Browser-security state, October 2005

Firefox is approaching one year of shipping; Firefox 1.5 is in late beta and expected within weeks; IE 7 is in beta, with Microsoft committing to substantial security improvements. The browser landscape has shifted substantively through 2005. A status note.

This is a longer post because the trajectory is structurally important and several moving parts deserve coherent treatment.

Where Firefox is

Firefox 1.0 shipped 9 November 2004; Firefox 1.5 will ship within the next few weeks (the late-beta builds are stable enough that the final is imminent).

Specific developments through 2005:

Market share has grown substantially. Various measurements suggest Firefox now has 8-12% of the desktop browser market (estimates vary by methodology and geography). The growth is rapid by browser-market standards; specific corporate adoption is slow but consumer adoption is meaningful.

The extension ecosystem has matured. Specific extensions (Adblock, NoScript, Web Developer, GreaseMonkey, others) have substantial user bases. The cumulative effect is that Firefox users have access to capabilities that IE does not provide.

Security advisories have been frequent but generally well-handled. Multiple Firefox advisories shipped through 2005; the patches have been timely; the cumulative discipline of the Mozilla security team is operationally credible.

Specific incidents have driven adoption. Each major IE security incident through 2005 has produced a Firefox-adoption spike. The cumulative effect over multiple incidents is meaningful.

The trajectory is positive. Firefox is now a credible mainstream browser; the cumulative deployment is meaningful.

Where IE is

Microsoft has committed to significant changes in IE 7. Specific properties of the beta:

Tabbed browsing. The most-requested user-interface feature in IE; arriving via a substantial UI change.

Phishing-detection integration. Built-in checking of visited URLs against a phishing-pattern database; warnings for suspected phishing pages.

Improved certificate handling. More conservative response to certificate problems; clearer warnings for self-signed or expired certificates.

ActiveX restrictions. Tighter defaults around when ActiveX content runs; specific user-prompts for unsafe operations.

Improved cross-zone navigation restrictions. Specific scenarios that previously allowed cross-zone leakage are addressed.

Better default privacy controls. More conservative cookie defaults; better tracking-prevention infrastructure.

The release is targeted for late 2006; Vista's IE 7 ships first; the Windows XP IE 7 follows. The cumulative deployment will produce a meaningfully different IE security posture from IE 6's.

Why this trajectory matters

Three observations.

Browser diversity is now an operational property. Operators planning web-application deployments must consider both major browsers. The single-browser assumptions that dominated previous years are no longer rational. The cumulative discipline of cross-browser testing produces better outcomes.

The security competition between the two is healthy. Each browser is responding to the other's security improvements. Microsoft's IE 7 is partly a response to Firefox; Mozilla's Firefox 1.5 is partly a response to IE 7's announced improvements. The competition produces better outcomes for users.

The threat landscape has adjusted. Cross-browser exploitation is harder than single-browser; specific exploitation work increasingly targets both engines or specific feature sets in either. The cumulative effort required for broad exploitation has grown.

What this means for operators

For organisations running web-facing applications:

Cross-browser testing is now standard practice. Specific application breakages under either Firefox or IE produce user-experience problems and security exposure. The investment in cross-browser testing is bounded; the avoided problems are real.

Sender-authenticated email and HTTPS-with-strong-certificates matter more. Both Firefox and IE 7 have stronger checks on sender authentication for security-relevant communications. Organisations that have not invested in proper certificate management will now surface user-facing warnings.

Security awareness training should reflect the diversity. Users are increasingly running multiple browsers across multiple devices; specific guidance should not assume IE-specific behaviours.

For organisations running internal web applications:

The IE-only assumption is increasingly costly. Specific internal applications that target only IE produce friction as users adopt Firefox for general use. Migration to cross-browser-compatible designs is bounded in cost; the avoided friction is meaningful.

Group-policy infrastructure for browser configuration matters. Specific organisations need to deploy browser-configuration policies; the infrastructure for both browsers is now sufficiently mature that deployment is achievable.

For end users:

Running both browsers continues to be operationally rational. Most users do not need to commit fully to one or the other; specific use cases are best served by specific browsers.

Updating both regularly matters. Browser updates address security issues; lagging on either browser increases exposure.

What I am paying attention to

Three things over the next 12 months.

Firefox 1.5 reception. 85% probability of continued growth. The release is well-tested; the adoption trajectory will continue.

IE 7 deployment timing and quality. 70% probability of meeting commitments. Microsoft has been credible in delivery; specific Vista-related complications could delay.

Specific cross-browser exploitation incidents. 80% probability of a significant incident. Specific researchers will demonstrate cross-browser exploitation techniques; specific malware will use them.

What I am doing

For my own use: Firefox primary; IE secondary for IE-specific sites. The Firefox 1.5 beta has been running well on the test machine; the upgrade to the final release will be uneventful.

For client work: cross-browser compatibility as standard. Specific clients have surfaced IE-only assumptions in their applications; the corrections are bounded; the trajectory is positive.

For my structured-log analysis: tracking browser-related exploitation patterns. Specific exploit attempts are visible in the captures; the patterns inform broader thinking.
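As an added example (not code from the original post), a Python classifier for the User-Agent field of web-server log lines, the kind of structured-log analysis needed to measure the browser population behind the share estimates above: it separates Firefox, IE (including the 7.0b beta token) and Opera, excludes crawlers, and shows why a bare "MSIE" substring count overstates IE, one reason estimates vary by methodology. The log lines are constructed samples in Apache combined format, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2005:10:01:02 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
192.0.2.11 - - [12/Oct/2005:10:01:05 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
192.0.2.12 - - [12/Oct/2005:10:01:09 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)"
192.0.2.13 - - [12/Oct/2005:10:01:12 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1"
192.0.2.14 - - [12/Oct/2005:10:01:15 +0000] "GET /robots.txt HTTP/1.0" 200 50 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.15 - - [12/Oct/2005:10:01:20 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
"""

UA_FIELD = re.compile(r'"([^"]*)"\s*$')   # last quoted field is the User-Agent
FIREFOX = re.compile(r'Firefox/(\d+\.\d+)')
MSIE = re.compile(r'MSIE (\d+\.\d+)')
BOT = re.compile(r'bot|spider|crawler', re.I)

def classify(ua):
    """Return (family, major.minor). Order matters: Opera and many crawlers
    carry an MSIE token, so a naive 'MSIE' substring test overcounts IE."""
    if BOT.search(ua):
        return ("bot", "")
    if "Opera" in ua:
        return ("Opera", "")
    m = FIREFOX.search(ua)
    if m:
        return ("Firefox", m.group(1))
    m = MSIE.search(ua)          # '7.0b' (the IE 7 beta token) still yields '7.0'
    if m:
        return ("IE", m.group(1))
    return ("other", "")

def browser_share(log_text):
    """Per-family share of non-bot requests as a fraction of all non-bot requests."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UA_FIELD.search(line)
        if not m:
            continue               # malformed line: skip rather than guess
        family, _ = classify(m.group(1))
        if family != "bot":
            counts[family] += 1
    total = sum(counts.values())
    return {fam: n / total for fam, n in counts.items()} if total else {}

def naive_ie_count(log_text):
    """The substring method that makes share estimates vary by methodology."""
    return sum(1 for line in log_text.splitlines() if "MSIE" in line)
```

On the sample, the naive count attributes three requests to IE while the classifier attributes two, with the Opera request correctly separated.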

A small reflection on the year

The browser-diversity trajectory has been one of the more positive structural shifts of 2005. The dominance of a single browser has been a structural problem for years; the cumulative diversification is producing measurable improvement in the overall threat landscape.

For my own writing: more on the browser landscape as the trajectory develops. The cumulative archive of browser-security writing will inform future structural assessments.

More in time.
