Inspired by something Asa said, I think we really need a website which clearly explains to people why using unsupported browsers or OSes on the Internet is a bad idea, and why they should fix it (even if it costs money). If we can find the best and most convincing words to do this, everyone else can point people with old software at the site.
Does anyone know of anything like this which exists already? I know we did “Internet Health Check“, but that was only about browsers, and seems to be dormant now. Still, we could reuse the name.
Here’s some wordsmith brainstorming; further contributions welcomed:
Using old software is normally fine – if it works for you, that’s great. No-one should be able to tell you what to do in the privacy of your home. But when you take that software onto the Internet, your choices start to affect other people. If you use insecure software, your computer is at much greater risk from Internet attackers who are trying to recruit it as a “zombie” or “bot” and use it to send spam or attack other sites. These attackers know about security problems with old software that they can use to take control of your computer, if you accidentally visit a malicious website, or even visit a website you trust that itself has had a security problem.
Upgrading can be expensive – we know that. Consider it a cost of being a good net citizen. Just as maintaining a car or house costs money, maintaining a computer can do as well. Having said that, there are some ways to make it less expensive. …
The site would read your User Agent and then provide appropriate custom text for your out-of-date OS, or browser, or both. (It would need a database of which versions were out of date and which were not.) For old OSes it would suggest:
- Buy a new computer (the easiest option, but the most expensive)
- Upgrade your OS (get upgrade disks on eBay?)
- Install Linux (links to useful resources)
For old browsers, it would suggest upgrading to the most recent version of your existing browser – except that the IE section would have a note about the importance of web standards, and a suggestion to switch. If the OS was so old that no supported browsers run on it, it would say that.
If their browser and OS were fine, we could move on to plugins, using the great work done by the Plugin Check people. (Although after several months, their database still doesn’t seem to handle Totem…)
There are also some people who are convinced that the old version “works much better” (see https://adblockplus.org/blog/how-are-supported-applications-chosen-for-adblock-plus#c003110 for an example). It would be nice to provide some arguments to convince them otherwise.
Would this be a “light” but cross-platform version of F-Secure Health Check?
\David
Hm, my UA string, currently “Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9pre) Gecko/20100226 SeaMonkey/2.0.4pre”, says damn little about how up-to-date my OS is (or isn’t). When I report a crash, there is more, but I suppose that’s because the Breakpad client, running on my computer, can still invoke uname -rv which’ll answer with “2.6.31.12-0.1-desktop #1 SMP PREEMPT 2010-01-27 08:20:11 +0100”.
Or http://secunia.com/vulnerability_scanning/online/
As far as I’m aware, you can’t make judgements about IE based on the user agent. IE 6 is still supported and can be secure enough, but any of IE 6, 7 or 8 need the security updates installed, and to find out whether they have or not, I think you need to actually run code (Secunia and F-Secure both use Java) to check whether patches are installed.
Same goes for OS – you can tell if the OS is recent enough to be supported (although trying to figure out from Apple and Microsoft what is an what isn’t supported is pretty complicated…), but you can’t tell if the user has actually been updating it.
I think the original discussion was about OSes which are too old to run a version of Firefox which is still getting security fixes – limiting the scope to that seems more feasible.
There’s http://browsehappy.com/ – but it’s more focused on getting people away from Internet Explorer (“Internet Explorer can make your computer unsafe. Why not switch to a browser that’s more secure?”).
I’d prefer to focus on the danger to the user rather than the spam-related externalities. Stolen credit cards, stolen WoW gear, data held for ransom, etc.
I believe your major version of windows, and 10.X version of Mac OS X, is exposed in the UA string. Isn’t that right? So we could detect use of Windows 95, 98 or 2000, or MacOS X 10.3 or 10.4.
It is true that we could not determine the patch level of supported operating systems. That leaves the options of a) a Java or Flash or Silverlight app (like the products referenced above), or b) asking questions (with instructions about how to find the answers).
Richard: BrowseHappy seems to have been abandoned; it still recommends The Mozilla Application Suite.
Jesse: Good point.
Gerv
my thoughts are on the language. Right now it sounds a bit judgemental to me — when you go online you should do these things for the benefit of others, you lose the sense of being yourself you enjoy in your own home, etc. Some of these folks may already be concerned about security, but initial language is framed more as obligations they should take on.
How about a focus more like: there are ways each of us can make ourselves more safe online. Just as in the physical world we can make choices that increase our safety and decrease the chances of something bad happening. Online, one of the most important things one can do is keep one’s software up to date. This takes a bit of time; just as it does in the physical world. But it makes a big difference.
[then some text re why]