Slashdot Mirror
IE8 May Be End of the Line For Internet Explorer
snydeq writes "InfoWorld's Randall Kennedy reports on rumors that IE8 may be Internet Explorer's swan song: 'IE8 is the last version of the Internet Explorer Web browser,' Kennedy writes. 'It seems that Microsoft is preparing to throw in the towel on its Internet Explorer engine once and for all.' And what will replace it? Some are still claiming that Microsoft will go with WebKit, which is used by Safari and Chrome. The WebKit story, Kennedy contends, could be a feint and that Microsoft will instead adopt Gazelle, Microsoft Research's brand-new engine that thinks like an OS. 'This new engine will supposedly be more secure than Firefox or even Chrome, making copious use of sandboxing to keep its myriad plug-ins isolated and the overall browser process model protected.'" The sticking point will be what Microsoft does about compatibility for ActiveX apps.
1. Headline should read, IE8 May Be End of the Line for Internet Explorer Engine .
2. I don't see any reason why ActiveX apps couldn't be sandboxed like anything else. Granted, it has deep hooks into the OS-- but if nothing else, given how beefy computers are going to be by the time IE9 comes out, you could give each ActiveX app its own perfectly compatible virtual copy of XP+IE8 to run on, and just parse the result into IE9 format. Destroy the virtualized OS+browser when the app closes.
Moore's Law makes some problems easy, yay. :)
Oh wait...
...they're going to buy Mozilla. Mark my words. :P
It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
The sticking point will be what Microsoft does about compatibility for ActiveX apps.
KILL IT!!!
Seriously. Since IE8 does it, people will just keep using that for the next decade...
If they don't kill ActiveX after IE8, we'll be stuck with it even longer than that. Since it's going to take 10 years to actually die, please start the process now, Microsoft.
Given the compatibility issues that ActiveX has in IE8, then it probably won't matter what Microsoft will do in the future. In all reality no site should be depending on ActiveX. If it breaks without it, then fix the site.
Jumpstart the tartan drive.
Given their history, this could be pretty funny.
"Some are still claiming that Microsoft will go with WebKit"
Microsoft will never allow the browser that ships with Windows to become a commodity. They will go with Gazelle or whatever they develop that's as incompatible to official standards as possible while still being called a web browser engine.
Their goal is lock-in. A standards-based engine would negate that.
http://www.dieblinkenlights.com
The rendering engine. The browser itself will probably still be called Internet Explorer 9, no reason to throw away a strong brand. It will use a new layout engine with deep Silverlight integration.
``Funny how the vendor of one of the world's most insecure operating systems now considers that they're going to one-up the competition with the most secure browser / operating system?''
I wonder if Windows is still one of the world's most insecure operating systems. Microsoft have certainly been working hard to improve things, which is more than I can say for many other operating system vendors. Meanwhile, Linux user seem to be content pointing and laughing at Microsoft's efforts and pointing out that Linux is so much more secure.
I won't make any claims about which operating system is more secure than another operating system (because I think it is fundamentally impossible to measure, let alone to know), but if I see that Microsoft is introducing things like address space layout randomization and non-executable stacks, I have to wonder why those features aren't in other mainstream operating systems yet. OpenBSD has done a lot of pioneering work already, but when will we see the day that all of Debian is compiled with -fstack-protector and ships with PaX enabled?
Please correct me if I got my facts wrong.
http://blackfiber.wordpress.com/2008/07/06/the-web-browser-as-a-milli-application/
I am obsessed with microkernels. This idea's been in my head for years, since I looked at how KDE sandboxes Flash and thought, "Hey, this should be for every piece of the whole application!"
Support my political activism on Patreon.
I seriously doubt IE will have the majority of the market share by the time IE9 comes out. Many of the web usage reports out there are showing that Firefox is at 20% or higher and that Safari is around 5% or so.
I would also argue that a lot more 'dumb consumers' (people like my parents) are buying Macs now to be trendy which will help IEs market share drop.
Also has anyone used IE8 yet and tested sites out on it? I've used it and it rendering engine is pretty terrible, even when set in emulate IE7 mode which then introduces a complete new set of rendering bugs.
"During My Service In The United States Congress, I Took The Initiative In Creating The Internet." -Al Gore
The author states: At least, that's what I'm hearing through the grapevine ... but the fantasy woven by the author).
The author is effectively saying his story is not credible! Slashdot is supposed to run with a hypothetical situation about IE8 demise instead of commenting on real news? It should be fun scanning through these comments to find out who bites (not the big one
Meanwhile, Linux user seem to be content pointing and laughing at Microsoft's efforts and pointing out that Linux is so much more secure.
Because it is. There. I said it.
The relatively simple, understandable Unix security model has a very long history, and has grown gracefully as the strength, power, speed, and ability of the individual computers have. Everything is a file, and all files have the three permissions: Users, Groups, and Other. Each of these can have read, write, and execute permissions. Simple, understandable, easy to enforce. It's so taken for granted as such that it's routinely used in embedded devices (such as routers) where updates are few and far between, yet they are rarely, if ever, compromised.
Compare/contrast that with the Windows security model, where there are actually alternate file spaces within the existing file system. With the Windows API, it's trivial to save a file that's in an alternate namespace and thus cannot be found with *any* normal Windows system call. There are many examples of strangeness like this!
There was a recent article I read about the confessions of a grey-hat programmer... he describes Windows as incredibly complex, labyrinthine, and basically impossible to secure well. He laughed at so-called "security vendors" like anti-virus.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I worked through thick and thin with Microsoft for over twenty years and find this to be a classic example of pure insanity. My primary work load is n-tier web application development using Asp.net, VS and C#. The .Net framework is very closely tied to the IE engine and I don't even want to think of the headaches in trying to migrate all existing applications to whatever they release.
This is obviously a dream, but it would be nice to have some sort of standard system for Internet Cloud and Browser software and hardware not unlike the telco and cellular market. There would still be billions to make for all of the Tech companies.
The sticking point will be what Microsoft does about compatibility for ActiveX apps.
No sticking point... ActiveX needs to die.
The sticking point will be what Microsoft does about compatibility for ActiveX apps.
How sticky are we talking? Sticky like trying to make PlaysForSure compatible with the Zune? Sticky like ongoing support for MSN Music?
If Microsoft has taught us anything, it's that today's lockin is tomorrow's lockout. The day MS decides that ActiveX no longer serves their purposes is the day that every site requiring ActiveX is out of luck.
I am literally 3000 tokens away from the chaotic crossbow --Stephen
"This new engine will supposedly be more secure than Firefox or even Chrome, making copious use of sandboxing to keep its myriad plug-ins isolated and the overall browser process model protected.'
IE doesn't have any plugins, does it? At least, if it does, they're nagware garbage compared to the truly myriad plugins for Firefox. Really, if it wasn't for FF add-ons, I doubt it would have even a half percent share.
"And the meaning of words; when they cease to function; when will it start worrying you?"
Everything is a file, and all files have the three permissions: Users, Groups, and Other.
Don't forget the sticky bit! Much as one might like to, let's not forget that the "simple Unix permissions" included one Hell of an egregious security flaw.
there are actually alternate file spaces within the existing file system. With the Windows API, it's trivial to save a file that's in an alternate namespace and thus cannot be found with *any* normal Windows system call.
There is no alternative namespace, there are merely alternate streams in a file - named locations for storing meta data. The file is right there in the filesystem, obvious to all. The file data may be a bit hidden, requiring normal Windows system calls to read (just like one uses normal Windows system calls to create alernate data streams), instead of Notepad. Oh, wait, you can read them with Notepad too. What a bunch of FUD.
he describes Windows as incredibly complex, labyrinthine, and basically impossible to secure well.
Vista clearly lost the thread, going for security through complexity, but any OS that doesn't have a read-only kernel is impossible to secure. Any OS that does have a read-only kernel is impossible to patch. No OS can secure itself. Scanning for modifications to kernel bits from a hardware-protected hypervisor is the only way, but as long as "Trusted Computing" is used for evil, we can't get there.
Socialism: a lie told by totalitarians and believed by fools.
Intel giveth, Microsoft taketh away.
Help stamp out iliturcy.
Gazelle is from Microsoft Research, and their paper discusses the details of the security model - it's not just a marketing claim.
The idea is that every 'origin' (basically a domain name, which is used as the basis for access control in all modern browsers) is separated into its own sandboxed process. If a page on your domain embeds an iframe from an advertiser's domain, the iframe is rendered in a separate process, and all communication is handled through a Browser Kernel which enforces the security constraints (e.g. preventing the advert from touching or rendering anything outside its iframe box, even if an attacker can find a way to execute arbitrary code in it). Plugins are handled in the same way.
Chrome's security model doesn't handle that kind of separation of multiple sites within a single page. But Gazelle sacrifices some backward compatibility (e.g. it removes the document.domain attribute, and it requires all plugins to be rewritten to use the Browser Kernel instead of directly accessing the network or filesystem), which is unlikely to be acceptable in practice.
And Gazelle is certainly not a replacement for the IE engine - it's built on the existing IE7 components for parsing, rendering, scripting, etc. It's research, and the value is its ideas, some of which could perhaps be integrated into current browser engines to improve security. It's not meant to be a real browser engine, but it seems successful as a research experiment.
Do you know what hit them very seriously? I mean the coders laughing to vendors like Opera for struggling not to code CPU and speed dependent stuff?
Mobile computing. It is like ultimate punishment for them. Do you remember those fanatics calling people to ''buy more RAM'' no matter what their issue with memory is? Top of the line smart phone comes with 512MB RAM or something and 400 Mhz ARM CPU. Opera ships 9.5 beta which runs the exact same engine as Desktop version to 256MB RAM having, 200Mhz CPU UIQ3 devices with zero vendor support.
I know some professional OS X developers keeping a G4 Mac Mini no matter how many xeons they have, just to make sure their application runs on low end computers fine. So far, thanks to their wise decision, their software gets good feedback not just from low end but very high end computers too. If it works on low end, it will rock on high end. Trust me, some of the ''cool guys'' out there still couldn't figure this basic rule.
When Webkit proved to work on Nokia S60 Symbian devices and got very good feedback from users, I said Webkit is the future. What mattered was, can the code run under 128MB RAM, completely alien OS? S60 browser proved it.
Have a stupid blogger who could say things like ''This new engine will supposedly be more secure than Firefox or even Chrome''
That is 30% of entire Web browser market, you have guaranteed that they will do everything to joke about your code without being even released to public.
Also very advanced coders who are talented enough to work on Mozilla or Google will come up with real information debunking your allegations. They may ask a very basic question: ''How can people review your code?''. Mozilla, Google and even Apple has answer, you don't.
There is no alternative namespace, there are merely alternate streams in a file - named locations for storing meta data. The file is right there in the filesystem, obvious to all. The file data may be a bit hidden, requiring normal Windows system calls to read (just like one uses normal Windows system calls to create alernate data streams), instead of Notepad. Oh, wait, you can read them with Notepad too. What a bunch of FUD.
This... is actually not the whole story.
NTFS is actually a case-sensitive file system. You can illustrate this by installing Services for Unix. This is an alternative subsystem that doesn't go through the normal Windows API (or the DLLs implementing it) and collection of Unix programs that have been "ported" to it. Once you install this, programs that are part of SFU are able to create files with the same case-sensitive name but different case.
Instead, the reason you normally can't do this is because the DLLs that are part of the Windows subsystem (the one providing the normal Windows API) hides this case-sensitivity in concert with the file system driver. (IIRC, open commands in the driver get a flag saying whether to be case-sensitive or not.) Instead of making calls through the Windows API, you can either use another subsystem like SFU or make native system calls directly (though that interface isn't supported).
Finally, the implementation of the Windows API is such that if you create two files with different case but the same name, only one will be visible through the Windows API, at least with NTFS's implementation of all of this.
This means that if you want to write security software for Windows, to catch malware written by people who know about this hole, you need to make API calls to an undocumented interface if you don't want to require people to install SFU. (Of course, security software does so much other stuff that's even worse that's hardly a drop in the bucket.)
By the time IE8 is EOL'ed, I hope ActiveX will be long gone.
Just like COBOL is.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
When did OS started to think? A browser that thinks like an OS? Sounds like day after day the fallout recognized by Andressen and Gates were right. But we all know MSFT puts its IE engine in every piece of its software, so whether a separate browser client exists doesn't matter. Even if the new engine is called Gazelle it doesn't mean the browser cannot be called IE still (Gecko/Firefox, WebKit/Safari).