Another version of Microsoft's Internet Explorer web browser was released last
week -- and already the first of what will undoubtedly be yet another
wave of security bugs has been uncovered -- it happens every time!
Also angering some in the Net community is Microsoft's decision to usurp
the standards organisations by implementing, once again, its own set of
extensions to the commands used by web designers to lay out and control
web pages -- thus further widening the compatibility gap between IE and
its competitors.
Of course, Microsoft and its supporters will probably say "who cares?" -- after
all, IE is now used by more than 80 percent of web surfers and so it is
the standard -- like it or not.
No doubt AOL (who own Netscape) will be somewhat less than swayed by such a
comment, as will the many sensible web designers who realise that to
be truly effective, a website must work reliably with at least the three
major browsers: IE, Netscape and Opera.
I can see both sides of the argument -- but my real bitch is with the massive
level of complexity and bloat that has crept into both IE and, to a slightly
lesser degree, Netscape.
Given that these browsers are "give-aways" and loss-leaders for the companies
that produce them, it's unlikely that we'll ever see a truly reliable browser
from Microsoft or Netscape. Just ask NASA, or any experienced software engineer,
how impossible it is to produce anything other than very trivial software that
is perfectly reliable in the "real world" and you'll see that the latest crop
of browsers is already way beyond the size at which reliability can be ensured.
Of course we've learned to live with software bugs -- they're a fact of life
and in most cases they tend to be relatively minor and irritating rather than
devastating. Well, that was the case -- until the world decided to connect many
of its computers together via the Internet.
Because of this connectivity, the kind of bugs that simply irritated in
the past now have the potential to spell total disaster. A bug is, by definition,
an unexpected behaviour or response by a piece of software -- and when we get
such deviation from the norm on a computer connected to the Net, there are always
potential security implications.
If your copy of Microsoft Word would occasionally crash and cause you to lose
the last 2 minutes of typing, that was not so bad -- but if your copy of IE
has some strange aberrant behaviour lurking deep in its bowels, it could allow
a malevolent hacker to gain access to critical or valuable data on your system
without your knowledge.
Until recently, productivity was the key determining factor in deciding
the acceptability of applications software. So long as the software provided
a reasonable return on the investment by saving time or providing extra benefits
then it was a prime candidate for the job. Today, however, even the most productive
software may be an extremely poor investment if it opens your system to intrusion
by other unauthorised parties.
But how will you know?
Very few business users of the Net have the time to scour the industry media
for security alerts and update or change their browser software accordingly --
but you can be sure that the hackers do. The very fact that so many of the
recent viruses have proliferated at break-neck speed is a clear indication
that the vast majority of business Net-users simply don't maintain an adequate
awareness of security issues. It's also a good indicator that relying on
the "it'll never happen to me" mindset is a totally inadequate excuse for
not being aware of the risks.
So, what's the answer?
Modular browsers that are built around a small and proven-secure core with
individually certified modules attached to provide extra functionality?
An independently assigned security rating system (such as the one used by the
US military) for all browsers?
You tell me!
As always, your feedback is welcomed.