> A fascinating set of circumstances led to Internet Explorer’s dominance in Asian markets. First, early browsers had poor support for Unicode and East Asian character sets, forcing website developers to build their own text rendering atop native code plugins (ActiveX). South Korea mandated use of a locally-developed cipher (SEED) for banking transactions, and this cipher was not implemented by browser developers… ActiveX again to the rescue. Finally, since all users were using IE, and were accustomed to installing ActiveX controls, malware started running rampant, so banks and other financial institutions started bundling “security solutions” (aka rootkits) into their ActiveX controls. Every user’s browser was a battlefield with warring native code trying to get the upper hand.
Wow. That's... a rather unconventional security architecture.
I'm Korean so I glad to see someone speaks out this.
Actually it was rather inevitable, partially because of the U.S. gov that time. The Korean gov wanted to grow e-commerce/e-banking in 1999 but the American gov did not allow to export cipher higher than 40 bits. As a result the Korean gov had to develop its own 128 bits cipher (SEED).
It was even before AES/SSL/TLS were introduced so the whole crypto stack was implemented using ActiveX.
I would say it was quite pioneer in 1999 but since then the gov don't even dare to replace the crypto policies. Now we are stuck at this in 2020.
What I think is kind of interesting is that South Korea arguably had/has the technical know-how to have built it's own domestic browser with SEED and good Hangul/Hanja language support built into it and ended up with a very siloed alternative web. As an example, I'm thinking of the ubiquity of the Hangul Word Processor over Microsoft Word (which apparently has been around for over 30 years!) which gained near ubiquity in its domestic market.
However, I think the present situation is possibly the better one as a siloed, South Korea only web, separate and distinct from the rest of the Web, would end up being a much harder one to eventually migrate to the regular global web ecosystem vs. the current problem of just getting banks to stop using SEED and moving users to modern browsers.
> As an example, I'm thinking of the ubiquity of the Hangul Word Processor over Microsoft Word (which apparently has been around for over 30 years!) which gained near ubiquity in its domestic market.
There are two major factors in the ubiquity of HWP:
1. Its use of the de facto standard format in the SK government (the de jure standard is the ODF since 2007, but its use is virtually nonexistent). This stems from the fact that it was the most viable word processor supporting Hangul the script back in 1990s.
2. Its excellent support of table-based layout. HWP is a decent word processor in comparison to MS Word, and in some cases it is even superior. Koreans used to produce lots of documents based on tables [1] and HWP's UX was specially tailored to them. MS Word lagged behind for a long time, probably because this use case is not common in English worlds.
[1] You can search for "이력서" (résumé) to see what I mean. Even a plain document tends to be styled in this way.
> I would say it was quite pioneer in 1999 but since then the gov don't even dare to replace the crypto policies. Now we are stuck at this in 2020.
AFAIK, the government removed the SEED-only policy some time ago (in the early 2010s) but it’s the price of the system infrastructure that makes them keep using the old, ActiveX based systems.
I’m personally thankful for smartphone’s to come, as the banks started to consider implementing support for other operating systems. If it wasn’t the abundance of smartphones, I believe there might have not been any non-windows/IE support. Its much better nowadays, with multiple startups in the finance space like Toss, Kakao, etc...
Don't you fear running into the trap that instead of IE/ActiveX you end up with only support for Android and IOS¹? That's not quite as bad of course, but it's still limiting in terms of software freedom.
1: Or, more probable, support for modern web browsers on any OS, but with (2FA) authentication handled through proprietary and required Android or IOS apps.
> Or, more probable, support for modern web browsers on any OS, but with (2FA) authentication handled through proprietary and required Android or IOS apps.
That’s actually a pretty accurate explanation of currently what’s happening, but it’s much better than before as macOS/Linux support is also coming too.
> That's not quite as bad of course, but it's still limiting in terms of software freedom.
I’m not the person who hates programs that aren’t open source or “free”, so for me just being able to tell my friends to use macOS or Linux is a pretty great progression.
I'm not as much bothered by the software being non-free, rather making the ownership of either an Android or IOS smartphone a requirement for digital citizenship too solve the 2FA puzzle is something that worries me.
We're moving in that direction in the Netherlands with our national citizen's accounts (DigiD: mandatory if you want to file taxes, gain access to your health care records, or handle your insurance digitally).
SSL had been available in IE since version 2 with Windows 95 it was just the high encryption pack that was export blocked and needed for higher bit ciphers until 5.5 released in 2000. I'm just guessing it was easier to do everything through ActiveX than trying to add the cipher to Windows/IE as a 3rd party.
That's amazing it's still used per policy, I never would have imagined.
Edit: clarification on which parts were blocked and internationally available.
Yes, sorry didn't mean to make that sound like the high encryption pack was available internationally I meant to point out that was the only component of the built in encryption stack export blocked. Updated the comment to clarify.
Yep. I still have a Windows machine for banking and gov websites in SK. Things got much better lately thanks to mobile apps and relaxed regulations, but I see Windows-dependency is still strong on some websites.
NaN seems to be the result of a typo in the JS. They tried to concatenate two strings, but added an extra / character, which causes the strings to be coerced to NaN.
'<table><tr><td width="40" height="40"><img src="images/35x35_information_icon.gif" /></td>' /
+ '<td width="415" height="40"> Microsoft License Advisor is optimized for Internet Explorer 7'
The javascript comments on that makes it even more hilarious:
//shoehorn a iframe to cover our select elemtns for ie6. what a crappy browser....
Clearly whoever made the page hates IE 6
If Microsoft really believes no-one needs IE, why is it still shipping it as part of Windows 10?
Specifically, why is it still shipping IE as the only browser as part of Windows 10 Enterprise LTSC, including LTSC 2019? Yes, that is the version of Windows 10 with an "extended support end date of 9 January 2029"*
Same reason they're still shipping Notepad, or the non-Powershell command interpreter: backwards compatibility with old enterprise software that hooks directly into those specific things (e.g. by targeting the mouse at specific pixels.)
Basically, think of it like: LTSC ships without a browser. If you want a browser, go install one from the App Store. What it does ship with is an ActiveX-enabled-Intranet client.
What you describe is a valid reason for Windows to continue shipping with MSHTML.dll — not a valid reason to continue shipping the actual iexplore.exe GUI executable.
You might be surprised just how much legacy software does something like spawn("iexplore.exe").
And then there are all the internal corporate web portals that are still IE-only, and probably will remain so for as long as IE is supported in any shape or form.
Microsoft should certainly make it easy for corporate deployments to re-enable iexplore.exe — but it shouldn't be available by default on your typical Windows 10 install. (It's already available to uninstall and reinstall as an "optional feature".)
Or at the very least, Explorer and the task bar should do everything in its power to hide the existence of Internet Explorer 11. It shouldn't be listed as a program anywhere by default and it shouldn't come up in search.
So do something like what they did with .NET 2.0/3.0 where it’s a feature that has to be installed? But if it detects it’s needed, asks the user to install it right then? That’s actually a good idea. Why isn’t it like this?
This is probably a good idea. It seems that so many of the IE users I deal with at work do not need IE for any reason, they are just familiar with the icon and continue to use it even if any other browser would work just as well.
Legacy software like pretty much all of GOG's installers when you click the "Download" button on one of the embedded ads that show during installation :-P
Internet Explorer has a COM API which enterprise software (or worse, weird company-specific VBA scripts) can and likely does use to drive it directly. That API launches the actual iexplore.exe GUI executable and lets your code control it and interact with web pages, much like you might do with something like Selenium these days - except that this dates back to the nineties.
From what I recall, iexplore.exe is actually only a small wrapper around mshtml.dll. A lot of software depend on mshtml.dll and related DLLs. So you might think you're not using IE, but other non-browser software you use might be using IE under the covers. If Microsoft doesn't install IE by default, these programs would not work correctly (which is why Wine also implements these DLLs).
Correct, iexplore.exe is itself a small wrapper. But that doesn't stop Microsoft from not shipping that small wrapper. Software that embeds mshtml.dll does not require the existence of the exe file.
(Or alternatively, Microsoft could put some hack into Windows so that attempts to run iexplore.exe are passed to Edge unless the administrator has twiddled with some arbitrary registry key or group policy.)
IE should just be a compatibility mode in edge so you only have one program and a button to say "this page is broken, load in legacy mode". That way everyone else in the world can stop being forced to support IE users.
Many Enterprises run critical legacy apps that depend on IE and it's ability to emulate lower versions. Many large orgs would require $100's of millions to rewrite all of them. No one will fund exercise that until the proverbial gun is point at them. 2029 sounds about right.
Many large orgs would require $100's of millions to rewrite all of them.
My org loaded Chrome on all of the machines for our internal web sites, but according to my logs, almost nobody uses it. They're just too used to clicking on the (e), I guess.
Your org should replace the (e) with a shortcut to Chrome—but with the name and icon changed to match Internet Explorer. Much easier than retraining all the monkeys.
Minimizing their support surface makes a ton of sense for a long-term release, and of course if you just choose one browser for Enterprise you're gonna choose the one people built their internal apps on for the last few decades.
I expect it's not not that MS believes no one needs IE, it's that they know they're stuck with it and would really rather not be.
Well, as someone who installed various versios of windows over the last two decades,I can say that the only purpose of IE is a gateway to Chrome or Mozilla websites.Once they get downloaded it never gets opened again.
My bank in China requires Windows + IE + a custom ActiveX control to use their Internet banking. As a result, I don't use it. One of my accounts can be used via their mobile app (if you read Chinese or have another phone to use camera translation). My business account cannot be, and I am therefore required to visit a branch along with my official chop (seal / stamp) whenever I want to make a transaction.
In every bank branch I've been to, the computers are using ancient versions of Windows and IE. That actually applies to the PSB (a branch of the police) too. I think it might be a while before they get off IE.
Yeah, I thought about it. But I don't know how I could keep the VM secure, so I might end up doing my Internet banking on a malware-infested system.
I wouldn't trust myself to keep the latest version of Windows secure, given that I haven't used Windows in over a decade, so I'm pretty sure I can't be trusted to keep XP safe. (As far as I'm aware, the "security" software that the bank's ActiveX control communicates with only runs on XP.)
> But I don't know how I could keep the VM secure,
It's simple, really.
Set up the VM. Do a snapshot. Every time you need to use the shit website, launch the VM, open the site in IE and nothing else. When you're done, shut down the VM and reset it to the known good snapshot.
Well, this assumes that it won't be compromised during an Internet banking session. Since I have a workaround (use the mobile app for personal banking, go to the bank for business stuff - which I don't need to do often) it doesn't seem worth the trouble and risk.
The bank requires their own ActiveX control and external software which the ActiveX control communicates with, both of questionable quality. Surely that's one of the more likely attack vectors you could have on a system?
> How does once check for the presence of a VM from inside the VM
for example by enumerating the connected PCI devices and looking for common VM vendors virtual devices.
>Doesn't that defeat the purpose of the VM to begin with
that depends on your use-case. If it's about separating mostly trusted applications and/or servers, then absolutely not.
If it's about investigating known-bad code, then, yes, absolutely - malware is often intentionally disabling itself when it detects it's running in a VM.
Theoretically speaking you can make a VM that is indistinguishable to a real computer. In reality most VM solutions do not attempt to do so. For example, many install specialized drivers to communicate to the host that can be readily checked.
Fifth Third Bank in the USA has check deposit software for business users which requires IE with ActiveX, .NET activation, and several security settings laxed in order to work. I've heard no mumblings of it being updated any time soon.
The paranoid part of me would suspect that they've already been taken over, and the criminals behind them are actively preventing infection from visible forms of attack so they can maintain access to a valuable resource.
I'm surprised Microsoft doesn't just revoke people's licenses to use EOLed Windows, such that they're breaking the law by staying on that version. That'd get crufty corps and orgs moving, no?
It would get them moving, but not necessarily in the direction MSFT would like. If they are forced to change OS, they might think twice about moving to yet another OS made by a company that just did the forcing in such a ruthless way.
Mind you, I would totally agree with such a decision, if MSFT decided to enforce it, but I dont think it will necessarily play out in a way that is advantageous to MSFT, hence why they haven’t done so yet.
Keep in mind, Microsoft already aren’t making any money from them. They aren’t quite “Microsoft customers” in any real sense, if they’re running WinXP and Office2007.
Those running WinXP/Office2007 are, in fact, pretty legit customers (assuming they run official registered versions of Windows and require security patches/support). MSFT even has a special payment plan for entities that refuse to update, so they charge them a hefty sum for custom security patches and support, with costs going up significantly every subsequent year.
> I'm surprised Microsoft doesn't just revoke people's licenses to use EOLed Windows, such that they're breaking the law by staying on that version. That'd get crufty corps and orgs moving, no?
I've heard it said that the official OS of mainland China is a pirated copy of Windows XP. IIRC, there are even 3rd-party vendors there that distribute security patches for it. I doubt those people will be fazed by the actions you suggest.
There was a joke that I hard from a friend at MS around the time of XP that people planning how many copies to produce for different regions would only produce one copy for China.
Because they could run nuclear reactors? Or are the only terminal to a ancient water pipe system?
There is a legal element which may allow them to do so, but it is incredible unresponsible to do so. Even the small Win10 migration process break people.
It might seem like pedantry, but generally breaching a contract is not "breaking the law". Microsoft would have to also go to the effort of trying to enforce this, and for what?
The death of IE cannot happen soon enough. Our organization only supports IE11 now, but even that is still a terrible handbrake on our dev process. So many tickets get reopened because of issues found only in IE, and it limits both the features we add to our application and the general polish/look/feel we can achieve.
The Japanese electronic tax filing system's browser support policy is to support browsers that come preinstalled with the OS, period, actual marketshare be damned. This makes them support IE, Edge and Safari, but not Chrome nor Firefox. (While some newer parts of the system do support them, most of the critical parts still do not. Additionally, since the system still only supports the EdgeHTML Edge, the Chromium Edge automatic rollout is delayed to April specifically for Japan, to avoid confusion during the February-March tax filing season.)
The only way to make them stop supporting IE is to have the OS itself stop bundling it - which, like it was mentioned elsewhere in this discussion, is probably never going to happen.
The last great version of IE that I personally used was IE 5.1 for Mac OS 9. It was - at the time - my preferred browser on the platform and really shone brightly.
As a web designer, IE - since 6 - has been the bane of my existence. It's not nearly as bad as it used to be, but it's there.
IE6 was a very good browser when it came out in 2001. People forget how the landscape looked at that time: Netscape 6 was utter garbage, Firefox was still years away and Opera was a tiny, largely unknown niche browser that did cost money and was plagued by incompatible websites which were optimized for IE.
It's just that MS ceased investing more than the absolute minimum into their browser after releasing IE 6 - it took until 2009 until a MS browser passed the Acid2 compatibility test.
I remember Adobe (then Macromedia) Flash only worked well on IE5 for Mac OS 9. Every other OS/browser combination exhibited problems, especially slower framerates and audio/video desync issues. (When Linux got its own flash player, it was the worst of the lot.) Back then, Flash was a tool by and for designers, and it was only tested well on the platform that all designers used -- Mac. Mac OS X was still too new, a lot of designers didn't trust it yet, and it would take time to update the already existing 90s code base anyway.
IE5/Mac was the best browser of the time, hands down. The only galling bug was that it stubbornly cached CSS (at least locally read CSS), so you had to always close and re-start it.
> IE9 was a fantastic, best-of-its-time browser, and I’ll forever be proud of it. But as IE9 wound down and the Windows 8 adventure began, it was already clear that its lead would not last against the Chrome juggernaut.
This is tangential, but I wonder how Chrome got so far ahead, not in market share but in features and quality, even with IE's 10+ year head start. Did Google just throw more programmers at the problem, or was there more to it? I suspect this has already been discussed to death, so pointers to previous discussions would be good.
They used WebKit for rendering and that cut down some of IE's 10+ year lead.
Also, I think they had a fairly good test infrastructure from the beginning ( I think they tested new versions of Chrome against Google's index of top million websites ). Good test infrastructure can give you compounded returns as the project goes on.
> I wonder how Chrome got so far ahead, not in market share but in features and quality
"features" and "quality" are subjective metrics. Win the marketshare and you win the mindshare. It's a big part of why the browsers wars have always been monopolistic. The best browser is always just the one "everyone uses". Even its bugs/quirks/oddities become "features" that other browsers need to support, have to "catch up" on, get encoded into standards eventually as "the way it has always been".
I love doing this. There is something freeing about having a physical copy of the code. For one, it is less daunting because you have a tactile sense of how much there is left to read and digest. But also, you can be more free to take notes in the margin in a way that doesn’t pollute and make the code even more arduous to read (as typing comments in the code would).
It would be great to see Github implement a printer friendly view on codebases for this purpose.
I have done this once before too, with a particularly hairy multi-page function from a legacy system. Spreading all the pages over a large meeting room desk allows you to view the whole code at once, instead of being constrained by the physical size of a computer monitor. And there's something hard to describe about being able to physically manipulate the code (rearranging the sheets of paper, scribbling over the code with a pencil, etc). I hope VR one day allows for that kind of experience without wasting lots of paper.
FWIW, many proof readers and editors still prefer to work in hard copy, and there are still some writers out there working on drafts longhand or on old school typewriters.
Aside from the mentioned advantages about annotations, I find that working with hard copy produces a different mindset, almost as if your brain recognises that this is still a draft and everything is subject to reconsideration. Counter-intuitively, words on a screen seem more "set in concrete".
It also seems that the brain works differently when sat in front of a humming monitor as opposed to literally anywhere else in the world which is where you can edit hard copy.
Being that "a fresh set of eyes" is often so valuable in both writing and programming, anything that can get you a fresh perspective is potentially valuable, particularly with such a low buy-in.
I understand Microsoft needs to continue supporting IE for old websites but my boss a couple days ago used the Microsoft Lifecycle Policy as a reason why we, as website developers, need to support IE11 also. I would like articles saying people shouldn't use IE to also explicity answer the question, "Should website developers support IE?"
To me the answer to that question is another question - "what market share does IE11 still have amongst our target users, how fast is it decreasing, and what's the development effort required to support it?"
We fully stopped supporting IE11. Refactoring code to use ES6 and reducing code size by 20% is proving a big win for the vast majority of customers. If any customers are still on IE11 - they can run Edge, which now that that is Edgium we have even more code size reduction we can implement to improve load time and user experience.
You can even do differential bundles if you want to go to the effort of setting it up. So IE11 users get one legacy build of your JS client, and modern browsers (with module support) get the simpler modern code.
>No. Internet Explorer will remain a supported product until its support lifecycle runs out.
which is pretty much going to be "never". IE's support lifecycle says that a version of IE is supported for as long as the version of windows it shipped with is supported.
Windows 10 shipped with IE11 and Windows 10 is going to be the last version of Windows ever released, remaining in constant support.
Companies on the other hand still force users to use IE11 and they will continue to do so while IE11 is supported (which is forever).
We will have to continue to support a browser that came out in the beginning of the last decade for at least another 10 to 15 years.
I wrote JScript and VBScript for IE 5.X and 6.0 more than 20 years ago. We used ActiveX objects to do things on the client side of intranet applications for a law firm.I wrote a docket calendar that used the date picker control for example. We could only use IE not Netscape and nothing else. Which meant it was not a cross compilable with Linux, OS/2, MacOS etc and people who used those computers where SOL. I tried to talk about JavaScript and Java to make it cross over to the other systems, but I was told it was a Microsoft Shop and we only use MS technologies.
I had to support a really old site that another developer wrote on IE just over a year ago. Luckily I am no longer at that company. Basically 99% of development and sites worked with modern browsers but one needed site required IE6 compat mode. It would have taken months to rewrite and the company didn't want to spend resources on it. At my current job we also have a lot of IBM software that seems to work best in IE although only a few people still use it at work. Doesn't seem like IE will be retiring anytime soon.
The article (and site) from this post is very good.
We would love to, but I'm sure you, like me, has a SaaS Vendor that still needs IE for a portion of their website that they just can't seem to re-write.
I know I'm in the minority on this, but I love the feel of IE, it feels like the most OS-integrated browser I've ever used. Of course, Trident was based off the same layout engine as MS Office, so that makes sense.
I still make my sites work in IE, down to IE4, and probably 1-3 too, I just haven't had a chance to test them yet.
I think that in the retro-computing world, IE will be one of the longest browsers still in use.
I don't know about IE1 and 3, but for IE2 (the one that shipped with NT4) you need at least, from what I remember:
- no name-based virtual hosting (it does HTTP 1.0 but doesn't send Host headers)
- avoid redundant whitespace (it's not collapsed)
- wrap <style> and <script> contents in <!-- and // -->, otherwise they will be visible
I've had to keep an application's webinterface IE2 compatible ("usable") for longer than I wanted to as the initial configuration (opening up ports and IP addreses) was generally done on the NT4 server in IE itself.
(Once initial setup was done, further configuration could be done remotely with a more 'modern' browser, so fortunately only a few pages needed to be usable by IEs that old)
Thanks for the info on the whitespace. I think I have a post-processing solution for that, which may work.
I will work to find an NT4 original ISO and get IE2 that way.
I've been doing the commenting thing, and found out that Mosaic treats >, not --> as the end of comment token, so I had to remove all > characters from my JS. :D
IE is still the best way to copy files in/out of SharePoint. Not to be rude, I have no idea why I would want to try Edge on Chromium or Edge for any reason. Chromium needs more competition than Firefox.
I work in healthcare, our main app runs in an embedded IE10 and this will likely _never_ change. I fully expect to need to support IE for the next 10 years.
VBScript and HTA files (HTML Applications) come to mind. HTAs were actually an interesting direction, once used them to ship a simple application (a very visual FTP upload). It was unsandboxed HTML and JS that could access all the ActiveX APIs. A bit like Electron now.
Can't image there not being a few niches out there that heavily rely (or relied) on HTAs
That's nice. I once wrote a clone of Active Directory Users & Computers (dsa.msc) as a HTA, as I was working on a contract where I was expected to design stuff for the AD, but they wouldn't let me install the AD tools...
If all you have is Notepad, and you know how to write HTAs, the world is your oyster (or something).
I must say, supporting HTA can't be that big of a task, assuming the majority of those do not rely on any ActiveX controls. I guess MS could also probably write some replacements for the most popular ActiveX controls, and license them to their customers.
Wow. That's... a rather unconventional security architecture.