Firefox 1.0 — browser diversity returns

Mozilla Firefox 1.0 shipped on 9 November. The browser landscape has been dominated by Internet Explorer since the late 1990s; Firefox's arrival is the first credible alternative for mainstream users in some years. The structural implications are larger than the specific release.

This is going to be a longer post because the browser-diversity question is structurally important and I want to think it through.

What Firefox is

Firefox is a stand-alone web browser derived from the Mozilla Application Suite. The 1.0 release is the result of several years of progressive development:

  • The Mozilla project itself began as the open-source release of Netscape's source code in 1998.
  • The Mozilla browser shipped as part of the Mozilla Suite for years; Firefox is the spun-off stand-alone browser.
  • Firefox 1.0 represents the first stable, mainstream-targeted release of the stand-alone browser.

The technical foundation is the Gecko rendering engine — substantially different from IE's Trident engine. The user interface is XUL-based — substantially different from Windows-native widgets. The codebase is open-source.

What Firefox does that IE does not

Several substantive differences.

Tabbed browsing. Multiple pages within a single browser window. Mozilla has had this for years; IE does not. The user-experience improvement is meaningful.

Pop-up blocking by default. Built into the browser; on by default; specific sites can be added to an allow-list. IE has added pop-up blocking in Windows XP SP2; Firefox has had it longer and includes it cross-platform.

An extensions ecosystem. Third-party developers can write small applications that run within Firefox; the user installs them per-browser. The ecosystem is small in November 2004 but growing rapidly. Specific extensions for ad-blocking, web-development tools, password management, and various other purposes are available.

Cross-platform availability. Windows, macOS, Linux, BSD. IE is Windows-only. For users on non-Windows platforms, Firefox represents the first credible mainstream-quality browser option.

Why this matters structurally

Three observations.

Browser-engine diversity is now a security property. When IE was the only mainstream browser, vulnerabilities in IE affected essentially everyone. As Firefox gains share, vulnerabilities in either engine affect a fraction of users; an attacker who wants broad reach must develop exploits against multiple engines.

The cumulative effect on the threat landscape is positive. The economic incentive for mass IE exploitation drops as the IE share drops; cross-engine exploitation is harder than single-engine.

The IE security model is being meaningfully challenged. IE's history has included substantial security-architecture choices (ActiveX, deep operating-system integration, the Local Intranet Zone) that make security difficult. Firefox's architecture starts cleaner. The security competition between the two products is healthy for both.

Microsoft has been forced to respond. XP SP2's IE hardening is at least partially a response to the Firefox emergence. Without a credible competitor, Microsoft would have less reason to invest in IE security improvements. The competition produces better outcomes for users.

What Firefox does about security

Several specific security properties worth noting.

A different default trust model. Firefox does not have IE's "trusted sites" zone concept; all web content is treated as untrusted by default. The model is simpler and produces fewer surprises.

No ActiveX support. ActiveX has been a substantial source of IE vulnerabilities. Firefox cannot run ActiveX; the entire category of attack does not apply.

Cross-platform consistency. A vulnerability in Firefox is a vulnerability across all platforms; a fix is a fix across all platforms. The patching cadence is uniform; the deployment is straightforward.

Open-source code review. The codebase is publicly reviewable. This is not a security guarantee — most security bugs are not found by casual code review — but it does enable specific security researchers to engage with the code in ways that closed-source IE does not allow.

Active security response. The Mozilla security team responds to vulnerability reports; patches ship; the cadence is consistent. The response is not perfect but is substantively engaged.

Operational considerations

For UK organisations considering Firefox deployment:

Compatibility with specific applications. Some web applications target IE specifically (using IE-specific behaviours, ActiveX, or layout assumptions). Firefox compatibility for these applications is variable. Audit before deploying broadly.

Manageability infrastructure. Group Policy deployment for Firefox is less mature than for IE. The infrastructure is improving but is not yet at parity.

Update mechanisms. Firefox has its own update mechanism; IE updates through Windows Update. The update cadences are different; the operational discipline differs.

User training. Users familiar with IE will need brief training on Firefox specifics. The learning curve is small; the friction is bounded.
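One way to start the compatibility audit mentioned above is to scan an application's HTML for constructs that only IE supports. This is an added example, not code from the original post; the pattern list is an illustrative assumption rather than a complete inventory, and the sample page and its all-zero CLSID are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Illustrative, non-exhaustive IE-only script constructs (assumed for this example).
SCRIPT_PATTERNS = {
    "ActiveXObject": re.compile(r"\bnew\s+ActiveXObject\s*\("),
    "document.all": re.compile(r"\bdocument\.all\b"),
}
CONDITIONAL_COMMENT = re.compile(r"^\s*\[if\s[^\]]*IE", re.I)

class IEDependencyAudit(HTMLParser):
    """Collects (line, finding) pairs for markup that assumes IE."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def _add(self, finding):
        self.findings.append((self.getpos()[0], finding))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "object" and attrs.get("classid", "").lower().startswith("clsid:"):
            self._add("ActiveX control")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inspect script bodies only, not visible page text
            for name, pattern in SCRIPT_PATTERNS.items():
                if pattern.search(data):
                    self._add("script uses " + name)

    def handle_comment(self, data):
        if CONDITIONAL_COMMENT.match(data):
            self._add("IE conditional comment")

def audit(html):
    parser = IEDependencyAudit()
    parser.feed(html)
    parser.close()
    return parser.findings  # list of (line number, finding)

# Constructed sample page, not taken from any real application.
SAMPLE = ('<!--[if IE]><link href="ie.css"><![endif]-->\n'
          '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>\n'
          '<script>if (document.all) { new ActiveXObject("Example.Control"); }</script>\n'
          '<p>Text that mentions document.all is not flagged.</p>\n')
```

Running `audit()` over each page of an internal application gives a first list of places to test by hand in Firefox; a clean result does not prove compatibility, since layout assumptions are not detectable this way.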

For home users:

Worth trying alongside IE. Most users do not need to abandon IE entirely. Running Firefox alongside IE for general browsing while using IE for specific IE-required sites is a reasonable approach.

The pop-up blocking and tab features are immediately valuable. These alone make Firefox worth using for typical browsing.

The security improvements are worth opting into. The default is more conservative; the cumulative protection is meaningful.

What I expect for the browser landscape over the next two years

Three predictions:

Firefox share grows to 10-15% of the desktop browser market by end of 2005. 60%. The current trajectory is rapid; specific corporate adoption may be slow.

Microsoft accelerates IE 7 development. 85%. The competitive pressure produces structural response.

Specific security incidents in IE drive Firefox adoption. 75%. Each major IE incident (and there will be major incidents) produces a Firefox-adoption spike.

The cumulative trajectory is positive. Browser diversity returns to the web. Security competition improves both products. Users benefit.

What I am doing personally

Firefox is now my primary browser. I have used various Mozilla-family browsers for years; the dedicated Firefox is a meaningful improvement. The performance is good; the extensions are valuable; the security defaults are sensible.

For sites that require IE (specific banking sites, occasionally government sites, occasionally legacy enterprise applications), I keep IE available. The dual-browser pattern works.

For my Snort sensor: rules for the small set of Firefox-specific exploitation patterns I have seen reported. The rules are bounded in scope; the alerts will be informative as Firefox-targeted exploitation matures.

A small note on the broader trajectory

Browser-engine diversity is one specific property of a healthy web. Other properties — protocol diversity, server-software diversity, content-format diversity — are also worth attending to. The cumulative effect of diversity across multiple dimensions is structural resilience.

The concentration of the web on a single browser engine (IE) for most of the past decade has been a structural problem. Firefox's emergence is the first sustained challenge. The challenge is healthy; the trajectory is positive.

For anyone in the field: the browser-diversity story is worth tracking. Specific developments will be visible across many subsequent posts.

More in time.

