Which browser versions are considered too insecure? - security

We're trying to analyze some attack vectors on one of our MVC apps and we are considering writing some code to prevent users from accessing our site using a browser [version] that we consider to be too insecure.
For example, anything less than IE 7 is getting banned from our site.
Any browser [+version] that doesn't implement the HttpOnly cookie or has serious known holes/scripting issues would be on our watch list.
Without the obvious sarcastic comments about all versions of IE being totally insecure(!), which browsers and/or versions would you consider to be risky? IE tends to get all the bad press, but what about version 1 of Chrome or version 3 of Safari, etc.?

Honestly, I still think the most insecure browser is IE. There are a lot of crashes and a lot of code execution bugs for IE. In the last days of 2012, the bluehole 0-day bug was discovered being exploited in the wild. But I don't remember the last bug I've seen which successfully executes shellcode in Windows 7 with DEP and ASLR enabled. Those days have almost passed for Firefox and Chrome. The Chrome sandbox especially is really secure. I've only seen Vupen find a 0-day vulnerability which executed code in Chrome, about a year ago.
You can see a list of vulnerabilities per year and per product, and you'll also see the classification of the bugs.
http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452
Change the product to Chrome, Internet Explorer and Safari.
Also, IE is really vulnerable through third-party plugins; you can achieve code execution more easily on IE.
If you have a more specific question, please ask.
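
An added example (not from the original question or answers, and framework-agnostic rather than tied to any MVC stack): a minimal User-Agent gate of the kind the question describes, written in Python. Only the IE 7 threshold comes from the question; the other minimum versions, the sample headers and the names `MIN_MAJOR`, `parse_browser` and `gate` are assumptions made for illustration.

```python
import re

# Minimum allowed major version per browser family. "ie": 7 is the threshold
# from the question; the other numbers are constructed placeholders.
MIN_MAJOR = {"ie": 7, "firefox": 3, "chrome": 2, "safari": 4}

# Order matters: Chrome also sends a "Safari/" token, and IE 11 dropped
# "MSIE" in favour of "Trident/7.0; rv:11.0".
_PATTERNS = [
    ("ie", re.compile(r"\bMSIE (\d+)|\bTrident/.*\brv:(\d+)")),
    ("firefox", re.compile(r"\bFirefox/(\d+)")),
    ("chrome", re.compile(r"\bChrome/(\d+)")),
    ("safari", re.compile(r"\bVersion/(\d+)\S*\s.*\bSafari/")),
]

# Constructed sample User-Agent headers.
SAMPLES = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "ie11": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "safari3": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) "
               "AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1",
    "curl": "curl/8.4.0",
}


def parse_browser(user_agent):
    """Return (family, major), or (None, None) if the header is unrecognised."""
    for family, pattern in _PATTERNS:
        match = pattern.search(user_agent or "")
        if match:
            major = next(g for g in match.groups() if g is not None)
            return family, int(major)
    return None, None


def gate(user_agent, policy=MIN_MAJOR):
    """Return 'allow', 'block' or 'unknown' for one request's User-Agent."""
    family, major = parse_browser(user_agent)
    if family is None or family not in policy:
        return "unknown"  # missing or unparsed header: the caller must decide
    return "allow" if major >= policy[family] else "block"


if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:8} {parse_browser(ua)} -> {gate(ua)}")
```

Because the User-Agent header is chosen by the client, treat the result as an upgrade prompt for honest users rather than an access control. Cookies should carry HttpOnly and Secure regardless of what the gate returns.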

Related

Why should I be concerned with supporting really outdated browsers?

It seems every resource regarding things like CSS3 and HTML5 nags me about particular things not being implemented in older browsers, and hacky workarounds. Really, who uses IE 9 or 10 anymore anyway? IE11 is out, Edge is default on W10, and I assume most / all people use it. To me it seems to make the most sense to simply make the page render properly on the latest Chrome (what I use), Firefox, Edge, and Safari.
Ughhh, Apple. My understanding is that the Windows version of Safari is very outdated and trying to get a (questionably obtained) image of macOS working in a VM has been unsuccessful. I'm not spending a dime for any Apple products just to test my site on their browser. So what can I do in order to test how my site will work in it?
Regarding your question...
Who uses IE 9 or 10 anymore anyway?
Typically, people with older Windows systems. This is important for your website based on whether or not IE 9/10 users will be accessing the website that is being supported. (A review of your website's web logs can shed light on this.) If your website is an internal intranet site, then an organization's IT department may dictate the browsers that users can use. However, large eCommerce websites will often support older browsers out of fear of losing customers to rivals.
Regarding your second question...
How do I go about ensuring the site is functional and looks reasonably good on Apple products conveniently, without any Apple products while on a minimal budget?
Without actual Apple products, something that emulates these displays is needed. One option is the "Inspect" option with the Chrome browser. (Display your website on Chrome, right-click, select "Inspect".) Inspect allows you to choose between a Desktop or Mobile display. With a Mobile display, you also have the option of selecting several Apple displays (e.g. iPhone, iPad, etc.). This is probably the next best thing to having the actual Apple device and its display for website testing.

What would be a minimum system/browsers version to run a simple website?

I got this job which I have to create a promotional website for a prefecture and they are asking me to list the minimum system requirements a user must fulfill to access this website. I am not sure on how to make this list. The website will have two versions: one very simple for older browsers and computers, and another one responsive. The idea is to maintain everything very simple, without any animation or something that would be difficult to run on older browsers.
What do you guys think would be a safe way to describe the minimum system/browsers version for using a website like this?
Thank you very much!
Most web development companies set a minimum level of browser support, not so much system specifications. My development company specifies the most recent two versions of Internet Explorer, Firefox, Safari and Chrome. If they need to support older browsers, I would set the minimum to IE8 and maybe 10 previous versions of Firefox, Chrome and Safari.
Also, you should use something like the HTML5 boilerplate and feature detection in the site. That way you can build one website that satisfies all of the requirements. Building two separate sites becomes a nightmare when it comes to future updates.

How to handle browser bugs?

I'm constantly running into browser bugs. So much that I spend more time on finding workarounds, than on normal work. At first, I started to ignore IE6. And then IE7, IE8, IE9, Opera Mini, then recently Opera and IE10 as well. Now all I focus on are these: Chrome, Firefox, IE11, Edge, Android Browser, iOS Safari. Much better now, but it's still a nightmare, all I see is inconsistent behaviour, small but annoying bugs etc. What's wrong with this? Simple. My customers do not pay for this, instead they blame me if something is messed up by a browser.
Is there a web developer technique that makes it easier/faster to deal with browser bugs?
Maybe a workaround collection site, or an automatic "validator" that highlights problematic codes and suggests fixes?
Or something that I can't even think of?
What I have tried already:
Filing bugs: my customers don't wait for the fixes to come.
Work on workarounds: my customers don't pay enough for this.
Ignore even more browsers: my customers think I'm an amateur.
Find a market that is financially stronger than the poor and small Hungarian companies: in process.

What's the risk if I upgrade my browsers from IE7/8 to IE9 and firefox 3x to 4x?

As we all know, Microsoft and Mozilla recently released their latest browsers, IE9 and Firefox 4, and I want to use them in our projects/sites. But I don't know what the risk is if I upgrade; that is, I'm not sure whether our sites will display correctly in these latest browsers. If someone can give me some advice on this issue, it would be helpful. Thanks.
When you say that you "want to use them in [your] projects/sites", am I correct in believing that you want your sites to test well against them?
If so, then I humbly submit that's the wrong way to look at it. The greater danger is in NOT supporting the new browsers, because your visitors will be using them, regardless of your decision. Therefore, you MUST test your sites against them, because if your site breaks, then your visitors won't return. (If these are completely internal visitors, like for an intranet, then you block your staff from being able to stay current with other current web applications.)
The real question is whether you want to keep supporting older browsers. For now, that's required, too. You must build your sites in such a way that they work correctly in ALL relevant browsers. IE7 is still used by a lot of people, so you might continue supporting it (for now). IE8 is a must, as is Firefox 3, Chrome 10.0, and Safari. (I don't know the current Safari.)
Many websites publish statistics on the commonly used browsers. It's your decision how low of a percentage you want to support. Personally, I would support any browser having market share above 10%, unless you're a VERY highly trafficked site, in which case, I MIGHT support any browser above 2%.
If you're concerned about how you can continue testing against older browsers, then Internet Explorer has a "Developer Tools (F12)" feature that allows you to change your rendering to match older versions. I don't know about other browsers, but I think you can have both Firefox 3 & Firefox 4 installed on the same machine. Until you have a way to continue testing Firefox 3, do not install Firefox 4, at least until it surpasses Firefox 3 in use.

Which browsers and operating systems do you target on new websites?

When you are working on a new website, what combinations of browsers and operating systems do you target, and at what priorities? Do you find targeting a few specific combinations (and ignoring the rest) better than trying to strive to make them all work as intended?
Common browsers:
Firefox (1.5, 2, 3)
Internet Explorer (6, 7, 8-beta)
Opera
Chrome
Common operating systems:
Windows (XP, Vista)
Mac OSX
Linux
Unix
Mainly I just target browsers as the sites I've built don't really depend on anything OS specific. As mentioned above, Yahoo's graded browser support guide is a good starting point on determining which browsers you should/could support. And Yahoo's User Interface library (CSS+JavaScript) helps massively in achieving this.
But when developing sites I primarily do it on Firefox2 as it has the best web developing tools (firebug + web developer toolkit). Then I also test my sites with Opera 9.5 as it's my browser of choice for browsing. I've previously lost all hope on supporting IE6 at any reasonable level so these days I just inform my users to upgrade to IE7 which is almost capable of displaying sites similarly to FF2/3+Chrome+Opera.
FF3 and Chrome are so new at the moment that I tend to ignore them, but I must say: They're friggin fast! My javascript/css heavy sites are noticeably faster with them.
I'm doing:
Firefox 2 and up
IE 7 and up
Konqueror or Safari (or maybe now Chrome)
Yahoo's graded browser support is a good guide:
It depends on your audience. If you are heavy on tech users, you may have 50% of your users on Firefox. If you have lots of moms and dads, you will probably have 75-80% of your users on IE 6 or 7. You probably need to get an alpha/beta out with Google Analytics so you can get a measure of your audience.
Where I work, we target
Firefox 2 and 3 on Windows
Firefox 2 and 3 on Mac
Safari on Windows and Mac
IE 6 and 7
We are not specifically targeting any Linux browsers, but if they work in the list above, there's a good chance they work everywhere. We are also testing against Google's Chrome browser on Windows now.
I just figured out this week that if you bend a little and figure out how to validate your HTML you're much more likely not to have to care about cross browser stuff.
Oh yeah, except Javascript.
I get it working in Firefox first, that's what the boss uses. Opera last, that's what Bob uses. Har Har, just kidding Bob.
But even so, you can never be safe because of the minutiae of browser incompatibility and the fact that 90% of the people you ask can't really tell you which browser they're using.
Can you click help and about? (Pause) No? Oh, that's right, you're using IE7
And even that old standby doesn't work anymore.
My advice is to lock down IE, like it's a terminal server, and try navigating your website. If you can click on everything and read everything then you're in the clear.
If you use sIFR and someone calls you telling you your logo is upside down, it's time to prioritize and worry about compatibility again, otherwise IE and FF and you're good to go.
Target none. Test against many.
Where I work, we test the following (in this order of priority, based on data from google analytics), all on Windows:
IE 7
IE 6
Firefox 3
Firefox 2
Safari 3
We don't bother with Opera or older versions of browsers since the percentage of users is very small, however we do our best to code everything to standards, so there shouldn't be any big issues.
Of course, like Milhous said, it depends on your particular audience. YMMV.
The standard suite I'm used to is:
IE6 (win)
IE7 (win)
Firefox 1.5+ (win/mac)
Safari 2+ (win/mac)
Opera 9+ (win/mac)
Chrome (so far, if it clears Safari 3.0 on win, it seems to clear Chrome, too)
You could also generically claim support for IE6/7, Gecko, and WebKit... and it covers everything listed here but Opera, plus a few not listed. It's just a lot harder to test just the rendering engine and not the specific differences in browser versions and feel comfortable with the results.
I agree you should try and make it work in all, but if it is a new site I would seriously consider dropping support for IE6. From a development perspective it will save you hours of hair pulling if you don't need to support it.
You'll have to weigh this against your intended audience and whether you are willing to lose some customers that won't be willing (or able) to upgrade their browser.
