Archive for September 16th, 2009

The online world is new enough that many of us aren’t really sure how we can keep ourselves as safe as possible. In the physical world we have generations of experience about how to minimize risk (beware of dark “shortcuts” through unknown neighborhoods alone at night), and well-developed social institutions to mitigate risk (police forces, insured accounts at banks, etc.). In the online world most of us are still learning what we can do as individuals to improve our own safety. Sometimes it’s daunting.

It turns out that one important thing each of us can do is keep our software up-to-date.  By doing so we get a regular flow of security improvements. Firefox has a good update rate. But it’s easy for people to forget to update software that we don’t think about very often. One type of software that’s easy to forget about is a category known as “plugins.” Plugin software works with a browser to display additional types of content. Plugins are not created by the browser developers; they are separate teams and separate software. Because of the interaction with the browser, many people don’t know or forget about updating plugins. And a crash or security problem in a plugin often feels like a problem in the browser. So it’s easy for people to think that they’ve fixed the problem by updating the browser when in fact the plugin is still a problem.

Last week Mozilla tried something new to help people help themselves. The results so far have been encouraging. We realized that a lot of people are using old version of the “Flash” plugin. We suspected that this is because people didn’t know they should update or that updating is an important safety habit. Flash is not a Mozilla product — it’s  from Adobe — so updating the browser doesn’t update Flash. And nearly everyone uses Flash to view video. So we put a notice on the Firefox update page, letting people with old, less-secure versions of Flash know that Adobe offers an updated version with security fixes.

The response to this notice has been very high. The percentage of people viewing this (in the English language, US version) and then following the link to update flash is about 30%. This is a very high response rate. A typical response rate for this page is around 5%. A more detailed analysis can be found at our metrics blog.

We’re very careful about putting anything on the Firefox update page, so asking people to deal with a different product is new. The response suggests that people are receptive to clear information about how to keep themselves safer. That’s encouraging. It benefits the individual doing the updating, and also provides a system wide “public health”- like benefit as well.

Online security is a tough problem. It will be with us constantly, just like questions of physical security never go away. There are things each one of us can do to improve our setting. At Mozilla we’ll keep thinking about how we can help people figure out and do these things. And hopefully we’ll be part of a growing community of people doing this.

Jono recently posed the question “What is ‘The Open Web’ and why should you care“. When I’m talking with people who drive cars regularly, I sometimes describe the Open Web by saying it’s a place where there is a decentralized  “aftermarket.” “Aftermarket” is the term used to describe replacement parts or equipment that a person uses to maintain or enhance a product. It’s a well known term in the auto industry.

For example, imagine if you bought a car and were forbidden from replacing the windshield wipers or the battery or the tires unless and until the car manufacturer allowed you to do so. Imagine if you could only use a battery that the car manufacturer provided, or approved. And imagine that the only place to buy batteries or windshield wipers or new tires was from the car dealership. In this case your ability to keep yourself safe is reduced — if the manufacturer has only poor quality tires, that’s all you can get. If you want tires for snow but the manufacturer doesn’t offer them, you’re out of luck. If the tires are wildly expensive, you’re stuck. In this setting we would also say goodbye to the variety of independent developers, stores and maintenance centers; everything would be controlled by the automobile manufacturers. Innovation would also be channeled through this same small number of manufacturers. Develop an innovative tire or better stereo system and you have to get the manufacturers to adopt it; you can’t go directly to consumers.

This ability to change components, to enhance or maintain a product the way to meet individual needs is at risk in the online world. Similarly, the ability of independent creators to try new things is at risk. Technology manufacturers use both technical and legal means to restrain this freedom. Some make it difficult technically to change a component. Others try to make it illegal. Some do both.

The Open Web embodies the legal and technical flexibility so that I can decide what combination of products best suits my needs. I may be very happy to stick completely with what the manufacturer of a piece of technology gives me, just as I might be happy to have all my automotive maintenance done by the dealer using exclusively “official” products. I may want to make only a few changes and the options the manufacturer has pre-approved are fine for me. But somewhere in my life I am very likely to want something slightly different, something attuned to me and the quirks of my life. I may need to find a technical guru to help me, but fortunately there are lots of technical communities building interesting things. The Open Web makes this possibility real, a vibrant part of online life.