Avira Scout: Breaking some eggs

Flash and proprietary codecs

I would love to block Flash in our browser (since I believe in security being more important than convenience). That’s why the Browser will have no Flash installed. I really hope that this move won’t break an awful lot of pages. But we definitely will break some. If we start to break too many I will have to find a way to run Flash as securely as possible (other browser vendors have figured out some smart solutions for the Flash problem, but sadly none of them is perfect).

There are other proprietary codecs that cause trouble. Proprietary is just not what the internet needs. Take H.264 and the AAC codecs. They are subject to a large number of patents. All in all there are 26 companies or organizations listed as holding H.264 patents. These companies have set up the MPEG-LA, an entity representing the various patent-holders and collecting License fees for this so-called “free” technology that the patent holders want to establish as an industry standard. The same applies for AAC and MP3. Once these technologies are finally established as a standard through a wide adoption by the developers and creators, no one can prevent the collection agencies to raise the fees for the developers and creators as they wish because there will be no alternative left. We decided that we – like other developers ( e.g. Mozilla) – don´t want to be a part of this sneaking commercial monopolization of standard technology. We want to support and develop standards that are truly free because in the end it will be you – the users of music and video replay technology – who will have to pay the price through increased product prices.

Balancing the scale “Convenience vs. Security” towards Security

The first releases of the browser will therefore have Flash and proprietary codecs switched off. This will balance the scale “Convenience vs. Security” towards Security. We hope you will give us feedback if pages break for exactly that reason (there is a link for that in the Browser by the way, so please us it!). We will take baby steps towards “Convenience” and stop 1 step away from the cliff; still on the Security side.

The first few months there will be some of your most favorite pages which will break. Please notify us each and every time that happens. Then continue to use the browser. Wait for the next update and (if you can’t live without them) open these specific pages in another browser you trust in the time between.

I believe that mostly pages that display audio/video content will be affected. Not your run of the mill shopping sites and neither your banking pages which require additional security.

We will work very hard to enhance the browser and reach the proper balance.

Codec overview

Before you think that this all doesn’t sound very promising, here is a small list with an overview concerning the different codecs:

Not integrated in the browser (during the first few releases):

  • Flash
  • MP3 audio codec
  • AAC audio codec
  • H.264 video
  • MP4

Integrated into the browser:

  • Vorbis audio
  • Theora video
  • Opus audio
  • VP8 video
  • VP9 video
  • PCM 8-bit/16-bit/32-bit
  • Ogg container
  • WebM container
  • WAV container

TL;DR:
We carefully move from security towards convenience. Without ever leaving the security region.

Thorsten Sick & Daniel Wollenberg

 

Please note: This article relates to the Windows, Mac and Linux version of the Avira Scout browser.

This post is also available in: GermanFrenchItalian

I use science to protect people. My name is Thorsten Sick and I do research projects at Avira. My last project was the ITES project where I experimented with Sandboxes, Sensors and Virtual Machines. Currently I am one of the developers of the new Avira Browser