Business Internet Community

Google has begun to phase out support for Internet Explorer 6, the browser identified as the weak link in a cyber attack on the search engine. The firm said from 1 March some of its services, such as Google Docs, would not work “properly” with the browser. It recommended individuals and firms upgrade “as soon as possible”.

Google threatened to withdraw from the Chinese market following the “sophisticated and targeted” attacks, which it said originated in China. Hackers used a flaw in Microsoft’s Internet Explorer (IE) browser to target the Gmail accounts of Chinese human rights activists.

Following Google’s revelations, the French and German governments advised their citizens to switch to a different browser until the hole had been closed. Microsoft reacted by quickly updating the browser, nearly three weeks ahead of its regular security update. However, Google has now said it is going to phase out support for the browser “starting with Google Docs and Google Sites”.

It said that as a result, some “key functionality” of the applications would not work when used with IE6. Google Docs is the firm’s answer to products such as Microsoft Office, whilst Google Sites allows people to create web pages.

Google’s Rajen Sheth wrote in an official blog post:

“The web has evolved in the last ten years, from simple text pages to rich, interactive applications including video and voice. Unfortunately, very old browsers cannot run many of these new features effectively.”

Threat downplayed

Around 20% of web users still use the nine-year old browser, including many UK government departments. But many developers want to see the browser phased out as soon as possible. The online campaign ie6nomore, supported by more than 70 web firms, says that because the browser does not support modern web standards it restricts what developers can do and is “holding the web back”.

Microsoft has said that it will support the browser until 2014. Microsoft has released a fix for Internet Explorer and recommended that customers install the update as soon as possible or update to the latest version of the web browser for “improved security”. Microsoft normally issues patches monthly but the high-profile nature of the attacks led it to act more quickly.

Market share

The UK government played down the threat and said there was “no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure”.

However, Microsoft took the unusual step of patching the hole nearly three weeks ahead of its regular security update. The new patch is available via the Microsoft Update site and will also be fed out to those who have their machines set to update automatically. All versions of Internet Explorer will receive the update.

Microsoft has admitted that it has known about the vulnerability “since early September” 2009 and had planned to patch it in February. The bad publicity has allowed rivals such as Firefox to gain market share.

According to web analytics company StatCounter, Firefox is now a close second to Internet Explorer (IE) in Europe, with 40% of the market compared to Microsoft’s 45% share. In some markets, including Germany and Austria, Firefox has overtaken IE, the firm said. Mozilla, the foundation behind Firefox, has just released the latest version (3.6) of the open-source browser.

France and Germany have already told their citizens to avoid Microsoft’s Internet Explorer because of a critical hole in the browser, so what does the British government think? The problem emerged late last week and both governments reacted with a simple warning – use another browser until this is fixed.

Three days later and still no response from the British government. We’re still waiting to hear back from the Department for Business, Innovation and Skills.

The weakness is in older versions of Internet Explorer like 6 and 7 which were running Windows XP SP3. The code has now been released making it fairly simple for an attacker to exploit the hole. Microsoft confirmed that the hole was used in the attacks against Google and 33 other companies believed to come from China. At its most extreme it would let an attacker run code on your machine.

If you don’t want to ditch IE altogether then at least running it in safe mode, with ActiveX and JavaScript turned off, will reduce the dangers.

Internet Explorer is the default browser on government computers. It would be a big job for them to all be changed overnight, but surely the government could offer some advice on keeping the rest of us safe?

The gaping hole might seem like bad news for Microsoft, but most IE users will probably remain unaware of the problem. If enough of them do notice then it might provide a bit of a boost for Firefox and Google’s Chrome – currently being heavily advertised in the UK. Microsoft is still working on plugging the hole which, so far at least, has been used to target corporations rather than individuals

UPDATE (19-Jan):

Microsoft’s Head of Security and Privacy in the UK, Cliff Evans, is now saying that people who jump ship from Internet Explorer after the recent spate of bad headlines risk ending up on a less secure browser.

With France and Germany both advising a move away from Internet Explorer, things are far from rosy for Microsoft’s browser, and although the vulnerability has only been used against IE6, the company has not ruled out that something similar could be used against the later versions. With Microsoft not prepared to give details of how soon a fix will be released, and advising people to leave the appalling IE6 and its successor for the latest version – IE8 – Microsoft’s UK security chief insists that a non-Microsoft browser is the worse option.

The whole Google IE flaw issue is clearly a PR disaster for Microsoft, with Evans conceding that this particular problem is not likely to afflict IE’s rivals. Asked when a fix would be ready, Evans states that the rollout might or might not be before the normal upgrade cycle, but has no further details. In the meantime, the company will be hoping that the knee-jerk reaction of France and Germany is not mirrored elsewhere.

UPDATE no.2 (27-Jan):

Lord Avebury has since tabled a parliamentary question regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that’s unlikely to please most readers. The UK government contends that ‘there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.

When it comes to top level domain names, some countries are luckier than others. Take the Pacific Ocean island of Tuvalu, for instance, which offers the attractive .tv for the broadcast media. Or Tonga, whose .to domain has spawned sites such as go.to and how.to.

However, the most fortunate of all in the name game is Montenegro. After separating from Serbia in 2006, the country gained .me – the perfect domain for the social media generation.

Predrag Lesic, executive director of the .me registry in Montenegro says:

“From the beginning it was clear that .me would have its share in the market.”

That share is now huge. Since going live in 2008, more than 320,000 names have been registered, making it the fastest selling debut top level domain ever.

“It’s short, personal and popular – with names like youand.me and whatabout.me. It’s being used more than ever as a call-to-action domain, for example notify.me.”

The domain’s popularity is partly down to its versatility across different languages, as the word “me” has a similar meaning in a number of languages. Even before the domain’s launch, Montenegro’s registrars were inundated with requests for names.

The landrush phase allowed people to register an interest in a domain, while the go-live phase – which started on 17 July 2008 – opened up the registry to customers worldwide.

“On the first day of the go-live period, we had 50,000 registrations. Companies like Microsoft and Samsung rushed to register their .me name.”

Some .me names are now being found on post-purchase auction sites for up to £10,000 each.

• Gravity Internet can provide your business with a .ME domain name for only £20 per year.

Google has created a new system to resolve DNS (domain name system) queries that the company claims will speed up Web browsing for end users, as well as make it more secure.

Google Public DNS, announced today, is still in an experimental phase.

It attempts to improve on existing DNS resolver technology with faster, more efficient caching and additional security safeguards against spoofing attacks that try to dupe users into visiting malicious Web sites.

The DNS lets people type Web site URLs in their browsers and translates them into the appropriate IP (Internet Protocol) numerical addresses, acting as a sort of phone book and switchboard.

To use Google Public DNS, users will have to change network settings so that their Web site requests go to the Google service instead of to their ISP. Google has set up a Web page with detailed instructions on how to do this.

“We believe that a faster DNS infrastructure could significantly improve the browsing experience for all web users. To enhance DNS speed but to also improve security and validity of results, Google Public DNS is trying a few different approaches,” wrote Prem Ramaswami, from Google’s Public DNS Team, in an official blog posting.

Ofcom has warned that fraudsters are currently phoning consumers claiming to be from BT or the regulator itself. The caller will claim that the consumer’s telephone line needs digital upgrade work costing £6 and if it isn’t paid within 10 days then the phone line will be cut off. This is a scam and the police have been called in to investigate.

Ofcom added:

“In some cases, the fraudster will claim that the line needs testing and they will temporarily disconnect it. When the consumer tries to make an outgoing call they are unable to do so. This is simply because the fraudster is still on the line meaning no outbound calls can be made.”

What to do if fraudsters call:

• Do not give out any personal or bank details
• Call your service provider’s nuisance call bureau to see if the call can be traced
• If it can, pass on details to Ofcom or Consumer Direct (details below)

What to do if you have given out personal details:

• Call your bank immediately to let them know about the scam and to cancel your credit card or change your bank details
• Ask your bank to try and trace the payment
• And if you get any details, let Ofcom or Consumer Direct know

To contact Ofcom’s Advisory Team call 0300 123 4000.
http://www.ofcom.org.uk

To contact Consumer Direct call 08454 04 05 06.

After a long gestation period, Opera has released version 10 of their browser, which comes packed with a whole lot of improvements and new features. It has a completely new interface, a turbo mode for those days of bandwith drought, automatic updates (finally!), and lots more.

Opera Turbo is the feature most prominently listed in promotional materials. Turned on with the flick of a switch, it will compress websites to maintain browsing speeds even in bandwith constrained situations like a slow WiFi connection or a choppy 3G connection. According to Opera’s own tests, Opera Turbo can speed up the web up to about 8 times.

The interface has also been completely redesigned, and is now “streamlined and elegant” according to Opera. Tabs are on top, but in true Opera fashion, can be placed anywhere else too. Tabs can now also be displayed as website thumbnails, which could be useful on widescreen configurations.

One feature which should have been included a long time ago, has now also finally arrived to Opera: automatic updates. No longer will an update require a re-installation, which should bring Opera up to par with the rest of the pack when it comes to up-to-date installations.

Communications and Media regulator Ofcom UK has just published a new guide called ‘Keeping Consumers Connected‘ (PDF), which offers advice for consumers who suddenly get trapped when their broadband ISP or telephone operator goes bust. The information is very spares and ultimately amounts to little more than Ofcom telling people to switch ISP; though in fairness there is often a limit to what you can do.

Still we must credit Ofcom for at least trying to engage with consumers, even though their included link to the Consumer Advice section on their site and the Advisory Team phone number are really the most useful bits of information to be had:

Ofcom Consumer Advice:
http://www.ofcom.org.uk/consumeradvice

Ofcom Advisory Team:
0300 123 3333

We also have an ‘ISP Complaints and Advice’ section for helping consumers tackle and hopefully resolve some of the more serious problems, such as when ISPs refuse to release a migration code or start sending in the debt collectors. Take note that Ofcom itself does not handle individual complaints.

* Gravity Internet, a UK business ISP, can migrate your existing Broadband service for free.

Microsoft has underlined support for its Internet Explorer 6 web browser, despite acknowledging its flaws. The software giant said it would support IE6 until 2014 – fours years beyond the original deadline.

Critics – some of which have started an online campaign – want the eight-year-old browser mothballed because they claim it slows the online experience.

Web monitoring firms estimate that 15-20% of people still use IE6 to browse the web. The most immediate threat to Microsoft’s 68% market share comes in the shape of Mozilla’s Firefox – used by 22% of browsers.

Ronald Gruia, a principal analyst with Gartner:

“The competition Microsoft has to worry about right now is Firefox. Not just from a market share perspective but from an innovation perspective because their plug-ins work really well. In the future they have to look out for Google with its Chrome browser. The main concern there for Microsoft is the rise in cloud computing and software as a service. Google is becoming very effective at delivering applications in the cloud and therefore poses a huge threat to Microsoft.”

On April 14, 2009, Microsoft retired Mainstream Support for Windows XP, and thus for Internet Explorer 6. That said, Microsoft is not planning to retire Extended Support for the operating system until April 8, 2014. If Redmond ends up releasing a fourth service pack for XP, it will retire support for SP3 (released in April 2008) two years after SP4 is released, or in April 2014, whichever comes first. In short, IE6 will continue to be supported by Microsoft for at least four more years.

The London Internet Exchange (LINX), which represents over 330 ISPs – including many UK broadband providers, has made its response to the governments consultation on controversial Internet snooping plans public. The group warned that many important questions remained unanswered, such as precisely what data should be stored, costs of such storage, the impact upon a law abiding citizens right to privacy and many other legally grey areas.

As a reminder, the governments Interception Modernisation Programme (IMP), which is part of the wider Communications Data Bill, will see all YOUR email accesses and website visits (not content) monitored and stored for a period of one year. Many organisations, such as the NHS and Royal Mail could then be granted access to this data, not just the police.

The LINX Response – Selective Quotes:

“We do not believe sufficient information has been given to say with confidence whether we will support or oppose the Government approach. Following discussions with officials, we do not even have confidence that “a Government approach” even exists – it appears that even the basic conceptualisation of the Interception Modernisation Programme is in flux. We can identify numerous areas where important questions remain unanswered.”

…

“Firstly, the government has not been clear about the range of communications data it proposes should be collected. The existing data retention regime is narrow, and at least attempts to be closely specified. These new proposals suggest an intention to capture anything and everything, regardless of the communications protocol used, or other aspects of the communication inhibiting this approach (the case study reference to a user chatting in a computer game certainly carries such an implication).”

…

“Fourthly, as we have outlined above and discuss more fully below, we are not satisfied that the existing safeguards adequately protect the public, our members’ customers and end users, even with regard to the current regime let alone as they relate to the far more intrusive proposals under discussion. We would need to be satisfied that the safeguards proposed to be relied upon were adequate before we could support the government’s approach.”

…

“Fifthly, we are concerned for the security of customer data collected once it is no longer under the exclusive control of the CSP. More particularly, we are concerned that the public have confidence in its security. It should go without saying that this is sensitive and valuable data that could do a great deal of harm in the wrong hands.”

Click here to download full response (MS Word .doc)

LINX concludes by saying that it cannot have confidence that any forthcoming legislation will support the public interest until the outlined issues have been satisfactorily resolved. In short, LINX appears to be in stiff opposition to the government’s plans; though whether the government will care enough to adjust its proposal is another matter.

ISPs, technologists, law enforcers and governments are wrangling over how the Internet should be regulated, but it is obvious what is the best way forward, says Axel Pawlik of RIPE.

The Digital Britain report proposed that ISPs should adopt a more active regulatory role to help curb piracy and the distribution of illegal content. Yet it is debatable whether ISPs are best placed to act as the gatekeepers of the Internet, because the control they have over the networks is limited.

The main function of ISPs as regulators is to help law-enforcement agencies determine the source of illegal content more easily by monitoring connectivity data. In theory, ISPs could inspect every packet of data, but cybercriminals can conceal illegal content inside inconspicuous data packets. Monitoring content also raises obvious privacy issues.

Role of ISPs

ISPs should not police the content of Internet traffic. They could act in a similar fashion to telephone companies, which keep track of dialled numbers without listening in on calls. Ultimately, it is technically impossible for ISPs to moderate and monitor everything that goes on in their networks.

It has also been proposed that national governments and the European Union take responsibility for Internet regulation. But government-led processes can be inflexible, and traditional routes of legislation often take long to become law.

As a result, legislation cannot possibly hope to keep pace with innovation in the Internet industry. Additionally, while national governments are able to restrict Internet traffic to tackle criminal activities, such restrictions can easily be seen as an attack on civil rights. Because of the limitations of ISP and government-led Internet governance, an open, bottom-up regulatory model is the only feasible way forward.

Open Policy Development

Industry-wide collaboration between ISPs, the technical community, supporting organisations, national governments and law-enforcement agencies helps ensure open and transparent policy development and regulation.

Governments should look after the interests of the public by taking an active role in the debates and policy-making processes of the Internet community. They also need to work closely with the community to ensure an appropriate, flexible, regulatory framework is in place to help stimulate innovation and growth.

There are already examples in the Internet industry of the problems over-regulation can produce. Afnic, the French registry for the .fr country code top-level domains, is a classic illustration of how regulation can impede growth.

At a time when the market for domain names around the world was growing strongly, registrations for .fr domain names were hampered by strict eligibility rules. A process of deregulation, started in 2004, saw a sharp and immediate increase in the market for .fr domain names.

Another example of how regulations can stand in the way of innovation is the failed rollout of the Open Systems Interconnection (OSI) protocol suite in 1977. Developed by international standards body the ISO and telecoms standardisation agency the ITU-T to standardise networking, OSI followed government-led predecessors such as Arpanet.

Its aim was to enable vendors with different proprietary network protocol suites to collaborate on common network standards, facilitating interoperability. However, OSI was never widely adopted because the ISO and ITU-T attempted to impose it on the Internet community, who deemed it too costly and complicated to implement. Instead they opted for TCP and IP, on which the Internet operates to this day.

Community and Public Benefit

An inherently open system such as the Internet does not fit into a closed, heavily certified and regulated mould. As with open-source systems, both the community and the general public benefit from the openness of the Internet, which stimulates innovation, access and diversity, as people are encouraged to experiment with different technologies.

This bottom-up, multi-stakeholder and self-regulatory approach will ultimately help safeguard the dynamic and responsible development of the Internet.