Web Admin Blog Real Web Admins. Real World Experience.

11Sep/090

Dang, People Still Love Them Some IE6

We get a decent bit of Web traffic here on our site.  I was looking at the browser and platform breakdowns and was surprised to see IE6 still in the lead!  I'm not sure if these stats are representative of "the Internet in general" but I am willing to bet they are representative of enterprise-type users, and we get enough traffic that most statistical noise should be filtered out.  I thought I'd share this; most of the browser market share research out there is more concerned with the IE vs Firefox (vs whoever) competition aspect and less about useful information like versions.  Heck, we had to do custom work to get the Firefox version numbers; our Web analytics vendor doesn't even provide that.  In the age of more Flash and Silverlight and other fancy schmancy browser tricks, disregarding what versions and capabilities your users run is probably a bad idea.

  1. IE6 - 23.46%
  2. IE7 - 21.37%
  3. Firefox 3.5 - 17.28%
  4. IE8 - 14.62%
  5. Firefox 3 - 12.52%
  6. Chrome - 4.38%
  7. Opera 9 - 2.20%
  8. Safari - 1.95%
  9. Firefox 2 - 1.27%
  10. Mozilla - 0.48%

It's pretty interesting to see how many people are still using that old of a browser, probably the one their system came loaded with originally.  On the Firefox users, you see the opposite trend - most are using the newest and it tails off from there, probably what people "expect" to see.  The IE users start with the oldest and tail towards the newest!  You'd think that more people's IT departments would have mandated newer versions at least.  I wish we could see what percentage of our users are hitting "from work" vs. "from home" to see if this data is showing a wide disparity between business and consumer browser tech mix.

Bonus stats - Top OSes!

  1. Windows XP - 76.5%
  2. Windows Vista - 14.3%
  3. Mac - 2.7%
  4. Windows NT - 1.8%
  5. Linux - 1.8%
  6. Win2k - 1.5%
  7. Windows Server 2003 - 1.2%

Short form - "everyone uses XP."  Helps explain the IE6 popularity because that's what XP shipped with.

Edit - maybe everyone but me knew this, but there's a pretty cool "Market Share" site that lets people see in depth stats from a large body of data...  Their browser and OS numbers validate ours pretty closely.

16Feb/092

Browser Support – Just Do It

I am moved to post today by a gripe.  We have a lot of products and SaaS vendors that for some reason feel like they don't need to support browsers other than whatever it is they have in their mind as the one browser they're going to support.   I have Firefox 3, Internet Explorer 8 beta, and Chrome on my PC but still can't use many of the darn programs I needed to use today.  (Of course, you can't run different IE versions on the same box without resorting to virtualization or similar, so once I went to IE8 beta I knew I was in a world of hurt).

Let me share with you the top 10 browsers we see on our Web site.  These numbers are from the last 500k visits so they should be statistically representative.

  • IE7 - 34.9%
  • Firefox - 31.0%
  • IE6 - 25.9%
  • Safari (includes Chrome) - 4.1%
  • Opera 9 - 2.3%
  • IE8 beta - .9%
  • Mozilla - .4%
  • Charlotte - .1%
  • Yeti - .1%
  • IE5 - .1%

All you suppliers who think "I don't need to support Firefox" - think again.  And you're all doing a bad job of supporting IE8.  I know it's new - but if you've already been only supporting one browser, be advised that as soon as IE8 goes gold everyone will auto-download it from Microsoft and then you're SOL.   And there's a lot of IE6 out there still, even if you are trying to do "IE only."

To name names - Peopleclick.  IE7 support only.  Really?  You really only want 35% of users to use your product?  Or you think we're going to mandate an internal company standard for your one app?  Get real.

Sharepoint.  No editing in Firefox.  When we evaluated intranet collaboration solutions here, we got down to Atlassian Confluence and Sharepoint as finalists, but then the "no Firefox" factor got Sharepoint booted for cause.  Confluence itself doesn't support Safari until its newest version, which was annoying.  (Microsoft does promise the new version of Sharepoint out later this year will have adequate Firefox support.)

Graphs don't work right in Firefox in Panorama, otherwise a pet favorite APM tool.

So guys - I know it's a pain, but the Windows browser market is split and Macs are undergoing a renaissance.  Real companies don't tell 5 to 10 percent of their customers to screw off (let alone 65%, Peopleclick).  It's a cost of doing business.   You're getting out of a whole bunch of client side code writing by cheating and using Web browsers for it, so be grateful for that rather than ungrateful that you have to test in a couple different browsers.  Because corporate decisionmakers like myself will ask, and we will make buying decisions based on it.

24Sep/0815

New 0Day Browser Exploit: Clickjacking – OWASP AppSec NYC 2008

This talk was rumored to have been cancelled at a vulnerable vendor's (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway.  Here are my notes from the semi-restricted presentation.

Jeremiah started off with a brief introduction on what clickjacking is.  In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.  "A normal user wouldn't have any idea of what is going on.  People in this audience may see something a little different from what they would expect and you would definitely see the results in the page's source code."  eBay, for example, would be vulnerable to this since you could embed JavaScript into the web page, although JavaScript is not required to exploit this.  "It makes it easier in many ways, but you do not need it."  Use lynx to protect yourself and don't do dynamic anything.  You can "sort of" fill out forms and things like that.  The exploit requires DHTML.  Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page.  Each click by the user equals a clickjacking click so something like a Flash game is perfect bait.  The issue and fix will probably be originally released on http://ihackcharities.org.

My Analysis: It sounds like the exploit basically creates a frame that is hidden underneath the main content frame that a user is seeing.  The main content could be a Flash game or any sort of incentive to keep a user clicking.  All of the clicks that the user is making are used to click on content in the hidden frame.  Again, just my speculation based on the information provided by RSnake and Jeremiah above.
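The "not letting yourself be framed" defense in the notes above is now usually expressed with response headers (CSP `frame-ancestors` and `X-Frame-Options`) rather than framebusting script. The following is an added example, not from the talk or the original post, that audits a response's headers for that protection; the function names and sample responses are constructed for illustration.

```javascript
// Added example: audit a response's headers for anti-framing protection.
// Header names are standard; the sample responses below are constructed.

// Return the source list of the first frame-ancestors directive, or null.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function framingProtection(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    // An enforced frame-ancestors directive overrides X-Frame-Options.
    // An empty source list matches nothing, so it behaves like 'none'.
    const open = sources.some((s) => /^(\*|https?:|https?:\/\/\*)$/i.test(s));
    return { mechanism: "csp", protected: !open, sources };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { mechanism: "x-frame-options", protected: true, sources: [xfo] };
  }
  // Missing, obsolete ALLOW-FROM, or unrecognised values: treated as unprotected here.
  return { mechanism: xfo ? "x-frame-options" : "none", protected: false, sources: [] };
}

// Constructed sample responses (not from any real site).
const SAMPLES = {
  bank: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  legacy: { "X-Frame-Options": "sameorigin" },
  wildcard: { "content-security-policy": "frame-ancestors *", "x-frame-options": "DENY" },
  obsolete: { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  bare: { "Content-Type": "text/html" },
};

// Map each sample name to whether it refuses cross-origin framing.
function auditSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, hdrs]) => [name, framingProtection(hdrs).protected])
  );
}
```

As the notes point out, this only covers being framed by another origin; it does nothing about clicks on the attacker's own page.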

24Aug/083

Two Simple Ways to Read Restricted Website Content

Have you ever had a problem and used a search engine to try to find the solution?  Did that search bring you results from a site that then forced you to register in order to see the content?  This happened to me all of the time before I found two simple ways to display that content without having to register at all.

Let me begin by explaining the why before I tell you the how.  In order for a search engine to index a site's content, it needs to be able to see that content.  The webmasters of that site are eager to let the search engine see the content as they know it will drive additional visitors to their site.  The end result is that they have to find a way for the search engine to see the content, while at the same time obscuring it from the view of the average user.  Most of the time they do this by keying off of the browser's USER AGENT.  This creates a loophole for us to exploit since if Google is able to see the search engine results, then so can we.  Here are my two tricks to see the restricted content: