
A Blog From Behind the Trenches

Attack of the Bugs

Why monoculture on the Web is bad


One of the comments on the antitrust complaint against Microsoft I see a lot is: "So what if most people are using IE and aren't aware that there are choices? I'm using Opera/Firefox/Chrome just fine."

Sometimes we may feel that something doesn't really affect us. But does IE's dominance on the Web affect us even though it might not feel that way?

The answer is: yes, definitely. But the problems with a monoculture on the Web extend beyond browsers. A single point of failure is a bad thing no matter where it sits.

Browser monoculture

The recent ActiveX security flaws in IE once again show that a browser monoculture is a bad thing: those looking to infect people's computers get a single target with a very nice return on investment. And the millions of compromised computers can then be used for things like sending spam to the rest of us.

But it goes much further than just IE. One could argue that just about any kind of dominance of the Web is a bad thing.

Plugin monoculture

Yesterday's news that a vulnerability in the Flash plugin is being actively exploited, to me at least, raises concerns about relying on a single plugin by a single vendor on the Web. Flash is installed on 99% of the world's desktop computers according to Adobe. I can't vouch for the validity of that claim, but there is little doubt that Flash is installed on probably a majority of desktop computers.

I'm sure you're seeing what I'm seeing right now. The majority of (if not almost all) desktop computers are currently wide open to attacks from malware that none of the major antivirus solutions are able to prevent, and all because we are relying on a single implementation from a single vendor.
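The practical check a reader wants at this point is whether a vulnerable plugin is actually installed in their browser, which is what scanners of the kind mentioned later in the comments do by reading the browser's plugin list. The following is an added example, not code from the original post or from Opera. It audits objects shaped like navigator.plugins entries (name, description, filename) against a rule table; the "fixed" versions in that table are placeholders chosen for illustration (an assumption, not the real patch levels of any vendor), and the sample plugin list is constructed for the example.

```javascript
// Added example (not from the original post): audit a navigator.plugins-style
// list for plugins whose version is below a caller-supplied "first fixed"
// version. Fixed versions below are hypothetical placeholders.

// Extract a dotted version from free text such as "Shockwave Flash 10.0 r22",
// "Java Plug-in 1.6.0_14", "Platform SE 6 U14" or "9.1.2" and return it as an
// array of integers, or null when no version-like token is present.
function parseVersion(text) {
  const m = String(text || "").match(/\d+(?:(?:[._-]|\s?[a-z]\s?)\d+)*/i);
  return m ? m[0].split(/\D+/).filter(Boolean).map(Number) : null;
}

// Numeric, component-wise comparison; missing components count as 0, so
// [10, 0] equals [10, 0, 0] and [10, 0, 22] sorts before [10, 0, 32].
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Rule table: which plugins to check and the first version treated as fixed.
// Placeholder values for this example (assumption, not vendor advisories).
const EXAMPLE_FIXED_VERSIONS = [
  { label: "Flash", match: /shockwave flash/i, fixed: "10.0.32" },
  { label: "Java", match: /java/i, fixed: "1.6.0.15" },
  { label: "Reader", match: /adobe pdf|acrobat/i, fixed: "9.1.3" },
  { label: "Silverlight", match: /silverlight/i, fixed: "3.0.40818" },
];

// Classify each installed plugin as "current", "outdated", "unknown-version"
// (a rule matched but no version could be read: treated as risky, i.e. the
// check fails closed) or "unchecked" (no rule covers it).
function auditPlugins(plugins, rules = EXAMPLE_FIXED_VERSIONS) {
  return plugins.map((p) => {
    const rule = rules.find((r) => r.match.test(p.name) || r.match.test(p.description));
    // Descriptions usually carry the version; some plugins only put it in the name.
    const version = parseVersion(p.description) || parseVersion(p.name);
    let status;
    if (!rule) status = "unchecked";
    else if (!version) status = "unknown-version";
    else status = compareVersions(version, parseVersion(rule.fixed)) < 0 ? "outdated" : "current";
    return { name: p.name, version: version ? version.join(".") : null, status };
  });
}

// Names of plugins a cautious user should disable until they are updated.
function riskyPlugins(report) {
  return report
    .filter((r) => r.status === "outdated" || r.status === "unknown-version")
    .map((r) => r.name);
}

// Constructed sample modelled on a 2009-era plugin list (not real data).
const SAMPLE_PLUGINS = [
  { name: "Shockwave Flash", description: "Shockwave Flash 10.0 r22", filename: "NPSWF32.dll" },
  { name: "Java(TM) Platform SE 6 U14", description: "Next Generation Java Plug-in 1.6.0_14 for Mozilla browsers", filename: "npjp2.dll" },
  { name: "Adobe Acrobat", description: "Adobe PDF Plug-In For Firefox and Netscape 9.1.2", filename: "nppdf32.dll" },
  { name: "Silverlight Plug-In", description: "", filename: "npctrl.dll" },
  { name: "QuickTime Plug-in 7.6.2", description: "The QuickTime Plugin allows you to view a wide variety of multimedia content in web pages.", filename: "npqtplugin1.dll" },
];

console.log(JSON.stringify(auditPlugins(SAMPLE_PLUGINS), null, 2));
console.log("disable until updated:", riskyPlugins(SAMPLE_PLUGINS.length ? auditPlugins(SAMPLE_PLUGINS) : []));
```

In a browser of that era the same function would be called with Array.from(navigator.plugins); current browsers return a fixed, version-free list from navigator.plugins, so today the function only tells you about the constructed sample. Note also what the audit does not tell you: a plugin that a content blocker merely keeps out of pages is still installed and still counts here, which is the point Asa Dotzler makes further down the thread.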

In light of this, Google's push to use their plugins in all browsers instead of open standards for things we do on the Web is worrying. To be fair, their long-term goal seems to be standardizing the technologies behind these plugins, but what happens in the meantime? What happens if all browsers come to rely on this plugin? What happens if a Flash-like security flaw appears and the story is repeated?

Monoculture harms the Web

Monoculture on the Web, whether through browsers or browser plugins, is a bad idea. In a perfect world, we would not have to rely on proprietary technologies for something as basic as video on the Web. In a perfect world, there would be a number of different browsers, and none of them would be in a completely dominant position. If malware authors had to target 10 different browsers instead of just 1 or 2, or a single plugin, they would have a much harder time than today.

Don't listen to people who think it would be a good idea to have just one "target browser". The problems open Web standards are facing today are not solved by promoting a browser monoculture. The problems are solved by even more browsers (with even more browser engines) entering the market and forcing Web authors to write standards compliant code.

Yes, I want more browsers (browser engines) on the market. And I want the standards compliant ones to gain ground, and to implement technologies that make browser plugins superfluous for Web content.

Pushing towards the end of Web monoculture

Sorry Adobe, but your time should have been up by now. You may be proud of Flash's penetration on the Web, but as it turns out, this is also a weakness. Do you remember how Firefox was released at just the right time to capitalize on the increased focus on security flaws in IE, and how much they gained from that?

Hopefully the security shortcomings of plugins like Flash will receive a similar treatment, and people will flock to open Web standards in order to support one specification rather than one common implementation (and common weak link).

The effort needed to replace these proprietary technologies with open standards should not be underestimated, though.


Comments

danaleks 23. July 2009, 10:30

Kudos for wanting to kill off browser plugins! :up:

I have disabled plugins and Java by default. They slow down any browser and make page loading take longer than it needs to. I do, however, allow plugins for a few selected sites where they are required. I don't expect the Average Joes of the world to want to manage that whitelist themselves, though.

Since there is no ‘standard codec’ for video on the Web… how do you expect content providers to go for anything but the implementation most likely to work for the end user? Or something as simple as placing something in the user’s clipboard for copy-paste? At this point, the standards are not good enough for what authors want their applications to do. I think that is the bigger issue.

Pundamentalist 23. July 2009, 11:02

Originally posted by danaleks:

point, the standards are not good enough for what authors want their applications to do. I think that is the bigger issue.

:yes: I couldn't agree more! Admittedly, I once wasn't sufficiently aware of the difference between Open Standards vs. Implementations, like most End-Users are.
The frustration however has been the differing views regarding agreement on what should be included in the W3C-ARIA and HTML5 "Standard"... "There be Dragons here mate!"

We can only hope that support for ARIA is enhanced by adoption of the UN Convention on the Rights of Persons with Disabilities (CRPD) by the US.

In closing, we need a common Standard with as many innovative implementations as are truly OPEN, as much as Baskin-Robbins has flavors of Ice Cream.

Maranatha,
"PUN"

haavard 23. July 2009, 11:51

danaleks: Perhaps you didn't read the last paragraph:

"The effort needed to replace these proprietary technologies with open standards should not be underestimated, though."

rafaelluik 23. July 2009, 19:37

REALLY GREAT POST! :yes:

AsaDotzler 23. July 2009, 23:03

"Since there is no ‘standard codec’ for video on the Web… how do you expect content providers to go for anything but the implementation most likely to work for the end user?"

There isn't a "standard codec" for video on the Web today. Flash has two or three video codecs that are all in active use. Windows Media and QuickTime have a couple more each.

Even if you just look at Flash video, there is no codec winner. There's Sorenson Spark and H.264 and, as it happens, there's more of the older Flash Sorenson Spark video on the Web than the Flash H.264.

But that hasn't stopped Flash video on the Web.

We do need a baseline codec, I think, if we're going to see the video tag become successful sooner rather than later.

But maybe it won't be successful sooner rather than later. Maybe it's a few years before we see it start to displace Flash. Maybe it fails and never displaces Flash. But we're gonna try and it's worth trying because the danger of software monoculture is very real and not just in terms of security, but in terms of innovation and moving the Web platform forward.

dantesoft 24. July 2009, 10:49

Right now Secunia reports that none of my browsers are safe to use because of 3 vulnerabilities in Adobe's Flash, Adobe's Reader and Sun's JRE. The only fix is to uninstall/disable those plugins.

As a bonus, there's one more unpatchable vulnerability in IE.

xErath 24. July 2009, 12:40

Originally posted by dantesoft:

Adobe's Reader

Please uninstall that piece of bloatware! Try Foxit Reader instead or any other of the lightweight PDF readers.
Why should a PDF reader take up 150 MB of disk and take 30 seconds to boot?

dantesoft 24. July 2009, 17:35

Originally posted by xErath:

Try Foxit reader instead or any other of the lightweight pdf readers.

Nah, they don't load Flash inside the PDF like Reader.

Khaled-Khalil 25. July 2009, 01:29

At first I thought the post was about a whole different meaning of "monoculture"! Anyway, it is a great post.

Originally posted by haavard:

In a perfect world, we would not have to rely on proprietary technologies for something as basic as video on the Web

You can't imagine how unique my use of Opera is, so much so that I can't replace it! :whistle:

Originally posted by haavard:

And this is all because we are relying on a single implementation from a single vendor.

So, could Opera (and/or Firefox, Asa) just lend a hand to free alternative projects like Gnash?

Originally posted by danaleks:

Since there is no ‘standard codec’ for video on the Web… how do you expect content providers to go for anything but the implementation most likely to work for the end user?

You are right, but I think the point is that the Web "needs" to standardize at least one existing codec, and haavard (and I too) think that the one to be standardized should not be proprietary, so that it can be implemented freely for any platform.

Off-topic: for anyone who doesn't want to load Flash (out of security fears or for any other reason) but needs it from time to time, I suggest using a Flash blocker.

Anonymous 26. July 2009, 02:43

Asa Dotzler writes:

Khaled-Khalil, flash blockers, most of them anyway, don't protect users from this latest vulnerability. You need to actually remove or disable the flash plug-in completely to be protected.

Chas4 30. July 2009, 20:27

:up:


haavard's right
http://weblogs.mozillazine.org/asa/archives/2009/07/haavards_right.html

A link on there led me to http://blog.mozilla.com/gen/2007/02/27/the-cost-of-monoculture/ which, if it is so, could mean one massive IE security hole, as hackers would have an easy decision as to which browser to attack in a country.

53north 31. July 2009, 01:58

It's symptomatic of society that some people want to spoil and go against other people's enjoyment. Like a perverse evil. I always remember the Aztecs and Oceanics, Javanese and Polynesians, Eskimo and Inuit never found a need to invent the lock and key. (They did have blowpipes though.)
=o}
