We, along with Internet users everywhere, await the final results with interest. In the meantime, we decided to undertake our own security evaluation of both IE 7 (beta) and its closest rival, Firefox 1.5.

History and overview

Internet Explorer is a proprietary graphical web browser developed by Microsoft. In 1995, the company licensed the commercial version of Internet Explorer 3.0 from Spyglass Mosaic and integrated the program into its Windows 95 OSR1 edition. Later, it included IE4 as the default browser in Windows 98 – a move which continues to raise many antitrust questions.

Firefox is an open-source browser developed by the Mozilla Foundation; anyone who is proficient enough can collaborate in writing and improving its program code. Mozilla is known for its stringent approach to security, promising a bounty of several thousand dollars for any major vulnerability found in the product.

Security incidents and threat response

While no browser is perfect, major security lapses happened rather more frequently with IE than with Firefox. To be fair, Firefox has less than a 10% market share and is thus a rather less enticing target than IE; that’s probably also why security researchers focus much of their attention on the vulnerabilities of Microsoft’s browser, not Firefox’s. Some people have argued that if the market shares were reversed, bugs in Firefox would start appearing on a more frequent basis, as has recently been the case with Internet Explorer.

The open-source architecture of Firefox contributes to the overall safety of the browser; a community of skilled programmers can spot problems more quickly and correct them before a new release is available for general use. It’s been said that threat response time for Firefox averages one week, while it may take months for Microsoft engineers to fix critical bugs reported by security analysts – an unacceptable situation for users who remain unnecessarily vulnerable to exploits (hacker attacks) during that time.

>From the threat response standpoint, Firefox is clearly the winner.

Security features

Phishing safeguard

New protection against financial fraud and identity theft has been incorporated into the new IE. A so-called “phishing filter” now appears on the Internet Options menu, which is intended to protect users against unknowingly disclosing private information to unauthorized third parties. Here’s how it works:

If a user visits a spoofed site which looks exactly like a genuine one – usually as a result of clicking on a link in a fraudulent email - the browser senses a phishing attempt and compares the site against a list of known phishing sites. If the filter finds the site is a phishing culprit, it blocks access to the site and informs the user of the danger of leaving his/her personal details on sites like this. The database of known phishing sites is updated regularly, and users have an option to report a suspected phishing instant to Microsoft for evaluation.

We’re pleased to report that, even in beta, the filter appears to work quite well, correctly identifying half of the test sites we visited as phishing sites.

In Firefox, phishing protection is delivered through third-party extensions such as Google Safe Browsing (currently in beta for US-based users only (see http://www.google.com/tools/firefox/safebrowsing/index.html); this can be plugged into the browser’s extension menu.

As additional protection against accidental phishing, the authors of IE have stated that they plan to make their product display the URL of every visited site. With IE 6, this capability was not available and many pop-ups appeared without displaying an address in the previously non-existent address bar. Unfortunately, in neither browser were we were able to achieve more than a fifty percent URL display ratio; we trust that this percentage will increase as the release of IE 7 approaches and Mozilla continues to work on improving its functionality in this area.

Restriction of executable Web content

In the current version of IE, suspect websites have been free to install almost any software they want on visitors’ machines. While XP SP2 has dramatically reduced this possibility, many unnecessary add-ons and toolbars can still be easily installed by inexperienced users. IE 7 should provide more protection for naïve users, as it will offer to run in protected mode, thus restricting access to the host OS files and settings and making these critical elements of the computer inaccessible to malware.

The default setting for Firefox 1.5 is to have installation of extensions and add-ons disabled; the user must manually change settings in order to enable adding extensions to the browser.

There will always be a tradeoff between security and functionality, but security experts always maintained that letting websites unrestrictedly launch executable code within the browser creates unlimited potential for exploitation. IE 7 will offer much greater flexibility in configuring which external code will be permitted to run within the browser and what impact it would have on the OS.

ActiveX restrictions

Aside from some graphics enhancement of web pages, in most cases ActiveX is more damaging than beneficial. Many sites that serve up spyware and pop-up ads use ActiveX scripting technology, and ActiveX scripting in the Windows environment can be allowed to run unrestrictedly with administrator (root) privileges. Firefox 1.5 does not support Microsoft’s proprietary ActiveX technology and so the Firefox browser is more resilient against spyware infection.

In IE6, even with SP2, ActiveX is allowed to run by default, which automatically renders IE users less protected against the threat of spyware. In the upcoming IE 7, it is not yet known whether Microsoft will continue this approach, but early indications point to this being the case. This would be unfortunate, since the current approach is a clear security vulnerability.

Of course, IE users can manually disable ActiveX scripting on a particular website and let ActiveX be started automatically on all other sites visited. Or, vice versa, they can disable ActiveX scripting on most of the sites visited and permit it to run on a particular site. All this can be configured under the Security tab in IE’s Options menu. However, it is hardly realistic to expect Internet novices, who need the most protection, to do this.

Java, JavaScript and Visual Basic components

Java and JavaScript can be enabled and disabled by both browsers. Firefox allows users to specify permissions for particular actions performed by these scripts. IE 6 allows users to create a group of trusted sites to which global limitations on these scripts will not apply. In IE 7, more flexibility will be added that will lead users toward a more customized display of web pages belonging to a particular site; it appears Firefox also plans to introduce more flexible parameters.

Internal download manager

IE 7’s download manager will be revamped, and feature an option to pause and resume downloads - a feature not available with the current version. Specific actions will be able to be defined following the completion of a download, and users can check the newly-downloaded file with their anti-virus before running it. This approach is already in place with Firefox, so Microsoft appears to be playing catch-up here.

Encryption of data on protected sites

When you submit sensitive information, such as transaction details to a bank or financial institution, it travels in an encrypted form through a secure HTTP (SHTTP) connection. The information is encrypted by your browser and decrypted at the receiving end. The new version of IE will use stronger encryption algorithms to reliably transfer your data without the risk of being intercepted and deciphered by someone in transit. A padlock icon indicating that a user is on a secure site will be placed in a more obvious place than currently, and more detailed information will be provided to help visitors check the authenticity of such sites.

Firefox currently has a better-organized display of security certificates for its users, so clearly Microsoft has a room for improvement.

Updating

Both browsers are updated automatically when new code is ready. Firefox has this update mechanism already in place, and for IE 7, it is expected that updates will be provided through Windows update technology.

Privacy enhancements

IE 7 will have the ability for users to flexibly set what private data will be saved and can be applied to different sites; users will be able to easily remove browsing history and other private details such as passwords, cookies, details submitted on web forms, download history, and temporary files. In IE 6, these files were stored all over the place and users have complained that there is no clear way to delete this information. Firefox 1.5 already provides this capability.

Conclusion

IE 7 promises a lot of interesting security and privacy enhancements that will help users stay more secure. With the final release users will receive a good, solid browser that, if Microsoft promises are fulfilled, will help it to compete well on the security front. As we have seen, Firefox 1.5 is already a role model, and it will be interesting to see what lies ahead for this talented challenger.

About The Author

Igor Pankov is a Product Marketing Manager at Agnitum Ltd., the developers of Outpost Firewall PRO. Free Version is available for download at http://www.agnitum.com/products/outpostfree/download.php.

Let's face it. Building a web site that browses consistently on multiple platforms and multiple browsers is not always as easy as we would like.

It is safe to say that most designers spend most of their time building their sites on a given platform. Those with the highest standards should, upon completion, take a look at their creation in different browsers and different platforms.

Sure, you could see how it looks in Window 98 with Internet Explorer and let that be good enough, but do you really want to risk a bad web experience for millions and millions of potential visitors? Consider this....

A recent statistic I saw reported that 12% of internet users were Macintosh users. Ignoring this fact is like creating a catalog that can only be optimally viewed by one in eight of your customers.Furthermore, not all of the Windows users are using Windows 98. Windows 95 continues to be widely used, and Windows 2000 and NT represent a significant percentage of visitors.

It would be remiss to ignore the small, but growing contingency of Linux users. Though small in number at this time, the popularity of the OS grows daily.

Platform issues aside, Internet Explorer, despite Microsoft's inclusion of it with all Windows Installations, does not represent the only browser option. Netscape continues to enjoy a strong following of users numbering in the millions, and Lotus Notes is being used by numerous corporations as the "standard" browser and e-mail application.

Then, of course, there is AOL. Although basically an IE engine "under the hood" AOL continues to include certain differences. Considering the vast numbers of AOL users, this browser must not be overlooked. If your site does not look good in AOL, then you are risking turning away a huge percentage of potential visitors.

It should be clear that cross platform and multiple browser compatibility is a must. Therefore, understanding a few very basic and simple techniques to help keep your pages looking their best in the most places is also a must. Following, you will find a few tips and ideas to help you do just that.

#1 Paint the canvas your visitors will see

As a web site designer wanting to be as efficient in my work as possible, I have configured my Mac to use two monitors. As my mouse leaves the screen of one, it appears on the other. Thus, I have a canvas that, on most days, is 1856 pixels wide over 32 horizontal inches. If I want to, I can easily boost that to over 2000 pixels wide. But, my clients and the average visitor on the web do not have two monitors. In fact, most of them have the screen resolution set to 800 X 600 or 1024 X 768. What's more, every single time I have gone to a client who uses AOL, their browser window opens to what looks to be a 640 pixel wide default no mater how large the monitor or screen resolution.

On one of my first projects, I had designed a site to a modest 700 pixel wide format with a nice top navigation area. I went to my clients office to get some "point and discuss" feedback to find her new 21 inch monitor -- set at 640X480 resolution. My designs looked terrible!

If you intend your web site to appeal to the broadest range of visitors, you need to design in a way that will look good even at low resolutions. Check with some of your typical visitors and see what kind of resolutions they normally use.

#2 Use Tables to Control Width

Tables are great things when trying to control the way text and images go together. In order to achieve a nice looking design, using tables is the first technique to consider.

Tables can be assigned a fixed width in pixels or a fixed percentage of the window width. There are advantages to both approaches. If you are not concerned about the relative vertical arrangement of objects in a table cell, using the fixed percentage allows for more fluid layouts.

If, however, you want to keep text wrapped around an image with more consistency, using the percent approach could lead to major differences. Text will wrap quite differently in a cells of different pixel widths.

To have better control, consider using fixed pixel width. However, you must now start making some compromises. If you want to offer a site that looks good at 640X480, you will need to set your table width to 600 -- 620 MAX! You will want to center the table in the window to provide a nice look when wider windows are used. However, if your visitor has monitor resolutions set to 1600X800 and has the browser "maximized" your page will have 500 pixels of blank space on either side of your 600 pixel table.

Fortunately, few people will be browsing at this configuration. My experience visiting clients, friends, and family suggests that, even if monitor resolution is set at over 1000 pixels, the actual width of the browser window will be reduced to something less.

You must decide if you will risk an odd looking page for those few who have HUGE monitor resolution or risk the annoying scroll bar for those with the basic 640X480

#3 Compromise your Font Use.

Supposing you select a fixed width table and have a cell that is 300 pixels wide. You write a headline in this cell, pick a font, and size it to look just right. Good for you. Too bad that headline will come up different on different systems.

Even on the same computer, there are very slight differences between how Netscape and IE render fonts. Remember the 1 in 8 visitor using a Mac? For technical reason it is beyond the scope of this article to describe, fonts are significantly smaller on a Mac than on Windows. Don't forget that your visitors can also set the default size for font display in their browser, too. If they do that, you are really starting to lose control of how fonts are displayed!

One solution is to use cascading style sheets, but that technique goes beyond the casual designer's typical experiences. The other solution is to compromise. Make sure that it looks good on the predominant platform -- currently Windows -- but don't use the smallest font possible either or your Mac visitors won't be able to read it!

#4 Check Your Final on Multiple Platforms

I commit to my web design clients that their site will be look good to ALL visitors. To make sure this is the case, I have an Intel computer as well as my Macintosh. I have the Intel computer configured to boot into Windows 98, Windows 2000, and Linux. I test all the pages I design in these environments. I test in both Netscape and Internet Explorer on the Windows systems and the Mac. I enlist a partner to test with Lotus Notes and AOL.

This may seem excessive, but frequently there will be some little thing that shows up in one of the platform/browser configurations that requires some minor correction. Would it be good enough if I did not make the correction? Probably. However, it is always best to make a good first impression and on the web, where you have about 5 to 7 seconds to get visitors to commit to take an actual look, every little thing counts.

If you do not have access to multiple platforms, enlist your friends. Stop by a library or a Kinkos and use their computers (often these places may have Macintosh computers as well as Windows computers).

These four simple suggestions are the beginning of a journey toward the much larger goal of making the content of your web site universally available to your visitors. Ultimately, reaching this goal depends upon many factors. However, progress toward this goal must commence with awareness.

Understanding that your site will appear differently on different browsers and based on different user preference settings is an important first step toward awareness. Using tables and being conscientious with your use of fonts takes you one step further. Checking your work on various systems will begin to hint at how much further you have to go.

But, every journey must begin somewhere....

I hope this helps in your future marketing decisions.

About The Author

David Bell is Manager, Online Marketing, at http://www.wspromotion.com/, a leading Search Engine Optimization services firm and Advertising Agency.

article compliments of ArticleCity.com

Top Informational Websites

Internet Explorer downloads

MSN Search Insider

Netscape

Firefox

Safari RSS for MACOSX

Plugins.com six apart professional network plugins directory

enjoy multimedia: plug ins