The security community has long had a tendency to focus on the identification and repair of vulnerabilities. There have been significant public debates about the ethics of publicly discussing unpatched vulnerabilities, and coders will happily brag about their ability to have a fix ready immediately after a vulnerability is disclosed. A new study by a pair of Swiss academics and a Googler, however, suggests that much of this focus has been misdirected. They argue that the ergonomics of the end-users' update process has a far more significant effect on the adoption of secure web browsers than any discussion of the severity of a vulnerability.

The authors reached their conclusions thanks to the presence of the Google employee on their team, which gave them access to anonymized search logs as their base data set. Since many of these requests come from shared IP addresses and proxies, the authors combined them with a unique ID in Google's PREF cookie to distinguish individual end users. Although this ignores users of other search services, three of the four browsers sampled default to using Google. The authors also acknowledge that this probably eliminates the most security-conscious web users--those searching anonymously and with cookies disabled--and those whose User Agent strings identify their browsers as something other than what they are. They suspect that these are a small minority.

Regardless of the limitations, the raw data provides not only information on security, but a glimpse into the dynamics of browser choice and use.

Major version dynamics

Their survey period ran from January of 2007 through April of 2008; for part of that period, the authors sampled only three days per week, but the rest involved daily tracking. This allowed the authors to identify what they termed the "weekend effect." People tended to use more up-to-date browsers on the weekends than during the week, an effect the authors ascribed to browsing at work, where departmental dictates often limit the adoption of newer software. There was also a cross-browser weekend effect, as use of Firefox went up on weekends at the expense of Internet Explorer, presumably because work policy dictates the use of IE.

They were also able to track the migration dynamics as end users switched to new major versions of the four browsers they tracked. For IE, the switch from version 6 to 7 occurred gradually, with one exception: many computers bought near the holidays included Vista, which gave IE7 a significant boost. Firefox 2 saw its biggest boost when version 1.5 was end-of-lifed, and the automatic update system switched a big chunk of its users to the 2.0 track.

Mac users seemed more willing to live on the cutting edge, as the Safari 3 beta release was accompanied by a major jump. Widespread adoption, however, didn't occur until the release of the final version, bundled with 10.5; at that point, it shot past the 2.0 version in less than a month. In contrast, Opera saw an extremely slow, if steady, migration from the 8.0 to 9.0 branches during the entire period.

Security-driven dynamics

To explore how security warnings and patches influence end-user adoption of minor updates, the authors focused on Firefox and Opera. They argue that these browsers are the most comparable: they're both free, they aren't controlled by makers of operating systems, and they both include minor version information in their User Agent string, which makes it possible to track security patches. But they do differ in one very significant way: Firefox has an auto-update feature built into the browser, while Opera's procedure is comparable to a manual download and install of a new browser.

In the end, they argue that this difference in ergonomics matters. Most Firefox users had minor version updates installed within three days of their release, although a weekend effect was layered on top of this, as many users didn't update until they fired up the software at home. In most cases, the newest version ramped up to over 70 percent of the browser's share. That's a big contrast with Opera. It took 11 days for a new version to surpass the market share of its predecessor, and the share of the updated software never exceeded half of the browser's total market share.
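To make the measurement behind these figures concrete, here is an added Python example; it is not code from the study, from Google, or from this article. It applies the method described above to a handful of constructed log lines (date, a pseudonymous cookie id standing in for the PREF id, and a User Agent string): it reads the minor version out of the Firefox and Opera User Agent strings, counts each cookie once per day, computes each version's daily share of that browser's users, and reports how many days a new version needed to overtake its predecessor and the peak share it reached. The release dates, cookie ids and log lines are all invented for the example.

```python
"""Version-share metrics from constructed request logs (added example)."""
import re
from collections import defaultdict
from datetime import date

# Constructed sample: "date<TAB>cookie_id<TAB>user_agent". Invented for
# illustration; not real search-log data. Note that f2 appears twice on
# 2007-03-02 (it updated during the day) and i1 runs a browser we don't track.
LOG_LINES = """\
2007-03-01\tf1\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-03-01\tf2\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-03-01\tf3\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-03-01\tf4\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-03-01\to1\tOpera/9.10 (Windows NT 5.1; U; en)
2007-03-01\to2\tOpera/9.10 (Windows NT 5.1; U; en)
2007-03-01\ti1\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
2007-03-02\tf1\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-02\tf2\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-03-02\tf2\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-02\tf3\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-03-02\tf4\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-03-02\to1\tOpera/9.10 (Windows NT 5.1; U; en)
2007-03-02\to2\tOpera/9.10 (Windows NT 5.1; U; en)
2007-03-03\tf1\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-03\tf2\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-03\tf3\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-03\tf4\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-03-03\to1\tOpera/9.20 (Windows NT 5.1; U; en)
2007-03-03\to2\tOpera/9.10 (Windows NT 5.1; U; en)
2007-03-04\tf1\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-04\tf2\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-04\tf3\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-04\tf4\tMozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
2007-03-04\to1\tOpera/9.20 (Windows NT 5.1; U; en)
2007-03-04\to2\tOpera/9.10 (Windows NT 5.1; U; en)
""".splitlines()

# Both browsers expose the full minor version in the UA string, which is what
# makes patch-level tracking possible; IE and Safari of that era did not.
UA_PATTERNS = {
    "Firefox": re.compile(r"Firefox/(\d+(?:\.\d+)+)"),
    "Opera": re.compile(r"^Opera/(\d+(?:\.\d+)+)"),
}

# Constructed release dates: (old version, new version, release day).
RELEASES = {
    "Firefox": ("2.0.0.1", "2.0.0.2", date(2007, 3, 1)),
    "Opera": ("9.10", "9.20", date(2007, 3, 1)),
}


def parse_line(line):
    """Return (day, cookie_id, browser, version), or None for untracked UAs."""
    day_s, user, ua = line.split("\t", 2)
    for browser, pattern in UA_PATTERNS.items():
        match = pattern.search(ua)
        if match:
            return date.fromisoformat(day_s), user, browser, match.group(1)
    return None


def daily_shares(lines, browser):
    """Per day, the fraction of this browser's distinct users on each version.

    Several requests from one cookie on one day count once; the version seen
    last that day wins, so a user who updates mid-day is counted as updated.
    """
    seen = defaultdict(dict)  # day -> {cookie_id: version}
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == browser:
            day, user, _, version = parsed
            seen[day][user] = version
    shares = {}
    for day, users in seen.items():
        counts = defaultdict(int)
        for version in users.values():
            counts[version] += 1
        shares[day] = {v: c / len(users) for v, c in counts.items()}
    return shares


def days_to_overtake(shares, new, old, release):
    """Days after `release` until `new` holds a larger share than `old`; None if never."""
    for day in sorted(shares):
        if day < release:
            continue
        today = shares[day]
        if today.get(new, 0.0) > today.get(old, 0.0):
            return (day - release).days
    return None


def peak_share(shares, version):
    """Highest daily share the version reached in the observed window."""
    return max((s.get(version, 0.0) for s in shares.values()), default=0.0)


def summarize(lines=LOG_LINES, releases=RELEASES):
    """Per browser: days until the new version overtook the old one, and its peak share."""
    result = {}
    for browser, (old, new, release) in releases.items():
        shares = daily_shares(lines, browser)
        result[browser] = {
            "days_to_overtake": days_to_overtake(shares, new, old, release),
            "peak_share": peak_share(shares, new),
        }
    return result


if __name__ == "__main__":
    for browser, stats in summarize().items():
        print(browser, stats)
```

On the constructed data the auto-updating browser overtakes its predecessor two days after release and reaches a 100 percent share, while the manually updated one never overtakes and peaks at half; the same two functions, run over real per-day share series, give the "days to surpass" and "peak share" figures the article quotes.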

The authors note that these figures--80 percent for Firefox, 45 percent for Opera--only represent upper bounds of the users running a secure browser, as plugins create their own set of security risks. There was also at least one case where Firefox experienced a surge of an out-of-date, insecure version, which they assume occurred because a software vendor bundled it with another product.

Were the upgrades influenced by a general awareness of security problems? Not as far as the authors could tell. They rated the security flaws fixed by these minor version upgrades, and found no correlation between the relative risk and the upgrade dynamics.

The analysis clearly suggests that most users aren't driven by an awareness of security, a finding that's in keeping with other studies of end-user security practices. Instead, it's the convenience of engaging with secure practices that drives their adoption. And, since the practices of the average web user impact us all by influencing the rate at which we're subjected to spam and malware, developers have a vested interest in fostering better security ergonomics.

The study, along with related research on security threats, has been made available by one of its authors.