Browser statistics...

General Topics
1

Hi malware fighters,

The situation as it is:
http://www.w3schools.com/browsers/browsers_stats.asp

pol

2

Interesting. Thank you for the link.

W3Schools is a website for people with an interest for web technologies. These people are more interested in using alternative browsers than the average user. The average user tends to use Internet Explorer, since it comes preinstalled with Windows. Most do not seek out other browsers.

These facts indicate that the browser figures above are not 100% realistic. Other web sites have statistics showing that Internet Explorer is used by at least 80% of the users.

Anyway, our data, collected from W3Schools’ log-files, over a five year period, clearly shows the long and medium-term trends.

3

Can’t believe more people use FX than IE. Go figure. Then again Microsoft doesn’t have the same share of the market as it did in the past so this is understandable. :-\

4

They don’t, read the quoted text above as the stats are for a specific web site W3Schools and by their admission those people visiting the site are more likely to be using alternative browsers.

So these start are no use as general statistics from a larger range of sites. I believe the current overall figures is IE at a little under 70% and firefox at 21-23% with the rest fighting over the crumbs.

See http://en.wikipedia.org/wiki/Usage_share_of_web_browsers or
http://www.w3counter.com/globalstats.php or
http://blog.statcounter.com/2009/03/ff3-gains-ground-on-ie/ and
http://gs.statcounter.com/#browser_version-ww-monthly-200807-200903
as these I believe give a more accurate overall picture than one single set of stats.

5

Thank you David,

Your data is more in tune with what I had in mind.

6

You’re welcome.

7

Hi folks in the thread,

How would the statistics run for the avast web forum posters, I wonder?

I am a tester of the Mozilla browser, member of the MozillaZine forum, special interests NoScript, RequestPolicy and CSP (started thread in extensions forums) - bug reporter at Mozilla’s and into Flock security from the start of that browser.

Well I for one use Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090316 Minefield/3.2a1pre ID:20090316044350 and I use that 85% of the time, indeed because of the in-browser protection: ABP, CSP, finjan, Perspectives, RequestPolicy, NoScript as my main line of security and privacy defense. With a similar configuration I have Flock 2 I use that 10% of the time (Flock browser is nice to have as an alternative as other browsers were disabled by malware to download av tools etc.!), for the rest I use SRWare’s Iron 2.0.168.0 (10702), especially for pages that does not render that good on Mozilla, and because it is fast running without any hick-up…
IE7 is just for going to MS updating and for keeping it up to date and fully patched, because there is a close relationship between Internet explorer and Windows explorer, for very special stealth things I have a special Torpark with Tor & Privoxy on a USB stick, well in a nutshell that is my browser brew,

polonus

8

Well I use Firefox for web browsing. I have IE set as my default and only use it in special cases. I do this because I feel that IE has much more of an impact on internet settings. I’m not sure but whenever setting Mozilla as my default I had issues. These are the only ones I use now.

I have used in the past Netscape and Opera as well. I found Netscape to be the better of the two although right now I don’t know where they are.

9

p.s.
Thank you polonus for the FireFox add-ons. I have added no Script and I’ll wait for RequestPolicy to be out of the experimental section.
Also, can you tell me about ABP and CSP. I can’t find them

cheers

10

Hi Confused Computer User,

Well I tell you about them. NoScript as you may have understood from my postings is the main script-blocker on demand inside Firefox or Flock browser, and it does so much more: http://forum.avast.com/index.php?topic=43432.msg363431;topicseen#msg363431 for a quick and dirty on that one. Then I have Perspectives The extension provides two primary benefits:

  1. If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
  2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

Then your question on the CSP, that stands for Content Security Policy:
The last 3 years have seen a dramatic increase in both awareness and exploitation of Web Application Vulnerabilities. 2008 has seen dozens of high-profile attacks against websites using Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) for the purposes of information stealing, website defacement, malware planting, etc.

It seems that while many sites are aware of these threats, and have programs in place to find and remediate the vulnerabilities, the sheer size and complexity of the websites make complete remediation of the security holes implausible. Browser vendors can do more to protect users from client-side attacks involving websites that are vulnerable to the classes of attacks mentioned above. This document proposes a mechanism that enables websites to define Content Security Policy which browsers can choose to enforce, restricting the capabilities of web content that make these attacks possible.

One might ask “if the vulnerable websites are aware of their shortcomings in Application Security, why won’t they address the root cause and fix their vulnerabilities?” It is true that the ideal solution is to develop web applications free from any exploitable vulnerabilities. Real world security, however, is usually provided in layers and Content Security Policy intends to be only one layer. Even the hypothetical vulnerability-free website can benefit from Content Security Policy. Though the site may be free of vulnerabilities today, a new vulnerability may be introduced tomorrow which could remain fully mitigated by Content Security Policy until it is detected and fixed properly. So it would help when as many users and webmasters install CSP and support this initiative. This thread was started by me on the MozillaZine forums (polonus aka luntrus) http://forums.mozillazine.org/viewtopic.php?f=48&t=1073125

ABP = easy it is short for Adware Blocker Plus - next to main ABP I run the following complementary add-ons ABP Filter Uploader, ABP Watcher, ABP Element Hiding Helper, and to remove annoying content temporarily or forever and a day I have an extension by the name of YARIP:
http://forums.mozillazine.org/viewtopic.php?f=48&t=1073125
I had this one for ages now, together with the very essential RequestPolicy where I can include and exclude requests for domains and subdomains, would not like to loose this one as well because it is complementary to NoScript against redirect to where malware may reside. Hopes this satisfied your curiosity for a bit, you are welcome with your questions, together with firekeeper with some interesting rules list (based on Snort) this completes the in-browser line of defense of

polonus

11

Thanks Polonus. Lot of reading. Will report back a bit later with my input.

Cheers