Darwin in full effect

Peter Torr spent a lot of time telling the world why he doesn't trust Firefox as a browser.

Is this really important? No, it's not. I always call this kind of thing "Darwin in full effect". You see, the more people deny that another thing is better than what they're using now, the more they'll lose to the people who do use that other thing. If Peter Torr and friends don't want to use Firefox because of some cooked-up reason, that's fine. By all means, go ahead and use IE instead of Firefox. The people who will suffer from that decision aren't the ones who chose to go for Firefox because enough is enough, dear IE. No, the ones who will suffer from that decision are Peter Torr, the people who have to manage his computers, and the people who also use his computer (for example wife, kids).

However, on the other hand, Peter Torr works for Microsoft and apparently Microsoft's Marketing department isn't able to tell the customers what's best for them, so other employees are rallied up in arms to get the word out. To them I'd like to say: please realize that you and you alone are responsible for informing your readers that IE is better than Firefox. So, for example, if some ad company again makes a mistake in the (near) future and accidentally spreads a virus/malware via an ad on a lot of websites, think about what you've said about why IE is so much better than Firefox and what you can trust more. The people who trusted your judgement and trusted Microsoft to be a better, more trustworthy partner will be very happy that they have to call friends and family to clean up the PC because it stopped functioning 'for some unknown reason'.

If Darwin was right, this will solve itself in the long run. For Microsoft it's time to realize that too. Not by shouting as hard as it can to others that they're still on the right track and what they're doing is the right thing to do, but by realizing that denial is futile and that the only solution is to adapt to the changed environment that we call the Internet. However, as long as Microsoft is in a state of denial, the group that has adapted to that changed environment will have an advantage.

So, are you too in a state of denial or are you ready to make the change and take advantage over the rest? It's up to you.


  • As usual great points Frans. Defending IE right now is like the Netscape 4 folks trying to defend that POS. Why don't MS just accept that IE has exceeded its life expectancy, its little palm-crystal has turned red and it's time to fry that thing. Can anyone think of a single MS product that old which hasn't been radically overhauled (I don't count bug fixes - which I'm sure have replaced every part of IE over the years). .NET 2.0 / Longhorn would seem to be a great opportunity to destroy the most hated MS technology since clippy, wipe the slate clean and start again (and unless IE 6.5/7.0 which is in the current Longhorn builds is radically different under the skin they haven't)

  • There is no more to say ;)

  • Most of Peter's points were valid though and the FireFox devs I'm sure are listening and giving the post some thought at least. I don't think he was defending IE so much as implying that people shouldn't be lulled into a false sense of security by FireFox.

  • Hi Frans,

    Don't you accept his points though? The changes he suggests are about improving the first experience of Firefox for *average* users.

    Just because he works for Microsoft doesn't mean he can't make some important points.

    Is it really that difficult to sign the code (an instantSSL code signing certificate is about $120)?

    Is it really a problem to create a DNS entry to the FTP servers?

    Remember it's not just the code that's important it's the whole delivery package.

    What are your thoughts on the issues he raises? That is surely the important part...

    Best regards


  • Most of the points Peter made which are considered 'Good' relate to code signing. I don't have to mention that a lot of the spyware out there is signed, precisely to trick the IE browser to accept the active-x control.

    Also, Firefox binaries ARE signed, (GPG) just not using Microsoft technology.

    So, it's an issue you download the binary from a random mirror? Only if you make it one. So if it's NOT an issue, you go ahead (as the same people will also go ahead and accept popups that ask them to install a given active-x control or install an unsafe driver (which is not signed but comes with their <insert multinational here>-hardware.)) If it's not ok for you you have 3 options:

    1) download the sourcecode and compile it yourself

    2) download the binary and verify the GPG signature

    3) download the binary and verify the MD5 hash with ANOTHER mirror or the official site.

    What's forgotten is that MS downloads are on akamai servers in some of the cases (unix boxes), to have enough bandwidth. That's a 3rd party too. Why should I trust Akamai's sysadmins but I don't trust the sysadmins of my own ISP who mirrors firefox too? Why should I trust the file which is signed by a certificate issued by Microsoft themselves?

    Besides that, what REALLY annoys me is that Peter mentions trust all over the place, but at the same time tries to make clear that it's GOOD to trust IE and Microsoft in this.

    My example of the virus spread (which was a reality here in the Netherlands, thousands of people got the virus) was a good example that IE can't be trusted and THEREFORE the people who tell you otherwise can't be trusted either for their judgement if something is secure or not.

    But, feel free to use IE, spread the word that IE is more secure and that you can trust IE more than you can trust Firefox. The one you limit is yourself (oh and the ones you can convince of course ;)) The longer MS stays in denial, the more ground Firefox will be able to conquer. The more ground it gets, the harder it will be for Microsoft to make it disappear in the future. And this is a good thing. For too long Microsoft has simply ignored everything related to IE except the most severe security flaws.

    It's time they get serious about this and start doing something about it instead of reventing hot air and useless marketing rhetoric.
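
Option 3 in the comment above (checking a downloaded binary's hash against a value obtained from another mirror or the official site), as an added example that is not part of the original comment thread. The helper name `verify_download`, the file names and the sample data are constructed for illustration; it assumes coreutils-style `md5sum`/`sha256sum` manifests and accepts `sha256` in addition to the MD5 the comment mentions.

```shell
# verify_download FILE MANIFEST [ALGO]   (hypothetical helper; ALGO: md5 | sha256)
# MANIFEST is the checksum list fetched from a *different* source than FILE.
# Returns 0 = digest matches, 1 = mismatch, 2 = FILE not listed exactly once,
# 3 = usage or I/O error.
verify_download() {
    file=$1; manifest=$2; algo=${3:-md5}
    case $algo in
        md5|sha256) tool="${algo}sum" ;;
        *) echo "unsupported algorithm: $algo" >&2; return 3 ;;
    esac
    { [ -r "$file" ] && [ -r "$manifest" ]; } ||
        { echo "cannot read input" >&2; return 3; }
    name=${file##*/}
    # Manifest lines: "<hex digest>  <name>" or "<hex digest> *<name>".
    # Require exactly one entry so a duplicated line cannot choose the digest.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { d = tolower($1); c++ }
        END { if (c != 1) exit 1; print d }' "$manifest") ||
        { echo "$name: not listed exactly once in manifest" >&2; return 2; }
    actual=$("$tool" < "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: digest mismatch" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a stand-in "installer" and the manifest a second
# mirror would publish for it, then the same file after modification.
demo() {
    dir=$(mktemp -d) || return 3
    printf 'constructed installer bytes\n' > "$dir/setup.exe"
    printf '%s  setup.exe\n' "$(md5sum < "$dir/setup.exe" | awk '{ print $1 }')" \
        > "$dir/MD5SUMS"
    verify_download "$dir/setup.exe" "$dir/MD5SUMS" && echo "digest matches"
    printf 'tampered\n' >> "$dir/setup.exe"
    verify_download "$dir/setup.exe" "$dir/MD5SUMS" || echo "rejected (status $?)"
    rm -rf "$dir"
}
demo
```

The check only helps when the manifest really comes from a source independent of the mirror that served the file.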

  • @Senkwe:

    True. Maybe FireFox developers are listening. But at least they listen and improve their product. How long did it take for Microsoft to come up with a pop-up blocker? Before the firefox-threat it stopped developing IE at all! And now they are talking about implementing a lot of standard FireFox features.

    I LOVE the mozilla products. I am using FireFox since 0.4, Thunderbird from 0.2 and Sunbird from alpha.

    Good post Frans.

  • "However, on the other hand, Peter Torr works for Microsoft and apparently Microsoft's Marketing department isn't able to tell the customers what's best for them so other employees are rallied up in arms to get the word out."

    Well, considering that all people have their own opinion and it is usually not formed based on whether or not their company is marketing appropriately. I'd say your assumption above is wrong. It is pretty presumptuous of you to assume that Microsoft employees are up in arms to defend IE or defeat Firefox based on a single blog entry of one Microsoft employee. Get some perspective Frans.

  • Hi Frans,

    To clarify the code signing a little...it doesn't matter in practice if IE can be trusted or not, or even whose signing technology it is, or how good it is, the issue is that if a download is not signed the browser implies (indeed it warns you) that the download may not be trustworthy.

    Ill-named download links can only add to a user's anxiety.

    It's all about reducing drop-out...at every click you risk losing another customer before they even get to install the application.

    Best regards


  • Frans, or Otis :),

    Aren't you doing the same thing as Peter Torr with this post? Although your text is different, clearly you think Firefox is the way to go and IE is not. Although I absolutely agree with you, and myself use Firefox as well, all those people "defending" Firefox seem rather sad as well.

    It kind of reminds me of those old "Amiga vs. PC" wars :)


  • Frans, you missed the signing point. It wasn't about whose technology. It wasn't about the *possibility* to verify. It was that for a general user, it's not *easy* to see who the publisher of the software is. IE/Windows make it easy, regardless of the actual technology used. Firefox does not. It's as simple as that.

  • Signing activeX objects is bogus. A lot of the spyware controls installed silently into IE are signed, to avoid having a pop up that warns the user. Everyone with a certificate (a couple of hundred $$) can sign his malware and it looks trustable code. That's not the case. Signing code only makes sure the code installed/run is written by the creator of the executable as you can see that on the signature.

    I can check my firefox install as well if I want to.

    So I have 2 different check mechanisms, both work. However in IE the signed malware and spyware is not causing warnings as running signed activex objects is enabled by default. In Firefox I don't have that problem, as activeX stuff isn't run anyway and plugins/extensions are easily disabled. How many people know how to remove an IE object? (Tools -> Internet Options -> temporary Internet Files -> View objects -> remove the object you don't need/want)

    Not a lot, I can tell you.

  • IE in XP SP2 contains enhancements to control plugins and extensions too (Tools, Manage Add-ons). And settings are now set to a much more secure default level. Arguments about Pop-up blocking etc don't hold anymore as well. And what about Windows authentication on an intranet, can't live without it to have better security using plain HTTP (no clear text password sent over the wire and single-sign on experience on the LAN)? What about deployment, centralized configuration, updating the software inside a company (e.g. no ADM files for GPOs, non-MSI installer)?

  • Frans, again, I think you are purposefully overlooking the signing issues. No one mentioned signing ActiveX. I'm referring to ANY download. Signing allows you to verify the publisher, plain and simple. Thus, I can download an EXE and verify it's signed by MS Corp, since IE will tell me. FireFox does not. ActiveX happens to do the same: It'll tell me who the publisher is.

  • Michael: I'm not talking about MS' activex objects, I'm talking about spyware brought to you in ActiveX objects, signed. Nothing is stopping these objects, and they are for real.
