Dear all, with research colleague Thomas Duebendorfer from Google in Zurich I've finally had a chance to look deeper into the performance of Web browser update mechanisms. The analysis of anonymized Google Web server logs allowed us to compare and rank the update strategies deployed by Google Chrome, Mozilla Firefox, Apple Safari, and Opera. We found considerable differences in the performance of the update techniques deployed by each browser by measuring the share of the latest minor version within the same major version during the first 21 days after its release. Chrome topped with 97% share after 21 days, followed by Firefox 85%, Safari 53%, and Opera 24%. However, during the first 5 days after a new release Firefox outperformed all the others. The paper discusses the findings and provides empirical data to evaluate different update strategies. Paper: Why Silent Updates Boost Security Abstract: In this paper we analyze the effectiveness of different Web browsers update mechanisms; from Google Chrome's silent update mechanism to Opera's update requiring a full re-installation. We use anonymized logs from Google's world wide distributed Web servers. An analysis of the logged HTTP user-agent strings that Web browsers report when requesting any Web page is used to measure the daily browser version shares in active use. Our measurements prove that silent updates and little dependency on the underlying operating system are most effective to get users of Web browsers to surf the Web with the latest browser version. However, there is still room for improvement as we found. Google Chrome's advantageous silent update mechanism has been open sourced in April 2009. We recommend any software vendor to seriously consider deploying silent updates as this benefits both the vendor and the user, especially for widely used attack-exposed applications like Web browsers and browser plug-ins. Authors: - Thomas Duebendorfer, Google Switzerland GmbH - Stefan Frei, Communication Systems Group, ETH Zurich, Switzerland Paper Download: http://www.techzoom.net/silent-updates Paper Blog http://blog.techzoom.net/2009/05/silent-updates-vs-loss-of-control.html Cheers Stefan Frei & Thomas Duebendorfer
