Standards and Policies

This the place for policy and procedure creation, standards formation, that the AWG is asked to participate in. None of these policies are final or authoritative, but works in progress.

Self-Service Password Reset

Background

The IMT Cabinet, has requested a change in the way that users reset their passwords. The [current password reset policy], requires heavy interaction with the IMT Support Desk, and is inconvenient for our users. The IMT Cabinet is committed to short term improvements that will enable our long term strategy of Self-Service.

Goal: By Spring II (April) 2004, securely enable a user to self reset their password via üdeupa, after providing sufficient identification credentials electronically.

Password Reset Recomendation Requirements

Best Practices - found within the Industry, High Ed, and specifically CCCU schools
Convenience - simple and efficient process for users
Security - must mitigate risk to an acceptable level
Privacy - must ensure privacy in accordance with FERPA and other laws
Simplicity - a simple solution that can be implemented in a short timeframe without infrastructure changes

Password Reset Recommendation

Overview

In order to provide self-service, and to reduce the volume of support calls to reset forgotted passwords, the Architecture Working Group recommends the following new Password Reset Policy.

Password Reset Steps

User selects "I forgot my password" link on udeupa login page.
User prompted for for:

UID (Username)
APU ID Number
Last 4 Digits of SSN
Correct answer to 2 Challenge Questions*

Submitted data is verified against LDAP and IFAS Database
If verification succeeds, user may reset password in accordance with the password strength policy.
If verification fails, the user is told "one or more of your responses were incorrect", please try again.
After X number of failed attempts the password reset mechanism is disabled for that account, and information is logged.

Challenge Question Initiation

This process change assumes that we re-engineer the challenge question mechanism. Current free-form nature of the challenge question and answer, limits automation. Instead user would need to re-establish answers to a set of fixed challenge questions. This would need to be updated in the registration process. Already registered users will need to be force-prompted to establish answers to the questions one time upon entrance to udeupa. When prompted for a challenge question response, user will be presented with their pre-established questions.

* The user will be able to choose a minimum of two challenge questions, but can optionally choose additional for greater security. All questions chosen will be presented to the user when reseting the password, along with Username, APU ID Number, and last 4 digits of SSN.

Sample Challenge Questions

What city was I born in?
What is my mother's maiden name?
What was my favorite stuffed animal's name?
What was my favorite elementary school teacher's last name?
What was my first pet's name?

For further considerations, best practices, and details to be implemented with this new policy, see Security Concepts and the Appendix.

Security Concepts

With this project, we are primarily discussing Authentication of Identity. The primary means of verification is through the use of identifiers and shared secrets. A password is really the primary shared secret. So we are really asking for a secondary form of shared secret in case the primary is forgotten and needs to be re-established, or some other identifier.

Two forms fo secondary authentication tokens.

A unique identifier already known to the system and attached to the users identity profile.

APU ID Number
Social Security Number
Phone number or street address (weak)

A shared secret established for the purpose of establishing identity.

A fixed question, such as your mother's maiden name (overused)
A question and answer pair (like our current challenge question)
A set of fixed questions, user supplies answers

It was decided in the first AWG meeting on this topic, that the scope would not include a review of the existing password strength policy. It should be noted, however, that the development of a new shared secret (#2 above) for the purpose of establishing identity, is in essence, no different than a password. To compromise one is to compromise both.

Mitigating Risk

Identifiers

Different identifiers have different levels of inherant risk.

A social security number has quickly become the primary unique identifier for most of the worlds criminal and financial databases. It is the primary target for identity fraud, and is very hard to effectively change. However, as awareness of its importance increases, consumers generally know to protect it. Social Security Numbers are not stored in our LDAP directories making them less accessable to applications for authentication.

An APU ID Number is a university generated unique 9 digit number, similar to a social security number, for the purpose of identifying a person at APU. As its primary purpose is to be a replacement for social security numbers for privacy reasons. Recent government regulations such as FERPA, prevent the use or display of social security numbers in certain contexts. Because it is widely used on campus, printed out on paper on class rosters etc, id cards etc., is somewhat limited as a secure identifier. Psychologically, it is not as protected as a social security number. The ApuIdNumber attribute is stored in our LDAP directory and therefore accessable for wide use in identity and authentication systems.

There are other attributes in our LDAP directory that could be considered identifiers. Multiple phone numbers and addresses associated with a person are stored, and updated via udeupa. These are considered rather weak forms of identifiers, because they are often published in various circles and handed out at the discrimination of the person.

There is a lot of other information stored in our ERP system (IFAS), that could be used to confirm identity. Things such courses taken or previous grades recieved could theoretically be used to verify identity.

One way to mitigate risk with weaker identifiers, would be to ask for several, requiring a user to answer all or some percentage of them correct.

Shared Secrets

Shared secrets are generally established at point of account creation or password reset. They can take the form of fixed questions or free form question and answers.

Generally free form question and answer pairs, such as we currently employed with the Challenge Question & Answer system, are more difficult to automate the verification of because they are more difficult to remember and answer in exactly the same way at a string level.

Predefined questions, while easier to automate, are inherantly less secure because they preset a fixed set of variables. If an attacker knows which question is asked, they can seek out the answer in relation to the target. However, our experience is that persons who develop free form question and answer pairs choose questions and answers that are generally knowable. They will often use things that persons who know them, or can perform research, can determine. In these cases, a fixed set of better questions would be more secure.

Ways to mitigate risk with predefined questions is to establsh several, and then present them to the user randomly. This way the attacker doesn't know which one will be asked. With several questions some level of verification failure needs to be established. More questions means that it is less likely a user will remember every answer. With more questions however, and some level of allowed failure increases the chance of automation succeeding as the user is given a few chances with different questions.

General Considerations

Brute Force Precautions

A time pause betweeen retries should be established to prevent or at least frustrate direct crack attempts.
A lock out should occur if too many attempts fail.

User Notification

It is generally good practice to notify the user that their password has been reset. There is some question about how to notify them, because if their account is compromised such electronic messages would be intercepted. The exception is those with email that forwards to another account, or physical mail.

Auditing

Security should not just be evaluated in terms of preventing breaches, but also in how quickly and intelligently you can respond to incidents. This requires good logging and auditing mechanisms. Whatever solution is developed should log this type of password reset, differently than a normal user or administrative password change. It should include a separate time stamp for this catagory of resets as well. Since the reset will be browser based, the client IP address or other such information would be easy to implement and increase investigative capabilities.

Fall Back

It should be noted, that even though the goal of this process improvement, is to allow for self-service password resets, it is impossible to provide a system that would work 100% of the time for 100% of our users. There will be those, because of technical or other constraints who will still need to contact the support desk. Reasons besides technical scenarios, such as not having access to the internet or an already authenticated workstation, are listed below.

If a user so chooses, he or she should be able to opt out of the password reset option. Challenge questions in particular could infringe on privacy or security desires of users. If they so choose, they should be able to fall back to contacting the support desk, and providing physical or faxed ID.

Certain high level University Administrators, Staff or Faculty, whose accounts pose a greater risk if compromised, could if so desired by policy, be excluded from the password reset mechanism. The same technical mechanism created for the opt out solution previously stated, could be used to handle this feature.

Appendix

Previous Policies and Other Background information.

Current Password Reset Policy

This document lives at https://udeupa.apu.edu/about/standards/password_reset_policy/index.php

The following defines the policy relating to the process of having your password reset in the event that it is forgotten, or expired.

üdeupa password reset order of operations:

Summary:

Challenge Question

Call-Back Method

Visit Support Desk

Details:

Via üdeupa, users will create a Challenge Question and Answer. This is a free-form question and answer which the user can remember but is secret. If a user needs their password reset, they will call the IMT Support Desk who will ask them their Challenge Question along with other personal information. If the user answers the Challenge Question correctly, with the answer that they set up previously, then their password will be reset to a temporary password.

If a user does not remember the answer to their Challenge Question, a call-back method will be used to verify identity. Without the user telling the IMT staff the phone number for their current location, IMT staff will ask which of the previously entered personal contact locations the user would like to be called back at to verify identity. IMT staff will then call the person at the phone number listed in üdeupa with that location label.

If a user does not correctly answer the Challenge Question, and fails the call-back verification process, they will be required to come to the IMT Support Desk and show their APU Identification in order to reset their password to a temporary one.

Also see the Password Strength/Expiration Policy

Password Reset Best Practices

Higher Education

Internet2

Internet2 Middleware Initiative's MACE Directory Working Group produced Identifiers, Authentication, and Directories: Best Practices for Higher Education.

Some Highlights from the Authentication section

Use shared secrets or a positive photo ID to reset forgotten passwords.

Shared secrets are pieces of information that users provide when getting their initial passwords. The traditional shared secret is the user's mother's maiden name. Another approach is to have the user provide several pieces of information when first given a password, and then to require the user to provide some subset of this information (say, two items out of five) in order to change the password. Question-and-answer pairs also make good shared secrets.

Non CCCU Universities

Self Service Reset

Saginaw Valley State University - Successful usage of this screen requires the student to know their Login ID, the last four digits of their Social Security Number, the last seven digits of their Student ID (identified on "TheCard" as id #), and their date of birth.
The University of North Carolina at Greensboro offers a Self Service Password Reset, only asking for University ID, username, first, last, and birthdate.
The University of Tennessee has an interesting default password standard which includes some private info. If a password is forgotten it can be reset in some cases back to the default, or web forms are available which ask for University ID and a University Pin. Note, the password reset page is not ssl enabled.
University of Denver offers a Security Question for password resets.

Assisted Reset

Georgetown has a nice print and fax form as the only method for reset.
University of Tulsa requires physical presence with id.
University of Pittsburg requires < href="http://technology.pitt.edu/accounts/">physical presence with id.

Industry

Information Security Mag

An article Password Pain Relief in Information Security Mag, though a bit dated, discusses how several commercial Identity Management products help to establish self-service password resets.

Password-related help desk calls may cost as much as $30 a call, according to a Meta Group study.

PasswordCourier is typical of self-service reset products in enforcing an organization's strong password requirements while obligating the user to authenticate by answering customized challenge questions.

Password reset software generally lets users reset and change passwords from a browser, Windows client or telephone.

In addition to supporting authentication tools, such as tokens and biometrics-either out of the box or through an SDK-self-service reset solutions typically authenticate users through a series of challenge-response questions. These should be questions only the user is likely to answer correctly, such as the name of a childhood pet.

To ensure that challenge questions provide strong user authentication-especially if the questions are the only authentication to the reset tool-reset solutions typically allow admins to define the number and type of questions that must be answered.

Sun One Identity Management

The Sun One Identity Management Administrator Guide explains the Password Reset Service. The service uses challenge questions to authenticate users who have forgotten their password. The only intresting implementation was that the user can select which of the challenge questions to answer when setting them up the first time. This perhaps is an effective way of preventing bad answers, such as "I don't know" etc. Also, there is a feature that can be enabled to write the question as well as the answer. Lastly, they implement good security measures such as lockout.

Sample Questions listed are:

What is your pet’s name?
What is your favorite TV show?
What is your mother’s maiden name?
What is your favorite restaurant?

Web Browser Standards

Supported Browser Evaluation (Fall 2005)

Introduction

APU’s strategy of web based education relies on using a web browser as the primary delivery mechanism to access information. IMT is responsible to support applications and services that rely on web technology for faculty, students, staff and computer labs. IMT’s current web browser standards do not reflect recent industry changes, especially concerning security and platform support.

Netscape - Netscape's market share continues to decline and previously supported features – built-in email and Mac platform support – are no longer part of Netscape’s strategy and product development.
Internet Explorer on the Mac platform – Microsoft is discontinuing support of this product as of December 31, 2005, thus placing Apple Mac users as risk concerning security and support. The software will no longer be available for download, and no updates will be made available.

Two newer browsers, not currently on our supported list, represent an opportunity:

Mozilla Firefox - has become one of the most innovative browsers; its speed, features, and security have allowed it to reach 14% US market share in a short amount of time. Running the same way on both Windows and Mac OS X, it provides an excellent replacement for Netscape on both platforms.
Apple Safari - the most used browser on the Mac platform ships with every computer. It is fast, behaves in a way mac users expect, and supports web standards. It will be quite natural to formalize our support for this product.

Browser Evaluation Criteria

conducted reviews and testing

Recommendation

Based on our evaluation, we have made the following recommendations:

Replace Netscape with Mozilla Firefox on the Windows and Mac Platforms

Netscape no longer carries the benefits which made it a good browser in the past. Since outsourcing the creation of Netscape 8, AOL has dropped support for the Mac platform, dropped the messenger e-mail component that many liked, and has turned the product into a hybrid between Mozilla and IE. The idea behind the latest version was novel, to have the browser automatically choose the layout engine from Mozilla or IE depending on which web site you were visiting. However, the implementation leaves the user with a very inconsistent and confusing experience, and worse performance than using IE or Mozilla independently.

Mozilla Firefox has become an innovative and efficient browser. Firefox is written by many of the same minds behind the original Netscape and those responsible for open standards on the Internet. Its simplicity, lightweight design, and security have caused its adoption among advanced users. The rate at which it is able to patch security concerns, fix bugs, and offer new features while maintaining stability is sign of a mature product built on a flexible base. While not expected to dominate the market any time soon, it has been the only browser to make a small dent in Internet Explorer's market share since replacing Netscape. We believe Firefox will make a fine secondary browser to the default on both Windows and Mac.

Replace Internet Explorer with Safari on the Mac Platform

Internet Explorer on the Macintosh. Microsoft is completely dropping support for this product on Dec 31, 2005, and hasn't released an upgrade in two years. IE on the Mac was a completely different product from the Windows version and uses a different layout engine. Due to the tight integration of IE with Windows, proprietary extensions such as Active X were not available on the Mac version, and therefore the benefits of cross-platform were not experienced. The brand compatibility decreased further when IE on the Mac never advanced beyond IE version 5. IE 5.5 was a significant release for Windows and of course many sites now require version 6. It is not feasible nor responsible for IMT to continue supporting this product beyond the life of Microsoft's support commitment.

Safari is the current default browser shipping with Mac OS X. Apple has produced a native browser with speed as a primary goal, and natural integration with the operating system. It has improved with each release and updates are available through the operating system update feature. It has been known to set an example for adopting web standards, which is important for pages to display properly on all compliant browsers. However, some web sites have been slow to adopt these standards and don't test their pages against Safari. Firefox will serve as a more up-to-date alternative to IE for Mac users in these cases. Safari is the most used browser on the Mac platform, and it will be quite natural to formalize our support for this product.

Table 1: If approved, this would change IMT's Tier 1
supported browser application list as follows:

Current	Proposed
Windows XP:	Windows XP:
Internet Explorer	Internet Explorer
Netscape	Mozilla Firefox
Mac OS X:	Mac OS X:
Internet Explorer*	Apple Safari
Netscape*	Mozilla Firefox

* Microsoft and AOL, which owns Netscape, have both
dropped support for their products on the Mac.

Frequently Asked Questions

1. Why support two browsers on each platform?

Standards & Portfolio Approach

Though most of our research targets an objective comparison between browsers, it is also important to consider the strategic mix of supported browsers as a whole.

Embracing a mix of browsers which implement open standards, allows us a means to ensure access to the widest range of web sites and applications into the future. However, the practical truth is that many applications and web sites are currently written for specific browsers. Therefore our collective list of supported browsers strategically needs to consider our most important current applications.

Internet Explorer on Windows is essential for accessing some sites and applications. This means we need to inform users of such applications, and continue to work with application providers and web sites to move toward open standards ensuring that their applications will work on several browsers and with the Mac platform.

Some sites are not tested against Safari because of the relative market share or perhaps Mac platform availability in their organization. This makes the inclusion of Mozilla Firefox support on the Mac platform strategic, as it has now the second largest market share and runs on Windows the same way it does on the Mac platform.

By including Mozilla Firefox, we have a total supported browser count of 3, across both Mac and Windows platforms, and a fall back since we have no control over what is shipped with the platform operating system. If we were to adopt a non-cross platform alternate for the Windows or Mac platform, we would then need to support 4 different browsers, increasing the costs and knowledge needed to provide support.

2. What criteria did IMT use to perform the evaluation?

IMT's Architecture Working Group has established the following criteria deemed important going forward:

Adoption – support those browsers which are widely used, and those with a significantly increasing adoption rate
Application Future – application roadmap and health of the software company or developer community to achieve continued success
Security - browser security is a result of excellent design, quick response, and user communication
Standards Compliance - how well a web browser implements the World Wide Web Consortium (W3C) published standards and guidelines is directly related to its ability to access current and future web resources
Supportability – applications which score well in these categories are easier to support: ease of installation, ease of use, documentation availability, frequent bug fixes, support options, stability, performance, and extensibility

To see the full browser evaluation criteria visit:

http://groups.apu.edu/awg/node/148

To see the results of individual browser reviews visit:

http://groups.apu.edu/awg/node/194

3. What about major web-based applications which APU uses?

SunGard Bi-Tech IFAS Browser Support

By continuing to support Internet Explorer on Windows, and Safari on the Macintosh, we can maintain official supportability with IFAS IE-Based applications and Web-Based applications. We have tested Firefox to work with IFAS broad access true web-based solutions, such as campus online.

IFAS Applications	Windows XP SBI Official Support	Windows XP Also Works With	Mac OS X SBI Official Support	Mac OS X Also Works With
Web-Based Applications:
Campus Online (APU Online)	IE, Netscape	Firefox	Safari, Netscape	Firefox
Degree Works	IE, Netscape	Firefox	Safari, Netscape	Firefox
IE-Based Applications:*
7i Administrative	IE	*	*	*
EDI Link	IE	*	*	*

* IFAS Internet Explorer Based Applications - Because these web-delivered applications are based on Microsoft Windows proprietary technology, these will continue to only be usable with Internet Explorer on Windows. Mac users will continue to need to access these Windows applications using Citrix remote application display software.

Online APU (eCollege) - Learning Management System

IE, Netscape, Firefox, and Safari are supported. See http://online.apu.edu/index.real?action=Technical

Apolis2 Library System – III Millennium and related services

Innovative Information Systems is committed to supporting all browsers compliant with web standards. Our internally written “Offcampus Online Library Resources” service, may have one reported bug with Safari. This service will be transitioning to a new product from our vendor which should behave properly in all browsers.

Web Based Email

Outlook Web Access, is an example of an application which works with all proposed browsers included in this report, but which has greater functionality when used with Internet Explorer. When used with Internet Explorer, non w3c standard windows-based controls are used to provide richer functionality. It is hoped that future versions of Outlook Web Access will provide the same functionality in all standard browsers.

Recent advances in “Rich Internet Applications”[1], which use open standards to achieve similar results may be a target for Microsoft. AJAX (Asynchonous JavaScript and XML) behind google's mail and maps services, have caused many to reconsider the possibilities of lightweight applications that are still easy to use via a web browser. Microsoft has released a “Windows Live” service based on this technology, including a new email service with outlook type functionality.[2] Perhaps, they will do something similar for Outlook Web Access.

Other Applications

An informal survey of IMT Support Desk, Student Services, and other IMT staff was taken to determine whether there are any other broadly used web applications which are limited to a particular browser. We did not determine any major applications which would not support our proposed list of browsers. If there are any reported, IMT should produce a list to inform users of which browsers to use, as well as request that vendors adopt web standards.

1. http://en.wikipedia.org/wiki/Rich_Internet_Application

2. http://www.forbes.com/2005/11/04/microsoft-google-yahoo-mr_1104bow.xml.html

Browser Evaluation Criteria

These are the browser evaluation criteria to be used for current and future analysis. Criteria are arranged in broad categories, based on principles. Within each group is a definition of the category, and a measurable or qualitative evaluation method. These are in no particular order.

Adoption – support those browsers which are widely used, and those with a significantly increasing adoption rate
Application Future – application roadmap and health of the software company or developer community to achieve continued success
Security - browser security is a result of excellent design, quick response, and user communication
Standards Compliance - how well a web browser implements the World Wide Web Consortium (W3C) published standards and guidelines is directly related to its ability to access current and future web resources
Supportability – applications which score well in these categories are easier to support: ease of installation, ease of use, documentation availability, frequent bug fixes, support options, stability, performance, and extensibility

Adoption

Definition: Adoption is an attempt to use access log statistics to determine adopted use of a particular browser. Some refer to this as market share.

Measurable Evaluation Criteria: It is important not only to measure the current percentage use of a particular browser, as compared to others, but also the rate of change over time to determine trends. Furthermore it is necessary to attempt to find or collect statistics for different segments.

APU Users - Cougars Den Browser Stats
By generating some statistics on http access logs on APU only services such as Cougars' Den we should get a great sample for which browsers our constituents are using.

APU Employees - Outlook Web Access Browser Stats
Access log statistics for Outlook Web Access to determine which browsers are most used by faculty/staff etc.

APU Extended Community - www.apu.edu Browser Stats
Statistics on our outward facing website demonstrates browser usage by the broader APU community.

General Internet Trends - General Browser Stats
This is good to determine the market share held by each browser in general, and trends over time.

Mac Platform Specific - Mac Platform Browser Breakdown
Narrowing down browser stats on this platform is significant.

Resources:

User Agent String List - Identifying which browser has accessed a web server.

Application Future

Definition: Application roadmap and health of the software company or developer community to achieve success.

Measurable Evaluation Criteria: Relative strength of the application lifecycle, and the organization or community behind it.

Application Lifecycle - What is the application roadmap? Can the application continue to add innovative features without re-architecting it? If it needs to be re-architected, are there enough resources and interest to achieve the next leap in web standards?
Organizational Strength - While the other criteria cover current state and perhaps some trends, the overall direction and strength of the software development company or community should be a considerable factor when choosing a standard browser.
- Corporate Health - Software companies can be measured by their financial standing, and stated commitment to a product line. Their performance can also be measured by timely product releases, and the quality of their support channels.
- Open Source Health - For Open Source applications, health can be measured primariliy by its maturity. Areas of investigation include the amount of participants in the developer community, the ability of developers to organize effectively around the project, and clear leadership by the project "maintainer". Often, there is also a non-profit organization providing direction and resources. Clearly performance is best measured by the quality and timeliness of code releases, and the ability of the community to support both users and developers who would like to contribute. Some immature Open Source applications loose interest before they ever release solid, supportable code. It should be clearly noted that Open Source is not a panacea for great software applications, and each product needs to be evaluated on its own merits over time.

Security

Definition: Browser security is a result of excellent design, quick response, and user communication.

Measurable Evaluation Criteria: A browsers track record is not based on the number of exploitable bugs found, but really how quickly the vendor or support community responds with fixes. It is also important that users are informed of the need to update, and the ease of which they are able to do so. Certainly, secure design plays a part. Some browser vendors have decided to add functionality beyond published web standards for ease of use that violates secure design concepts.

Considerations:

There has been much confusion regarding browser security lately. The press seems to pounce on any announcement regarding a security flaw found in particular browsers, often blowing the risk way out of proportion. However, this is natural in a world where ecommerce flourishes. The key factor in browser security is in actually finding security flaws and then correcting them in a quick and proper manner. Excluding design considerations, each bug found and fixed, in theory, should make that browser more secure.

Obviously, if users don't actually apply security updates to their browsers, then their security is compromised. This is why its important that users are notified of security updates, and that the security updates are easy to install.

Design issues are a bit difficult to evaluate. However, there is an overriding security concept: Security will always be at odds with convenience. The key is to strike a balance between usability and lockdown. Clearly, the most dangerous browser security exploits have been caused by browsers with close ties to the operating system, because they have greater priviledges to execute code on the host.

Standards Compliance

Definition: How well a web browser implements the World Wide Web Consortium (W3C) published standards and guidelines is directly related to its ability to access current and future web resources.

Measurable Evaluation Criteria: The W3C publishes all recommendations (standards) on its web site. There are also test tools and conformance information available in a quality assurance matrix. It should also be noted that many Internet Standards published by the IETF also apply. Even with all of these validators and test suites available, it may be hard to produce overall summaries for each browser. Also a consideration is how quickly a browser is able to adopt standards as they are formalized.

Supportability

Definition: Supportability is a broad category rooted in the following philosphy: the same qualities which cause a good user experience with using and maintaining an application themselves, enable IT to provide excellent support.

Measurable Evaluation Criteria: In light of our definition, these are perhaps the qualities of any great application.

Ease of Installation - How easy is the application to download and install?
Ease of Use - Is the application intuitive adopting computer human user interface best practices?
Documentation Availability - Is their meaningful built in documentation and extended documentation available?
Frequent Bug Fixes - How quickly are annoying bugs fixed?
Support - Can advanced users and or IT receive support from the vendor or community?
Stability - How frequent do browser crashes occur on properly maintained systems?
Performance - How fast can the browser render w3c standard content pages?
Extensibility - Are commonly used plugins or add-ons available and are they easy to install?

Individual Browser Reviews

Browser Evaluation Criteria

browser usage statistics

Apple Safari

Analysis and Evaluation

Adoption

According to our Mac Platform Browser Usage statistics, Safari is the most used browser on the platform. Safari is the default browser shipped with Mac OS X (since v10.3), and the only browser bundled with Mac OS v10.4.

Application Future

Safari was released in 2003, presumably as a strategic maneuver by Apple, who had previously been shipping with a Mac version of Internet Explorer. Safari is based on the linux konqueror KHTML layout engine, and the rendering portions continue to be released by apple under open source licenses. The elements other than the rendering engine remain in a proprietary license.

The latest version, 2.0, released on April 29th, 2005, has a built in RSS and Atom reader, and reported speed improvements. It is clear that Apple is comitted to the continuing development of the browser.

Safari is currently competing with Firefox in popularity for Mac users. A poll done in February indicated that 65% of Mac users preferred Safari, but nearly a quarter used Firefox.[1]

Security

As with all other browsers, safari has had security exploits which require patching. As an apple product, security updates are released through the normal system update utility included with Mac OS X. Users with administrative priviledges on the host are notified on login when there are new updates to install. There aren't any apparent design decisions in safari that would cause it to be liable to exploit, such as direct links into the operating system or other non-standard extensions.

Safari has some privacy related features, such as "private browsing" which hides cookies and history from other users. Additionally, private browsing does not cache any of the information that is sent or received. This is especially useful for users of publicly accessible machines, or other shared-user environments. Pop up blocking is also built into safari.

Standards Compliance

Safari's layout engine Webcore, and its heritage KHTML, were designed with w3c standards compliance as a goal. The current development version of Safari at Apple is the first browser to pass the Acid2 test, which tests some of the CSS2 features, especially in the area of error handling.

However, because many web sites are not based strictly on w3c standards, users have had some trouble with certain web sites. Many sights implement javascript without testing on the safari browser. Some sites who don't test on all popular browsers, include code on their sites that prevent users from using their site if not using a short list of acceptable browsers. This recently became a problem for macintosh users attempting to access the FEMA Aid Site.[2] It is hoped that with the increase of the use of alternate browsers and platforms, that large sites would lead the way in understanding the importance of internet web standards for universal access to the information they publish.

Supportability

As safari is already installed in Mac OS X, and is updated via its general system update tool, it should be easy to support from an administrative perspective. As far as usability, it complies with the graphical interface conventions of the Mac platform and includes advanced features such a tabbed browsing. Performance was a primary design goal for safari, rendering even graphics heavy sites quickly.

Apple offers a FAQ site for safari for further support. Discussion boards are also available. Technical support via phone or email is not available at this time.

1. http://www.pcworld.com/news/article/0,aid,119832,00.asp

2. http://www.informationweek.com/story/showArticle.jhtml;?articleID=170701321

Mozilla Firefox

Analysis and Evaluation

Adoption

Our May 2005 snapshot of browser access logs for cougars' den and webmail, show that between 8-9% of our constituents use Firefox to access these services. Our extended community, accessing www.apu.edu with firefox was a bit lower at 5%.

The industry is showing a steady increase in marketshare from Firefox. WebSideStory's report through April shows firefox going from 4% to 7% in the last year, while IE, Netscape & original Mozilla decreased. [1] A report in June showed that Firefox increased its market share to 8.71%, up from 8% in May, while Internet Explorer's share shrank to 86.56% from 87.23%, according to NetApplications.com. Since the beginning of the year, Firefox has increased its market share every month between 0.5% and 1% [2]. It is expected to hit 10% marketshare soon. In certain segments such as computer professionals the usage rate is higher. A recent study published that Firefox Used By 1 Out 10 Business Professionals, and it was reported that IBM is pushing firefox in house.

Application Future

Firefox has been growing in popularity. Innovative features such as tabbed browsing, lean design, and the promise of increased security are perhaps the cause of those switching from Internet Explorer. Firefox represents a complete re-write of the historical mozilla/netscape browser, and comes 5 years after Netscape open sourced its Netscape Navigator product.

The Mozilla Foundation "exists to provide organizational, legal, and financial support for the Mozilla open-source software project. The Foundation has been incorporated as a California not-for-profit corporation to ensure that the Mozilla project continues to exist beyond the participation of individual volunteers, to enable contributions of intellectual property and funds and to provide a vehicle for limiting legal exposure while participating in open-source software projects."

Mozilla, maintains a roadmap for Firefox, with the goal of continuing to build a "best of breed" browser product for Windows, Linux and Mac OS X. Firefox's next major release, Firefox 1.5, is currently in beta, and scheduled for release in very soon. Significant improvements include: automated updates, faster browser navigation, drag and drop re-ordering of tabs, improved pop up blocking, the ability to easily clear private data, and most importantly new support for Web Standards.

Security

Firefox perhaps has not been a large target for hackers because of its low marketshare. This may be changing, since 21 vulnerabilities were noted on the last Symantic report. However, the mozilla community has been able to respond very quickly to issues as they are found, which according to our criteria, is the most important factor besides design. Architecturally, Firefox does not use VBScript, ActiveX controls or other extensions granting greater access to the host operating system.

From a user security perspective, Firefox was one of the first to have built in pop-up blocking. Another helpful awareness feature, is that when you visit a secure (SSL) site with Firefox, the URL is high-lighted in yellow to help prevent phishing attacks. Users are notified when updates are available, but the messages can easily be ignored. In the next release of Firefox (1.5), these will be much more prevalent, and allow for incremental patching. This will make it easier to release security patches without requiring full downloads of new releases.

Some security experts have noted that user-added firefox extensions could expose security problems if they are written poorly.

Standards Compliance

Firefox holds a high commitment to W3C standards, with a proven track record toward early adoption of emerging standards. It is arguably the most standards compliant browser available.[3] Firefox 1.5 will support an impressive list of open standards including SVG, CSS 2 and CSS 3(partial), and JavaScript 1.6.[4]

Also of note, are the tools available for firefox which assist with standards-based web development including: DOM Inspector, a tool which allows inspection and modification of document without having to edit the document directly; JavaScript console, a tool to write and test JavaScript code as well as view JavaScript and CSS errors on a page; View page source, with syntax highlighting and find features; Browser extensions including the Web Developer toolbar, Live HTTP Headers, HTML Validator and many more. These tools not only help with the development of web pages for rendering in firefox, but in any current or future standards compliant web browser. Perhaps this is partially why it has found such success among IT professionals.

Supportability

Firefox is easy to download and install (its under 5 Megabytes). A multitude of extensions (currently close to 700) are available, and the most commonly used plug-ins such as Macromedia Flash are available. Extensions are small add-ons that add new functionality to Firefox. They can add anything from a toolbar button to a completely new feature. The user is able to easily check for new versions of the browser and installed extensions.

In areas of performance, firefox renders pages faster than most browsers, and its load time is drastically increased from the mozilla suite and netscape products. The browser is stable, probably a result of bugs being fixed with frequent releases. In theory, some poorly written extensions not officially supported by mozilla could raise stability concerns.

Firefox is quite easy to use, and its simple uncluttered interface has caused other browsers to follow suit. Usability features such as tabbed browsing are often noted as one of the primary reasons to switch. With the 1.5 release, Firefox will have improved compliance to Human Interface Guidlines.[5] Firefox has built in illustrated help with topics such as: nagivation, searching, efficiency, preferences, controlling popups, keyboard & mouse shortcuts, a menu reference and help for Internet Explorer users.

Further support can be received from the mozilla.org community forums, knowledge base, or internet relay chat. The published frequently asked questions are geared for average users and are easy to understand. Convenient links are also available for plugins as well. Telephone support is available from a third party (InfoSpan), for $39.95 per incident. The wealth of information provided by the community, and opportunites to interact at the developer, administrator or user level, would provide more than adequate assistance should any problems arise.

It should also be noted, that because Firefox runs the same on both Windows and Mac OS X (and Linux), it is improves the supportability of the application. The support desk does not need to have a macintosh computer in front of them in order to walk someone through a step over the phone. This is a great advantage of any cross-platform application.

1. http://www.websidestory.com/products/web-analytics/datainsights/spotlight/05-10-2005.html

2. http://www.computerworld.com/softwaretopics/software/story/0,10801,103212,00.html

3. http://en.wikipedia.org/wiki/Comparison_of_web_browsers#Web_technology_support

4. http://developer.mozilla.org/en/docs/Firefox_1.5_Beta_for_Developers#Support_for_open_Web_standards

5. http://www.hcibib.org/hci-sites/GUIDELINES.html

MS IE 5 on Mac OS X

Analysis and Evaluation

Adoption

Analysis of Mac Platform Browser Usage statistics

Safari is the most used browser on the Mac platform. However, many Mac users are still using MSIE as it was installed by default. Presumably, they would not know that Microsoft had dropped support, and that security updates and such are not available. Perhaps others are using MSIE because of familiarity after making the platform switch, or because early on many sites would not render well with Safari. As MSIE is no longer included in Mac OS X releases, we can presume that the trend away from IE will continue. Those seeking alternates from Safari, would probably tend toward Firefox in the future, with the availability of MSIE going away. If anything, these results should encourage us to communicate with our community about which browsers they should be using from a security standpoint.

Application Future

Microsoft is completely dropping support for Internet Explorer on the Macintosh on Dec 31, 2005. However, as you can see from the Microsoft lifecycle chart below, they haven't released a service pack in two years.

Product Name	General Availability Date	Service Pack Support Retired
Internet Explorer 5.1 for Macintosh 5.1.7	10-Jul-2003	31-Dec-2005 See Note 13
Internet Explorer 5.2 for Macintosh	17-Sep-2002	Not Applicable
Internet Explorer 5.2 for Macintosh 5.2.3	16-Jul-2003	31-Dec-2005 See Note 13

Note 13.  Hotfix support is not available.

Source: http://support.microsoft.com/gp/lifesupsps#Macintosh_Products

You can see that the browser never made it to the 5.5 release, let alone version 6 which many websites now require.

Security

As you can see above, there have not been any new releases of IE for the Mac in 2 years. Nor have their been any security updates, as no hot fixes are being released. This factor alone should be cause for us to abandon its use.

Standards Compliance

For its time, IE 5 on the Macintosh was compliant with most of the widely used standards at that time. In fact, its is said that IE was not simply a port of the Windows version but a complete re-write, contracted to an outside company. However, it now lags quite far behind because it was abandoned by Microsoft.

One other item of note is that IE for Macintosh did not support many of the Microsoft proprietary standards which are supported on the Windows platform. Users often expected to be able to make use Active X or other Visual Basic driven applications specified to work with Internet Explorer. However, as most of these features are tied into Windows itself, they were never available on the Mac platform. This greatly reduces any benefit of using Internet Explorer for "cross-platform" compatibility reasons. It may as well have been re-branded, as it did not meet the same standards as the Windows product.

Supportability

Areas of concern here are the results of the lifecycle concern above. With no bug fixes, or new releases, there is no guarantee it will even continue to run on newer versions of Mac OS. New advances in ease of use, or even the ability to render many modern web pages will be severely lacking, if that is not already the case. Extensibility will become a problem as well, perhaps with commonly used plugins no longer being available. Ultimately, supporting this browser will be completely outside of any help from Microsoft after Dec 31, 2005.

Ultimately, IE on the Macintosh is no longer supportable.

MS IE on Windows XP

Analysis and Evaluation

Adoption

Internet Explorer (IE) has by far the largest marketshare both oncampus and off. IE makes up 80% of Cougars' Den usage, and 73% of APU Employees use IE to access Outlook Web Access. Statistics for browsers accessing www.apu.edu, show that 89.4% of of campus users use IE, and 95.5% off campus.

General browser statistics from Web Side Story, are the only marketshare stats for which we can perform a trend analysis. They show that from 6/4/04 to 4/29/05 Internet Explorer has dropped from 95.48% to 88.86%. During this same period, Mozilla Firefox has increased marketshare. However, IE will clearly remain the dominant browser for the forseable future.

Application Future

Internet Explorer is a Core of Microsoft platform strategy, and represents a significant investment. Recent changes in direction to release an update (version 7) sooner than bundled with the next version of the Windows operating system, demonstrate that Microsoft is responding to the changing market.

Internet Explorer 7 is currently available in a beta version for testing. Internet Explorer will be part of future updates for Windows XP as well as included with the release of Windows Vista (late 2006). The new version of IE promises protection against phishing, and includes an RSS feed reader. The other stress for IE7 is built in search bars, which will allow users to change their default search programs, and tabbed browsing, both features which have made Firefox popular with advanced users.

Security

Security has been problematic with IE since its inception, because its design exposes more direct access to the operating system. The number of known exploits have been greater than other browsers, however, as stated by our security criteria, the number of bugs is less important than the speed of which they are corrected. It takes Microsoft an average of 43 days to patch a security hole.[ 1] This long window unfortunately allows for malicious software authors to make available exploits. The severety of these security holes often allow for the installation of trojan horse viruses and back door or remote control software. IE security issues have lead to some unprecedented warnings for users to use other browsers, even from the CERT Coordination Center. In December 2004, Penn State told its 80K higher education users not to use Interenet Explorer. [2]

Extending beyond standards has been a problem for Microsoft Internet Explorer. Extensions like Active X, clearly outside of published W3C standards, were a convenience for application developers wanting to bring more native user interfaces to web applications. Maliciously written Visual Basic code could be written to execute malicious code on desktop systems. Microsoft has spent significant resources stepping backwards to close doors left open by this design. Windows XP Service Pack 2 is now considered essential to security on the Windows platform in general, and specifically when running Internet Explorer. Whenever a web browser is tied to the operating system, it is absolutely essential for users to keep their operating system up to date.

Microsoft already improved on earlier versions of IE with the latest service pack. Service Pack 2 stopped certain malicious scripts and pop-ups. Also, the Attachment Execution Service program shows the user file signature of any files being downloaded for greater security, and even allows you to block programs from specific publishers.

Standards Compliance

With IE 5.5 Microsoft was actually ahead of some other browsers regarding standards. Since then, however their have been complaints from web developers and users regarding the rate of adoption of W3C published standards. Since version 5, there have been no significant changes in IE's Trident rendering engine. As a result, as of 2005, IE lags behind in support for standards.

An example is the PNG graphic format, a superior replacement for GIF released in 1995, after Unisys announced that it would be enforcing software patents on the LZW data compression algorithm used in the GIF format. In all that time IE has never supported PNG's correctly, causing many web developers to be frustrated.

On the topic of APU developed web applications, it should be noted that IE requires significantly more time to debug. Javascript issues, image handling, and CSS present a resource drain, and the lack of an included javascript debugger interface (such as Mozilla browsers have) limit troubleshooting ability. For some reason, the IMT Support Desk often is required to step the user through the process of deleting cookies and clearing cache for web applications to work properly with IE. IMT web developers will continue to need to make it a priority to thoroughly test web pages in IE, especially because it is so widely used.

"Although each version of IE has improved standards support, including the introduction of a 'standards-compliant mode' in version 6, the core standards that are used to build web pages (HTML and CSS) are still implemented in an incomplete and incorrect fashion. For example, there is no support for the <abbr> element which is part of the HTML 4.01 standard, and there are bugs in the implementation of float-margins for the CSS1 standard. The Internet Explorer box model bug is one of the best-known bugs in Internet Explorer's implementation of CSS." [3]

Internet Explorer has introduced an array of proprietary extensions to many of the standards, including HTML, CSS and the DOM. This has resulted in a number of web pages that can only be viewed properly using Internet Explorer.

An updated beta 2 featuring improvements in HTML 4.01 and CSS 2.0 is expected to be released in the fourth quarter of 2005.

Supportability

From an installation and maintenance perpsective, IE is the easiest browser to support on Windows. It is installed with the operating system, and updates are handled via the Windows update utility (which actually uses IE itself). For our student population all critical updates for IE are automatically downloaded periodically via the Cisco Clean Access Agent, installed on all student machines connected to reznet.

Stability is related to the health of the operating system, which on Windows XP is much improved. Unless there is a problem with a 3rd party extension, or spyware etc., Internet Explorer is reliable. Performance of rendering pages perhaps lags a bit behind newer browsers.

Internet Explorer is easy to use, though many users are looking forward to usability enhancements that IE 7 will bring, such as a cleaner, more simple design and tabbed browsing. Common extensions and addons supporting multimedia and other formats are widely available. The only place where IE falls behind in supportability, is the rate at which problems are resolved. Bug fixes are infrequent, and additional features have been lacking for some time. Obviously, security issues play a factor in supportability as well.

Help is built into Windows, and community support forums and newsgroups are available for advanced users. Otherwise, email support is be $35 per incident.

1. http://www.computerworld.com/securitytopics/security/story/0,10801,100541,00.html

2. http://chronicle.com/free/2004/12/2004121001n.htm

3. http://en.wikipedia.org/wiki/Criticisms_of_Internet_Explorer

Netscape on Mac OS X

Analysis and Evaluation

Adoption

Analysis of Mac Platform Browser Usage statistics

Netscape is used by 3.51% of Mac users to access our University Portal. This is higher than the 1.51% of combined users of both Windows and Mac platforms. This is most likely be due to the prevalence of Internet Explorer on the Windows platform. Before Apple shipped their own web browser, Safari, Netscape was a primary alternate to Internet Explorer. Many Mac users' first web browser was Netscape, as Internet Explorer was not available till later. Now the primary alternate to Safari and Internet Explorer is Mozilla Firefox, surpassing Netscape.

Application Future

The organizational strength of AOL/TimeWarner, which owns Netscape, puts Netscape in a better position than near the close of the browser wars with Microsoft Internet Explorer. However, recent product lifecycle changes are concerning, and greatly affect the future of Netscape on the Mac platform.

Between Netscape 4.x and 6.x, Netscape Inc. decided to open source Netscape Communicator (browser and mail suite). This began the lifecycle of the "Mozilla" browser suite, which coincided with the internal name of Netscape Communicator. The goal for Netscape Inc. was to encourage innovation and development through an open source community, but continue to re-distribute Mozilla advances with a Netscape branded browser.

Netscape 6.x was released based on the Mozilla codebase. Arguably, early versions of Netscape 6.x brought some maturity and stability to the newer parts of the Mozilla codebase. Much original Netscape code was still in the product at this time. Beyond branding Netscape would bundle plugins and software such as AOL Instant Messenger. Many loyal Netscape 4.x users transitioned to Netscape 6, especially those who liked the integrated mail component. But the marketshare was still miniscule compared to Internet Explorer.

From a support perspective, Netscape 6.x and later 7.x were the same product, whether running on Windows, Macintosh, or Linux platforms. AOL recently made a dramatic change with the release of Netscape 8.0. They incorporated the trident Internet Explorer rendering engine, along with the gecko engine from Mozilla Firefox. As a result, Netscape 8.0 is not available for the Macintosh or Linux platforms.

We did not find any specific information about how long AOL will continue to support Netscape 7.x on the Macintosh platform, but obviously this lifecycle change affects the products future on this platform.

Security

Response to security issues with Netscape 6.x and 7.x, while not as quickly released as their Mozilla cousin, were made available. The product made good use of user notification messages to encourage them to upgrade to the latest version.

Without knowing the future of the now "archived" Netscape 7.x for the Mac environment, security updates would be a concern.

Standards Compliance

Standards complaince for this browser would roughly follow the analysis of Mozilla Firefox. However, we would state that the gecko rendering engine used in the Netscape Browser, would often lag far behind the release schedule for Mozilla, thus delaying corrections to existing supported standards and implementation of newer standards.

Supportability

Areas of concern here are the results of the lifecycle concern above. With the likelihood of no bug fixes, or new releases, there is no guarantee Netscape 7.x will even continue to run on newer versions of Mac OS. New advances in ease of use, or even the ability to render many modern web pages will diminish. Extensibility will become a problem as well, perhaps with commonly used plugins no longer being available. Since Netscape had been releasing new versions of the product more recently than the stale Internet Explorer, it probably could continue to be supported in the short term. However, without commitment to security updates, it would be at risk.

Ultimately, Netscape on the Macintosh will no longer be supportable.

Netscape on Windows XP

Analysis and Evaluation

Adoption

Only 1.51% of our University Portal users, representing our constituents (students/fac/staff), use Netscape. The figure is marginally higher (2.73%) for Outlook Web Access, which currently only faculty and staff have access to. This could be because we are currently pre-loading Netscape on on faculty and staff workstations and notebooks. There may also be a greater familiarity with Netscape among faculty and staff, than the younger aged student population.

Netscape represents 1.3% of accesses to our university web site (www.apu.edu). This group would consist of the extended community and general Internet users. This might imply that on-campus use of Netscape is slightly higher than off-campus.

One of the problems with the statistics gathered from apu's own web sites, is that they were recent snapshots only. General Industry Browser statistics we found are more helpful in comparing trends between the most popular browsers.

Statistics from WebSideStory show a downward trend from 2.83% to 2.23% for the 5 month period of Dec 04 to April 05. This is for Mozilla based browsers, such as Netscape, other than Firefox. Perhaps this combining of other Mozilla based web browsers with Netscape is why the percentage is higher than our own stats for www.apu.edu (1.3%). During this same period, Firefox usage rose from 4.6% to 6.75%, and IE declined from 91.80% to 88.86%. Dramatic perhaps, is that IE had 95.48% browser share in June of 04.

Trend analysis then would present the following facts. Firefox and other web browsers (Safari included) have seen increased adoption, while Netscape and Internet Explorer have seen a decrease. Firefox has taken away market share from both the original Mozilla suite, as well as Internet Explorer.

Application Future

The organizational strength of AOL, which owns Netscape, puts Netscape in a better financial position than near the close of the browser wars with Microsoft Internet Explorer. However, AOL has cut back on Netscape's browser investment, drastically reducing the size of its development team. For a while now, it appears that their investment is based on providing a unique brandable browser for their AOL customers. Perhaps that is the reason for their most recent product change.

Netscape 8.0 was released on May 19th, 2005 (during our on campus web browser standards investigation). Here is a good product summary which describes the significant design changes:

America Online launched Netscape Browser 8.0, the first major update to its flagship browser since Netscape 7.0 was released in 2002. Based on Mozilla Firefox, this latest release can render pages using either the Gecko or Internet Explorer layout engines. Other new features include Site Controls (per-site security settings), the MultiBar (a toolbar for personalised content), a new way of automatically filling in forms and a quick way of clearing private data like the browsing history. Unlike previous releases, Netscape Browser 8.0 is just a Web browser (no email application, newsgroups client or Web page editor), though it does include an integrated AOL Instant Messenger and ICQ client. As AOL laid off the Netscape browser development team in 2003, most of the programming work for version 8.0 was outsourced to Canadian firm Mercurial Communications.

Source: http://www.mozillazine.org/talkback.html?article=6662

Netscape 8.0 represents a significant shift for AOL.

Integrates Mozilla (gecko) and Internet Explorer (trident) rendering engines

Switches layout engine for each website based on predefined trust ratings, which are downloaded every hour
Includes per-site security settings to mitigate spyware etc.

Based on Firefox instead of the original Mozilla suite
No longer includes a mail client
No longer supported on Mac or Linux
Significantly different user interface

It is not clear how these changes will affect the browser's future. Will users adopt a browser that combines firefox and IE? Can it be a better firefox than firefox and a better IE than IE? Will it be able to keep up with architectural changes in firefox and the upcoming IE7? What is AOL's commitment to the product? Will they continue investing in its development if it continues to decline in popularity?

The pattern has been that Netscape 6.x and 7.x, which were based on the Open Source Mozilla browser, were less popular than Mozilla itself. It may follow, that a combined Netscape browser based on IE and Firefox, would not supercede "the real thing" either.

In any case, there is some element of risk in this product's future.

Security

Netscape 7.x has only been as secure as it has kept up with mozilla security patches. It has a good user notification system, reminding users to upgrade as fixes become available. As it doesn't extend itself into the operating system with proprietary extensions, it shouldn't suffer from security by poor design.

Netscape 8.x is unique as far as security goes. It has added several new security features including per site Trust Rating System. This is a good feature for identifying secure sites, and known malicious sites. However, its only as good as its lists of known sites, which gets updated by Netscape's Trust Partners. There is a high level of site trust controls that can be manually set as well.

What's not clear, is whether including the IE rendering engine 1) causes the browser to be vulnerable to IE exploits, or 2) adds an additional layer of complexity that could be exploited in the bridging mechanism.

Standards Compliance

Netscape 7.x would be as compliant as the latest version of the mozilla gecko rendering engine on which its based.

Netscape 8.x arguably would have the aggregate compliance of mozilla firefox and internet explorer. They specifically support both so that the most number of web pages will render properly. Basically sites on the white list, according to the trust partners, will render with the IE layout engine (trident), and all others will render with the Firefox layout engine (gecko). However, this might cause some confusion due to inconsistancies, and has already caused one problem, which was fixed in 8.0.2.

Supportability

The user interface is a radically different design, and could present a learning curve for users and support staff. It is a weighty application, with several additional components which increase memory usage over both IE and Firefox. While there is one interface for both the IE and Mozilla rendering engine, they failed to take into account that there are "in page" user interface differences depending on which rendering engine is being used. If you have used both firefox and internet explorer, think about the differences in the way that they behave. For instance, a right click brings up a context sensitive menu the contents of which are different in each browser. You could imagine all the things that would behave differently depending on which engine was being used (finding text on a page, print preview, auto-complete, even the rate and smooth-ness of scrolling). This random change of behavior simply based on which site you were visiting, would be considerably confusing to users. Apparently, there are also a few design decisions that break the expected behavior of a Windows application, (e.g.The main menu is on the right hand side).

Supporting netscape 8 could be troublesome. The fact that it can act like IE or Netscape could cause confusion when dealing with known issues at the support desk.

Browser Usage Statistics (Summer 2005)

Browser usage statistics are just one part of considering Adoption as part of our browser evaluation criteria.

The following stastics are broken down by customer group as much as is possible:

APU Users - Cougars Den Browser Stats

By generating some statistics on http access logs on APU only services such as Cougars' Den we should get a great sample for which browsers our constituents are using.

APU Employees - Outlook Web Access Browser Stats

Access log statistics for Outlook Web Access to determine which browsers are most used by faculty/staff etc.

APU Extended Community - www.apu.edu Browser Stats

Statistics on our outward facing website demonstrates browser usage by the broader APU community.

General Internet Trends - General Browser Stats

This is good to determine the market share held by each browser in general, and trends over time.

Mac Platform Specific - Mac Platform Browser Breakdown

Narrowing down browser stats on this platform is significant.

Cougars Den Browser Stats

	Browser	Hits	Visitors	% of Total Visitors
1	Internet Explorer 6.x	699,467	15,874	75.36%
2	Firefox	64,257	1,848	8.77%
3	Safari	42,010	1,316	6.25%
4	Internet Explorer 5.x	34,386	899	4.27%
5	Netscape 7.x	10,800	319	1.51%
6	Mozilla	2,534	74	0.35%
7	Others	538,177	734	3.48%
	Total	1,391,631	21,064	100.00%

	Operating System	Hits	Visitors	% of Total Visitors
1	Windows XP	696,836	15,876	78.11%
2	Mac OS	73,701	2,132	10.49%
3	Windows 2000	39,612	917	4.51%
4	Windows 98	29,634	672	3.31%
5	Windows ME	13,549	321	1.58%
6	Others	534,483	317	1.56%
7	Linux	861	28	0.14%
8	Windows NT	1,502	26	0.13%
9	Windows 95	1,115	26	0.13%
10	Windows Server 2003	338	10	0.05%
	Total	1,391,631	20,325	100.00%

Outlook Web Access Browser Stats

Outlook Web Access (APU Employees) - first two weeks in May, 2005:

	Browser	Hits	Visitors	% of Total Visitors
1	Internet Explorer 6.x	3,571,255	10,580	66.18%
2	Firefox	89,054	1,327	8.30%
3	Internet Explorer 5.x	101,154	1,071	6.70%
4	Safari	41,222	666	4.17%
5	MSRPC*	15,431	619	3.87%
6	Netscape 7.x	30,686	436	2.73%
7	Mozilla	12,102	173	1.08%
10	Others	19,076	1,115	6.97%
	Total	3,879,980	15,987	100.00%

* Represents access from Microsoft rich client applications

	Operating System	Hits	Visitors	% of Total Visitors
1	Windows XP	3,328,367	9,994	66.79%
2	Mac OS	174,450	2,218	14.82%
3	Others	183,535	1,371	9.16%
4	Windows 2000	85,514	594	3.97%
5	Windows 98	71,440	501	3.35%
6	Windows ME	28,046	185	1.24%
7	Linux	1,665	36	0.24%
8	Windows CE	3,141	31	0.21%
9	Windows 95	1,435	13	0.09%
10	MSN TV (WebTV)	786	12	0.08%
11	Windows NT	863	6	0.04%
12	Windows Server 2003	738	2	0.01%
	Total	3,879,980	14,963	100.00%

www.apu.edu Browser Stats

www.apu.edu browser stats May, 2005 (APU Extended Community)

Off Campus

Browsers	Hits	Percent
MS Internet Explorer	13614006	89.4 %
Firefox	783325	5.1 %
Safari	402464	2.6 %
Netscape	200030	1.3 %
Mozilla	138375	0.9 %
Unknown	59922	0.3 %
Opera	18179	0.1 %
WebTV browser	2816	0 %
Konqueror	1855	0 %
Camino	1682	0 %
Others	4150	0 %

On Campus

Browsers	Hits	Percent
MS Internet Explorer	14366161	95.5 %
Safari	274131	1.8 %
Firefox	203930	1.3 %
Netscape	157411	1 %
Mozilla	18638	0.1 %
Camino	3874	0 %
Firebird (Old Firefox)	2917	0 %
Opera	1846	0 %
Unknown	1182	0 %
NetNewsWire	353	0 %
Others	162	0 %

www.apu.edu operating system breakdown

Off Campus

Operating Systems	Hits	Percent
Windows	14243660	93.5 %
Macintosh	831053	5.4 %
Unknown	127505	0.8 %
Linux	19718	0.1 %
WebTV	2816	0 %
Sun Solaris	1226	0 %
FreeBSD	645	0 %
OS/2	92	0 %
Unknown Unix system	34	0 %
CPM	33	0 %
Others	22	0 %

On Campus

Operating Systems	Hits	Percent
Windows	14484709	96.3 %
Macintosh	538147	3.5 %
Linux	5988	0 %
Unknown	1626	0 %
FreeBSD	135	0 %

Statistics kindly provided by APU University Relations.

General Browser Stats

WebSideStory - latest report has firefox going from 4% to 7% in the last year, while IE, Netscape & original Mozilla decreased.

U.S. Browser Usage Share — All OS

Browser	4/29/05	2/18/05	12/3/04	6/4/04
Internet Explorer	88.86%	89.85%	91.80%	95.48%
Firefox	6.75%	5.69%	4.06%	*3.53%
Non-Firefox Netscape and Mozilla browsers	2.23%	2.47%	2.83%
Other	2.06%	1.90%	1.25%	0.95%

* WebSideStory did not track the Firefox browser separately until Oct. 2004. The June 4, 2004, figure includes all Netscape and Mozilla-based browsers, including Firefox.

Update: November 2nd, 2005, OneStat.com ( www.onestat.com ), the number one provider of real-time web analytics, today reported that Mozilla's browsers have a total global usage share of 11.51% and 14.07% in the US. Safari usage also seems to be increasing, escalating to 3.55% in the US.

The most popular browsers on the web are:

1.	Microsoft IE	85.45 %
2.	Mozilla Firefox	11.51 %
3.	Apple Safari	1.75 %
4.	Netscape	0.26 %
5.	Opera	0.77 %

The most popular browsers in the USA are:

1.	Microsoft IE	80.73 %
2.	Mozilla Firefox	14.07 %
3.	Apple Safari	3.55 %
4.	Netscape	0.76 %
5.	Opera	0.77 %

Source: http://www.onestat.com/html/aboutus_pressbox40_browser_market_firefox_growing.html

Mac Platform Browser Breakdown

Mac Platform Browser Usage Breakdown - Cougars' Den May 15-16

Browser	Hits	% of Total
Safari	625	54.78%
MSIE	407	35.67%
Firefox	52	4.56%
Netscape	40	3.51%
Other	17	1.49%
Total Mac Hits	1141	100.00%

IMT Supported Browsers

List of currently supported browsers by IMT

Windows XP

Internet Explorer
Netscape

Mac OS X

Internet Explorer
Netscape

Proposed list of IMT supported Browsers (Fall 2005)

Windows XP

Internet Explorer
Mozilla Firefox

Mac OS X

Safari
Mozilla Firefox

APU NetID Guidelines

Background

It is increasingly important that identifiers be made coherent and consistent throughout the enterprise. Many systems use different names for the primary identifier used along with a password to authenticate access to a resource (Login, Logon, Username, Name, UserID etc.). When APU started providing central authentication services, which coincided with the release of the üdeupa portal, we established "üdeupa username and password" as the name of this identifier. With the portal name change, we realize that we need a way to refer to an APU Network Account independent from a particular service. For this reason, as well a desire to adopt higher education standards, we are renaming these identifiers.

Summary

The Central Authentication Service requires an APU Network Account consisting of an APU NetID & Password to verify identity. Any system which makes use of the APU Central Authentication Service, should use "APU Network Account" to refer to the account. "APU NetID" should be used to describe the principle identifier. "APU Network Password" is used to refer to the password explicity if needed. Systems that have the capability of modifying the prompting for these identifiers, should be changed. Over time, all user documentation and communication should be updated as well. We should no longer refer to "Windows Login, or "APU Domain Login", but should use the term "APU NetID".

Change Matrix

Old Title	New Title
üdeupa Account	APU Network Account
üdeupa Username	APU NetID
üdeupa Password	APU Network Password
üdeupa Username & Password	APU NetID & Password

Use Cases

Centrally Authenticated Services:
Any service which authenticates against APU Central Authentication Services should state that the service requires an "APU Network Account. Alternately, "APU NetID" may be used to specify the credentials required for a particular service. If password is not explicity stated, APU Network Password is implied by association.
```
This service requires an APU Network Account.

or 

Anyone with an APU NetID may use this service.
```

Referring to the APU Network Credentials together:

APU NetID & Password

or

APU NetID and Password

Referring to the APU Network Credentials explicitly:
```
APU NetID
APU Network Password
```

On Login Screens:

APU NetID: ______________  Password:  ______________

or

APU NetID: ______________
 Password: ______________

Non-Centrally Authenticated Services:
Systems which do not authenticate against the APU Central Authentication Service, should refer to their credentials by the name of their system. Example:
```
IFAS Username and IFAS Password
```
Even if a system's initial username has the same value as the APU NetID, it should not continue to be referred to as APU NetID. Equivalent value is not equivalent title. For example: If a user was activating their account a new system which pre-populated usernames to match APU NetID, they could include the following instructions on first login: "Your IFAS Username is the same as your APU NetID, please select a password." Future logins however, should prompt for "IFAS Username" not "APU NetID". Once exception to this, is a service which may require an APU NetID, but not prompt for a password. Such a service, can continue to prompt for APU NetID. (current example: Link+ Library Loan Service)

Notes

The APU Central Authentication Service does not exclusively refer to our implementation of Yale's CAS, an Open Source application for web authentication. APU CAS refers to the centralized authentication services provided by IMT in order to verify identity of users of primary network resources, portal and workstation access etc. APU CAS is supported by IMT's Identity Management infrastructure, consisting of Microsoft's Active Directory and OpenLDAP.