Microsoft's IE Team Leader Answers Slashdot Questions 530
We got lots and lots of questions for Dean Hachamovitch, whose formal title is "general manager Internet Explorer at Microsoft Corp." Picking a mere 10 of those questions was not easy, and I wish Dean could have answered twice as many -- and so does he, but his schedule has been tight this week. Anyway, here are his answers to the Chosen Ten.
1) How about this...by also-rr
Would you like to make available IE on other operating systems?
Dean Hachamovitch:
We did make versions of IE available on other operating system for a pretty long time, up through IE5 on Unix and the Mac. At the time we developed them, those offerings made sense. I don't see a good reason to make IE available on other operating systems at this time.
2) IE7 release time
by BeeBeard Why did IE7 take such a long time to release after IE6?
Dean Hachamovitch:
Basically because we were doing a lot of other things before we started work on IE7: a few releases of MSN Explorer, a lot of work on what turned out to be Windows Presentation Foundation, a lot of investment in what turned into IPv6 support in Windows Vista, and lot of security response, a pretty intense effort on Windows Server 2003 (and IE's "Enhanced Security Configuration"), and then a pretty intense effort on Windows XPSP2. You can read a more detailed answer here
3) Follow up
by LordEd
If you had more time, is there a new feature you would have liked to include in IE7?
Dean Hachamovitch:
Yes, several come to mind. None were more important than shipping. None were more important than the bug fix work we did in response to beta feedback.
The temptation to get "just one more feature in" is so strong... one more CSS fix, one more neat facility for developers, one more performance optimization, one more cool end-user feature. The thing that made it easier to resist the temptation and ship is the prototype and planning work we've started on the next release of IE.
4) Simple questions
by Billosaur
IE has a dominating command of the market, although Firefox is slowly making inroads, due to innovations such as tabbed browsing that IE has had to incorporate to maintain that command. But where are the IE innovations? Why can't the IE team get ahead of the curve on Firefox? Is there anything you consider an innovation that is unique to IE that would plausibly be something the browser market would have to incorporate to stay competitive?
Dean Hachamovitch:
I think IE7 is the first browser with integrated real-time anti-phishing functionality, with an RSS platform and support for Simple List Extensions (see below), with "QuickTabs," with support for OpenSearch, and with shrink-to-fit printing on by default. In Windows Vista with Protected Mode, IE7 is the first browser to "put itself into a sandbox" and run with low privileges.
I think that during the IE7 beta process, you've seen other browser vendors copy some of these features and/or deliver add-ons for others. (IE has also delivered some functionality - like spell-checking in forms or in-line find, as add-ons; you can read more here.
I want to call out the Phishing Filter and RSS in particular. I think there's a clear difference between the protection offered in IE7 and other places. I suggest readers look here and here and decide for themselves. I was surprised when I read this because I think IE7 delivers real-time protection that respects user privacy at the same time.
I think IE7's RSS is pretty deep. First, the support for the Simple List Extensions that we made available under a Creative Commons license is cool - check out the links below in IE7. Also, the platform enables developers to deliver on some great scenarios, like sharing subscription information between different applications and services easily (from the new version of Outlook 2007 I run at work to IE7 at home via Newsgator). You can read more about that here.
- Amazon Wish List as an RSS feed
- eBay Search Result as an RSS feed
- Yahoo Music Top 10 list as an RSS feed
In regards to tabs, according to http://en.wikipedia.org/wiki/Tabbed_browsing, NetCaptor (an IE-based browser) was first.
5) My shot
by Njovich
What do you consider the greatest weakness of Firefox?
Dean Hachamovitch:
Hey, I've met a bunch of the Firefox folks and respect them and am not about to say mean things about them or their product, period. I have started to see some things that even some Slashdotters find a little confusing, like the whole Iceweasel thing.
6) Security
by Seto89
One of IE7's revolutionary features was supposed to be security, although it took less than 24 hours for Secunia to post an advisory about a security hole. Moreover, the bug seemed to be carried over from as early as IE5.5. What approach did you take to improve browser's security, and how come the vulnerabilities have been carried over?
Dean Hachamovitch:
The overall approach we took is called the secure development lifecycle. You can read more about it in general at http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/sdl.asp and http://www.microsoft.com/MSPress/books/8753.asp. The very short version is that we stepped back to analyze all the ways to attack a browser and then figured out the best ways to defend in depth against attacks. We reduced attack surface area, for example, turning off several feature and protocols by default and with ActiveX opt-in. We re-wrote a lot of the URL handling code in our networking layer. We ran a lot of tools against the source code to look for vulnerabilities. We listened to feedback from lots of smart people who are skilled in the art of attack.
As anyone who reads SecurityFocus or FullDisclosure will tell you, security is an industry problem and innovation in attacks is ongoing.
The MHTML issue is pretty interesting. IE calls another Windows component to handle some MTHML functionality. That component has a vulnerability. The important things here are (1) a malicious site can steal user data and (2) of course Microsoft cares about privacy and will fix this issue promptly. Some of the blogs over at zdnet - in particular George Ou's and Ed Bott's, have had some balanced opinion pieces on this issue.
While I was writing this, someone disclosed another issue irresponsibly. On the one hand, it's minor (a malicious site can make the address bar, when it's selected and in a pop-up window, deceiving... clicking in the pop-up window addresses the issue) and our anti-phishing technology helps a lot. The MSRC blog has more detail. At the same time, an attacker could draw a fake or misleading address bar in a pop-up window in a browser that doesn't automatically show the address bar in every window. Again, I think all this shows is that innovation in attacks is ongoing.
7) How about this....
by Toreo asesino
Let's pretend for a moment that Internet Explorer isn't the default web-browser built into Windows and instead, users are presented with a choice on first login (e.g. a message asking 'How would you like to browse the internet? MSIE, Firefox, Opera').
Would you expect IE to become as dominant as it is now if users had to specifically choose it over another?
Ignoring the slight impracticalities, if so (I'm guessing you do), on what basis would this be?
Dean Hachamovitch:
OK, I'll pretend. My first question is when we ask users this question... if it's in 1995, then Opera isn't on the list (Wikipedia just told me that its first public release was in 1996) and neither is Firefox. If it's today, then, candidly, we have 10+ years of people seeing the IE icon and all that that means to them.
The funny thing about your question is that in some ways, users are about two clicks from this scenario every time they run Windows XP: from the Start menu, select Set Program Access and Defaults. And it's not limited to the browsers you list, but any browser that they can download.
To answer your core question: I don't know how people would answer that question. I think we've asked users far simpler ones (like setup programs that ask "Do you want a typical or custom software installation?") that have proven frustrating to them. I do blog searches just about every day to read what people are saying about their browser choice, the browser I work on, and the other browsers you list. While it may surprise you, for many users, the differences between today's browsers aren't as clear and obvious as they may seem to many in the Slashdot crowd. I've read a lot of posts that say, "I tried IE7, I'm pleasantly surprised, and I'm switching back." (I read a lot of others for sure.) For some folks, having professional technical support to contact makes all the difference in their browser choice. During a press interview with a technical trade journal recently I asked the reporter "So what do you browse with" and he said "Mostly IE6, sometimes Firefox 1.5." That might surprise some of you.
8) Allowing Developers to Test for Compatibility
by miyako
IE7, like IE6, renders a lot of pages significantly differently than the other main HTML rendering engines available (Geko, KHTML, and Opera). At the same time, IE7 requires WGA to run - so that applications like Wine are unable to run it. This means that web developers who are using Linux and Mac OS X will have an extremely difficult time testing their sites with IE7. Was this intentional? If so what was the reason behind it (do you want to force developers to move to Windows for web development, or simply set IE aside as something different that isn't a regular browser and must be specifically developed for), and if not how do you plan to rectify the situation?
Dean Hachamovitch:
I think the core of your question is about giving away Windows licenses for free. We love developers, period. We're also not about to give away Windows client licenses. Because we want end-users to have a great experience on the web, of course we want web developers to have an easy experience working with IE and testing their sites with IE. That's why we published tools like the web developer toolbar and the Application Compatibility Toolkit and so much documentation during the course of IE7 development. I also respect that - as hard as everyone at Microsoft works to make Windows the best operating system for developers run - some developers will choose to run others. Mac developers have a fine solution - I've talked with hardcore Mac people who bought a copy of Windows that they run on their Mac with Parallels to test their work in IE. For other developers, I've seen some very clever solutions like BrowserCam that should help.
9) I asked Hakon about CSS and now I ask you:
by Chabil Ha'
This past summer Håkon Wium Lie was interviewed on /. and my question was selected concerning IE7's glaring lack of full CSS support. Why is it that MS has avoided meeting at least the ACID2 spec for CSS in order to bring some semblance of comformity for developers?
Håkon Wium Lie's response to these questions is boiled down to the fact that you do have the talent and resources to fix these issues and he says that "the fundamental reason, I believe, is that standards don't benefit monopolists" like MS.
How do you respond to his comments (the author of the CSS spec) and does MS have any near future plans to adhere to the existing CSS standard? If not, what would it take for MS to take a more proactive role in supporting it?
Dean Hachamovitch:
During IE7's development, we prioritized the work we did based on the web development community's real-world feedback. The engineering exercise here was choosing the best work for a finite number of developers to do during a finite period of time, especially given the compatibility impact of changing how IE behaves. The work that we delivered in IE7 simply has more positive impact and makes web developers' jobs easier than making an arbitrary (if terribly clever) web page render the way its author intended.
The Acid 2 test explicitly states that it isn't part of a formal compliance suite and it is not a "spec for CSS." It's a suite of tests of HTML, CSS, PNG, and data URL features that Mr. Lie thought were important. I'm glad that Mr. Lie - who is one of the authors of the CSS specifications - acknowledges that Microsoft's developers have the talent to address these issues.
The question here isn't whether we want to support those features or if we understand that web developers want them (we do), but simply prioritization. We focused on web developers' real world problems.
The real goal here is interoperability - something that Microsoft product teams believe in (remember, Microsoft has more than one product that works with HTML, CSS, and other web standards, and they have to interoperate too) and something that benefits customers (end-users, developers, IT Pros, et al.) across the board. The work in Windows Vista around IPv6 as well as the work we've done in IE7 with OpenSearch, RSS and with Certificate Authorities and other browser vendors on Extended Validation certificates are good examples of following through on that belief in interoperability.
Your question also asks about Microsoft's plans to comply with the existing CSS standard; there are actually several CSS standards, some still under construction (CSS level 3) and some made obsolete over time (e.g. CSS 2.1 fixing errors, removing ambiguities and changing required behavior from CSS 2). Just as we did in IE7, we're going to listen to the web development community and prioritize the remaining CSS work and deliver the parts we hear are most important first. We do intend to comply with the standard; no other browser I'm aware of has complete support of every feature in CSS 2.1, so it's clear that we all have to use prioritization to know where best to place our resources.
10) Why develop IE at all
by CmdrGravy
Given that you are not planning on selling IE 7 and the fact that there are already other browsers on the market which can allow Windows users to experience the web fully why is Microsoft investing so much time and effort in continuing the development of IE?
Dean Hachamovitch:
Windows customers expect the best, safest experience with their PCs out of the box, especially around the web browser. We're investing so much time and effort in IE in order to give Windows customers a great, secure, default experience. I'm glad that users can choose other browsers as they see fit - Windows is a platform. We're working this hard on IE because so many end-users rely on it and so many developers have built on the APIs that IE exposes as a part of the Windows platform.
-------
Editor's note: Next week's Slashdot interview guest will be a FireFox person. Only fair, right? :)
Browser choice (Score:5, Informative)
Ah, but how are you supposed to download another browser on a clean install? By opening Internet Explorer. And by that time, for most users, the choice has already been made.
Re:Why didn't anyone ask about... (Score:3, Informative)
Re:Why didn't anyone ask about... (Score:2, Informative)
Tabbed browsing? (Score:3, Informative)
protected mode browsers .. (Score:5, Informative)
I do recall hearing of RSS previously. Of these, which have been copied by the Firefox team and what are they called. Were such feetures around in similar form before IE7 or does the Firefox team posess a time machine. I do recall hearing of RSS previously.
"In Windows Vista with Protected Mode, IE7 is the first browser to "put itself into a sandbox" and run with low privileges."
It may be the first browser in Windows land but Browsers have been running in protected mode on Linux for years.
"during the IE7 beta process, you've seen other browser vendors copy some of these features"
Like who and when specifically? In the same interview he mentions an address bar spoof, so I guess the real-time anti-phishing functionality is still a little buggy.
What Wikipedia article did HE read? (Score:5, Informative)
From the Wikipedia article:
"BookLink Technologies pioneered this interface design in its InternetWorks browser in 1994. Independently, the founders of Opera built an MDI-based browser in the same year (via a technical preview not available publicly; a public release was made in 1996). The tabbed interface approach was then followed by the Internet Explorer shell NetCaptor in 1997."
So the guys that did Opera did the tabbed thing first; they released the Opera browser later. The public release of the tabbed browser was still done months before the IE shell modification.
Re:protected mode browsers .. (Score:3, Informative)
Re:protected mode browsers .. (Score:5, Informative)
No, they haven't. There is a big difference between running a browser with fewer privileges and IE7 on Vista's "Protected Mode".
This has been explained here in the forums on Slashdot countless times, not to mention the fact that 10 minutes of research [msdn.com] would make the differences clear.
Protected Mode IE uses what they call a "service broker" while simultaneously running IE as a user with virtually no rights. Protected Mode IE doesn't even have the right to save a file to the user's desktop. The service broker handles all actions that would normally require those higher privileges. If IE needs to save a file to the user's desktop it "asks" the service broker to ask the user if that's OK. If the user says it's OK it then accepts a stream of data from IE and performs the file save operation itself. Since the service broker runs with the privileges of the currently logged in user, it is able to complete the requested operation.
The principle here is that while IE is hundreds of thousands of lines of code, the service broker is perhaps 5000. This means that it is MUCH easier to audit the service broker for security issues than it is to do the same for the entire IE code base.
But please, find me an example of any other browser on any platform that does this.
Re:RSS, huh? (Score:5, Informative)
Concise translation (Score:5, Informative)
Nope, and there are reasons, but I'm not telling you what they are.
The entire IE team was busy with much more important things, like the MSN Toolbar, and specialized changes for individual customers with deep pockets.
None. We just wanted to ship in time.
A better phishing filter, RSS, Expose-like tab view, and a better security model.
I wrote a cheap insult about Iceweasel, but then decided to just shut up and not say anything, but apparently my text editor bugged up or something and didn't erase the insult.
All the usual methods. It's hard work though, since all those attackers innovate so much -- it's an industry-wide problem, not just with us! -- and people keep irresponsibly making vulnerabilities public.
Customers love IE so much after 10 years of using it that I'm sure it would.
I will completely ignore your mention of WGA, treating it as self-evident that IE should require this. Therefore, it is impossible to address your concern because we won't give away Windows licenses.
We don't care about standards. We care about the real world!
The security holes and lack of features in IE were starting to reflect badly on our claims of having the most secure and innovative products.
Re:Tabbed browsing? (Score:4, Informative)
Yes, Opera released an MDI-based browser in 1996, a year before NetCaptor released the first tabbed MDI (or 'TDI') browser. MDI doesn't mean 'tabbed interface'. TDIs are a particular implementation/representation of the Multiple Document Interface (or MDI) paradigm: all TDIs are MDIs, but not all MDIs are TDIs.
Re:What Wikipedia article did HE read? (Score:3, Informative)
Your quoting strategy seems somewhat over-selective. Scan down another line, and you'll see this:
Re:too late to ask a question? (Score:5, Informative)
Re:Missing from the answers (Score:5, Informative)
Re:Oops, wrong question... (Score:4, Informative)
Well question 1 (could IE run on other browsers) was mine. I deliberatly asked it that way because it wasn't hostile but neatly brought up all the points about Microsoft (Application div) being constrained by Microsoft (Operating System Monopoly div).
There could have been a whole host of interesting answers - no for technical reasons, no for legal reasons, no for idelogical reasons. Instead we got a crappy answer from a manager not a human