Interview with IE Lead Program Manager
crackman writes "Matasano Security is running an excellent interview with Christopher Vaughan, a lead PM on the IE team. Christopher has worked on every release of Internet Explorer since version 2. He discusses IE7, security lessons learned from IE6, the future of .NET managed code in IE, and more."
Forget Opera Man, I'd love a chance for the collective to ask this guy some tough questions about past and present design decisions in IE.
120 characters for a sig? That's bloody useless.
Why was there no development on IE for several years? If you were on every release of IE, you must have noticed this... your workload would have been really small ;)
http://psychicfreaks.com/
Why isn't IE7 doing a better job with supporting CSS standards?
> And he's kept his job?!?
If the product you were responsible for had a 97% market share (apparently "only" in the high 90's now though) your job would probably be somewhat safe too.
It's been a while since I read much about IE7, but last I heard they were stripping a lot of its hooks out of the OS so that it sits "on top" like other browsers do. That alone should significantly reduce the security risk it poses.
IE6 has just been around too long; the hackers have had too long to play with it and find every possible exploit there is. If Opera were still sitting at version 5 (and controlled a larger market share) it would probably have just as many security holes discovered. It's the frequent updates and relative obscurity that make other browsers apparently more secure today.
every IE release since IE 2 or 3
Glad he's paying attention
The first lesson was that the Internet isn't an innocent place any more. When IE6 was under development 6 years ago, viruses were inconveniences and true Internet crime wasn't a concern.
Oh, really? Let's hear it for forward thinking...
-- Is "Sig" copyrighted by www.sig.com?
In corporate newspeak, all nouns are considered fair game for conversion to verbs.
True. If only his product wasn't riding Windows' coattails. Similarly, WordPad is essentially the world's most popular word processor!
I think IE could do better in this area. There's a very simple definition of what active code in a browser should be able to do. Simply put, it should not be able to touch any other part of the system without user permission. When it is allowed to access other parts of the system (to open or save files, or to print a web page) the user should be asked if it's okay, and the question should be asked unambiguously. (For example, the dialog box could pop up like a balloon message, pointing to the web page's tab and saying "This web page at www.domain.com wants to load the file C:\path\to\file.txt. This will give www.domain.com access to the contents of the file. Is this okay?" or something like that.)
I also wish they would stop with the EXE-blocking stuff. Frankly, a browser shouldn't offer crackers or spyware peddlers any vulnerabilities to exploit, but it shouldn't make the assumption that all content is bad. If a user opens, or is redirected to, an executable file, it is their responsibility to make sure it is valid. Use code signing or something, if you want. But don't just block all programs.
ttuttle is a rankmaniac
IE6's security woes have more to do with hooks into the OS, being based on code to support the incredibly badly architected ActiveX, and just plain bad coding than market share.
Heck, someone wrote a virus or two for OS X, which supposedly holds somewhere between 2% and 4% of the market. Firefox has almost 10%, yet I don't recall it having the kind of security exploits that seem to plague every version of IE, including IE7. Recall the IE7 zero day exploit? What's funny was, that was a zero day exploit for the beta, which probably had all of 0.0001% of the market - yes, that's pulled out of the air, but it certainly wasn't large.
And to discount your "IE6 has just been around too long" argument, there are fewer and fewer holes in products like OpenBSD, which have been around far longer than all versions of IE combined. Oh, and OpenBSD and its *nix kindred tend to run the things hackers are truly interested in. But because it's "hard", many just grab a few tens of thousands of Windows boxes (easy!) and then try to take down those *nix sites via DDoS attacks.
The cesspool just got a check and balance.
As I always have to point out in these discussions, when you have around 90% of the market share, you define the standard. Anything with less than 10% support in the market isn't a standard, it's just a formal specification, no matter who writes it. This may not be ideal, but it is the way this sort of market works.
If you think you can do better than CSS, and you're in business, and you have 90% market share, then you probably just go ahead and do your own thing. It doesn't matter if other browsers don't support it, because 90% of users will be fine, and of the other 10%, the vast majority will just think those other browsers are broken and load up yours instead. This is why the stubborn insistence of certain other browser development groups that they will only support W3C specs is the biggest own goal since the last World Cup.
Yes, I know, this sucks for the consumer. Yes, I know, most of us here in a geeky community would agree that the W3C specs are far more useful than IE. I'm not disputing any of this. I'm simply giving a straightforward business case, from MS' perspective, for doing their own thing regardless of what the W3C say. This is why unregulated monopolies, or near-monopolies, suck.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Sadly - I think someone previously hit the nail right on the head, and the guy is partially right about drawing the line between outrageous functionality and security. I know for a proven fact that users, when given the option of a 'secure' browser or one that lets them send web pages to buddies on their Yahoo! messenger... well you know which one they'll pick. The problem is maintaining functionality that allows the user experience to be rich and meaningful without being able to hook into the operating system... this still leaves the browser exposed! BHOs are an atrocity which we in the security world have had to live with for some time - I cringe every time my wife says "my browser is so slow" and I look into her "Manage Add-Ons" menu - there's always crap in there! See... browser security is a constant battle between user experience and what security features we want. I don't see IE7 being any better at it... and I think Firefox had the right approach... build a base browser and force the users to add-in plugins they want to use. Microsoft's bloated IE comes with everything they think you'll ever want, toaster included, so there's just so much to exploit. Anyway - I could rant but I'll stick to the hard truth... when presented with an option, users always choose the more functional, easier to use, more colorful version - and they don't care if it's more 'secure' ... all the education in the world isn't going to change human nature folks.
Is there a message here perhaps?
Yes. That the time and effort required to rewrite a large, complex codebase in a new language/platform for arguably little benefit is better spent elsewhere.
Having to spoof MSIE's user agent because they sniff your agent and display "This site is designed for Microsoft Internet Explorer" if you're using anything but would not have anything to do with that now, would it?
I can imagine the IT discussions there:
CFO: "Hey, let's get online banking done. What do your guys need from us?"
CIO: "Okay, we have internet explorer, frontpage, and dev studio here. Check. We'll get right on it."
(weeks/months later)
CFO: "Hey it doesn't work in Netscape 4.0"
IT: "Nothing works in Netscape 4.0. It's a steaming cowpie."
CFO: "OK, good show then, let's just display a message for folks running other browsers, and recommend that people use MSIE instead. Can you do that?"
CIO: "Yeah, all we need to do is check for something called the user agent."
(a couple of years later, conduct online banking using Safari, Konqueror, Mozilla, Firefox, Opera, etc. by spoofing user agent)
CFO: "Hey Chuck, I just got a call from the chairman of the board. He said the directors think our website is outdated and also we need to get all of our services online. What will it take?"
CIO: "Oh we have MSIE, Frontpage, Visual Studio.Net, and IIS, I don't think it will be any problem."
CFO: "By the way, one board member remarked his Mac doesn't work with our site. In fact he said that he had to buy a PC just to do online banking. Do you think we should fix this?"
CIO: "Let's check the web logs, shall we? OK, it looks like 99.999% of visitors use MSIE. I don't think we have to worry about it."
CFO: "Great, so we can reallocate the budget we had slated and send executives to Hawaii for er, team building instead."
CIO: "Sounds great to me."
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50