Peter Coffee, at eWeek, has given a well-reasoned series of arguments for why one should not only switch from IE but also cease and desist from using Microsoft's vulnerable Activescript and ActiveX technology. For the record, here is the key argument:
No one should get away with saying that the risks of IE, and specifically of ActiveX, caught them by surprise. In 1997, Microsoft's Charles Fitzgerald told a group of Web application developers that if they wanted security on the Internet, they could unplug their computers. “We never made the claim up front that ActiveX is intrinsically secure,” said Fitzgerald, then program manager of Microsoft's Java team.
Lest anyone think that Fitzgerald was stating a rogue position, it was in that same year that Cornelius Willis, Microsoft group product manager for Internet platforms, gave the justly infamous warning, “We are concerned that users understand that all executable content on the Internet is potentially dangerous … The basic message here is: don't take candy from strangers.” I suppose that “potentially dangerous” is sort of an average between “conceivably dangerous”—for example, an obscure implementation flaw in Java—and “intrinsically dangerous,” the label that I unhesitatingly apply to ActiveX.
If 1997 seems too much like ancient history, we can always take a shorter trip in the Wayback Machine to this past September, when we learned that ActiveX controls with known security problems could readily be reinstalled on a user's machine if that user was rash enough to trust content signed by Microsoft Corporation. As I added upon learning of this problem, “the system not only comes out of the box unsafe, it almost appears designed to ensure that it stays that way.”
With all of this as background, pardon me if I'm more exasperated than sympathetic with anyone who's finding it inconvenient to eschew all use of ActiveX. I'm not completely lacking in sympathy: I know that I have to fight a constant battle for design and delivery of Web content based on standards, preferably on the common subsets of standards that are well supported by all reputable browsers.
Peter is really getting at the crux of the problem. Microsoft wants to continue to control the browser interface with 95% market share. This gives it veto power over any innovations in the Web browser. And since August 2001 it has been vetoing everything: no updates to the features and functionality of IE. Thus it is issuing an indefinite raincheck to new Web technologies such as JPEG2000, PNG, XForms, SVG, SMIL, CSS2, XHTML, etc. Make no mistake: Microsoft is no friend to the browser and Web interface. Only a Tolkienish Wormtongue would dare to make that case.
At the same time, Redmond is able to poison Web development in a manner similar to what it is doing in the Java world. After kissing and making up with Sun, Microsoft was able to buy, at $1.6B, the privilege of poisoning the deployment process for Java until 2007 by getting Sun to allow Redmond to distribute a woefully obsolete version of the JVM for 3 more years. In a similar fashion, by stalling on meeting its commitments to upgrade the IE browser to full HTML, CSS, and DOM standards (let alone rationalizing the CSS and DOM function calls), Microsoft is able to poison Web development until 2006 or whenever Longhorn is released.
But on the browser side, Redmond is adding a double dose of poison: what Peter points out are the proprietary, security-vulnerable extensions, which use not just ActiveScripting and ActiveX but also proprietary CSS, JavaScript and DOM extensions. This proprietary code is often auto-generated by FrontPage, Visual Studio, Word and other Redmond development tools. None of the Microsoft tools has a toggle that allows developers to insist that W3C and other Web standards are strictly adhered to. So out of ignorance, time-limited desperation or deliberate choice (we cannot begin to guess the proportions), end users bind themselves to IE a second time by developing websites that “work best if not only in IE”.
And so the world unfolds according to a Garpish Gatesian Zeitgeist.