Monday, March 07, 2011

It's long past time that IE6 died

Over the last few years, your humble Devil has been working for a small web software company in Surrey. I was hired as a second-string website designer and—mainly due to the fact that I just won't shut up when I see things that need sorting out—I have swiftly moved through various jobs within the company: from second-strong designer, to Project Manager, to Head of Marketing*.

My current role, and the one that I hope to stay in, is as Product Manager. Despite the fact that I have seen the company triple in size over my three years with them, it is still a small company and, as such, I do rather more than a Product Manager in a large company would do. I put together the product roadmap, write software specifications, design the workflows, user experience (UX) and user interfaces (UI) for the products, as well as coding a good deal of the actual UIs too.

It's busy but immense fun and, usually, incredibly satisfying.

However, we are a web software company and, as such, there are a few things that are massively annoying: these can generally be defined as Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 (I am reserving judgement on IE9, since it looks to be half-way decent), and their prevalence amongst our customer base.

Of all of these, Internet Explorer 6 is the worst: its support for CSS and Javascript is pitiful and its debugging tools non-existent. What that means is that not only does it not work "properly" but it won't even give you a clue as to why. Released in 2001, IE6 for Windows had worse CSS support than (the now defunct) 5.2 for the Mac: as a browser it is slow, archaic and out-dated.

Unfortunately, for various technical reasons—mainly to do with the tight integration with Windows that led to accusations of monopoly abuse, as well as providing massive security flaws—many large organisations still use IE6 and are having a hard time weaning themselves off it.

But the simple fact is that IE6 not only prevents people like me from writing better web software: it is a massive security risk. As one writer at ZDNet put it... [Emphasis mine.]
Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. Think that judgment is too harsh? Ask the security experts at Google, Adobe, and dozens of other large corporations that are cleaning up the mess from a wave of targeted attacks that allowed source code and confidential data to fall into the hands of well-organized intruders. The entry point? According to Microsoft, it’s IE6...

This would be worrying enough: after all, there are plenty of corporations which are still using IE6—but at least you don't have to give them your sensitive information.

But, as I know from personal experience, one of the areas most resistant to upgrades is the NHS—and they do have plenty of your most personal details on file. Yes, they are behind the N3 network (which brings a whole new set of challenges to those of us working with them) but it only needs one entry point to compromise the entire system.

Many NHS organisations believe that they are supposed to be using IE6; many of them believe that the Spine applications that they need to access will not work on anything other than IE6. This is not only untrue, but these organisations are ignoring a very clear Directive—issued over a year ago by the Department of Health—to cease using IE6 and to upgrade to IE7 as a minimum.
The Department of Health has told trusts using Windows 2000 or XP to move to version 7 of Microsoft's browser.

In a technology bulletin published by the department's informatics directorate on 29 January 2010, it advised NHS trusts using Microsoft Internet Explorer 6 on either Windows 2000 or Windows XP to move to version 7 of the browser.

"We've advised NHS trusts to upgrade to IE7 as early as possible," said a spokesperson. The guidance said that IE7 works with the department's Spine applications, and provides additional security.

The notice also recommended that organisations that continue to use IE6 should apply a security update patch from Microsoft to all affected computers, or if this is not possible apply mitigation methods suggested by the vendor.

Microsoft reported a significant security problem with IE6 on 14 January which could compromise a computer's operating system, although the browser was already known to be less secure than newer versions. The new vulnerability could act as an entry point for hackers to a network, allowing sensitive information to be stolen, according to the DoH bulletin.

Some weeks ago, I raised this issue with a number of NHS organisations, and asked—given the sensitive nature of the data that they hold—why they are still using this browser. Most have said they will look into it, and that is the last that I have heard of the matter.

It is hardly surprising that government organisations—not known for their ability to keep our data safe—are still using this out-dated and flawed browser. It is bordering on the criminal that they continue to use IE6.

Now, Microsoft themselves have set up a new website—IE6 Countdown—which seeks to encourage the death of this shitty piece of software. Naturally, M$ do not put it in quite those terms—they seek to push the benefits of upgrading to the latest version of IE rather than pointing out that IE6 is crap—but the message is the same: don't use IE6, especially for security-critical systems.

Perhaps, with IE6's own manufacturers seeking to kill it, those who risk the integrity of our data every single day might pay some attention.

And then we can take some small steps towards a better web experience too...

* At the moment, we are desperately looking for friendly, enthusiastic people to fill two roles: that of a web designer/front-end developer and that of first-line tech support. Please drop me a line if you would like more details...


Xopher said...

"Please drop me a line if you would like more details..."

I'd love to have more details but I fear my confusion with the BBC Micro might prove limiting!! ;<}

Wombat of Sin said...

There are some challenges with the NHS upgrading, not least GP's computers, that I can sympathize with. Built a system that needed to use vector graphics, and was forced to use VML as the cost and effort of rolling out either an SVG or Silverlight plugin was too much.

Plus I think Lorenzo still hasn't been signed off for non-IE6 machines.

They need to look introducing a custom browser, that way they can lock down functionality and have an internal upgrade system not reliant on the main browsers. Forking Chromium (a la Iron) would be a start.

Ryan said...

IE7 is the new IE6. And Vector Graphics, NHS, Manchester. That's pretty scarily close to my current life :)

Ryan said...

IE9 has pretty good CSS3 support (it ticks the boxes at least, not used in anger). But it is missing web sockets and web workers, both very handy for complex web applications. Comet applications will still need flash hacks in IE

Shaun Pilkington said...

The MOD are sticking with IE6 until 2014 or so...

And that's meant to be the data that secures the nation! Gibber!

alan said...

I agree that using IE6 is criminal these days.

A problem is vendors use browser versions to force upgrades to newer products. Which can be costly in both upgrading and licensing. Gov departments should force vendors, as part of the initial contact, or by threatening to move suppliers, to provide upgrades/patches to existing products to support newer browsers.

The other problem is its very difficult (impossible in any sane way) for a machine to run ie6 & ie7. So if you have one major app that only supports ie6, then you have to stay with ie6 for all apps. This is a major fault of MS IE strategy. An easy fix for this is to allow other mature browsers (firefox, chrome etc), sadly too many IT depts only allow 1 browser.

If an IT department only supports IE6 today then they are incompetent. And in secure areas (mod, nhs etc) they are criminally negligent IMHO.

microdave said...

How long before we discover that the Census is being handled by computers running IE6?

Anonymous said...

hahah NHS IT is a massive fail. The problem is that most doctors are complete numpties when it comes to computers, otherwise it would have got sorted out ages ago. In one trust it takes 15 minutes to log on because they use something from novell that apparently protects the bios. but then the doctor leaves the room while it logs on and anyone can come in. Don't know what the N3 thing is but the main problem with IE6 is that it is slow. Wondering why your fracture clinic appointment is 2 hours late? About 1 of those hours is the doctor waiting for everyone's x-ray to load. I have seen a radiology department use Linux but have sat through a whole meeting watching a hapless techie trying to get red hat 9 to boot while trying not to be noticed by the rest of the room.

-med student who has earned brownie points by showing doctors how to edit tables in m$ word.

Matt said...

I'm afraid the DWP are riddled with hundreds of IE6 based apps as well. They are now looking to move to Win 7 / IE8 but they have a mammoth task ahead of them and I would think it will be at least a year before they get there, probably longer.

For those interested, one potential solution out there is the Unibrows product these guys make:

No, not

It's essentially a configurable plugin for IE8 that allows IE6 based pages to display and work correctly. The demo I saw looked pretty slick and if it truly works as intended it will be very useful for performing a phased migration from IE6 to IE8.

Apparently the guys behind the company are ex-Microsoft and have a fair degree of backing from MS. I believe it should be out of beta any time now, and they will provide demo copies for interested parties.

I'm not affiliated with them in anyway, it's just something my company has been looking at lately that I thought might be useful, especially for those dealing with more stubborn customers like the NHS.

Devil's Kitchen said...


That's really useful, thanks.

I have also been pushing Chrome Frame: all of the control over IE6+ that IT admins want, and only kicks in if the application/website is enabled for it—then the user gets the Chrome CSS/Javascript rendering engine.


Anonymous said...

Nationwide Building Society uses IE6 - and they have a load of personal data lying around

Road_Hog said...

Perhaps if the software companies produced browsers that were not bloatware and didn't constantly steal ram so that they had to be restarted frequently, then people would be happier to upgrade.

Richard said...

But then you want to write fancy webpages, so get upset if I don't have a browser that will read your fancy webpages.

I just want something that works and doesn't clog up my aging laptop.