On Thursday I stumbled across a campaign to Trash All IE Hacks. The idea is that people only stay on the ancient, buggy, feature-lacking, PITA web browser, Internet Explorer 6, because we web developers coddle them. We make the extra effort to work around those bugs, so they can actually use the sites without upgrading.
Well, yeah. That’s our job.
And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?
Slapping the User in the Face
It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.
Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down. And think about it: what does the average Firefox user (or Opera user, for that matter) do when confronted with a site that will only run in IE? Fire off a complaint, or move on, unless it’s something they can’t live without, like, say, their bank. Only then will they bring up the site’s preferred browser…just long enough to do their business and move on.
Plus it goes against the grain of the concept that a website should be viewable in any browser. It offends my sense of… I don’t know, egalitarianism.
Recommend vs. Demand
My current tactics: I target the latest versions of each browser (or rather, the overlap in their standards support), toss in enhancements where I think something would be nice, but not critical (off-site link icons using generated content, for instance, which works in everything except IE≤7, or rounded corners, which only work in Gecko and WebKit so far). And I take that, and make it look reasonably good in IE6. I don’t try to make it perfect anymore (case in point, the header of this blog), but I try to make sure it’s functional and doesn’t look broken.
Then I include a polite notice recommending that people upgrade to something a little more capable or modern for a better experience, but I don’t require them to do so. I don’t pop up anything that moves, or blocks content, or forces them to click through an extra page.
Now, remember what I said about banks? PayPal intends to block “unsafe” browsers from accessing their site (via Slashdot). They aren’t technically a bank, but PayPal is actually in a position where they might be able to do it: they’re the most well known online payment service where two random people can send each other money. Probably more people will switch browsers and keep PayPal than switch payment services and keep their browser.
They’ve since indicated that they don’t intend to block “current versions of any browsers,” but will focus on “obsolete browsers on outdated or unsupported operating systems.” So you IE4 users on Windows 98? Upgrade already! (And since you can’t install IE7, try Opera. It still runs on Win98!)
They’ve also cited such safety features as phishing protection (present in IE7, Firefox 2, and Opera 9) and support for Extended Validation SSL Certificates (present in IE7 and the upcoming Firefox 3 and Opera 9.5).
Hazards of Browser Sniffing
Of course, once you start actively blocking browsers, you have three choices:
- Keep track of every single browser out there, and every version.
- Let most browsers in, but only block a few problem browsers (similar to Yahoo’s Graded Browser Support).
- Unfairly block browsers that might be perfectly adequate just because you can’t be bothered to investigate them.
The last seems the most prevalent. Just ask any Opera user today, or any Firefox user of 3 years ago. (I remember using Firefox and being told to “upgrade” to Netscape 6, even though NS6 was based on an older version of the same engine. Remember: Gecko is Gecko.)
Whitelist approaches to browser detection are, by their nature, either going to require constant updating or block too much. In this case, issues would include:
- Less well-known browsers, like Flock, which uses the same anti-phishing features as Firefox.
- Browsers that don’t do phishing detection themselves, using third-party plugins to do the job.
- Changes in status, when browsers add the capabilities required to get on the list.
Thankfully, it looks like PayPal is going with the most minimally-intrusive approach: blocking only the most troublesome browsers, and letting the rest connect normally.
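To make the whitelist-versus-blacklist trade-off concrete, here is an added example (not code from PayPal or any site mentioned here) that runs both policies over the same User-Agent strings. The version thresholds, the sample strings and the "ExampleBrowser" name are assumptions constructed for illustration.

```javascript
// Constructed, simplified User-Agent samples (not captured traffic).
const SAMPLE_UAS = {
  firefox2: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
  opera9: "Opera/9.27 (Windows NT 5.1; U; en)",
  ie7: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  ie4win98: "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
  // Hypothetical Gecko-based browser that announces only its own name.
  otherGecko: "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 ExampleBrowser/1.0",
};

// Whitelist: admit only browsers someone has investigated and listed.
// Minimum versions are assumed, taken from the anti-phishing list above.
const ALLOWLIST = [
  { re: /Firefox\/(\d+)/, min: 2 },
  { re: /Opera\/(\d+)/, min: 9 },
  { re: /MSIE (\d+)/, min: 7 },
];

// Blacklist: admit everything except known-troublesome versions.
// The "below 6" cutoff is an assumption; the post leaves IE6's status open.
const DENYLIST = [{ re: /MSIE (\d+)/, below: 6 }];

function allowlistAdmits(ua) {
  return ALLOWLIST.some(({ re, min }) => {
    const m = re.exec(ua);
    return m !== null && Number(m[1]) >= min;
  });
}

function denylistAdmits(ua) {
  return !DENYLIST.some(({ re, below }) => {
    const m = re.exec(ua);
    return m !== null && Number(m[1]) < below;
  });
}

// Run both policies over every sample so the disagreements are visible.
function compare(samples) {
  const out = {};
  for (const [name, ua] of Object.entries(samples)) {
    out[name] = { allowlist: allowlistAdmits(ua), denylist: denylistAdmits(ua) };
  }
  return out;
}

console.log(compare(SAMPLE_UAS));
```

Both policies turn away IE4 on Windows 98, but only the whitelist turns away the unlisted Gecko browser, which shares an engine with an admitted one. The User-Agent header is set by the client, so either check is a compatibility nudge rather than an access control.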
Will it Work?
There’s still the question of whether it’ll actually make users less likely to land on a PayPal phishing site.
For one thing, it’s not clear whether they’ll block IE6. The initial report would definitely have excluded it, since it lacks both EV support and anti-phishing (without an add-on). But the follow-up statement was focused on Safari. Does PayPal consider IE6 to be a “current” version since Microsoft still supports it? Or do they consider IE7 to be current, and IE6 to be obsolete?
Certainly, if they don’t block IE6, this will really only impact the tiny fraction of users running horribly outdated software. (Well, more horribly outdated.)
The thing to remember is that the features PayPal is promoting will only help if users switch for general browsing. In fact, anti-phishing will make no difference at all on PayPal’s actual site, unless it gets hacked (at which point the user is screwed anyway.)
So let’s suppose that they do block IE6. As much as I’d like people to switch to Firefox or Opera full-time, I’m sure there will be some people who only fire up an alternative to use PayPal, and who stick with IE6 the rest of the time. They’re just as likely as before to click on a bogus “Pay with PayPal” button, or a link in a phishing email. If they weren’t going to do that in the first place, the browser requirement wasn’t needed. If they were, the browser requirement doesn’t help. The bogus sites won’t require phishing detection, or EV certs. Imagine the user saying, “Hey, PayPal fixed the problem where it wouldn’t let me use IE!”
And of course it won’t stop someone with a stolen login and password from connecting using an “approved” browser.
The ISC has also weighed in re: limitations of EV certificates. Among other things: it may be easier to get an EV cert than suggested, in which case it won’t indicate any greater degree of trust than a standard SSL certificate. And it doesn’t prevent other issues, like keystroke loggers or trojans that simply hijack a user’s session.
I apologize for the rambling nature of this post (yeah, site title and all that). But I worked on it on a succession of late nights, and decided it was time to just post the thing. Also, I have a somewhat more concise post up on OperaWatch. [Edit: Well, it was on Operawatch…]