I asked:
Why shouldn’t we intentionally disable Windows 9x support in that release [Firefox 2] as well, even if it’s not necessary for technical reasons?
And people came up with several good reasons why we shouldn’t :-) Among them:
- Windows 9x have a much smaller network attack surface due to its limited functionality
- People can run firewalls to mitigate the problem
- Windows isn’t free-as-in-beer, and some people won’t pay to upgrade
- If they can’t use Firefox 2, they’ll use Firefox 1.5 or IE and that’ll be even worse.
So… how about the Firefox start page warns them that they are using an insecure and end-of-lifed OS? Or should we adopt the attitude that it’s not our problem?
I agree, if the issue can be mitigated with a firewall outside of the OS/browser then inform them they are using a now unsupported OS and educate them as much as possible, maybe even some links to a linux distro that might work well on a legacy PC.
Gerv said:
It definitely isn’t our problem. It’s not the browser’s job to worry about system security beyond ensuring that the browser itself exposes no attack vectors. If we start warning people about other potentially bad/insecure software running on their system, where does it stop? We could warn about viruses, spyware, old firewalls… that just isn’t a browser’s job.
You make too much of what Mozilla can control and what it can’t. There are likely to be some small security improvements in ff 2.0 that apply as equally to windows 98 and other operating systems.
The vast proportion of potential internet badness can affect both windows 98 and windows XP users equally. But, say, there is a small proportion of extra badness affects windows 98 and not XP. Because you can indentify that badness, and control that small amount extra badness by not making a product for windows 98, or discouraging the use the product for windows 98, it may seem important to you to make a big deal of this. It is “a deal”, true, but not “big”. I think that is just human nature to place more emphasize upon risks we can identify and control, where, if we were a bit more agnostic about risks, it would colour our decisions differently. Would it, in end, considering all the security benefits and risks, not be better to continue with the plan to make ff 2.0 for win98, and have them stick with 1.5? Have you attempted such an analysis?
For most of those still using Windows 98, it probably is not a choice. They just can’t afford to upgrade. Yes computers are cheap, but when you are on a tight budget and your current computer does everything you need, what do you think people are going to do?
I think the Firefox start page pointing out that 98 is insecure and end-of-lifed is not a bad idea. But people will get sick of seeing it (and knowing they can’t afford to do anything about it) if it is on the every day start page. It should only come up on the after install/upgrade start page.
But it could be phrased better. We may like to knock MS for its insecurity, but rather than focusing on that, we should focus on improving the situation for these users. Something like, “We have detected you are using a version of Windows that is no longer supported by Microsoft. The next version of Firefox, version 3.0, will require Windows 2000, XP, or higher. In the mean time, we suggest you protect your computer from security vulnerabilities by installing firewall software… if you do not already have them. You can find some recommended products by clicking here.”
Of course, that might be too much text. It should be short and to the point so people actually read it.
Its not our problem. I would not want every program I ran to inform me that I was using an out of date OS.
CodeMonkey approves – it’s not even a debate, cut Win98 support for FireFox 2 for sure.
—
CodeMonkey Blog
One of the great things common to most Mozilla projects is the large number of platforms supported. Whether that platform is inherently insecure is beside the point. What is important is Firefox strives to be secure.
I definitely agree with everyone else that this is not a Mozilla problem. There are many valid reasons that someone would run 9x, such as the ones listed above or a situation where the hardware just doesn’t perform well on an NT based OS. Unless there is some tremendous drawback to including support for 9x, I would certainly vote for leaving it.
It seems that the proposition in the original post implied that cutting support for windows would cause users to be more secure because they would see the err of their ways and upgrade their operating system.
This would be nice, but I do believe it to be too optimistic. If, at this point, a person hasn’t upgraded from windows 98 (and family), I don’t think this will be the light of revelation (for most) compelling them to upgrade their operating system.
If we are going to seriously consider cutting support for these platforms, we should at least do investigation (some formal and informal surveys perhaps) to determine the potential effects (if people will upgrade or not). I fear that if we make the decision lightly to cut support that we may be doing more harm than good to the security of users, when it is not necessary.
On a different note, I’d suggest having a dramatic (attention-getting, but concise) page on only the first startup informing them about their upcoming lack of support and then every day on the default startup page starting a month before the release of 3.0. Then, of course, after its release inform them of their bemoanful situation :).
I think nothing need to be done at this point. But when Firefox 3 is out, instead of showing the software update window, just tell the Win9x users that Firefox is no longer available for their OSes.
In my opinion, after Firefox 3.0 is out, you should keep having security updates for FF2.0. Just download these instead and don’t give the user too many warnings. You may believe that after such a warning people will upgrade to Linux or XP. Well, wrong, people who don’t know too much about computers, will just be afraid of the lack of support from Firefox and start using IE again. Or just ignore the warnings and still use Firefox. Almost noone will upgrade an OS, certainly not to Linux, for a reason like this.
So if they switch to IE, we’ll leave them even more insecure. If they use an outdated version of Firefox they’re also less secure.
So just give them security updates untill Windows 98 is really not used anymore.
Hi all,
After reading all the comments, I placed myself in the shoes of the users using Windows 9x, and I have to say that I would be annoyed at reading everytime that I have an outdated and insecure OS. On the other hand, I probably would like to know about it (but not be remembered). So how to deal with this ?
Simple, the Mozilla organization should create a web pages where we could find a small table with the number of security vulnerabilities per OS version, for each OS where there ain’t any development anymore. A bit like this :
+————+—–+
| OS | Known unsolved vulnerabilities
+————+—–+
| Win ME | xxx |
+————+—–+
| Win 98 SE | xxx |
+————+—–+
| Win 98 | xxx |
+————+—–+
| Win 95 | xxx |
+————+—–+
| Mac OS X.2 | xxx |
+————+—–+
| Mac OS 9 | xxx |
+————+—–+
etc
Everytime someone downloads FF and Mozilla detects that a computer is using an unmaintained OS, it would re-direct the user to this page. ONCE, that’s enough, we can consider the user warned. If the user wants a refresher, Mozilla could also put a link on the main page of Firefox and also links to FREE FireWall, FREE Antivirus and FREE Anti-Spyware software for these OSes in order that users could protect themselves as much as possible.
Of course, the same should apply for Thunderbird, SeaMonkey and all the other software developped by Mozilla.
If you could find an organization that does this, just redirect the user to that organization (Mozilla is a development organization, not a security organization).
Cheers,
Richard
It would be great if the Mac guys agreed to drop support for Mac OS X 10.2, so that Gecko could use graphics API features that are only available from 10.3.
Gerv,
I don’t know where you got the idea that we should even consider this. It is definitely not our problem. There is no reason to drop support for anything for Firefox 2. The continuiously-shrinking number of people who use us on earlier platforms perhaps do so because we are more secure than IE and they know that. I don’t think anyone is confused and thinks that they truely _want_ earlier versions of Windows. As others here have said, I would guess the main reasons for not upgrading are financial in nature. Many people have probably upgraded to a new machine, leaving behind an old machine that they don’t use very often or they simply just can’t afford to buy a new computer and are stuck with something old. There are no technical reasons why we shouldn’t provide people stuck on crappy versions of Windows with a better option as long as we can. If we didn’t have a fairly large set of technical reasons for dropping specific these platforms for Firefox 3, we would keep on supporting them.
-stuart
It is definitely our problem. We should be concerned about the vulnerabilities that our own products expose, but we’re not here to save the world.
Ugh,
make that not our problem in the last post.
“So… how about the Firefox start page warns them that they are using an insecure and end-of-lifed OS? Or should we adopt the attitude that it’s not our problem?”
Honestly, anyone running 98/SE/ME who would go out of their way to get Firefox in the first place probably is at least vaguely aware of the security problems in their OS :) Save the warning for when FF 2 is about to reach the end of its lifecycle.
I’d like to add my 2 cents’ worth here. Currently, I have 2 computers. The desktop, which is more of a media center, runs XPSP2 and is up to date. Then, I have a notebook HP that runs WinME. That computer is useful at times when I need to be away from home, e.g. doing homework at the library or at a cafe, etc. I’ve tried to upgrade it to XP, but it felt like I was driving a worn-out Model T compared to my current Porsche of a desktop, and the furthest I could upgrade would be SP1. I’ve tried to install Linux on my notebook (Ubuntu Warty warthog), but it was just as slow. I’ve reverted it to ME, and it is going okay. There’s no point in upgrading it if I know the screen will go on it any day. And I can’t really afford shelling out 10,000+ SEK to replace my computer, or at least not right now. :( I can understand dropping support for Firefox 3 if it’s a year away, but don’t drop support for Firefox 2. At least not now.
My advice, in bullet points:
However:
Definately not warm them. By doing so you’ll only get people who don’t understand asking for support to do it in places like forums with questions like ‘Firefox told me to upgrade my OS but what does that mean, what do I do?’
You should probably stick to explaining that the OS is end-of-life and Mozilla for engineering and resource reasons are moving away from it. This is firm ground. Keep clear of discussions of security. That is quicksand.
I think it definitely is our problem. I can’t seem to find information on it right now, but surely I’m not the only one who remembers the incident early in the 1.0.x series where Firefox developers had to include a fix for a Windows bug that MS had ignored for years?
There’s going to come a point—very likely sometime during 2.0—when Firefox is going to come up against a 98/ME bug that MS won’t fix. Then developers will have to either leave the program insecure on those platforms or add extra bits just for those platforms. It won’t be pretty.
“Then developers will have to either leave the program insecure on those platforms or add extra bits just for those platforms.”
It isn’t Mozilla’s task to make patches for Microsoft’s bugs.
frankf wrote: “I’ve tried to install Linux on my notebook (Ubuntu Warty warthog), but it was just as slow [as Windows XP]. I’ve reverted it to ME, and it is going okay.”
The reason Ubuntu was slow on your laptop is because its desktop environment, Gnome, was designed with more modern computers in mind, just as XP was. There are other DEs that you can choose from however and some, like XFCE, run much faster on older hardware; Ubuntu has a sister distro named Xubuntu that uses XFCE; you might be interested in it: xubuntu.org
> If they can’t use Firefox 2, they’ll use Firefox 1.5 or IE
I can vouch for this. I know of at least one instance wherein, after MacOS 9 was end-of-lifed by Mozilla, the last released version that ran on it was used through the spring of 2005, in a multi-user office environment. After a couple of years the differences in usability with the more up-to-date versions on other systems became very noticeable, but an upgrade to OS X was entirely out of the question, for two reasons: the system didn’t have enough RAM for the OS it shipped with as it was (it was an iMac of the G3 generation), and in any event the institution in question has no budget category for upgrades, period, only for new systems. (In the budget, computers (including their software) are still classified in the same category as furniture…)
> So… how about the Firefox start page warns them that they are using
> an insecure and end-of-lifed OS?
I suppose that doesn’t hurt anything much (provided, of course, that it’s just a default and they can still change their start page if desired). I suspect at this point, however, that most folks are already aware that Windows 98 is theoretically obsolete and technically no longer current, and I doubt telling them so again is going to be of very *much* value.
> It’s not the browser’s job to worry about system security beyond ensuring
> that the browser itself exposes no attack vectors. If we start warning
> people about other potentially bad/insecure software running on their
> system, where does it stop?
Indeed, should we warn Windows XP users that their OS is not as secure as OpenBSD?
And anyway, my experience suggests Windows XP is *substantially* less secure in practice than Windows 98, particularly if you connect it directly to the internet without an external one-to-many NAT gateway, as is routinely done in home and small business scenarios.
> In my opinion, after Firefox 3.0 is out, you should keep having
> security updates for FF2.0.
That should be done anyway, just as security updates for 1.0.x continue to be released after 1.5.x is out.
> I don’t think anyone is confused and thinks that they truely _want_
> earlier versions of Windows.
I do think some people still prefer Windows 98 over Windows XP, but I don’t think what browsers are available should have to be part of that decision.
Heck, *I* think I prefer Windows 98 over XP, because things like printing and Network Neighborhood work (mostly) reliably in Windows 98 and are a continuous problem with Windows XP systems. Not that I would choose either OS for myself, mind you, and not that there aren’t trade-offs — of course there are some things better about XP than 98, not least that it doesn’t seem to need to be reinstalled as often.
Why not make Firefox 2 / 98 a community project like Seamonkey or Camino?
<blockquote>”So… how about the Firefox start page warns them that they are using an insecure and end-of-lifed OS?”</blockquote>
I’m sure there are Win9x fans here who would think like this:
“Insecure? XP is also insecure. It’s even more insecure than Win9x, so what’s the logic here?”
In the same vein, you could pop a warning for all Windows users telling them that their OS is insecure because they’re not running Linux.
<blockquote>”Or should we adopt the attitude that it’s not our problem?”</blockquote>
Mozilla supplies a browser. Whether the OS it’s run on is insecure is not is not its problem. Warning about the fact that the next version won’t be supported would be appropriate, though.
<blockquote>”I don’t think anyone is confused and thinks that they truely _want_ earlier versions of Windows.”</blockquote>
You’re wrong. :)
<blockquote>”people stuck on crappy versions of Windows”</blockquote>
You say that as if WinXP isn’t crappy. Win9x isn’t without IE integration.
<blockquote>”Why not make Firefox 2 / 98 a community project like Seamonkey or Camino?”</blockquote>
I really don’t think it’s necessary.
Yeah Gerv! way to backtrack publicly. I commend you for that.
Anyways, the start page should reflect that it is not mozilla’s problem and that Firefox 3.0 is the latest ‘SECURE’ version of Firefox.
End of discussion.
– posted on PuppyLinux using
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20060612 Minefield/3.0a1
– which also Runs Windows ME
Why not make 1.5 a long lasting branch for win9x/ME specifically (Win32S ?). Only backport any security patches to the branch, and have people on newer OSs get upgraded to Firefox 2.0.
Neil T Wrote:
My advice, in bullet points:
“* Firefox 2 – fully support Windows 9x. There’s no technical reason why we can’t, AFAIK, and there are still quite a lot of people using those OSes.
* Firefox 3 – do not support Windows 9x officially. I think there are technical issues with 9x on the trunk and if supporting 9x results in a degraded experience for the majority then there’s not much point. cf the decision to drop support for OS X 10.1 recently.”
I still use windows 98, so does that mean Firefox 3 will run on me with issues, or it wont run at all?
I have to use Window 98 on my computer because I can’t afford to upgrade.
I would prefer the Firefox 3 version to be light weight and capable of running on Window 98. If it doesn’t work on Window 98, million of members and I would be force to use other browser. Firefox 2 is slow on Window 98 so when Firefox 3 is not available for window 98, I will get rid of it.
I live in a poor rural county in central Montana. Many people here have hand-me-down and bought-used computers and enjoy using them on the ‘net. I see lots of Win98 machines, and I help upgrade, patch, and secure them for surfing – and I educate their users. I run a Win98SE myself, at least partly to stay fluent and aware of Win98SE and Win98 resources. That way I provide superior support for my neighbors. My current machine would be bogged down by WinXP anyway, and the $ to upgrade my hardware is hard to justify. I currently recommend and install Firefox 2.0 for my clients, along with Ad-Aware, Spybot, and ZoneAlarm 5.5.094. Note that recent ZoneAlarm versions “don’t support” 98, so we go with the most current of the ones that did.
There is a large marginalized population running W98 as a needed resource in rural America. Just because we’re poor doesn’t mean we’re dumb. We like Firefox.
BTW, if I didn’t have so many clients who run Windows, I’d be running Linux.
KGHN
KGH: I understand the situation you are in – but the fact is that Microsoft are no longer supporting Windows 98, and since they stopped bugs have been discovered in it which make it unsafe to take anywhere near the Internet. Doing so risks having your computer owned by malware or worms.
I would strongly encourage you to advise your clients of this problem. I would try and update them to the latest excellent versions of Ubuntu Linux but, if they don’t want to do that, they need to buy a new computer (hey, everything wears out, even proprietary software) or stay off the net, for their own safety.
I would like to add that i am inclined to concur with those that find 98se still viable, and safe, if used for the right purposes. Some geeks are even actively working on it (including FF compatiblity). http://www.msfn.org/board/?showforum=91 They say 50 million 98 machines are still being used, and i am sure many are used in 3rd world houeholds thast we know not of.
I have 3 3PC’s running 9x, and 98se is much preferred, the main one is a full case 650mhz with 320mbram, and 3 IDE HD’s, 1 Dvd burner and is faster than XP machine with higher end processors that i have tried. As for safety, while i have cleaned out XP machines, in years of extensive Internet use i myself have only gotten one virus (scans clean), very minor instances of spyware. I pray and surf for legit purposes,using FF and Opera, which helps. Maybe the safest car is the one that is driven safely, and is not much of a target for thieves. And with 98 is it very easy to see what is running, and manage. But this does not mean i would not prefer XP and a faster PC, but i and cannot justify the 600+ dollars it would need to upgrade to do all that i do now, when there are more important needs for others. and i certainly do not expect FF to in any way keep back improvent by catering to the relatively small number of 9Xers.
But the most noticeable problem with 9x is it’s loss of system resources (which FreRamXPpro alerts me to), and while I prefer FF over Opera 9 in many ways, it uses far more sys resources than Opera with many tabs open.
I do not know if this feedback helps, but may God bless.