All Things Digital

“There is of course, a corollary to safer browsers–what might be called ‘unsafe browsers.’ … Letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts.” This according to PayPal (EBAY) Chief Information Security Officer Michael Barrett, who says the company plans to block browsers that lack anti-phishing features and support for EV (extended validation) certificates.

In the interest of public safety, of course. Among those browsers, older versions of Microsoft’s (MSFT) Internet Explorer and Firefox and, presumably, all versions of Apple’s (AAPL) Safari browser that PayPal recently cautioned users against. “Apple, unfortunately, is lagging behind what they need to do to protect their customers,” Barrett said this past February. “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out or Firefox 2 or Firefox 3, or indeed Opera.”

UPDATE: PayPal now says it never planned to block Safari.

PayPal is developing features to block customers from logging in to PayPal when using obsolete browsers on outdated or unsupported operating systems. An example of such a browser/OS combination might be, for example, Internet Explorer 4 running on Windows 98. In doing so, we better protect our customers from viewing a phishing site through their browser. We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our Web site.”

So to recap:

• PayPal Chief Information Security Officer Michael Barrett warns against using Safari.

• PayPal publishes a paper, authored by Barrett, saying the company will soon protect users against unsafe browsers that lack phishing protections like blacklists, anti-fraud warning pages and Extended Validation SSL Certificates.
• Safari lacks these protections.
• PayPal says: Go ahead and use Safari. We have absolutely no intention of blocking it. But God forbid, don’t use IE4 on Windows 98.

Know what IE4’s share of the browser market was in 2007?

0.01%.

I’d imagine its share of the market on Windows 98 machines in 2008 is quite a bit less than that. You might as well warn against using IE4 on MS-DOS.

Apple CEO Steve Jobs’s claim that Safari is responsible for 71% of mobile browser usage apparently echoed throughout Microsoft HQ like a hearty Nelson Mundt “Hah Hah!” since Microsoft (MSFT) has developed a more robust version of Internet Explorer Mobile with which to challenge it. At the CTIA conference in Las Vegas this morning, the company announced Windows Mobile 6.1 and along with it a new desktop-grade version of IE Mobile. With support for Adobe Flash and Silverlight, the browser should help Microsoft better compete with the full Web-browsing experience provided by Mobile Safari. Expect it at market in the third quarter of 2008.

Back in 2005, word on the street had it that the Mozilla Foundation was making as much as $30 million annually from the Google search box in its open-source Firefox Web browser.

Turns out, that number probably wasn’t too far off. According to an independent auditor’s report, Mozilla made $66.8 million in revenue in 2006, quite a bit of it from Google (GOOG). As former Mozilla Corp. CEO Mitchell Baker explained in a post to MozillaZine:

As in 2005 the vast majority of this revenue is associated with the search functionality in Mozilla Firefox, and the majority of that is from Google. The Firefox user base and search revenue have both increased from 2005. Search revenue increased at a lesser rate than Firefox usage growth as the rate of payment declines with volume. Other revenue sources were the Mozilla Store, public support and interest and other income on our assets.”

But those “other revenue sources” are piddling in comparison to Google’s contribution, which apparently accounts for a full 85% ($56 million or so) of Mozilla’s revenues.

So it’s supremely ironic then to hear Mozilla CEO John Lilly criticize Apple (AAPL) for distributing its Safari browser for Windows and OS X through its Software Update utility. “What Apple is doing now with their Apple Software Update on Windows is wrong,” Lilly said in a blog post on Friday. “It undermines the trust relationship great companies have with their customers, and that’s bad–not just for Apple, but for the security of the whole Web. … Apple has made it incredibly easy– he default, even–for users to install ride-along software that they didn’t ask for, and maybe didn’t want. This is wrong, and borders on malware distribution practices. It’s wrong because it undermines the trust that we’re all trying to build with users. Because it means that an update isn’t just an update, but is maybe something more. Because it ultimately undermines the safety of users on the Web by eroding that relationship. It’s a bad practice and should stop.”

Now, Lilly may have a point. But he’s hardly the best guy to be making it. As ZDnet’s Larry Dignan notes, Safari–like Firefox–features a Google search box, for which the search giant also presumably pays a placement fee. A sudden gain in market share for Safari at Firefox’s expense could have financial implications for Mozilla. “Let’s say Safari grabs 10% market share and Firefox falls to about 25%,” Dignan writes. “That’s fewer searches and less revenue for Mozilla. Sure, you can argue about whether Apple’s Safari move is above the board. You can also question the security implications and a bevy of other issues. But in the end, Apple’s Safari update and Mozilla’s reaction is like any other story. To truly understand it you have to follow the money.”

UPDATE: John Lilly wrote to me earlier today with a few comments about this post. Here’s what he had to say:

Hi John –

Wanted to follow up on your post just now about us and Apple and Google.

Take this for whatever it’s worth, but revenue and market share didn’t enter my mind when I posted. At Mozilla we obviously care about having enough resources to keep the lights on and pay people, and we care about having enough market share–because it means that we’ve built products that people really care about.

But competition is good and healthy, and essential. Without competition we’d all be in a pretty bad world–sort of like AT&T in the bad old days.

I’ve got zero issues with Apple using their channel to distribute other products–I think that’s a perfectly fine thing for them to do. What I worry about is that users need to trust the security updates they get from their vendors–because if they don’t–if they think there’s an ulterior motive other than keeping software up-to-date–that’s a problem for everyone.

Anyway, I respect your right to write what you think and to be skeptical of the motives of folks like me, but I do say sincerely that in this case, revenue has nothing to do with it.”

The sputtering outrage over the firmware update that disabled third-party iPhone applications and bricked iPhones uncoupled from AT&T’s network became a cry of victory yesterday when the iPhone dev community said it had found a way to again implement third-party applications on the device.

According to Engadget, the iPhone Dev Team, an unofficial group of programmers who developed the jailbreaking tools that opened up iPhone 1.0.1, have crafted a second set of tools that exploits a vulnerability in Mobile Safari to open iPhone 1.1.1. They’ve not yet released a general-use version of the tool, but one is surely on the way.

That said, there’s no telling how long it will work once it’s released. As Engadget notes, these newer jailbreaks aren’t nearly as robust as their predecessors. “… Unfortunately, it sounds like most (if not all) of these new hacks rely solely on that single TIFF exploit in Mobile Safari, meaning that everyone’s back to square one the moment Apple beams v1.1.2 to the public at large.”

Turns out “irreparable damage” was a fairly apt description for what Apple’s latest iPhone firmware update does to modified or unlocked iPhones. Issued yesterday afternoon, iPhone 1.1.1 update does indeed play havoc with modified iPhones, particularly those that have been hacked to work on non-AT&T networks. It wipes out all unsupported third-party applications and disables the Jailbreak hack used to install them. And it bricks unlocked iPhones. “The update will work OK in unlocked iPhones, but it will return your iPhone to the activation screen,” explains Gizmodo. “From there, no activation is possible. The iPhone doesn’t get bricked but, if you want to keep using it, don’t update your iPhone.”

Actually, it does get bricked out. Sources at Apple tell Ars Technica that the activation limbo into which unlocked iPhones are sent is the company’s definition of “bricking”: “Current attempts to reactivate across the Web are failing and therefore [a hacked] iPhone cannot be used to do anything–no phone calls, no Safari, no iPod, nothing. An unlocked iPhone that runs firmware update 1.1.1 is unusable no matter what SIM is in it.”

UPDATE:The Unofficial Apple Weblog (TUAW) reports that Apple Stores around the country are restoring bricked iPhones. “We’re not sure whether they’re doing a low-level reflash or just swapping units out,” TUAW explains. “We have reports of at least four customers who walked in with iBricks and walked out with iPhones. It is unclear at this time whether these customers unlocked their iPhones or not–we’re also receiving reports of iBricks from people who never unlocked or modded their units.”