User:Mjb/Sandbox

From Wikipedia, the free encyclopedia

Contents

[edit] Sandbox

Please ignore anything you see here. It's where I copy and paste things, and try out code.

[edit] More testing

1. testing “quotes” in ‘Firefox’ result: proper Unicode quotes, UTF-8 encoded in HTML

2. testing “quotes” in ‘IE’ after pasting into and recopying from Textpad result: same

3. testing “quotes” in ‘Firefox’ after pasting into Textpad, saving as ANSI, reloading, and copying result: same

4. testing “quotes” in ‘IE’

[edit] Internet Explorer

I cut the following from the criticisms section, and am checking to see if any of it needs to be folded back into the Criticisms of Internet Explorer article.


Since version 6, there has been no major development on the browser. Critics consider it to be technically inferior in some ways to its competition. Some would even go so far as to say it hinders further standard-based development of websites. Most of the criticisms are related to the support of open standards; and also security-related issues. Internet Explorer is subject to massive media scrutiny, mainly due to its ubiquity.

[edit] Criticisms regarding support of open standards

The Internet Explorer box model bug in quirks mode
The lack of support of PNG alpha channel prior to 7.0
The lack of support of PNG alpha channel prior to 7.0

During the browser wars, modifications of Internet Explorer and Netscape Navigator were focused on the addition of non-standard features. In contrast, more recent browsers have been designed with open standards in mind. Since version 5, there have been no significant changes in IE's Trident layout engine. While Internet Explorer implemented many of the open standards, critics found that they were implemented in an incomplete or incorrect fashion. The browser fails to offer support for the latest revision of the standards, especially those finalized after 2001 (since no major development was done after version 5.0). CSS, PNG, and XHTML are some well-known examples of standards that Internet Explorer does not implement fully.

Because of its market dominance, some casual web developers only test their websites with Internet Explorer. Some developers also use non-standard extensions offered by Internet Explorer. This can cause pages to be rendered incorrectly in other browser. In the worst case, it could block users of other browsers from accessing parts of the sites. Critics feel that this is the execution of the final step of EEE: the extinguish stage.

Sometimes pages that are designed to be compliant with certain W3C standards are not rendered correctly in Internet Explorer. This is often encountered when using complex CSS models. Conversely, many other web designers build websites compliant to W3C standards, test with multiple browsers that are more compliant to W3C standards, and then implement workarounds or hacks to account for Internet Explorer's rendering model, or to hide certain advanced website features from IE. The CSS hacks are often very complicated, as they need to deal with different versions of IE on different platforms (mostly Windows and Mac). They utilize not just Internet Explorer-specific features, but also some layout engine bugs that are well known.

[edit] Criticisms regarding security

Internet Explorer comes under heavy scrutiny from the computer security research community, in part due to its sheer ubiquity.

As of April 9, 2005, security advisory site Secunia counts 19 unpatched security flaws for Internet Explorer 6, although some of these flaws only affect Internet Explorer when running on certain versions of Windows or when running in conjunction with certain other applications. See computer security for more details about the importance of unpatched known flaws.

[edit] Exploitation via COM

Over the years, numerous attacks were targeted toward Internet Explorer. The embedding of COM into the Internet Explorer created a combination of functions that provides a gateway for explosion of computer virus, trojan and spyware infections. These malware attacks mostly depend on ActiveX for their activation and propagation to other computers. Microsoft has recognized the problem with ActiveX since 1996 when Charles Fitzgerald, program manager of Microsoft's Java team said, "If you want security on the 'Net', unplug your computer. … We never made the claim up front that ActiveX is intrinsically secure.".

One of the main problems in Internet Explorer's security measure is the total reliance on human judgment. Also, ActiveX security relies solely on security zones and digital signing, which was utilized by malware multiple times. One of the common techniques is to mark malicious pages incorrectly under trusted zone, either through human judgment or exploiting the browser's bugs without user interaction. In the sandbox security model used by other browsers, there are no trusted zones as every pages that come from websites (and even local file system) are run with very limited privileges. Human judgment is not involved as pages are only semi-trusted. On another hand, digital signing is rarely used in practice as the signing process is technical and expensive.

The forth-coming Microsoft AntiSpyware, which is currently in beta, monitors BHOs in Internet Explorer on Windows 2000, XP and Server 2003, and will warn the user before a new BHO is installed.

[edit] Time for patch creation

Critics have claimed that security fixes take too long to be released after discovery of the problems, and that the problems are not always completely fixed. After Microsoft released patches to close holes in its general operating system in February 2003, 200 days after their initial report (instead of 30-60 days), Marc Maifrett, Chief Hacking Officer of eEye Digital Security, stated that "If it really took them that long technically to make (and test) the fix, then they have other problems. That's not a way to run a software company." Maifrett was criticized by The Register for publicizing a security hole leading to the creation of the Code Red worm and stated that "had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems".

Microsoft attributes the perceived delays to rigorous testing. The testing matrix for Internet Explorer demonstrates the complexity and thoroughness of corporate testing procedures. The browser is released in 26 different languages on many different Windows platforms. Therefore, it is estimated that each patch is tested on at least 237 installations.

[edit] Criticisms regarding download size

Over the versions, the download size of Internet Explorer has increased significantly. As of Internet Explorer 6 Service Pack 1 (including Outlook Express), the total download size for a typical installation was approximately 25 megabytes. The size varied between 11 (minimal install) and 75 MB (full install). This was much larger than that of other internet suites, for example (based on Windows installer): 3.6MB for Opera 8.0 and 11MB for Mozilla 1.7.8.