Tag Archives: ie

No plugins in Metro-style IE, and here is why

This evening was Ask the Experts time at Microsoft’s BUILD conference in Anaheim, California, so I took the opportunity to ask the Internet Explorer (IE) team why the Metro-style IE does not support plugins such as Adobe Flash and even Microsoft’s own Silverlight.

I find it puzzling since the desktop IE in Windows 8 does support plugins, and when a page is open in Metro-style IE there is an option to open it in desktop Windows, in which case all the ActiveX controls start working.

The reason I was given is that Microsoft cannot control or predict the user experience if these plugins are running. For example, a Silverlight applet might have a user interface designed for mouse and keyboard. Microsoft has built in touch gestures that work for HTML in IE but cannot do so for plugins.

Once a user takes the decision to open in desktop Windows, these considerations change since desktop Windows is a mouse and keyboard environment.

I expect performance was also a consideration.

I was also told that Apple has made the no-plugins option viable by taking the same line in the iPad. Sites have been forced to offer iPad-friendly versions of their sites, which will also work in Windows 8 Metro.

Hands on debugging an Azure application – what to do when it works locally but not in the cloud

I have been writing a Facebook application hosted on Microsoft Azure. I hit a problem where my application worked fine on the local development fabric, but failed when deployed to Azure. The application was not actually crashing; it just did not work as expected. Specifically, either the Facebook authentication or the ASP.NET Forms Authentication was failing; when I tried to log on, the log on failed.

This scenario, where the app works locally but not on Azure, is potentially a bad one because you do not have the luxury of breakpoints and variable inspection. There are several approaches. You can have the application write a log, which you could download or view by using Remote Desktop to the Azure instance. You can have the application output debug messages to HTML. Or you can use IntelliTrace.

I tried IntelliTrace. It is easy to set up, just check the box when deploying.

image

Once deployed, I tried the application. Clicked the Log On button, after which the screen flashed but still asked me to Log On. The log on had failed.

image

I closed the app, opened Server Explorer in Visual Studio, drilled down into the Windows Azure Compute node and selected View IntelliTrace Logs.

image

The logs took a few minutes to download. Then you can view is the IntelliTrace log summary, which includes a list of exceptions. You can double-click an exception to start an IntelliTrace debug session.

image

Useful, but I still could not figure out what was wrong. I also found that IntelliTrace did not show the values for local variables in its debug sessions, though it does show exceptions in detail.

Now, if you really want to debug and trace an Azure application you had better read this MSDN article which explains how to create custom debugging and trace agents and write logs to Azure storage. That seems like a lot of work, so I resorted to the old technique of writing messages to HTML.

At this point I should mention something you must do in order to debug on Azure and remain sane.  This is to enable WebDeploy:

image

It is not that hard to set up, though you do need to enable Remote Desktop which means a trip to the Azure management portal. In my case I am behind a firewall so I needed to configure Web Deploy to use the standard SSL port. All is explained here.

Why use Web Deploy? Well, normally when you deploy to Azure the service actually builds, copies and spins up a new virtual machine image for your app. That process is fundamental to Azure’s design and means there are always at least two copies of the VM in existence. It is also slow, so if you are making changes to an app, deploying, and then testing, you will spend most of your time waiting for Azure.

Web Deploy, by contrast, writes to your existing instance, so it is many times quicker. Note that once you have your app working, it is essential to deploy it properly, since Azure might revert your app to the last VM you created.

With Web Deploy enabled I got back to work. I discovered that FormsAuthentication.SetAuthCookie was not working. The odd thing being, it worked locally, and it had worked in a previous version deployed to Azure.

Then I began to figure it out. My app runs in a Facebook canvas. Since the app is served from a different site than Facebook, cookies may be rejected. When I ran the app locally, the app was in a different IE security zone, so different rules applied.

But why had it worked before? I realised that when it worked before I had used Google Chrome. That was it. IE worked locally; but only Chrome worked when deployed.

I have given up trying to fix the specific problem for the moment. I have dug into it a little, and discovered that cookie handling in a Facebook canvas with IE is a long-standing problem, and that the Facebook C# SDK may have bugs in this area. It is not essential for my sample; I have found I can get by with the Facebook session. To get the user ID, for example:

FacebookWebContext.Current.Session.UserId

The time has not been wasted though as I have learned a bit about Azure debugging. I was also amused to discover that my Azure VM has activation problems:

image

Google Chrome Mac and Linux arrives – may hurt Firefox more than Safari

Today Google announced that Chrome for Mac and Linux is now fully released:

Since last December, we’ve been chipping away at bugs and building in new features to get the Mac and Linux versions caught up with the Windows version, and now we can finally announce that the Mac and Linux versions are ready for prime time.

The two big stories in the browser world right now are the decline of Microsoft Internet Explorer (though it still commands more than half the market  in most stats that I see) and the rise of Google Chrome. Why do users like it? From what I’ve seen, they like the performance and the usability. In fact, Chrome would make a great case study on why these factors count for more than features in user satisfaction. That said, I’ve been using Chrome on the Mac today and while it starts up more quickly than Safari, performance overall seems similar and I doubt there will be a huge rush to switch.

In the stats for ITWriting.com, I’ve seen steadily increasing Chrome usage:

  • July 2009: 4.2%
  • October 2009: 4.6%
  • January 2010: 9.6%
  • May 2010: 13.7%

So far this month, IE is down to 35.3% in the stats here, behind Firefox at 35.9%.

These figures are not representative of the internet as a whole, though I’d argue that it does represent a technical readership which may well be a leading indicator.

Chrome seems to be gradually taking market share from all the major browsers, though IE is doing so badly that any defections from Firefox to Chrome are more then made up by IE defectors to Firefox, if I’m interpreting the stats correctly. This won’t always be the case though, and Mozilla is vulnerable because unlike Microsoft or Apple the browser is the core of its business.

There is also a sense in which Chrome competes with Firefox for the user who has decided not to use the browser that comes with the operating system.

Chrome is strategically important to Google, not just as a browser, but as a platform for applications. It hooks into the Web Store announced at the recent Google I/O conference, and it will soon be easy to create browser applications that run offline. Google has the financial muscle to market Chrome. I’d also suggest that the momentum behind other projects, especially Android but also Google Apps, will indirectly benefit the browser.

On the Mac, it is worth noting that both Safari and Chrome use the same open source WebKit project, sponsored by Apple, which I guess is more interesting now that Google and Apple are competing fiercely in mobile.

Google Chrome usage growing fast; Apple ahead on mobile web

Looking at my browser stats for February one thing stands out: Google Chrome. The top five browsers are these:

  1. Internet Explorer 40.5%
  2. Firefox 34.1%
  3. Chrome 10.5%
  4. Safari 4.3%
  5. Opera 2.9%

Chrome usage has more than doubled in six months, on this site.

I don’t pretend this is representative of the web as a whole, though I suspect it is a good leading indicator because of the relatively technical readership. Note that although I post a lot about Microsoft, IE usage here is below that on the web as a whole. Here are the figures from NetMarketShare for February:

  1. Internet Explorer 61.58%
  2. Firefox 24.23%
  3. Chrome 5.61%
  4. Safari 4.45%
  5. Opera 2.35%

and from  statcounter:

  1. Internet Explorer 54.81%
  2. Firefox 31.29%
  3. Chrome 6.88%
  4. Safari 4.16%
  5. Opera 1.94%

There are sizeable variations (so distrust both), but similar trends: gradual decline for IE, Firefox growing slightly, Chrome growing dramatically. Safari I suspect tracks Mac usage closely, a little below because some Mac users use Firefox. Mobile is interesting too, here’s StatCounter:

  1. Opera 24.26
  2. iPhone 22.5
  3. Nokia 16.8
  4. Blackberry 11.29
  5. Android 6.27
  6. iTouch 10.87

Note that iPhone/iTouch would be top if combined. Note also the complete absence of IE: either Windows Mobile users don’t browse the web, or they use Opera to do so.

I’m most interested in how Chrome usage is gathering pace. There are implications for web applications, since Chrome has an exceptionally fast JavaScript engine. Firefox is fast too, but on my latest quick Sunspider test, Firefox 3.6 scored 998.2ms vs Chrome 4.0’s 588.4ms (lower is better). IE 8.0 is miserably slow on this of course; just for the record, 5075.2ms.

Why are people switching to Chrome? I’d suggest the following. First, it is quick and easy to install, and installs into the user’s home directory on Windows so does not require local administrative rights. Second, it starts in a blink, contributing to a positive impression. Third, Google is now promoting it vigorously – I frequently see it advertised. Finally, users just like it; it works as advertised, and generally does so quickly.

Adobe Flash getting faster on the Mac

According to Adobe CTO Kevin Lynch:

Flash Player on Windows has historically been faster than the Mac, and it is for the most part the same code running in Flash for each operating system. We have and continue to invest significant effort to make Mac OS optimizations to close this gap, and Apple has been helpful in working with us on this. Vector graphics rendering in Flash Player 10 now runs almost exactly the same in terms of CPU usage across Mac and Windows, which is due to this work. In Flash Player 10.1 we are moving to CoreAnimation, which will further reduce CPU usage and we believe will get us to the point where Mac will be faster than Windows for graphics rendering.

Video rendering is an area we are focusing more attention on — for example, today a 480p video on a 1.8 Ghz Mac Mini in Safari uses about 34% of CPU on Mac versus 16% on Windows (running in BootCamp on same hardware). With Flash Player 10.1, we are optimizing video rendering further on the Mac and expect to reduce CPU usage by half, bringing Mac and Windows closer to parity for video.

Also, there are variations depending on the browser as well as the OS — for example, on Windows, IE8 is able to run Flash about 20% faster than Firefox.

Many of us are not aware of these kinds of differences, because we live in one browser on one operating system, but the non-uniform performance of Flash helps to explain divergent opinions of its merits.

I would be interested to see a similar comparison for Linux, which I suspect would show significantly worse performance than on Windows or Mac.

Government security advice is misguided; switching browsers will not make you safe

I have mixed feelings about the recent government recommendations from France and Germany to switch from Internet Explorer for security reasons.

Although raising security awareness seems on the face of it to be a good thing, this is naïve advice and may do more harm than good. Security is a complex and multi-faceted problem, and it does people no service if they believe it can be fixed by switching browsers. Another common illusion is that running anti-virus software, or even up-to-date anti-virus software, makes you safe. It does not. Anti-virus software does not detect all viruses, and in particular it frequently fails on those that are most dangerous, in other words, those which are newest.

Another factor is that many of the most successful malware attacks come via social engineering. That’s not browser-specific, though there are attempts to maintain bad site lists, which don’t in my experience work very well.

The danger is that people think they are safe, and take fewer other precautions, ending up less safe than before.

Is FireFox, Chrome or Opera safer than IE? I’m not even sure about that. The latest versions of each are massively safer than IE6, for sure. But how does a fully-patched IE8 compare to the latest fully-patched versions of the other browsers? At least one test [pdf] says that IE8 is actually safer, though unfortunately it dates from March last year and does not cover drive-by downloads:

Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.

Know a better one? I’d be interested in more recent tests.

Microsoft is not always competent; read this blog for evidence. But it has made genuine efforts to improve security and has a comprehensive update mechanism that mostly works. IE now has protected mode on Vista or Windows 7, which is no panacea but helps a little.

But what about the known zero-day vulnerability in IE? Isn’t that enough to make switching browsers necessary, if only temporarily?

I’m not so sure. Frankly, it would surprise me if there are not known multiple vulnerabilities in all the major browsers, if you move in the right (or wrong) circles.

How then do you do secure computing? Don’t connect to the internet. OK, how else? The risk cannot be eliminated but it can be reduced … don’t run with local admin rights, don’t run unknown executables, only enable plug-ins and scripting for web sites you know to be safe, keep your operating system patched and up-to-date, and so on.

Another thing you can do is to browse the web in a virtual machine – a sort of super protected mode – not perfect, but would prevent some attacks at the expense of convenience.

If you are really serious you can use AppLocker, or another whitelisting technique, to control what can run on your box.

And passwords … one thing I do hold against Microsoft is that the company has a brilliant authentication mechanism called InfoCard that is almost never used, even by Microsoft. Unfortunately that’s not something any individual can change; but it is possible at least to use more complex passwords and not to pass them over the internet in plain text.

I’m not sure, even today, that many people realise that when they use Twitter on an airport or hotel or conference wi-fi, or collect email via POP3, that they are likely passing their credentials in plain text over the internet for any smart hacker to read.

I am also depressed how often I see “security questions” on registration forms, asking for things like mother’s maiden name to be used in case of lost password. It is obvious that these are actually insecurity questions; they lower security while easing the burden on support desks. All too often, these organisations then lower it further by emailing your password back to you in plain text. It also sometimes turns out that the password itself is stored in plain text on their web-connected databases, accessible to hackers.

Overall the IT industry is desperately bad at security, and by and large convenience has won. Yes, I think that should change. No, after years of reporting on IT I am not optimistic that it will, certainly not soon. And knee-jerk instructions to switch browsers may please Mozilla and Google, and web developers for whom Internet Explorer is a constant irritation especially in old versions, but will do little else to improve the situation.