Reality Takes A Holiday: Buying The Firefox Hype

There is a myth surrounding lemmings: Supposedly, they pick a leader every season and then follow that leader blindly off a cliff to their deaths. While this isn't true (lemmings are apparently smarter than that), humans have a nasty habit of exhibiting the same behavior on a regular basis. Pyramid schemes, the dot-com boom, client-server computing in the 1980s, and the premature move to Windows NT are all trends that sucked in people who should have known not to move with the crowd without asking whether the crowd was moving in the right direction.

The most recent example of this behavior is Firefox: the open-source Web browser which apparently picks up where Opera left off as the browser most likely to displace Internet Explorer. Why Firefox? Apparently because it exists and works on better than 80 percent of the world's Web sites.

Rushing To Adopt A 1.0 Product
Firefox is in version 1.0. Typically, if any of us suggested someone deploy a 1.0 product, even if it came from IBM or Microsoft (or particularly if it came from Microsoft), they would rightfully laugh us out of the room. 1.0 products are largely unknown when it comes to defects; most professionals won't use beta products, and most of us know that a 1.0 release typically has a lot of problems. It's generally better to wait until version 1.1 before deploying software, to insure that the early adopters--and not you--feel the pain of using a product before it is fully tested..

This is simple prudence--and in the case of a product that appears to have only two people working full-time on bug fixes, it is even more prudent. Remember: We are still operating in a largely risk-adverse world where people hold you accountable for your decisions, particularly business decisions. If a problem occurs (and there will almost always be problems with a Web product) you want your reasoning to be well founded--as opposed to offering, "Well, gee, everyone else was doing it!" as your primary defense.

Where Are The Business Requirements?
In corporations with strong internal audit functions, the Institute of Internal Auditors lays out very specific requirements for software products. These include a set of processes, dealing with threat identification and automated patch delivery, based largely on Microsoft's current practices but equally applicable to other companies.

Firefox not only lacks this capability today, it may never get it. The cost of creating and delivering an automated engine capable of matching what Microsoft provides to its business clients is far beyond the Firefox organization's scope. I can't rule out the possibility that it might someday deliver such a feature, bundled with a third-party, automated update tool--and if Firefox continues to be successful, that is probably what will happen. But I can argue that they don't have this capability right now.

A Roadmap Without Roads
With Ben Goodger, the lead architect for Firefox, moving to Google, the product's future clearly is in doubt. The Firefox team was relatively lean to begin with, and this change only makes it leaner. I understand that Google is going to let Goodger continue his work on Firefox, but his compensation will depend on what he does for Google--not what he does for Firefox. Like most people who find themselves in similar positions, Goodger will most likely spend increasing amounts of time on the work that drives his compensation package.

To avoid the same fate as Opera, Firefox must quickly reach a very high level of compatibility, even through many secure Web sites are constantly changing and adapting to the latest threats. Today, Firefox most often breaks on banking and e-commerce sites, and as the threat level increases, so will the rate of change required to address these threats. So before you can recommend Firefox, I think you have to ask yourself: Where is the product today, and more importantly, where is it going? That simply isn't happening here.

Business And Education Break Their Own Rules
Large businesses and educational institutions supposedly hold themselves to higher standards of competence. These include published guidelines specifying what can or cannot be done when deploying a product. Frankly, I'm often surprised, as are a lot of the government CIOs I talk to, that many open-source applications make it through a vetting process which was admittedly designed for traditional, proprietary products. It looks like many organizations' rules are regularly getting bent--a practice which will come back to haunt the people who bent them if something goes wrong.

Even the Gartner Group, which has a rather nasty relationship with Microsoft, recommends that clients hold off on deploying Firefox while redesigning their Web sites to be browser-agnostic. This is another suggestion most clients won't follow: For many years now, companies have designed both their internal and external sites to work only with Internet Explorer, and Firefox will probably break many of them. The cost of redesigning these sites is beyond the modest discretionary budgets of most IT departments, yet this is the funding which forms the basis for Gartner's recommendation.

Finally, you would think a browser would need to come from an enterprise-class company to pass inspection at any large business or government institution. This requirement ensures that if there is a problem (and there are always problems), a company can call upon trained support resources that are able to meet their needs and understand their unique requirements. If Firefox continues to do well, a company like IBM or HP may take the browser under its wing--so wouldn't it be wise to wait, particularly given Opera's fate, until it actually did?

The Real Browser Threat
While operating systems and email clients have a high exposure to viruses, browsers are more exposed to phishing attacks. In this regard, both Internet Explorer and Firefox do a poor job of protecting users. With Microsoft's focus and massive budget targeted at fixing this, you would think the company might get this done first. But I would also think that before you switched browsers, you'd want to make sure you switched to the platform that most effectively reduced your exposure to such risks.

There's another option to consider: Within the next few weeks, AOL will release a public beta version of a major update to the Netscape browser. The new Netscape can use both the Internet Explorer and Firefox browser engines, and it has been purposely designed to address phishing-related threats. I think the product and its approach are absolutely brilliant.

While the new Netscape browser doesn't yet address the needs of large corporations, it currently does the best job of addressing the concerns I outlined above. The Netscape update also does the best job of emulating one of Microsoft's historic strengths: It embraces and extends both Internet Explorer and Firefox, combining the core technology of both products with additional advantages neither browser currently provides.

Why waste time and energy reinventing the browser when there is no revenue associated with the job? Instead, focus on extending an existing product: Put your efforts into improving other companies' free platforms. Netscape takes just such an approach, and I'm incredibly impressed with AOL's outside-the-box thinking on this issue.

I expect we'll hear a lot about the new Netscape browser over the next several weeks. But even in this case, remember to make your own decisions and to form your own opinions. Otherwise, some future race of highly-evolved lemmings will someday tell stories about us humans--the only difference being that unlike the lemming myths, the human ones will be true.

Rob Enderle is an analyst specializing in emerging personal technologies. He heads the Enderle Group, and has been an IT analyst since 1994. He spends his free time building computers and playing with personal technology prototypes. He can be reached at [email protected].