Problem: a core of 10 or 20% of people haven’t upgraded from Firefox 2 for whatever reason. And it’s coming to end of life.
Thought: perhaps those people have techno-literate friends who would nag them to do so, if it were obvious that they hadn’t upgraded. But at the moment, unless you are very familiar with theme changes, you have to remember to go into Help | About to check.
Idea: should the next 2.0.0.x update put the version number into the title bar?
I think a good chunk of these users are either using Windows 98 for which Firefox 3 won’t work, or a linux distro which does not offer Firefox 3 yet.
The eeepc with Linux comes with Firefox 2 for example and doesn’t propose an upgrade, there were millions of them sold.
Before changing our UI, I think we should first get a better understanding of who these users are and how we can reach them. If they are mostly Linux users, then we should work with distros to update their repositories.
Isn’t Firefox 2 already EOLed? i.e. Firefox 22.214.171.124, which has already shipped, is the last version.
I don’t agree. Anyone who is tech-literate can easily distinguish the FF3 theme from the FF2 theme just by looking at the back/forward buttons.
The forward and back buttons should instantly scream ‘ZOMG Firefox 2.0’.
Gerv are those 10 to 20% also doing the security updates ? didn’t they just disabled updating ?
Yeah, I recently upgraded a friends laptop from 1.5..
Of course, it did take 4 steps using the updater (=>2.0.0.x=>2.0.0.latest=>3.0.x=>3.0.latest), but that’s a separate issue (can’t remember the exact versions, but it was something like that). I kept gong out of morbid curiosity, but….
I don’t think that a version number would help, though – it’d just confuse 99% of people.
I think it’s best to look into who those 20% are. I suspect most are institutional users. Business and schools whose systems are locked down so only administrators can modify things outside of the user directory. I know my college did this. Those systems were often running 126.96.36.199 when 1.5 was out for a while. It even prompted for upgrades, but your perms never allowed it to succeed. I think these are most of it.
Gerv, showing the version number is not addressing the core problem; no matter what version number you show, they won’t understand that they’re using an outdated version. Even if they do understand that their version is not the latest, it’s probably they don’t understand the really bad implications security-wise of doing so.
How about prepending “[Outdated version, please update]” to the title instead or something to that effect?
The only reason my mother still runs Firefox 2 on her (somewhat aging) MacBook is that Firefox 3 doesn’t work on the version of MacOS X on the machine. It feels a bit silly to buy a new computer just to run a new version of a webbrowser…
Maybe use the notification bar (the one that appears when a popup is blocked) as another way of pushing the update? Have it appear when Firefox is started.
So far, I’ve never yet managed to persuade a Firefox 2 installation to upgrade to Firefox 3 by using “Check for Updates”. If it’s running 2.latest, it just says no updates are available. I’ve always had to go and fetch Firefox 3 explicitly. I suspect there’s some kind of bug there that may be affecting some subset of that 10-20%.
I concur with other posters that trying to get a sense of who these people are and why they aren’t getting the new version is part of the solution here. Can we, for example, find out how many of them have ever even been prompted about Firefox 3’s existence?
Open an extra tab after the 2.x update—or update the Firefox start page—to inform the user.
Whatever you do, don’t blindly tell people to upgrade to Firefox 3, or force them to download it—check first whether it’s even possible to run it on that machine.
There are still a number of 2.x users you will never get to upgrade:
* Win 9x users, tell them more about Win 9x being unsuported too
* eee pc users — send the Mozilla evangalism team after Asus *now*, it’s unaceptable for Asus to be shipping an insecure browser
* Upgrade mechanism is busted somehow. Like the other commenter mentioned, I have rarely seen 2.x offer 3.x from the check for updates menu
What would putting the version number in the title bar accomplish?
I’m guessing that there are three broad categories:
1) are not updating on purpose
2) do not know there is a newer version, and that they are not up-to-date
3) know there is a newer version but do not know that they are not up-to-date
Putting the version number in the title bar would only address #3, which I am going to guess further is the vast minority.
It is quite possible that many users cannot update, either because of a bug, local access permissions (non-admin account), or are manually turning it down.
Maybe use an AUS major update dialog to ask users why they aren’t updating?
> Idea: should the next 2.0.0.x update put the version number into the title bar?
Well, that’s a fairly harmless measure, and not especially difficult to do, so if it’ll make you feel like you’re doing something, sure, go ahead.
> Problem: a core of 10 or 20% of people haven’t upgraded from
> Firefox 2 for whatever reason. And it’s coming to end of life.
Honestly, if it’s EOL, it’s really no longer your problem. There are always going to be people using old versions of software. ALWAYS.
If the percentage of version-lag users on Firefox is really as high as 20%, it’s a reflection of the fact that Firefox has become mainstream software used by normal people who don’t have a burning compulsion to always have the absolute latest and greatest cutting-edge everything. Take it as a good sign. If Adobe or Apple (let alone Microsoft) could get even 50% of their users to upgrade to the new versions of their products within a year or so after the new version comes out, they’d be dancing in the streets.
> Business and schools whose systems are locked down so only
> administrators can modify things outside of the user directory.
Frankly, that’s really the only sane configuration. And yes, with Windows XP that means somebody has to go out of the way to physically go to the computer and log in as administrator in order to get updates to happen. (Annoyingly, even operating system Automatic Updates will block, because they stupidly require user interaction for no good reason. At least when apt-get requires user interaction it’s because it’s asking you semi-legitimate configuration questions; Windows does it apparently just because Microsoft likes to make people click the Next button lots and lots of times, or for completely gratuitous EULAs.)
So yeah, on those systems the user typically does not have the capability to do the upgrade.
> Firefox 3 doesn’t work on the version of MacOS X on the machine.
As best I can tell, the latest Firefox won’t run on anything more than six months old, except for Windows XP, which is probably an exception mainly because it’s still by far the most widely-used operating system in existence.
So yeah, you’re going to have people not updating because the new version is simply not available.
But also, a lot of end users don’t WANT their software to be updated on anything resembling a regular basis, because they are worried that the interface might change, and they Do Not Want that, because it would mean they’d have to completely relearn how to use it. To you and me, it may seem pretty much exactly the same, but end users don’t think the same way. If the back button is a different shape and color, you or I might not notice because we aren’t looking at those kinds of details — all we see is a back button. But an end user in many cases won’t know how to go back anymore until you show them again, no fooling, because the new button is not the same button they were looking for. More substantial changes, such as the awesomebar, can continue to produce consternation for WEEKS. Every time something like that happens, the user’s mind makes the following association: upgrade equals PAIN. Extreme cases, like the Office 2007 ribbon, or the move from Program Manager to Windows Explorer in Windows 95, can actually cause people to get so frustrated with the new computer that they go back to using the old, slow one for a while longer, because they actually sort of almost know how to use it.
So yeah, if you have normal users using your software, and not just cutting-edge tech geeks, then it follows as a corollary that not everyone is going to upgrade right away. If Firefox uptake continues, this WILL become more and more the normal state of affairs with each passing version.
Could you put the version in the title bar and a message to “Upgrade to 3.x now!” ?
Gerv, as has been said, Firefox 2 is already end-of-lifed. As Pascal said, a good number of them are either on unsupported OSes (like Windows 98 and Mac OS X versions less than 10.4) or on a Linux distribution where they have yet to be offered an upgrade… which is fine because Linux vendors are still maintaing the tree actively, as they are with 1.8.0 (Firefox 1.5.0.x).
Adding the version number to the title bar won’t help the remaining users. A look at the stats shows that many of them are on outdated versions of Firefox 2 even; like, Firefox 188.8.131.52. If they can’t make it to 184.108.40.206, there’s little hope in them making it to Firefox 3 easily.
My grandfather is still running Firefox 2, even though he would like to run Firefox 3, because his Mac is running on the OS version that it came with. He doesn’t want to spend money to upgrade the OS because he doesn’t think it provides new features that are interesting for him to spend money on. It’s not that old, less than 3 years old I think…
Err, I *like* Firefox 2.0 and don’t want 3.0 on my computer. I’m sure on a technical argument everyone would say why I have to do it now, and it’s painless, etc, etc, etc, but I didn;t like the FF3 install, I don’t like the look, and the emotional hurdle is too much. showing a big sign saying update nmow is going to entrench that view. Sorry, but I’m stubborn :-)
hwaara, rhelmer: I’m not expecting them to notice, I’m expecting their computer-literate friends to notice. I suggest this because it happened to me at a friend’s house. I bothered to check, but many technically literate people might not. But they might happen to notice the version number in the title bar and have alarm bells go off in their head.
And for everyone who says that their platform is no longer supported – install Linux. If you want to keep using old software and it still works for you, that is cool in every respect and in every instance – except one. And that instance is when you are taking your computer on to the internet. There are bad people out there attacking you, and you can’t expect to stay safe with unsupported software. Even if you are Philip’s grandmother :-)
And Ewan, the same applies to you. I’ve used this analogy before, but I like it: you have the same right to use unsupported browsers on the Internet as you do to fart in a lift. It’s not illegal, but it’s very antisocial. :-)
Hrm… thought I’d commented on this already, but I guess I didn’t post it…
I know 2 people that are still using Firefox 2… one is using some whacky hardware that only works under Windows 95/98/ME. The other has a screwed up computer and is reinstalling the whole thing from a drive image every week or two just to keep it working (many apps crash most of the time, including Windows updates and the Firefox installer).
The first one could probably be sorted out with dual-boot or vitualisation, but neither of those are trivial to set up. The second one can probably be sorted out by reinstalling Windows and all the software (or installing Linux, even) – also not trivial. In both cases you need a techie person to devote a few hours to the situation – in these cases, it will probably end up being me, for free.
I eliminated another copy of Firefox 2 a few weeks ago, but only as part of reinstalling the operating system on the computer which had got into a complete mess (Windows 2000, with a vast number of applications installed). With a computer that was barely working (8 minutes from turning on to being able to open an application), and a large number of apps popping things up to ask for updates, advertising stuff, firewall questions etc, there was no way the user was going to work out which things to click and which not to click so he was reasonably ignoring everything.
Probably an effective solution for many other home Firefox 2 users would be to offer an hour or two of free in-person technical support, but I don’t imagine even Mozilla has the resources to offer that… :)
Like older operating systems, these copies of Firefox 2 will disappear when and only when those computers get replaced. These days, it is (somewhat unfortunately) often more cost effective to replace your computer than to sort out the software on an existing computer, and of course lots of people don’t have the money to do either.
I have noticed the following problem: I did not want to upgrade while Google Browser Sync was working. After that, I did not run Firefox on my home linux computer (it is not my main browser) and now I am not offerred to upgrade any more. Only to download a new version. And even the check for new versions offers nothing. Maybe last version of a major branch should always add a menu item for upgrading to a newest release …
What if a way for the browser to declare itself out of date existed. Firefox knows its build date. Say, if Firefox checks the date every now and then, and if the date is say 1 year greater than the build date, the install considers itself out of date. Wouldn’t want to beat the user over the head with it, maybe just append to the title bar the version number and (upgrade required) or something.
This is more an idea for in the future, rather than cleaning up the installs that are currently out of date.
What about putting the version and build date in the title, like the old Suite prerelease builds? It’d give it a sense of non-supportedness if anything.
> And for everyone who says that their platform
> is no longer supported – install Linux.
nathan@groundhog:~$ uname -a
Linux groundhog 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux
As I’ve written elsewhere, the problem with new software not supporting old operating systems is worse on Linux than on any other OS of which I am aware, and MUCH worse than on Windows. The distribution I am currently using was the latest stable release when Firefox stopped supporting it, and for several months thereafter. The equivalent for Windows would be if you stopped supporting Vista, because it’s too old.
And yeah, Lenny is *ostensibly* stable now, and I should probably do the upgrade (which would provide a recent enough GTK to allow me to install Firefox 3), but I’ve had some issues when upgrading some other systems to Lenny (among other things, an IP tables firewall ruleset stopped working entirely correctly when I upgraded one of the firewalls at work to Lenny, and I don’t yet know why; a backup system is in place for now, and I intend to investigate this week), and so I’m not sure 5.0 is really fully baked yet, and I’m hesitant to risk my main workstation. There is, after all, no very easy way to revert back to etch if I run into trouble. Plus, there’s a kernel update involved, so I’d have to reboot (not just hibernate, but *actually* reboot completely), which would mean closing all my windows and everything, which would be very annoying.
After all, 5.0 *just* came out a few days ago. I’ll get to the upgrade eventually, but give me a little time here.
And I don’t think it’s at all fair to call using an old version of Firefox “antisocial”. I think *your* behavior here is a good deal more antisocial, trying to tell people what software they should be using on their computers, and what version, and by what date. The phrase “control freak” comes to mind, or perhaps “Indian giver”.
> There are bad people out there attacking you, and you
> can’t expect to stay safe with unsupported software.
Now you’re just being silly. Firefox 2 is nowhere near as unsafe as you make out. I don’t think it’s significantly more unsafe than Firefox 3, and I know for sure it’s not significantly more unsafe than the latest fully-patched IE7. With safe computing practices, the risk is very manageable.
> one is using some whacky hardware that only works under Windows 95/98/ME
That’s my mom. She invested her inheritance money in a scanner, that she believes she wants to use to scan in all ninety nine bazillion family photos (and slides) she has in her enormous collection. This is not a project that realistically she could ever actually finish, but emotionally it is VERY important to her to retain the capability.
She was raised in an era when things were expected to last. You’re far too young to remember, but when she was growing up, if you paid good money for a piece of equipment, you expected it to last quite literally for a lifetime, and if a company made something that *didn’t*, by golly you talked to the Better Business Bureau about it and made sure other people knew not to buy from that fly-by-night outfit. It would NEVER have occurred to her that she would spend several hundred dollars on a scanner from a major company and then not be able to use it any more just five or six years later. It’s not just that she would have judged such an event unlikely; the idea is just totally alien to my mom. It’s like trying to tell her that she needs a performance license to sing “Happy Birthday” at a birthday party, because the song is under copyright, or that it’s illegal to color-photocopy her own wedding photos without permission from the photographer. She doesn’t even have a mental category for that sort of idea.
Incidentally, this “stuff should last” principle also would apply to the computer hardware if she’d purchased it, but in her case I built the computer and paid for the components, so if I want to replace it that’s my business. And I will, eventually. But a lot of people her age are using ten-year-old computers and have absolutely no clue that that’s in any way unusual. To them, it’s practically brand new, probably newer than the VCR or the microwave. So yeah, they’re running operating systems that are no longer considered current.
Eventually, I will probably try to get the scanner’s proprietary software running in a VMWare environment for my mom, but that’s not going to happen without a hardware upgrade that we cannot currently afford — and even if we could, it’s a remarkably bad time to buy a Windows computer right now. You’ve got your choice between XP, which is fast entering the twilight of extended support, and Vista, which is positioned to become the next forgotten Millennium-Edition-esque release that nobody even talks about starting five minutes after Seven comes out. No, the upgrade is going to wait.
So for the time being mom’s got her choice between Firefox 2 and IE6. Which do you think is better?
> The equivalent for Windows would be if you
> stopped supporting Vista, because it’s too old.
Incidentally, I want to clarify that I don’t blame Mozilla specifically for this problem. It’s much more general than that. Almost *all* open-source software is guilty of this phenomenon of require such recent versions of various system libraries (libc, GTK, whatever) that the earliest supported version hasn’t even had a chance to make it into stable, production-ready distributions yet by the time the version of the app that requires it is released. The mindset of the whole open-source community seems to be, you have to choose between running out-of-date applications on a stable platform, or current applications on a flaky unstable operating system that’s constantly in flux (like Gentoo — which, yes, I did try to use for a while at one point, albeit not recently).
What I *want* is for the operating system and core libraries (like libc and GTK) to be stable and not change for several years at a time, while the applications are updated whenever new stable versions become available. But that’s not a choice on Linux. And no, it’s not worth enough to me to justify switching back to Windows. So I just use out-of-date applications.
But that’s not a choice on Linux.
Yes it is. Use Ubuntu LTS (Long Term Support).
I should clarify that if people are using a version of Firefox 2 supported and patched by their vendor, then they don’t fall under my “antisocial” stricture :-) The Debian project should be such a vendor, because etch is still supported. And, of course, using Mozilla-distributed Firefox 2 is currently nowhere near as dangerous as using older browsers; it’s only been unsupported for a very short time.
But the more time goes by, the more dangerous it will be. And this is not a risk you can “manage” – unless you only visit sites which are guaranteed not to get hacked, and don’t use 3rd party ad servers, and you only use connections totally under your control, and, and… In other words, you use the Net in a way no-one actually uses it in the real world. Or you develop and deploy your own patched version, which is always an option, but one most people wouldn’t want to take up.
Another important point: requiring you to upgrade Linux is not the same as requiring you to upgrade Windows, primarily because upgrading Linux a) doesn’t cost anything and b) the new version usually will run on your existing hardware. Compare Windows, which requires a new licence and usually new hardware too.
Would you still say it was antisocial of me not to tell people to use Outdated-Bit-Of-Internet-Software-X if I’d been on the receiving end of a DOS from a botnet constituted of machines which had been rooted due to a flaw in Outdated-Bit-Of-Internet-Software-X?
She was raised in an era when things were expected to last.
And if they last, I’m happy for her. If she wants to keep using Windows 98 and her scanner, I have no issues with that. Why should I? The only time I have issues is when she wants to connect that machine to a DSL line and thereby inevitably make it part of someone’s botnet. That’s antisocial by any standard.
We’ve had hundreds of years of practice at making physical goods. We can make things that last. We haven’t yet got the hang of making software that resists attack for 10 years plus. Software’s a young industry. When and if we do, then we’ll be in the position that your mom wants us to be.
> if people are using a version of Firefox 2 supported and patched
> by their vendor, then they don’t fall under my “antisocial” stricture
I did sort of figure that. But some people get warm fuzzy feelings from seeing the widely-recognized icon and branding.
> But the more time goes by, the more dangerous it will be.
Do you have data to back that up? Because, it would be news to me.
It *is* true that the more time goes by, the more websites won’t work with the old browser. You can see that now with Netscape 4, or IE5. Eventually Firefox 2 won’t be able to display the web any more, just as Netscape 4 mostly can’t already. That will be a few years, though. Mozilla 1.4 still does okay in that regard. The chrome makes you cringe, but the rendering engine handles today’s web just fine. That’ll change when CSS3 gets widely deployed, but that’s not going to start happening at *least* until IE8 hits Automatic Update.
Is using Mozilla 1.4, or Netscape 4 for that matter, dangerous, from a security perspective? If so, I’ve not seen any evidence of that. How much active malware is there out there right now that exploits known vulnerabilities in really old browsers _other_ than IE?
I’m not saying the possibility of being compromised doesn’t exist. It does, of course. I’m asking whether it is objectively _greater_, in a statistically significant way, from the comparable risk with a more recent browser.
> And this is not a risk you can “manage”
That’s a fundamentally nonsensical statement. I manage risk every day. Every time I turn on a computer, every time I connect to the internet, every time I let an end user near the keyboard, every time I open an incoming port and run a service — not to mention every time I eat food without running an NMR on it first, every time I get into a motor vehicle that’s going to drive down a public roadway, even every time I cross the street.
Everything you do has risk. You CANNOT avoid it entirely. You are *going* to do things that have some risk to them. Running the current latest fully-patched browser is still risky, because you don’t *know* that there are no vulnerabilities in it. Good security involves knowing what risks you are taking and being aware of the implications and taking reasonable precautions. Good security systems, as Schneier says in Beyond Fear, are designed in anticipation of failure.
And there are always compromises and trade-offs. I keep port 22 open on all the systems I administer, because it’s terribly convenient. Furthermore, I allow password login. I use passwords that I believe are a good deal less likely than average to be brute-forced (the weakest one, currently, is fifteen characters and not entirely alphanumeric, and that’s on a system that contains no important state and would be a matter of a couple of hours to wipe and reinstall if something did happen). Does this mean I can’t be compromised? No, there *is* a risk. But it’s manageable.
There’s also a risk with running Firefox 2, but I’m convinced it’s very manageable — much more manageable than the risk of running Sendmail, or Exchange, or BIND, or IIS, or Outlook.
> Another important point: requiring you to upgrade Linux is
> not the same as requiring you to upgrade Windows,
Okay, fair enough, but I still find it odd that new versions of applications (not just Firefox, but applications in general) don’t usually support the latest stable releases of even quite major distributions. (And yes, I’ve used Ubuntu in the past, but after being on FreeBSD for a couple of years, when I came back to Linux, I found that I wanted something a bit more conservative than Ubuntu.)
> if I’d been on the receiving end of a DOS from a botnet constituted of
> machines which had been rooted due to a flaw in
If there were a big botnet out there documented to be spreading via flaws in old versions of Firefox, I suspect I’d probably hear about it. I don’t follow security news absolutely religiously, but I do pay *some* attention.
Do you have data to back that up? Because, it would be news to me.
Well, browsers never get more secure. So your assertion would have to be that they don’t get less, just stay the same. But given that new vulnerabilities are regularly found, and even published by the Mozilla project, I think that would be hard to justify.
That’s a fundamentally nonsensical statement. I manage risk every day.
What I meant by it was, you cannot modify your behaviour to reduce the risk without it impacting your daily use of the web – because any behaviour considered particularly dangerous (e.g. visiting warez sites) is probably not something you do anyway.
If there were a big botnet out there documented to be spreading via flaws in old versions of Firefox, I suspect I’d probably hear about it.
So you’re saying that when someone does start exploiting old Firefoxes to build their botnet, then is the appropriate moment to start a campaign to get people to upgrade?
i would prefer to be using 2.0.x to anything from 3.0.x… i dislike the new bookmarks interface… some of us are not going to keep getting dragged along… just cause you guys keep begging.. in fact its turning us off…