Institutionalized insecurity

Thus demonstrating its brilliant grasp on technology and security, the UK government has nixed the “kill IE6” campaign that Microsoft has been working on. In case you didn’t know it, Internet Explorer 6 is almost a decade old. In the world of the Internet, that’s the equivalent of driving a car that you bought in 1971. The government claims that its motivation behind this declaration is to save taxpayers money. From Computerworld:

Computerworld - The British government has rejected a call to dump Microsoft's Internet Explorer 6 (IE6), saying that it is saving taxpayers' money by staying with the nine-year-old browser.

Late last week, Her Majesty's Government (HMG) officially responded to a citizen petition that urged it to "encourage government departments to upgrade away from Internet Explorer 6" because the aged browser is vulnerable to attack and requires Web developers to specially craft sites.  The petition was added to the government's online petition site in February 2010 by Dan Frydman, the managing director of Inigo Media, an Edinburgh, Scotland-based Web design firm.

IE6 won't be dropped, the government said, for a variety of reasons, ranging from migration costs to its opinion that patching keeps users safe.

"Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them," the government said in its statement. "There is no evidence that upgrading away from the latest fully-patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats."

That might ruffle a few feathers at Microsoft, which as part of its own year-long campaign to drive users away from IE6 has been touting the newer IE8 as more secure because of features including anti-malware blocking and sandboxing on Vista or Windows 7.

The U.K. government also used the same defense some enterprises have rolled out to explain why they haven't dumped IE6.

"Upgrading these systems to IE8 can be a very large operation ... [and] to test all the Web applications currently used by HMG departments can take months at significant potential cost to the taxpayer," the government said. "It is therefore more cost effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware scanning software."

So let me get this straight… a clunkier, slower, less user-intuitive browser (i.e., no tabbed browsing) is actually saving taxpayers money? Even though Internet browsers are free?

  1. If I may be so bold, taking a dependency on a particular piece of computer technology is usually not a good idea. I grok that a bunch of existing applications were built on top of IE6. However, most browsers will be backwards compatible with IE8 (or IE9 when it comes out), and the ones that are not should be fixed. Internet browsers are meant to evolve and become obsolete.

  2. As to the statement that there is no evidence that upgrading will make users more secure than patching the browser, that strains credulity. One of the new features in IE8 is the SmartScreen filter, which scans for malicious URLs. If a user gets a spam message, a malicious Tweet, or a malicious Facebook invite and clicks on the link, the link is scanned; if it is found on a URL blocklist, the user is alerted that the site is compromised and that they should click away from it. That feature is not available in IE6 (or IE7, either). Microsoft has actually made a lot of gains over the past couple of years when it comes to malicious URL detection.

  3. The fact is that older versions of Internet Explorer are more prone to exploits than newer ones. Google was attacked this year through an exploit of a flaw in IE6. Such flaws, of course, are still possible in newer versions of any software. But the fact is that starting in 2002, all new Microsoft products have to go through the Security Development Lifecycle and pretty hefty security reviews. IE6 predates that, whereas IE8 would have had to go through it. No software process can catch every flaw, but each newer release of Microsoft software has reported fewer vulnerabilities. This is a clear trend in both Windows (XP -> Vista -> 7) and Office (2000 -> 2003 -> 2007).

  4. I said it before and I’ll say it again: the user interface in IE6 is not as nice. I like tabbed browsing. The reason I originally moved away from IE to Firefox is because of tabs. In IE, I used to have to open up new browser windows (I think that they eventually backported this into IE6, but it definitely wasn’t native). Who wants to do something like that? Just get a new browser and it handles everything for you.

    Features like InPrivate browsing, a more comprehensive History tab, easier management of clearing your cache… this all makes for a better user experience. I still don’t use IE as my default browser (I absolutely *hate* how the Forward/Back buttons are on one side of the address bar, and Stop/Reload/Refresh are on the other; and how Ctrl + K doesn’t bring you to the search bar, nor does Ctrl + L bring you to the address bar but instead opens a popup window; and I can’t seem to figure out how to add a skin to it the way I can with Firefox), but I’d still use that over IE6.

I’d say that IE6 is more insecure than IE8. The British government is wrong, and they are institutionalizing insecurity in the meantime.