November 2004


I think it is safe to say that the browser wars are back. According to eWeek, the global web browser usage numbers released by OneStat.com show Mozilla-based browsers increasing to 7.4% of the market, compared to 2.1% in May of this year. Microsoft’s Internet Explorer dropped 5% to 88.9%.

According to Internet World Stats, there are currently 813 million Internet users. This 5.3% increase in Mozilla browser usage equates to up to 43 million new users since May.

The Mozilla Foundation has a goal of 10% market share for its Firefox browser in 2005. Microsoft plans to add features in the form of add-ons to Internet Explorer in an effort to minimize the number of advantages Firefox has over IE (tabbed browsing, pop-up blocker, etc.).

According to Asa Dotzler, Mozilla’s release manager, Firefox 1.0 has reached 5 million downloads since its launch just two weeks ago. Of course, the number of downloads does not equate to the number of users, as many companies and organizations will download one copy but deploy it to tens, hundreds or even thousands of desktops. An example of this is Linux distributions such as SuSE and RedHat, which provide the software via their own distribution networks.

I hope this new competition will force Microsoft to make Internet Explorer standards compliant. Web developers are required to develop either to the standards (my preference) or to Internet Explorer (the market share leader) and then either create a separate site or modify the layout so it’s “good enough” for the other. Unfortunately, because of Internet Explorer’s poor standards support, many features of the W3C standards (alpha transparency, layers, etc.) are currently not used.

Apparently even Microsoft is transitioning to Firefox (even though they deny it) :)

With the proliferation of adware, spyware, viruses and other malicious programs, along with the globally dispersed distribution of files (peer-to-peer networks, BitTorrent, Akamai caching networks, email, etc.), how can you validate that the file you received has not been compromised?

How can you validate that the files on your own computer have not been tampered with? Unfortunately, virus scanners and spyware scanners do not detect and remove *ALL* of these malicious programs. As a result, you can be running applications and relying on data that has been compromised without knowing it.

There are two FOSS tools that can help manage these issues: GnuPG and md5sum.

The md5sum utility calculates the MD5 message digest of its input (in this case, files). The algorithm, specified in RFC 1321, reduces input of any length to a 128-bit “fingerprint”. It was designed so that finding two different inputs with the same fingerprint would be computationally infeasible. That design goal no longer holds: practical collision attacks on MD5 have been published, so two deliberately crafted files can share a fingerprint. Producing a second file that matches the fingerprint of a file someone else already made is still impractical, which is why md5sum remains useful for catching corruption and casual tampering; for anything new, prefer SHA-256 (sha256sum has the same command-line interface as md5sum).

For example, I took a 20MB log file from my system and computed its MD5 fingerprint (the command is md5 on BSD and Mac OS X; on GNU/Linux it is md5sum, whose output puts the digest first):

$ md5 log.txt
MD5 (log.txt) = 2d8a4c69f029113c7cf6e9ea065f2e04

As you can see, it produced the 32-hex-digit fingerprint 2d8a4c69f029113c7cf6e9ea065f2e04 from 20MB of data. So let’s change exactly one byte in this log and see what happens. I opened the log, went to line 23,000 and replaced an ‘s’ on that line with a ‘t’. All other data in the file remained the same.

$ md5 log.txt
MD5 (log.txt) = c533b5d80fbaf69fb1323b1ecd24dea7

As you can see, even though the file size, file name, timestamp, attributes, etc. stayed the same, the MD5 algorithm picked up the one-byte change and produced a completely different fingerprint. This is by design: on average, any change to the input flips about half the bits of the digest, so a changed file never has a fingerprint that is merely “slightly different”.

What does this mean in “the real world”? For one thing, it is possible to configure a system, run MD5 over every file on it, and record the list of sums as a baseline. Running the same computation later and comparing against the baseline locates files that changed. Two caveats apply: the baseline has to be stored where an intruder who can modify the files cannot also edit the list (offline, on read-only media, or signed as described later), and a digest list only covers the files it names, so you also need to look for files that were added. To test the speed, on an Athlon 2.1GHz machine I was able to compute the MD5 values of 1,191 files (123MB) in 1.32 seconds. For completeness, I used the following command from the folder whose values I wanted to compute (add -type f after the dot to restrict it to regular files, as md5 prints an error for each directory it is handed; if you use GNU md5sum instead of md5, the resulting list can later be re-checked with md5sum -c):

$ time find . -print0 | xargs -0 md5 > 041118.md5
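As an added example (not part of the original post), here is the baseline-and-compare procedure above as a script, generalized a little: it records a digest per regular file, and the check reports not only files whose digest changed but also files that vanished or appeared, which a plain `md5sum -c` pass never notices. It assumes GNU coreutils and findutils; the DIGEST variable, the function names and the report format are my own choices, and it defaults to sha256sum rather than the post’s md5 because MD5 collisions are practical.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a digest baseline of a
# file tree and later reports what changed, vanished, or appeared.
# Assumes GNU coreutils (sha256sum/md5sum with -c --quiet) and GNU findutils.

DIGEST=${DIGEST:-sha256sum}   # the post used md5; set DIGEST=md5sum to match it

# build_baseline DIR OUTFILE
# Writes one "digest  ./relative/path" line per regular file under DIR, sorted
# by path so two baselines of the same tree compare byte for byte. OUTFILE
# should live outside DIR (or on read-only media) so an intruder who can edit
# the files cannot also edit the list.
build_baseline() {
    dir=$1
    out=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")   # absolute: we cd below
    ( cd "$dir" && find . -type f -print0 | xargs -0 -r "$DIGEST" ) \
        | LC_ALL=C sort -k 2 > "$out"
}

# check_baseline DIR BASELINE
# Prints "CHANGED: path", "MISSING: path" or "ADDED: path" for each
# discrepancy and returns 1 if there were any, 0 if the tree is unchanged.
check_baseline() {
    dir=$1
    base=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    old=$(mktemp); now=$(mktemp)
    report=$(
        # Files the baseline knows: recompute every digest. --quiet suppresses
        # the OK lines; a file that no longer exists shows as "FAILED open or read".
        ( cd "$dir" && "$DIGEST" -c --quiet "$base" 2>/dev/null ) | sed -n \
            -e 's/^\(.*\): FAILED open or read$/MISSING: \1/p' \
            -e 's/^\(.*\): FAILED$/CHANGED: \1/p'
        # Files the baseline does not know: a digest check alone never sees
        # these, so compare the sorted path lists as well.
        sed 's/^[0-9a-fA-F]* [ *]//' "$base" | LC_ALL=C sort > "$old"
        ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$now"
        LC_ALL=C comm -13 "$old" "$now" | sed 's/^/ADDED: /'
    )
    rm -f "$old" "$now"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh baseline.sh build DIR OUTFILE  |  sh baseline.sh check DIR BASELINE
case ${1-} in
    build) build_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

Run `build` once from trusted media, store the list somewhere the monitored host cannot write, and run `check` from cron; a non-zero exit with the report on stdout is what the administrator gets notified about.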

While you know you created the md5 fingerprints yourself and can be fairly confident in them (installed from trusted media, careful to inspect changes to files before blindly accepting a new md5 fingerprint, etc.), this does not help when retrieving files from the Internet. As mentioned earlier, many files are distributed over global distribution networks consisting of many mirror nodes, different transport methods (p2p, ftp, http, rsync, etc.) and across connections that may not be 100% reliable (i.e. a bad bit here or there gets transmitted).

There are a lot of chances for data to be altered, intentionally or unintentionally. The MD5 fingerprint validates correct transmission of a file from one location to another, but what happens if someone hacks into a distribution node and modifies both the file and its associated md5?

It would be possible to download the md5 fingerprint from a different server on the theory that if one server was compromised, the other may not be, but this is not verifiable (the root server could be compromised, in which case all mirrors carry the compromised version). GnuPG to the rescue!

GnuPG is a public/private key encryption tool based on the OpenPGP standard (RFC 2440, since superseded by RFC 4880). With GnuPG, it is possible to digitally sign a file with a private key and distribute the matching public key so others can verify who signed the file: anyone holding the public key can check the signature, but only the holder of the private key can produce it. As the signer will *usually* protect the private key with a passphrase (password) and the key is private (not distributed), it is significantly less likely to be compromised than a mirror. For file distribution, the signature is *usually* in a separate file with a .ASC extension, either a detached signature over the file or, as below, a clearsigned copy of the checksum list.

After installing GnuPG on your system, it is a simple matter of downloading the public key from a keyserver and importing it into GnuPG for use. For example, let’s say I wanted to get the public key used with the Knoppix distribution. I go to keyserver.net, type in “knoppix” and it brings up the public key. Clicking on the key ID displays the public key block. I can then copy and paste this to a file and import it into GnuPG:

$ gpg --import knoppix.key
gpg: key 57E37087: public key "Klaus Knopper ” imported
gpg: Total number processed: 1
gpg: imported: 1

After this, I can download the file and its signed md5 fingerprint (the .md5.asc file) from a server. For example, I downloaded the recent Knoppix distribution via BitTorrent and have the following files:

KNOPPIX_V3.6-2004-08-16-EN.iso
KNOPPIX_V3.6-2004-08-16-EN.iso.md5.asc

After downloading the files, I can use the signed md5 to verify the contents of the CD image (.iso). gpg --decrypt verifies the clearsigned file and writes its body (the md5 line) to stdout, which md5sum -c then reads and checks against the downloaded file:

$ gpg --decrypt KNOPPIX_V3.6-2004-08-16-EN.iso.md5.asc | md5sum -c -
gpg: Signature made Sun Aug 22 14:05:47 2004 MST using RSA key ID BA8F038D
gpg: Good signature from "Klaus Knopper
gpg: aka “Klaus Knopper
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2B 01 12 1B 55 5B 31 58 47 F4 C3 4B 7B DC 2E 6B
KNOPPIX_V3.6-2004-08-16-EN.iso: OK

As you can see, we have a lot of output. First, it shows that the .asc was signed by Klaus Knopper (the Knoppix developer, RSA key ID BA8F038D) on Sun Aug 22 14:05:47 2004 MST. The WARNING means that we have not gone through the key verification process (confirming the key fingerprint with the holder over another verified medium, such as the phone, and then signing the key with our own, e.g. gpg --lsign-key), which leaves open the possibility that the private key is not held by Klaus Knopper (though I did verify the key ID on the official Knoppix site). When doing that comparison, check the full fingerprint gpg prints (the “Primary key fingerprint” line) rather than only the eight-hex-digit key ID, which is short enough that a different key with the same ID can be generated cheaply. The most important line is KNOPPIX_V3.6-2004-08-16-EN.iso: OK. This shows that the md5 fingerprint in the signed message matches the md5 we computed of the downloaded file. Note that the OK line by itself is not sufficient: the pipeline’s exit status is md5sum’s, not gpg’s, so read gpg’s “Good signature” line (or run gpg --verify separately and check its exit status) before trusting the OK.
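The verification above, done the way a script should do it, as an added example that is not part of the original post or of the Knoppix project: it checks gpg’s exit status instead of letting the pipeline swallow it, pins the signer’s full fingerprint using gpg’s machine-readable --status-fd output rather than a short key ID, and only then runs the digest check over the signed list. It assumes GnuPG 2.x and GNU coreutils; the function names are mine, and the expected fingerprint is a placeholder you fill in from the project’s published fingerprint after confirming it over a second channel.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Knoppix project.
# Replaces `gpg --decrypt sums.asc | md5sum -c -` with a check that cannot pass
# on a bad signature or on a signature from the wrong key.
# Assumes GnuPG 2.x (--status-fd, VALIDSIG) and GNU coreutils (-c --quiet).

DIGEST=${DIGEST:-sha256sum}   # the post used md5; set DIGEST=md5sum for .md5.asc lists

# verify_signed_sums SUMS_ASC EXPECTED_FPR OUTFILE
# Verifies the clearsigned checksum list, requires the signature to come from
# the key whose full 40-hex-digit fingerprint is EXPECTED_FPR, and only then
# leaves the signed body in OUTFILE. Returns 0 on success, 1 otherwise.
verify_signed_sums() {
    asc=$1; want=$2; out=$3
    # --status-fd 1 sends machine-readable status lines to stdout while the
    # signed body goes to OUTFILE. A BAD or absent signature exits non-zero,
    # and unlike the pipeline form that status is not lost.
    status=$(gpg --batch --yes --status-fd 1 --output "$out" --decrypt "$asc" 2>/dev/null) \
        || { rm -f "$out"; return 1; }
    # VALIDSIG: field 3 is the fingerprint of the (sub)key that signed, the
    # last field that of its primary key. Pin on either, never on a short key
    # ID, which is cheap to collide.
    match=$(printf '%s\n' "$status" | awk -v want="$want" \
        '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { print "yes"; exit }')
    if [ "$match" != "yes" ]; then rm -f "$out"; return 1; fi
    return 0
}

# verify_download DIR SUMS_ASC EXPECTED_FPR
# Returns 0 only if the signature is good, made by the pinned key, and every
# file named in the signed list (paths relative to DIR) matches its digest.
verify_download() {
    dir=$1; asc=$2; want=$3
    sums=$(mktemp)
    verify_signed_sums "$asc" "$want" "$sums" || { rm -f "$sums"; return 1; }
    if ( cd "$dir" && "$DIGEST" -c --quiet "$sums" >/dev/null 2>&1 ); then rc=0; else rc=1; fi
    rm -f "$sums"
    return $rc
}

# Usage: sh verify.sh DIR SUMS_ASC EXPECTED_FPR   (the exit status is the verdict)
if [ $# -eq 3 ]; then
    verify_download "$1" "$2" "$3" && echo "verified" || { echo "NOT verified" >&2; exit 1; }
fi
```

The ordering matters: the signed list is never handed to the digest tool until the signature has been verified and attributed to the pinned key, so neither a tampered .asc nor a signature from a look-alike key can produce an OK.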

What’s nice about this method is that it provides an end-to-end way of verifying files. I took you through the core applications to show how everything fits together; however, there are many tools that build upon md5sum and gnupg to automate it (for example, the KGpg interface in KDE, which can auto-import keys from a key server and integrates with other applications, or the package management tools used by FreeBSD, the Linux distributions, etc.).

In addition to verifying files on your personal computer, I can see this type of setup being useful for public terminals or computer labs. A signed md5 list could be held on a central server and the computers on the network could check their files against the master list. If a file was altered, the administrator could be notified, or perhaps the computer could auto-reload the system off a network image file. By providing a centrally controlled method of verifying files, the security of the individual distribution nodes becomes less critical. The check is only as trustworthy as the machine running it, though: if the checker, the gpg binary or the kernel on a terminal has already been subverted, it can be made to report OK regardless, so run the check from trusted boot media or from a host you control. Of course, verify the requirements, as an md5/gnupg combination may not be the best solution.

Novell earlier this week settled a suit regarding NetWare with Microsoft, resulting in Microsoft paying Novell $500 million. Now Novell has formally sued Microsoft with regard to WordPerfect and Quattro Pro, two products for which Novell claims Microsoft withheld information, causing these applications to fade into oblivion.

Just a recap: WordPerfect was the dominant word processor on PCs back in the late 80’s/early 90’s. WordPerfect Corp sold the product to Novell in the early 90’s; after owning WordPerfect for three years, Novell sold it to Corel at a significant loss.

Novell believes that with the findings from the DOJ case and other anti-trust cases, it has the evidence necessary to show that during the period when Novell owned WordPerfect, Microsoft illegally made bundling arrangements with OEMs and withheld critical information regarding Windows 95 (not to mention perhaps some direct attacks against WordPerfect in the source code) that put WordPerfect at a significant competitive disadvantage and, as a result, caused it to fail in the marketplace.

While I don’t question WordPerfect’s dominance in the market as a DOS-based application, it WAS a DOS-based application. It flourished by being completely controlled by the keyboard, using a wide array of macros and shortcuts, “reveal codes” and other methods that don’t translate very well to the mouse/icon-centric GUI world. When Novell acquired WordPerfect, it was in a rocky transition from DOS to Windows, which, to put it mildly, was a very tough transition. In fact, it wasn’t until 1995 (4 years after the original Windows release) that WordPerfect for Windows was “good enough” to use.

But does this matter? When the DOJ had its case against Microsoft, where was Novell? Why didn’t Novell bring up this issue to show a consistent pattern of behavior by Microsoft? Instead they wait until 4+ years AFTER that case was finished and 8+ years since they SOLD WordPerfect to Corel. While I have been generally happy with the decisions Novell has made lately with regard to Linux and FOSS (not to mention the significant contributions they have made), and I would love to see more money from Microsoft paid to Novell, I feel that an 8+ year span is too long to be bringing up these legal issues. I really hope this isn’t the start of the “massive litigation era” of Novell. No need to see significant amounts of money being given to legal counsel that could be invested into marketing, support and development of OSS.

For all of you who were wondering, Firefox is NOT A THREAT to Microsoft’s Internet Explorer. Well, at least according to Steve Vamos, a Microsoft managing director.

This guy absolutely cracks me up. Check out these notable quotes:

With regard to Firefox being a competitive threat: “I’m not sure that that is the reality. I have seen comments around that, but there is nothing I can refer to that really supports that.” Apparently this micro-softie has not read the reports from WebSideStory, Geek.com, Blackplanet.com, the Tavis Smiley Show (NPR) and other sources (perhaps the millions of web server logs?) documenting Firefox’s continued market share increase.

“We probably need to do a bit of work to communicate the features that are in IE.” Like what exactly? Partially implemented PNG, CSS1, CSS2, XHTML, XML and other standards? No tabbed browsing? No mouse gestures? No built-in pop-up blocking? No extensions manager? No download manager? Vendor lock-in? Good luck.

“I don’t agree that just because a (competing) product has a feature that we don’t have, that feature is important,” .. true .. “It is not. It is only important if it is a feature the customer wants. There are plenty of products out there with features we don’t have. We have plenty of features that our customers don’t use.” Umm.. *scratching head*.. So they have lots of features their customers don’t use, yet the only features important enough to develop are the ones the customer wants? Something’s wrong: either customers don’t know what they want, or Microsoft develops whatever they *think* customers want and is apparently getting it wrong. Needless to say, the fact that Firefox is taking ANY market share from Internet Explorer should be a HUGE wake-up call that there are features missing .. kinda like umm.. security, standards compliance, etc..

But this guy goes on and on: “If there are features in our products that are subpar or need to be added, then I have great confidence that we are an organization that responds pretty quickly and effectively to that.” “We take user feedback very seriously. If you have that feedback, then you should feed it back to us because we will feed it to the product team.” (Yes, he poorly defined feedback.. heh..) Millions of web developers have been requesting standards compliance for CSS/XHTML for YEARS, and users have been requesting better security and protection from spyware/adware for YEARS. Apparently Microsoft doesn’t listen (surprise).

But of course, this wouldn’t be complete without knowing the following:

Vamos, who admitted he has never used Firefox, said there is a lot of hype surrounding the open-source movement and that if Microsoft’s customers wanted new features, they would have told the company about it. Perhaps the cost was prohibitive (free), or he was unable to acquire a copy to size up the competition.

Yippie.

Mozilla Firefox 1.0 was released today! While Firefox has been very usable for the past year, the v1.0 release brings with it the first major advertising push for a FOSS project, including regional promotion parties and advertisements in newspapers such as the New York Times. It has truly been interesting: when I started to promote Mozilla/Firefox, I had around a 40-50% success rate (people I showed it to using it as their primary browser). Within the last month, that has risen to close to 100%, with many people who are not “computer savvy” already using Firefox on their computers. Firefox has already been chipping away at Microsoft’s Internet Explorer market share at a current rate of around 500,000 users per week. With more people using Firefox, more people are promoting Firefox, and I would not be surprised to see use grow to 15-20% of total market share within the next year.

Here are some direct links to Firefox 1.0 US English version:

Linux (tar.gz)
Linux (bittorrent)
Mac OS X (dmg.gz)
Windows (exe)
Windows (bittorrent)
Source Code (tar.bz2)
