Why some Firefox users choose not to update

The best way for users to stay safe online is to use an updated browser. While most Firefox users get updated quickly, some fall behind for various reasons. We’re looking for ways to increase uptake while still preserving user choice.

Ken Kovash and Eric Hergenrader surveyed users who have update-checking enabled but repeatedly chose not to update from Firefox 2 to Firefox 3. Read their posts: Why People Don’t Upgrade Their Browser – Part I and Part II. It’s great to understand why these people continue to use Firefox 2 even when it is no longer receiving security updates.

32 responses

  1. JB wrote on :

    One way I see people not updating to Firefox 3 or later is people stuck on older PCs with older OSes, like Mac OS X 10.3 Panther for example.

  2. Tyler wrote on :

    The number of people with such old computers (a mac is not a PC) is extremely low.

  3. Larry Seltzer wrote on :

    Next logical question: Why are you running OS X 10.3? No OS updates, no browser updates…

  4. Daniel Veditz wrote on :

    It looks like only 4 or 5% of Firefox 2 users at most are on an OS version that doesn’t support Firefox 3. Statistics are murky, but if that was the only reason holding people back we wouldn’t have a problem worth talking about.

  5. Rick Leir wrote on :

    People who use psi.secunia.com (free) will be more likely to update actively, so let’s promote psi. It’s an excellent tool. (I am not related to Secunia, just a user.)

  6. Terry wrote on :

    “Why are you running OS X 10.3 ?”

    Some older Macintosh laptops do not take any OS
    more advanced than OS 10.2. I have one.

    “The number of people with such old computers (a mac is not a PC) is extremely low.”

    And the number of people going broke trying to have a computer that operates for more than several years (ie does not get outdated & become electro-trash pollution, leaving the person without adequate communicating / info-accessing capability) must be extremely high. THERE MUST BE A RIGHT ESTABLISHED TO HAVE ONGOING ACCESS TO PARTS, SUPPLIES, SUPPORT, WARRANTIES, ETC, FOR OLD COMPUTERS! OR, BETTER YET, COMPUTER MANUFACTURERS MUST BE REQUIRED TO PROVIDE LOW-COST COMPUTER HARDWARE UPGRADES FOR AT LEAST A DECADE, UNDER A TRANSFERABLE WARRANTY PURCHASED AT THE TIME OF THE ORIGINAL COMPUTER PURCHASE. And then the companies must take back the old ones and recycle the “ingredients”.
    Otherwise, both electronic equipment AND PEOPLE are getting trashed!

    UNFORTUNATELY, accurate knowledge as citizens in a democracy has come to REQUIRE a home computer and knowledge in how to use it. (Libraries have limits: there are too many people trying to use too few computers for too little time each.) It has become pretty essential for everyone capable of computer-operation to have a computer AND A DECADE OF TECH SUPPORT. BECAUSE A DEMOCRACY SAYS 1 VOTE FOR 1 PERSON, RICH OR POOR OR IN-BETWEEN, THERE ARE HUGE NUMBERS OF SPECTACULARLY IGNORANT VOTERS BELIEVING INACCURATE OR INCOMPLETE INFORMATION IN THE MEDIA. So who gets elected? The result. Sometimes worthy, too often not. WE ALL SUFFER FROM AN UNINFORMED ELECTORATE. MUCH much of the most important news / information is not on the mainstream media at all.

    I hope – even believe – that we are on the verge of an end to that pattern. How? Via media that makes a practice of getting to the truth and publishing it — ON THE INTERNET.

    Time for enabling all economic levels. (Note: I do not have TV. I get better more complete info on the net.)

    I suggest you google “alternative news sites” or such, & be discriminating as to where to find what is real.


    Want to know where to get news that is established in truth, with a newsbreak every few minutes? Google “alternative news sites” or some such, & check them out. Vast range of quality & bias, and be discriminative about them AND the controlled networks.

  7. Brandon Sterne wrote on :


    I sympathize with users who have a hard time staying updated due to the high cost of new hardware and operating systems. Supporting software, however, on platforms which no longer receive security updates isn’t a good use of resources. OS X 10.2, for example, hasn’t received a security update for more than 5 years. Have you looked lately at any of the free alternative operating systems such as Linux? My primary workstation is Linux and virtually all the software I use is also free and receiving regular updates. Linux runs extremely well on old hardware, too, so it is a great option for those of us who don’t want to have to buy a new OS every couple of years.

    (I totally agree, by the way, about alternative news sites.)

  8. bournel wrote on :

    bonjour modzilla firefox,tout d’abord bravo pour avoir creer firefox et etre d’une performance considerable!j’ai firefox avec un windoxs xp familiale un acer d’origine!j’ai le firefox 3.5.2 qui fonctionne parfaitement mais le fait de rajouter des gadjet met ils les securité du firefox en danger car leurs gadjet ne sont pas tous anodins comme les players flasch,les plug ings sont t’il de nature a rendre firefox modzilla faible et capable d’etre infiltrer!!par des virus ou autre saletes,pourquoi des recommandation venant de vous les createur ne serai pas ajouter au menus firefox ce qui permettrer de mettre en garde vos fidéle utilisateurs et les conseiller sur la facon de parametrer firefox,en french serais un mieux!merci de me lire et je souhaite long vie a firefox”le petit va devenir grand!!by by

  9. Daniel Veditz wrote on :


    Please forgive me if I’m misunderstanding you, but I believe you’re raising two issues. First, you’re saying that Acer is shipping a plugin (“gadjet”?) with their laptops that may compromise the security of Firefox. The only thing I’ve seen recently is the following report
    http://www.kb.cert.org/vuls/id/485961 — that is an ActiveX security flaw which won’t affect Firefox browsing. Most hardware vendors ship extra software beyond the base operating system (unfortunately not Firefox, though). That software inevitably has bugs as all software does, and sometimes those bugs result in security problems.

    Not much to say except choose your hardware in part on the reputation of the vendor, not just price, and in particular on their reputation for quickly fixing the inevitable issues that will get discovered. And disable or uninstall any software you don’t need, especially browser plugins (or ActiveX controls in IE), and make sure you keep the rest updated regularly.

    I didn’t really understand your second point about someone (who?) objecting to adding things to the menus (adding what?). We do have a support site dedicated to helping people with configuration issues, and a lot of it is available in French: http://support.mozilla.com/fr/

    The site can also be reached from the first item on the Firefox help menu.

  10. Laura Mulvaney wrote on :

    Can’t log into capitalone.com because of security update. However capitalone security certificate does not expire until 10/15/2009. Today’s date is 9/01/2009. Their certificate is still valid.

  11. Daniel Veditz wrote on :

    @Laura please visit http://support.mozilla.com for help with your login problem. It could be failing for several reasons and they’ll be able to help figure it out.

  12. Mele wrote on :

    I just had the capitalone problem…two of them. Fx 3 said the cert was out of date but it was the bookmark that had the wrong webpage for servicing.capitalone.com. Fx3 had service.capitalone.com for the bookmark. Fx 1.5 has the correct bookmark so it did not have this problem. The strange thing is that I imported bookmarks to Fx3 from 1.5 so how did the bookmark get changed to be incorrect?

    Fx 1.5 has a different problem now at servicing.captialone.com. It logs in fine with the correct cert but on logout it says the cert issuer for http://www.capitalone.com is unknown. That’s weird for two reasons (1) the issuer is Verisign and Fx just accepted a Verisign cert when I logged onto servicing.capitalone.com and (2) http://www.capitalone.com is not a secure page so why does Fx1.5 think it is? This just started happening. I’ve used Fx 1.5 at capitalone for years with no problems until now.

    As to why I still use Fx 1.5? TBE. That is the main reason. Piro’s new little extensions for Fx3 are not very good but TBE is magnificent and is the reason I got Mozilla and Phoenix/Firebird/Firefox so very many years ago. I have Fx3 on virtual machines but Fx 1.5 remains the finest Firefox version. Fx 2 was horrible even though I got TBE working on it. Fx 2 and 3 have too many privacy problems for my taste. I have to spend so much time fixing Fx 2 and 3 so that my privacy is not grossly violated. Fx 1.5 is the last privacy conscious version and that is the second main reason I still use it on my host computer. The third main reason I remain with 1.5 is because of the horrible piece of junk that replaced the address bar in Fx 3. The attempts to mitigate the problems in 3.5 are not in any way sufficient. Until Fx allows me to have a normal, simple address bar again I will stay with 1.5.

    The only thing I wish 1.5 has that is in ver 2 and 3 is the ability to not loose text in a form field if it crashes, etc.

    I will be turning off any attempts by Fx (assuming I upgrade Fx on my virtual machines beyond 3.0) to tell me I have an outdated Flash Player or anything else. I don’t have Flash Player installed on any browser on any of my computers (as it is a huge privacy risk and security risk) but if I did I would not appreciate my browser bugging me about the version. I am perfectly capable of keeping things updated if I want them to be updated. It is not my browser’s responsibility to play nanny and nag me about things.

  13. Daniel Veditz wrote on :


    Continuing to use Firefox 1.5 is extremely dangerous. If you’re that unhappy with newer versions of Firefox please switch to some other browser you’re willing to update. Seriously. I’d rather have you safe using some other browser than end up blaming a virus infection on Firefox.

    In what way do later versions of Firefox “grossly” violate your privacy? The only change I can think of between 1.5 and 2 that comes even close to that description is the anti-phishing database updates from Google, which we worked very hard on to preserve user privacy and which can be easily turned off on top of that.

    If you don’t have Flash player then we would never tell you it’s out of date. And while an extremely small minority might have legitimate reasons for using an old version of a plugin, when 80% of our users are vulnerable to widespread active attacks we need to do something to help if we can. Hopefully that minority will have the charity to say “thanks for helping to keep my less-savvy family and friends safe” and ignore the warning without getting too worked up about it.

  14. engin wrote on :

    i love mozilla..i think its the fastest and safest.for long time , i didnt upgrade..why? because i had no problem with the old version , finally i couldnt resist pressure of mozilla warning to upgrade :S

    the most annoying when i upgrade my browser is : the change in apperance..Whatever you do in background working does not bother me , but the change in appearance (all) is really annoying for me.

  15. James Dashner Jr. wrote on :

    I’m still running Ubuntu Hardy 8.04 because it works very well with my hardware. The Firefox version hasn’t reached end of life yet, but it will be around on the desktop until April 2011. Will the Firefox 3 end of life effect Hardy if I wait till 10.04.1 LTS is released?

  16. Mele wrote on :


    I will upgrade Fx to the latest version if and when Mozilla pulls the Comodo root certs. Until then, I think the entire notion of security for Fx is laughable. You made some excellent points, and suggestions, back last Dec/Jan in the mozilla.dev.tech.crypto NG. I had high hopes that Mozilla would do the right thing even though I realize pulling the Comodo certs is a blunt weapon and would cause harm also partly since Mozilla has no way to pull a cert without issuing a new version of Mozilla, partly because of the threat of lawsuits, etc.

    Eddy Nigg has a thread in the group about Comodo’s business ethics. His post has been widely quoted on security forums. Many of us who are interested in computer security, and who spend time in security forums, are very concerned about Comodo. I have had Comodo root certs disabled in all my browsers long before I read Eddie Nigg’s post on Christmas Eve. The world has not stopped and my browsing experience has not suffered much by doing this. Although both 1.5 and 3 are buggy regarding temporary disabling of certs so I permanently disable.

    There has been more and more blog and security forum reports in the last few months regarding Comodo continuing to issue certs to known malware sites and the situation becomes more acute and intolerable every day.
    I have been waiting for Mozilla to do the right thing but I don’t think Mozilla has the courage. The entire issue of certificates in Mozilla browsers is a rotten can of worms. There has been little discussion in this area in the NG over the past several months. Did the discussion go underground or is it forgotten? Frank has never even made a comment in Bug 470897 and it is assigned to him.

  17. Rainy wrote on :

    One reason I shudder at all the updates is that they often cause problems, esp with previous settings etc….

  18. Achim wrote on :

    The developer says: “You should update to a new version to avoid security issues.” This is like cheese to catch a mouse. If you update you will get additional security issues because there are new features you do not need or are implemented deliberately in order to compromise your privacy. To make things worse, new features are enabled by default without telling you. After updating you have a very hard job to find out and understand all the new risks and how to disable them in the “about:config” list (if it is possible). An example are the super cookies supported by FF2.

    I suggest you break up this strong connexion: Fix security issues (maybe by a major new version) but enable a new feature only if the user does this explicitly while understanding that he is going into a new risk. Then the user can try new risks just when he is prepared to do so.

    I use FF taking old risks but avoiding new risks. In this way, I am not in a rat-race hurrying for the next version, with new risks, hurrying for the next version, with new risks, hurrying for the next version, with new risks, …

  19. Daniel Veditz wrote on : really?!

    It’s true that new software has new bugs that might be exploitable, but the old software has bugs that are definitely exploitable, known to be so by web criminals, actively used on the web by criminals, and even cataloged for the script kiddies (with working sample payloads) at places like milw0rm and metasploit.

    Your assertion that Mozilla has implemented anything to deliberately compromise user privacy is offensive.

  20. Daniel Veditz wrote on :

    In fact, the “awesome bar” feature that appears to have prompted many people to avoid upgrading to Firefox 3 was a deliberate attempt to _enhance_ user privacy. We found that many searches users perform are to find pages they remembered having read before. If we can find those pages for the user locally then we can save the user from giving more data about themselves to a search engine (and save them some time). We did this even knowing it costs us money when people search less.

More comments:1 2