
Simply switching to another browser isn't a panacea; Chrome, Firefox, and Opera all have the benefit (currently) of not commanding the same market share as IE except for recently. If IE stays behind Chrome for a while (and if other browsers' share keeps increasing), these other browsers will be targeted more, as it would be more economically worthwhile. While they are an improvement over IE in the security department, it will nevertheless be interesting to see if malware authors can have success against Chrome, Firefox, and company.



Actually, there are now more Chrome users than IE users (depending on which country you are dealing with). German users have been huge Firefox users since 2005. And the WebKit supergroup (add all the Safari, iOS, and Android browsers to Chrome) means even more of the market than you might think are using essentially “the same” browser engine.

(Quotes because, as PPK always reminds us, there is no monolithic WebKit in actuality.)

Edit in reply: Hmm, “currently… except for recently.” Then let my comment be in reply to “currently” and not “recently,” I suppose. Not sure if my parent was edited after my reply, or if I was really that bad a reader.


No, I'm just that bad of a writer. It wasn't edited, but was a complete mess to begin with.


I think you should read GP's comment more carefully.


Also with things like WebGL security is only going to become a bigger problem.

Yes, they fix and push fixes out faster, but that doesn't inherently mean your browser is more secure, only that there are fewer people out there with browsers that are publicly known to be exploitable, but it is safe to assume that all browsers are exploitable, and that there are people who know the holes but don't make them public because their value (either to governments or criminals) is way too great to even compete in the same league as the rewards offered by browser makers.


> Also with things like WebGL security is only going to become a bigger problem.

Please don't repeat FUD.


Is Carmack also spreading FUD?

It seems the web people have deluded themselves into thinking they really understand the implications of letting webpages interact with video drivers, and some of the graphics industry were just too happy to help along.

This doesn't change the fact that WebGL exposes graphics drivers in ways that they were never meant to, and that there is no real way for third parties to verify how safe it is to turn on WebGL for a given driver.

The whitelists and blacklists of drivers currently used do little more than to fragment the web and frustrate users.

I'm a big fan of how Google introduced much needed decent sandboxing to web browsers, but what they are doing with WebGL is both scary from a security point of view and depressing from the point of view of fragmenting the web. Now, to access certain websites not only you need the right browser, you also need the right video card and video drivers, is worse than the "best viewed with" nightmare of the 90's.


> It seems the web people have deluded themselves into thinking they really understand the implications of letting webpages interact with video drivers

By "the web people" you mean Google, Microsoft (yes, Microsoft, because it is ok with letting webpages interact with video drivers through Silverlight), Apple, Mozilla, Opera, and Adobe (yes, Adobe, because it is ok with letting webpages interact with video drivers through Stage3D in Flash)?

So basically the entire industry is deluded?


> not only you need the right browser, you also need the right video card and video drivers, is worse than the "best viewed with" nightmare of the 90's.

First, Chrome will fall back to a software emulation that actually works very well. So even if your video driver is blacklisted, you can still see the content.

Second, I'm not sure Carmack has made an effort to really look at the differences between WebGL and OpenGL. Features are limited and the browsers are required to parse and verify input, so that only correct code is sent to the graphics drivers.

(edit:) Let me add some more information here: Array bounds are checked; Array indexes must be constant expressions; and, most importantly, while-loops are forbidden. If you've taken a course in theoretical CS, you may recall the difference between for and while loops and why applications using only the former can be verified (if there is no recursion - OpenGL shaders also don't support that anyway).

Third, access to WebGL could be easily limited in the future: For example allow access by default for browser extensions and require user confirmation for the rest of the web. Should be fine for games.


> First, Chrome will fall back to a software emulation that actually works very well. So even if your video driver is blacklisted, you can still see the content.

1. Only on Windows, not anywhere else

2. It will be very slow. For this reason, I think this might be almost pointless, and worse than showing nothing in some cases.


> it will nevertheless be interesting to see if malware authors can have success against Chrome, Firefox, and company.

We already know the answer to that - when attackers try to target any browser, they in many cases succeed. All major browsers get hacked at the relevant competitions, and those are just the public hacks we hear about, the private ones are likely far worse.

Mitigation measures do matter though. Adding security makes it harder, and pushing out patches quickly reduces the window of vulnerability. Microsoft has improved in the former but not in the latter.


Agree, I know two people that got owned in the last year, both were using - outdated - Firefox browsers on XP.


I find it amusing that geeks worry so much about browsers and the security of them at a software level, when every computer I've repaired in recent memory was owned by user stupidity (I would call it social engineering, but smiley packs and .jpg.exe's are hardly advanced trickery). All browsers, IE included, are pretty damn secure these days. People's brains? Not so much.


At least Chrome offers bounties for people who find bugs.


> Simply switching to another browser isn't a panacea;

That's one of the reasons I simply avoid Windows.



