The security community has long had a tendency to focus on the identification and repair of vulnerabilities. There have been significant public debates about the ethics of publicly discussing unpatched vulnerabilities, and coders will happily brag about their ability to have a fix ready immediately after a vulnerability is disclosed. A new study by a pair of Swiss academics and a Googler, however, suggests that much of this focus has been misdirected. They argue that the ergonomics of the end-users' update process has a far more significant effect on the adoption of secure web browsers than any discussion of the severity of a vulnerability.
The authors reached their conclusions thanks to the presence of the Google employee on their team. That got them access to the anonymized search logs for use as their base data set. Since many of these requests come from shared IP addresses and proxies, the authors combined them with a unique ID in Google's PREF setting to distinguish individual end users. Although this ignores users of other search services, three of the four browsers sampled default to using Google. The authors also realize that this probably eliminates the most security conscious of web browsers--those searching anonymously and with cookies disabled--and those with User Agent strings that identify their browsers as something other than what they are. They suspect that this is a small minority.
Ars Technica - John Timmer January 27, 2009
- Ars Techica article