Slashdot Mirror
Interview with IE Lead Program Manager
crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."
Forget Opera Man, I'd love a chance for the collective to ask this guy some tough questions about past and present design decisions in IE.
120 characters for a sig? That's bloody useless.
Why was there no development on IE for several years? If you were on every release of IE, you must have noticed this... you're workload would have been really small ;)
http://psychicfreaks.com/
why isn't IE7 doing a better job with supporting CSS standards?
> And he's kept his job?!?
If the product you were responsible for had a 97% market share (apparantly "only" in the high 90's now though) your job would probably be somewhat safe too.
It's been a while since I read much about IE7, but last I heard they were stripping a lot of its hooks out of the OS so that it sits "on top" like other browsers do. That alone should significantly reduce the security risk it poses.
IE6 has just been around too long; the hackers have had too long to play with it and find every possible exploit there is. If Opera were still sitting at version 5 (and controlled a larger market share) it would probably have just as many security holes discovered. It's the frequent updates and relative obscurity that make other browsers apparently more secure today.
120 characters for a sig? That's bloody useless.
every IE release since IE 2 or 3
Glad he's paying attention
The first lesson was that the Internet isn't an innocent place any more. When IE6 was under development 6 years ago, viruses were inconveniences and true Internet crime wasn't a concern.
Oh, really? Let's hear it for forward thinking...
-- Is "Sig" copyrighted by www.sig.com?
In corporate newspeak, all nouns are considered fair game for conversion to verbs.
120 characters for a sig? That's bloody useless.
"It's been a while since I read much about IE7, but last I heard they were stripping a lot of its hooks out of the OS so that it sits "on top" like other browsers do. That alone should significantly reduce the security risk it poses"
These hooks being only introduced in the first place so MS could justify that it wasn't bundling IE and that it was a necessary part of the OS. Once again MS putting security and the end user lower down its priority list than profits, control and market share.
True. If only his product wasn't riding Windows' coattails. Similarily, WordPad is essentially the world's most popular word processor!
I think IE could do better in this area. There's a very simple definition of what active code in a browser should be able to do. Simply put, it should not be able to touch any other part of the system without user permission. When it is allowed to access other parts of the system (to open or save files, or to print a web page) the user should be asked if it's okay, and the question should be asked unambiguously. (For example, the dialog box could pop up like a balloon message, pointing to the web page's tab and saying "This web page at www.domain.com wants to load the file C:\path\to\file.txt. This will give www.domain.com access to the contents of the file. Is this okay?" or something like that.)
I also wish they would stop with the EXE-blocking stuff. Frankly, a browser shouldn't offer crackers or spyware peddlers any vulnerabilities to exploit, but it shouldn't make the assumption that all content is bad. If a user opens, or is redirected to, an executable file, it is their responsibility to make sure it is valid. Use code signing or something, if you want. But don't just block all programs.
ttuttle is a rankmaniac
IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.
Heck someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7. Recall the EI7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.
And to discount your "IE6 has just been around too long" argument, there's fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of windows boxes (easy!) and then try to take down those *nix sites via DDOS attacks.
The cesspool just got a check and balance.
When your website is linked on /. you should expect a disproportionate amount of users from non-IE browsers. That being said, you still have more IE users than non-IE users. And if you were able/tried to parse out which browsers people were using (not versions but types) you would see IE with a 58% chunk and then a bunch of tiny, segmented slices representing all the different factions of the various Gecko-based browsers, Mozilla, etc ... Microsoft still owns the pie.
As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.
If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.
Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Sadly - I think someone previously hit the nail right on the head, and the guy is partially right about drawing the line between outrageous functionality and security. I know for a proven fact that users, when given the option of a 'secure' browser or one that lets them send web pages to buddies on their Yahoo! messenger... well you know which one they'll pick. The problem is maintaining functionality that allows the user experience to be rich and meaningful without being able to hook into the operating system... this still leaves the browser exposed! BHOs are an atrocity which we in the security world have had to live with for some time - I cringe every time my wife says "my browser is so slow" and I look into her "Manage Add-Ons" menu - there's always crap in there! See... browser security is a constant battle between user experience and what security features we want. I don't see IE7 being any better at it... and I think FireFox had the right approach... build a base browser and force the users to add-in plugins they want to use. Microsoft's bloated IE comes with everything they think you'll ever want, toaster included, so there's just so much to exploit. Anyway - I could rant but I'll stick to the hard truth... when presented with an option, users always choose the more functional, easier to use, more colorful version - and they don't care if it's more 'secure' ... all the education in the world isn't going to change human nature folks.
If MS themselves refuse to use .NET for their own programs, what does that say about the viability of it for the rest of us? It doesn't inspire confidence.
True. If only his product wasn't riding Windows' coattails. Similarily, WordPad is essentially the world's most popular word processor!
That wouldn't be correct, as most people DON'T use WordPad for their word processing. So actually your example proves that just because something is included in Windows doesn't automatically make it popular.
That's a bit of an odd thing to say. Microsoft essentially pulled the rug out from under the Mac Internet Explorer developers. What would have been the rendering engine for v6.0 was instead used for Mac MSN, and it turned out to be a great engine with great standards support. Killing Mac Internet Explorer just meant that the people who stayed with Mac Internet Explorer stayed with the old and buggy version you despise instead of having up to date support for the standards.
Bogtha Bogtha Bogtha
Cripes.
No wonder development is so slow.
Or how about being grateful for the free use of the software they are giving you? Or how about gettinmg involved in the solution rather than coming up with newer ways to spam the programmers who volunteer their time to make you a better browser?
I get your frustration. I'm a web developer, and deviation from standards causes me a great deal of pain and trouble, but when it's all said and done, I haven't contributed one line of code to the Firefox project, so anything they give me is a gift.
Tom Caudron
http://tom.digitalelite.com/
-Tom
This epitomizes MS culture and why they constantly fail. By making themselves the gatekeepers of "authorized" software, MS realizes anew way to take money away from developers. It completely ignores what users want. User's don't want to be restricted to a subset of software that is "authorized." They want to run any damn thing they please, but they want the OS to stop it from doing anything malicious.
I've said it before... new software on Windows should be running in a jail or sandbox or VM or something and by default should not be allowed to touch anything without the user being informed in real English and given the option to granularly deny the software, without stopping that software from running in most cases. This would solve the vast majority of Window's and IE's security problems. If they cared about security they would have leveraged one of the many VM companies they have bought out and fixed it, instead of developing their own malware scanning product and making money off of it.
Is there a message here perhaps?
Yes. That the time and effort required to rewrite a large, complex codebase in a new language/platform for arguably little benefit is better spent elsewhere
Indeed.
..... well ..... being Microsoft.
Microsoft are just being
If Windows was perfect, they would never be able to sell a new version. But Microsoft have to sell new versions of Windows; it's the basis of their business. Therefore, Windows has to be defective in order for there to be something to put into a "better" version in future.
There's a similar line of reasoning which explains why governments haven't solved the major social problems of the day. There's good work for a government in a fucked-up society. If there is no unemployment you don't need the Dole, if there is no disease you don't need a National Health Service, if there is no crime you don't need a police force, and so on.
Je fume. Tu fumes. Nous fûmes!
Having to spoof MSIE's user agent because they sniff your agent and display "This site is designed for Microsoft Internet Explorer" if you're using anything but would not have anything to do with that now, would it?
I can imagine the IT discussions there:
CFO: "Hey, let's get online banking done. What do your guys need from us?"
CIO: "Okay, we have internet explorer, frontpage, and dev studio here. Check. We'll get right on it."
(weeks/months later)
CFO: "Hey it doesn't work in Netscape 4.0"
IT: "Nothing works in Netscape 4.0. It's a steaming cowpie."
CFO: "OK, good show then, let's just display a message for folks running other browsers, and recommend that people use MSIE instead. Can you do that?"
CIO: "Yeah, all we need to do is check for something called the user agent."
(a couple of years later, conduct online banking using Safari, Konqueror, Mozilla, Firefox, Opera, etc. by spoofing user agent)
CFO: "Hey Chuck, I just got a call from the chairmain of the board. He said the directors think our website is outdated and also we need to get all of our services online. What will it take?"
CIO: "Oh we have MSIE, Frontpage, Visual Studio.Net, and IIS, I don't think it will be any problem."
CFO: "By the way one board member remarked his mac doesn't work with our site. In fact he said that he had to buy a PC just to do online banking. Do you think we should fix this?"
CIO: "Let's check the web logs, shall we? OK, it looks like 99.999% of visitors use MSIE. I don't think we have to worry about it."
CFO: "Great, so we can reallocate the budget we had slated and send executives to Hawaii for er, team building instead."
CIO: "Sounds great to me."
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
.Net doesn't guarantee security. You might as well say "I though any program I wrote in .Net wouldn't have bugs." You won't have buffer overflows, but that is merely a small class of bugs you need to be concerned about. .Net is fine for large projects. If you can't understand that there are factors external to the language and environment then you have no business making judgements in the first place.