How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security-related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust.
Hello? Microsoft? 99% of the stuff on the Internet is unsigned. Downloading software from DePaul University's FireFox mirror doesn't scare me.
What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".
And even if I press no, I *still* get spyware. Why? IE Sucks.
After I finally got rid of my beloved CoolSearchWeb installations, I installed FireFox for good. I've been spyware free ever since, and I download a lot of unsigned data. No IE, no spyware.
Microsoft is never going to get it.
it's against the rules when Microsoft starts flaming back!
Theory of flight?! I'll teach you the theory of fist!!
what about md5 sums? have the install do a checksum of itself?
This sig is definitive. Reality is frequently inaccurate.
A better question is, how can we trust anything from Microsoft. Without the source code, who knows what their software is doing behind the scenes.
Simply put, no.
What surprised me most about this article is that it's a blog posting where the guy asks a simple question: Why has Firefox not purchased a VeriSign code signing certificate? Why did the poster not take the time to state this very simple sentence?
Well, regardless of the empty implications, the blog posting is not really that exciting. It is really an attempt for this guy to validate his existence as a guy who thinks about security stuff. His job is to say signing software is the only way to really be safe and this is exactly the kind of thing that makes sense when you hear it in a business meeting.
Great, I just want two things from both parties. From the poster: I want an uneditorialized explanation digest linking to a story, and from the Microsoft security expert I want actual statistics and case studies on the importance of code signing.
Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate.
Well, they managed to raise the cash for the NYT article, then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NYT article (I couldn't find the exact figure though).
So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.
Tools > Extensions > Choose extension and UNINSTALL. And I don't know anyone who ever stopped installing something they downloaded because it wasn't signed. Perhaps if 99% of Windows users weren't running as admin, this wouldn't be a problem?
I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.
Heh, I know someone who happens to work for a spyware company. The company has a Verisign cert and signs their software with it. Gee, that was hard!
Signed buggy insecure crap, or unsigned open source? Hmmmmmmm - let me think on that....
--- Asking inconvenient questions for over 30 years...
Why not read the source code and compile it yourself????
Can you trust Anonymous Coward
Anyways, anyone notice he was using 7-zip.. Seems to me he's just ranting and likes microsoft too much that he is blinded.
Have you never heard of PGP signatures (Windows, Linux, Mac) or hashes (SHA1, MD5) you cocksucking M$ whore?!
Well the whole premise of the article seems that the UI (dialogboxes, etc) is not very streamlined.
Everybody knows that open source tools do not have jazzy UI as MS tools may, simply because there are no 60K per year full-time UI designers.
MS products may be better in this regard, but its like saying that since my steering wheel's heavy and my back view mirror's fogged up, my ferrari is fucked up.
Most, when presented with MS code being signed and the other choice of having a secure product unsigned, choose the latter..
Maybe MS should try actually spending more hours on fixing the MSIE corrupted SpyGlass code they have instead of pretty code signing smoke screens..
MS has $40 Billion to fix these problems..instead they spend more money on bad PR instead..
Give a finger to Bill today.. DOWNLOAD FIREFOX AND DO NOT LOOK BACK
Don't Tread on OpenSource
Seen any of these errors? I've installed Firefox on several pc's with no problems at all.
I also noticed this comment:
"and not caring if my Virtual PC image dies a horrible death"
(emphasis added)
Could this person be having a virtual pc problem?
Was it me or am I just confused, didn't Netscape run a big campaign similar to the one Microsoft is running now? I can't really remember; I wasn't old enough to really understand what was going on. According to the trends Mozilla is gaining huge ground. Hopefully IE will follow what NN did.
I open and use IE for 5 minutes and I get bent over and have spyware up the ass with no lube or I use Firefox and worry about a mirror... hmm... that's a tough one.
sure says a lot for IE security, doesn't it?
WTF? How can they even DEFEND IE given its horrible track record? FireFox is by no means perfect (and I'm sure it's got a number of flaws of its own), but how can any pro-Microsoft drone complain about the security of another browser when their own beloved browser has a plethora of problems?
Something reminds me of a certain biblical "speck/plank in the eye" phrase.
he moderates every single post to the blog - no wonder there are only microsoft lovers' comments
..trust software created by the biggest monopolist in the history of humankind who has been known to booby trap their operating system against other developers INCLUDING Netscape (who happens to be the developer in question), OR trust an organization that was cheated, destroyed, and screwed over by said monopolist and who has since created a browser MUCH MORE secure than Internet Explorer. If you need to spend more time than it takes to read this post, you need some serious cranial evaluation.
How can I trust Microsoft?
Even if I get a secure dl of Exploder, the company has always done what is best for its interests, with little regard for mine.
doesn't mean it's good for you. I recall seeing prompts to install "Web Gator" software and other such junk, all of which were signed by somebody. Despite the fancy certificate though, it was still crapware.
"And now, Frank N. Furter, your time has come. Say 'goodbye' to all of this, and 'hello'... to oblivion!"
I love the blank dialog box. It's just as, if not more informative, than some of the MS dialogs that appear on a Windows machine. Seriously though, most of the issues around IE etc do not stem from the download source, it's the holes that are in program to start with. That's why I don't trust IE.
Some spywares are also signed with Verisign... Gator, Bonzibuddy, etc.
What's the point?
1) Make browser
2) Write article on why other browsers suck
3) ???
4) Profit
One approach might be to have users download a small installer from "firefox.org" (only!) which then verifies the downloaded file (which can come from anywhere). The download site on "firefox.org" should have an SSL certificate good enough for code signing.
If for no other reason, we use Firefox because it is new and holds the promise of a better experience. Too many of us have lived through Windows 95, 98 and ME's constant crashes, penchant for attracting virii and ease of spyware takeovers. Microsoft has never given us a reason to trust them in any way, shape, or form. After paying my hard earned cash to MS for buggy software, I'd trust a room full of monkeys to code a better web browser. Sorry, Microsoft, but history has doomed you and it's too late now.
Of Course he can't trust Firefox, its trying to take his job away. Does a Ford Engineer trust Chevy trucks? Well maybe, but you sure as hell won't see a Ford engineer driving one...
I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all
He sure has a lot to say about something he doesn't care about.
He does suggest that Microsoft code signing technology somehow controls adware and spyware. Sadly, it doesn't seem to work yet, given that my brother-in-law's rather new XP laptop was loaded with the crap.
I download the software again (this time coming from -- I kid you not! -- a numeric IP address [...]
As opposed to what? A graphical IP address? A string IP address? A musical IP address?
I hope this kind of remark does not reflect the technical skills (or lack thereof) of the author, although the content of the lame flamish post seems to lead us to the same conclusion.
theefer
No.
shouldn't people at Microsoft be more concerned with securing their own product and making it a better program rather than just spreading the usual FUD?
Surely by now even the common-folk are tiring of this rhetoric.
The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
Yes.
Any more questions? No? Good.
--
Make way Evil! I'm armed to the teeth and packing a hamster!
Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."
I suppose the fact that the link is a mirror posted on getfirefox.com would make most people trusting of it. Then again, I guess we should never trust downloading anything from any organizations that can't afford the massive webspace and bandwidth to allow millions of downloads of a browser.
Only huge conglomerates like Microsoft which can afford to do that have trustworthy software. I mean, the download is coming from Microsoft.com! And that's who wrote it! How much more secure can you get?!
Paying for a commercial entity to "code sign" your software seems much to me like trying to buy someone's trust. IMHO, trust can't really ever be bought. It's something earned.
How can I trust FireFox? Basically, I only trust it because other people who came before me reported back on their success with it, and in my own trials, it has done well for me. (The fact that the source code is available for open examination is a comforting factor too, of course.)
Ultimately, I think almost all of us choose the software applications we run based on how satisfied we are with the results they give us. The fact that a package is "signed" or "unsigned" has very little bearing on my confidence in using a particular program.
Because, hell, did you think Firefox was a non-profit organization or something? Sheesh, naive slashdotters!
Open Source was designed, like the internet protocols, for people who trust each other - the developers of shrink-wrap executables need to learn to think paranoid when they deal in user binaries.
Don't make the same errors again - if the designers of SMTP had thought about the users rather than the implementers, they would have built signature/encryption/sender authentication straight into the protocol and prevented the spam issue from ever arising.
This is not a signature.
That would mean that every piece of software not signed would be bad. The logical definition of necessary is not "provides some evidence", but is a strict conditional. In other words software can be trusted only if it is signed. This is obviously false, there are clearly ways one can trust a piece of software without requiring a digital signature.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
He says himself he's running it in Virtual PC. An emulator. Emulators can cause strange bugs. And only a small number of people actually run XP SP2. Half of the computers in the US are still 98 or below, and only a small portion of the other half have been upgraded to/came with SP2. So the vast majority of users won't see the signature message. Should Firefox get a signature? I don't see how it could hurt, and it would help for situations like this.
Mr. Torr uses IE to download Firefox in his blog article. Why am I not surprised that IE has difficulties downloading Firefox? Next thing we know, an internal Microsoft memo will surface recommending that MS "cut off Firefox's air supply."
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
I don't know anyone that trusts Verisign. You'd think a security company would practice legitimate business, who would have guessed?
Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.
These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
"Do I really trust a bunch of kids at some random university I've never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!"
So we're supposed to stop downloading programs like this because they didn't pay $400 to release a FREE alternative.
Go ahead and call me unreliable; reliable is just a synonym for predictable.
Personally I trust MD5 hashes more than certificates... certificates give me an impression of false security... after all, anybody can buy a certificate - or did I miss something?
"Yeah sure, our boat is on fire, sinking and leaking radioactive waste
But look at their boat...
it's got a dent in its hull
also, why spend time trying to break into one car that has its windows rolled up..
when its sitting in a parking lot full of cars with their windows down and keys in the ignition
"If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate."
He states.
What about expired certificates or certificates given out in error?
It has happened before.
http://amug.org/~glguerin/opinion/revocation.html
http://news.zdnet.co.uk/internet/security/0,39020375,39118994,00.htm
This Gentleman's story starts off on a bad foot initially and just stumbles along.
Looks like the ad, sponsored by the Firefox group, stirred up the great MS Blog Machine, and MS is doing some damage control. Not to mention this is on the heels of the MSN Search tool, AP story debacle where Firefox was shown being used instead of IE.
My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
Type "1" in Google and hit I'm feeling lucky. Hint: It's not the IE page. Please don't mod me off topic.
.. I use Firefox is not because of the security aspects. Quite honestly the security provided by both browsers is quite adequate for normal users. No-one is secure from their own stupidity.
The real reason is the features. Take tabbed browsing for instance. Just that One feature is good enough for me to keep using firefox.
The real security issue is not so much the browser as it is the thing it runs on... Windoze!!
Gen too.
A couple of years ago there was a security advisory from Microsoft regarding some vulnerability related to their certificates. Can't remember the details, but the solution presented in their bulletin was to remove Microsoft as a trusted signer.
(from the article) First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/. Funny when I went to http://windows.com I got redirected to the real page at http://www.microsoft.com/windows/default.mspx
na!
The article makes perfect sense and the issues are legitimate. The thing is, they are generic issues in the PC world we live in today. They aren't any better if you use Microsoft software.
The average user is placed in situations, probably several times a week, where in theory he is voluntarily authorizing something but in practice has virtually no way to know whether it is safe to click OK or not.
Today's software is constantly giving you scary warnings about things that are perfectly OK, while constantly encouraging you to OK things which are not at all in your best interests to OK.
My favorites are all the Microsoft uninstalls which ask me whether I want to delete QQXXZZ.DLL, without telling me what QQXXZZ.DLL is or what it does or what other applications might be using it. (In fact, it seems to expect me to know that. Hey, the OS might be in a position to know whether some other application uses that DLL, but I certainly am not. And my wife, of course, doesn't even know what a DLL is...)
(Now, about that pageful of medium-gray type on a light-gray background that's on the back of the car rental agreement you are presented with, in the airport, with a line of irritable people behind you...)
"How to Do Nothing," kids activities, back in print!
Ok.. so based on what this guy has to say, anyone using Linux can't trust their browser. Even though all the Linux browsers are all installed etc pretty much the same way.
Why doesn't he just run it natively. Firefox is cross-platform.
Have you metamoderated recently?
Maybe he should switch to a Linux distribution with a good package manager that checks the hash of the file after download. Oh yeah, and he's never heard of DePaul, the largest Catholic University in America. Don't trust those christians!!!!
Um... Isn't this basically a new version of the tired old argument that made Verisign rich even as Netscape tanked because Netscape and IE popped up dire (and largely useless) warnings if an https site didn't have a signed certificate?
Code signing might make gobs of money for the signing authority, but it doesn't do anyone else a heck of a lot of good, least of all the developers who volunteer their time to make something good and don't want to be hassled.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
The idiot makes at least one valid point, verifying sources. This could prove to be a weakness later on.
Now I've always just used the main FTP, but with wider distribution and extension usage, it is a valid concern.
There's a couple solutions:
1. Make all certified extensions come from a Mozilla controlled domain (mozdev, getfirefox, mainstay ftp).
2. Instead of "code signing" or some other shit, let's make EXTENSIVE use of MD5 sums or a simple CRC. The biggest obstacle to this is public education and teaching people who just figured out there's something besides IE, how to use an MD5 or verify their file.
Basically, we need a "shorthand" MD5, something a person can look at and possibly remember. Get that long string down into something quick and meaningful, or at least comparable at a glance.
Maybe a symbol? Or a series of short words? The whole signed idea in Firefox is good, but it needs to be greatly expanded, as I am starting to see malicious websites try and install stuff through Firefox and extensions now.
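The two proposals in this thread, a small verifier fetched only from the canonical site that checks a file downloaded from any mirror, and a "shorthand" fingerprint a person can compare at a glance, as an added example (not Mozilla's code or anything from the thread). It uses SHA-256 rather than MD5, since MD5 is no longer collision-resistant; the manifest layout, the 32-word list and the sample installer bytes are constructed for the demo.

```python
"""Verify a mirror download against a digest published by a trusted origin,
and render a short word fingerprint for at-a-glance comparison.

Added example, not Mozilla/Firefox project code. The manifest format, the
word list and the sample installer bytes are constructed for this demo."""
import hashlib
import hmac
from typing import Iterable, Tuple

# Constructed: a stand-in for the installer bytes served by an arbitrary mirror.
SAMPLE_INSTALLER = b"Firefox Setup 1.0 -- constructed stand-in, not the real binary\n" * 128

# Constructed 32-word list (5 bits per word); any fixed, agreed-upon list works.
WORDS = (
    "apple banana cherry dragon eagle falcon garden harbor island jungle "
    "kettle lemon mango needle orange pepper quartz rabbit saddle tiger "
    "umbrella violet walnut xenon yellow zebra anchor bridge candle dolphin "
    "engine forest"
).split()
assert len(WORDS) == 32

CHUNK = 64 * 1024


def chunked(data: bytes, size: int = CHUNK) -> Iterable[bytes]:
    """Yield fixed-size slices so a large installer is never hashed in one buffer."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def sha256_hex(chunks: Iterable[bytes]) -> str:
    """Stream SHA-256 over the chunks and return the lowercase hex digest."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def word_fingerprint(hex_digest: str, n_words: int = 6) -> str:
    """Map the leading 5*n_words bits of a digest onto words from WORDS.

    This is a screening aid only: 30 bits are far too few to be collision
    resistant, so the full hex digest stays the authoritative value.
    """
    bits = int(hex_digest, 16)
    total_bits = len(hex_digest) * 4
    out = []
    for i in range(n_words):
        shift = total_bits - 5 * (i + 1)   # take 5 bits at a time from the top
        out.append(WORDS[(bits >> shift) & 0x1F])
    return " ".join(out)


def make_manifest(files: dict) -> dict:
    """Publisher side (trusted origin): record the digest of each release file."""
    return {name: sha256_hex(chunked(data)) for name, data in files.items()}


def verify_download(name: str, data: bytes, manifest: dict) -> Tuple[bool, str, str]:
    """Client side: check a mirror's copy against the manifest from the trusted origin.

    Returns (ok, actual_digest, fingerprint). The digests are compared with a
    constant-time compare; an unknown file name fails closed.
    """
    expected = manifest.get(name)
    actual = sha256_hex(chunked(data))
    ok = expected is not None and hmac.compare_digest(actual, expected)
    return ok, actual, word_fingerprint(actual)


if __name__ == "__main__":
    manifest = make_manifest({"Firefox Setup 1.0.exe": SAMPLE_INSTALLER})
    ok, digest, fp = verify_download("Firefox Setup 1.0.exe", SAMPLE_INSTALLER, manifest)
    print("mirror copy ok:", ok, "\n", digest, "\n", fp)
    tampered = SAMPLE_INSTALLER[:-1] + b"!"   # one byte changed in transit
    print("tampered copy ok:", verify_download("Firefox Setup 1.0.exe", tampered, manifest)[0])
```

The word fingerprint is what a download page could print beside the file for a quick visual check; the hex digest is what the verifier actually compares.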
Others choose to deal with you, and I respect that. Others view you as a fine organization, and I accept that. But understand that some of us will have nothing to do with you. Ever. If I have to get off the Internet rather than use Microsoft software, I will exit the Internet. If I have to give up computers rather than use Microsoft software, I will give up computers. This is a principle, and it will not change. So give up trying to change our minds. Nothing you say carries any weight with us unless the words are your admission of guilt over past thuggish ways and a promise (backed by verifiable deeds) to be better in the future.
Until then, drop dead.
So first of all why is he running Virtual PC, I always thought that was an emulation program for Macs. Also why is he using 7-Zip. XP's built in Zip software should be *fine*. :)
Sir,
Trust is not a universal concept. Some discretion is required. If you do not trust Firefox, that is your choice. You are not willing, in your mind, to take a risk. Personally, I do not trust Microsoft. Despite years of press releases and keynote speeches promoting security as 'Job 1' I have lost all trust in them.
Personally, I see little value in a so called 'signed application'. If I visit my bank, I want to see a 'padlock' icon so that I know the data is not being 'sniffed' en route. Other than that, the certificate is not important to me. But that is the level of trust I am comfortable with. My concept of trust includes the concept of established relationship and earned respect. The value of Microsoft signing something doesn't mean anything to me. They are not trustworthy. After using Firefox for several versions, getting a feel for the neighborhood, I trust it.
I understand that websites use mirrors -- that's normal and doesn't normally raise a red flag. I can verify a file's contents with an MD5 checksum if I need to.
Each user has to establish their own level of trust and should not blindly rely on a certificate to tell them if they trust someone/something.
You ask 'How Can I Trust Firefox'? Well you can't blindly. You have to take a risk. I can only tell you that it works fine for me. Regular backups and common sense go a long way.
There is another reason however--Trust is not as important with Firefox as it is with Microsoft IE. The engineers of IE decided to integrate IE into the operating system with Active Desktop, ActiveX, etc. These made IE much more vulnerable. Firefox doesn't do this. It just tries to be a web browser - not a remote code execution environment.
Have to mention that while he seems happy to complain about having to download Firefox from a "random web server," he has no problem with believing a random site found by Google. "According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content." Also, personally, if I click a link to download something or install an extension, I do want to do that, so accepting by default seems to make more sense. As long as downloads aren't accepted and downloaded by default, it seems to work.
From the "How can I trust Firefox" article: "Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous."
So let's do a dig on download.microsoft.com...
download.microsoft.com. 3600 IN CNAME download.microsoft.com.nsatc.net.
download.microsoft.com.nsatc.net. 300 IN CNAME download.microsoft.com.c.footprint.net.
download.microsoft.com.c.footprint.net. 230 IN A 63.210.62.190
download.microsoft.com.c.footprint.net. 230 IN A 166.90.248.221
download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.30
download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.187
download.microsoft.com.c.footprint.net. 230 IN A 206.24.192.252
download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.221
download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.222
download.microsoft.com.c.footprint.net. 230 IN A 208.172.128.251
download.microsoft.com.c.footprint.net. 230 IN A 4.78.214.61
download.microsoft.com.c.footprint.net. 230 IN A 4.79.74.61
So I went to download.microsoft.com and I ended up at download.microsoft.com.c.footprint.net. I don't have any idea where that place is, and it sure makes me nervous.
Digital signing of code means NOTHING to most end users. Vendors I trust? Why should ANYTHING be installing if I don't want it to? If I want it to, I trust it enough to install it.
It comes down to this. IE is spyware and popup hell. FireFox isn't; and has tabs to boot. It's that simple.
Personally I don't care if FireFox is "signed". I only download FireFox from a link on their website. I trust FireFox's site to only link to reasonably responsible places to download from. That's all the trust most people care about. Matter of fact, all those "do you trust this vendor" dialog boxes are useless. People will always click yes because they want the software installed.
-Pete
Soccer Goal Plans
The screenshot of the "empty" message box was obviously photoshopped.. If you look carefully at where the program icon should be, you can see it looks a little lighter than the rest of the bar. And zooming in at 8x with Paint, you can see the titlebar has been filled in with the same pattern of color, which doesn't even blend in with the rest of the titlebar.
That said, he does have a reasonable point about the NYT ad. While the ad did not mention IE by name, it was pretty obviously targeted at IE users...not so much Opera or Mozilla users who already realize there are better options than IE. It's a safe assumption the target audience is going to use IE to download Firefox if the ad is successful, and that means they're going to see some random variation on the experience this guy went through. And if his experience really was typical, well, I think he's also correct about the number of users who will stop at the "OMIGODWHYDIDYOUSTRAYFROMMICROSOFTYOUMIGHTBEDOWNLOADINGAVIRUS" dialog. It's just the same problem that OS projects trying to pull users away from M$ monopoly products have to face: assume the users you're trying to attract will compare everything to the M$ product. OO.org faces the exact same problem having to bend over backwards to make themselves Word compatible when it's Microsoft not sharing their file specs that makes compatibility difficult. If OpenOffice.org already had a reasonable market share, they wouldn't have to care about Word compatibility.
From the article:
...
...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
Installing Firefox requires downloading an unsigned binary from a random web server
Installing unsigned extensions is the default action in the Extensions dialog
There is no way to check the signature on downloaded program files
There is no obvious way to turn off plug-ins once they are installed
There is an easy way to bypass the "This might be a virus" dialog
Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefore a successful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?
Does anyone recall that guy who thought that Firefox was crap? He worked for the Australian part of Microsoft. Although he admitted to not even installing the program? Anyway, this guy is claiming that the default install of IE blocks unsigned Active X code. So, we can conclude that people who make this are paying for code signing and Verisign isn't looking at it, or people are forging signatures. Apparently the IE camp really does have thumb-up-ass syndrome.
Silence is golden... and duct tape is silver.
While it is somewhat problematic for individual users to perform, certainly corporate users could download and verify their own distro copy and distribute it to their own users from that. It's more important to understand what the application does and that can only be achieved by examining or at least verifying the code and all of its APIs.
Why is this important? Because the browser, any browser, is really an enterprise application as pervasive and critical as SAP, PeopleSoft, Websphere, Tivoli or any of the other so called enterprise application suites.
Yet IE is the only one that's not a toolkit, can't be verified internally or altered or tuned or customized in any meaningful way. It's as if you installed an Oracle DB and Oracle told you how many tables you could have, what they can look like and hid all the background processes from the developers, and didn't even publish the full API.
It's a fucking joke what you've been led to accept. IE is the only enterprise app that's a black box and none of you, NONE of you should accept that.
Microsoft's criticism of how Firefox is distributed is pure smoke screen. They would have you believe you can't trust an app because you can't be sure where it came from whereas you're supposed to trust an app you can't verify, examine or debug on your own.
Now I know the usual answer is going to be "well you can download the source yourself!" or "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother. You see how they already clicked through IE's multiple warnings in order to get Firefox installed.
I'll kick in $20 to Firefox if it goes toward a signing certificate.
Before you mod this too far down, keep in mind I run Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041115 Superunicorn/1.0 (All your Firefox/1.0 are belong to Firesomething)
How am I supposed to fit a pithy, relevant quote into 120 characters?
With the multiple vulnerabilities in IE that allow people to spoof the URL in both the address bar and the status bar, it's amazing that anyone could trust IE again.
Microsoft has gone so far as to recommend people copy and paste a link's text into the address bar, to avoid clicking on links.
Now there's a browser you can trust, use it, but don't click any links...
Saskboy's blog is good. 9 out of 10 dentists agree.
Of course, FireFox won't install any extension downloaded from a site not explicitly whitelisted. It should also be noted that the only site that is whitelisted by default is update.mozilla.org. If Mozilla.org was going to pwn you with a Firefox extension, why wouldn't they save themselves some trouble and just pwn you with TrojanFox?
Was this a deliberate omission? Probably.
Also, complaining about MessageBoxes not working when running software in a non-standard environment (virtual machine) is silly. Odds are that the problem was display driver-related anyway.
that not every one is an asshat (this assumption is based on personal experience...it of course may be wrong and during my extensive travels across this world I may have been the butt of a cruel joke by the gods of entropy and only allowed to have experiences the majority of which were of non asshats, but I digress). And that in the OS community the non asshats outnumber the asshats (again this is based on personal experience). So I trust that if OS community developed software were to have nontrustworthy coding, the non asshat computer geeks out there will find it and let the rest of the world know. I also trust in everyone's low tolerance level for asshatiness (Dr. Bernstein would be proud or that unfamiliar noise, but again I digress). Once one encounters an asshat then all are made to be aware of the asshat, such as "Troll" modifiers here at slashdot (that this post will undoubtedly get because moderators are such humorless as... again I digress ;) and various other means, and the asshat is then avoided like the plague. For example, how many people fall for the goat sex link anymore? So the point is, we are all humans, and for the majority we are all decent people. Yes there will always be the mentally unbalanced and the just down and out asshats, but they are the exception not the rule, and just because the exception gets the attention of the mass information conduits we need to remind ourselves that the information that splatters our news and media outlets is usually of these exceptions of the world, not the norm, because they are not the norm. If we could learn to be content with hearing about the boring happenings then maybe we would have a better understanding of the world. Such as: Bob woke up, went to work, came home, cooked dinner, played Halo2, and went to sleep today, film at 11:00. Instead of Bill the homicidal maniac took an ax to his car and went running around town putting babies on spikes while his wife was left at home to count matches.
When we become bombarded with stories of Bill instead of Bob we start to believe that all people are like Bill, when in reality there are millions of people like Bob to every person like Bill. But don't take my word for it, for that's how all this crap started in the first place, go find out for yourself. (but just in case the gods of entropy have a field day with you bring a can of mace ;)
I only use Mozilla/Firefox for web browsing anymore. The only time I use IE is to access the Windows Update site. Last time I updated I had some crappy spyware toolbar installed. Thanks IE, clean up your own backyard before griping about the neighbors.
There's no shame in being a pariah. -Marge Simpson
(Please pardon the elementary school essay feel of this)
In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.
In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosaic, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.
In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.
In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.
Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.
Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st
Do not look into laser with remaining eye.
No.
Next!
using GPG by a company I trust more than Microsoft/Verisign....
it was signed by Red Hat, and it had an automatic signature verification built into the Yum install.
Ok, move along... nothing more than FUD to see here.
If I used Windows XP SP2, I would be ripping my eyes out if it asked "Are you sure you want to run this program? It might do something bad because the author hasn't paid MS to verify it" Am I the only person who thinks that message is just dumb? Imagine if bash asked you if you were sure you wanted to run a program if it isn't part of the base system.
How about I give you the finger...
and you get lost with IE?
[rant on] To me the obvious question is, would we have all these security problems if MS had just concentrated on creating a stable and secure OS and left the browser in Netscape's then capable hands? In typical MS fashion they had to go and create an insecure browser that was a direct portal into their unstable and insecure OS, because they have to have their hands in everything even if their first three attempts are crap and the fourth version is still crap but so much better than the previous three that everyone heralds it as a great achievement. MS likes to conveniently forget they ably helped create all these problems in the first place. [rant off]
(imho)
Say I go download the source code for the FireFox search bar extension. Say I'm an ad company and I really wanna target my ads at FireFox users, so I'd like to know what they search for using the search bar extension. So all I do is put in some code that once a month sends the list of everything they searched for to my web site (say I have a really big web site cause I get lots of money from ad companies for doing evil things like this). How oh how will I get these unwitting FireFox users to download my search bar extension from me instead of downloading it from the official site? Well I could just offer it and see how many people download it from my site once Google indexes it. That would work. But more likely what I would do is put it in some random program that lots and lots of people download (say, Kazaa) and enter into agreements with shareware web sites to embed it into all the junk people download from them (say, Download.com). When the user downloads the spyware infected shareware it will silently replace the official FireFox search bar extension with my evil snooping search bar extension. But won't someone notice?!! Well no, because the extensions are not signed, are they?
How we know is more important than what we know.
OK, I'm going to try to coin a new term, 'FUD-slinging', which is all this is.
Let's look at this: MS has added all of these warnings for users because it's their SW that allows things to get installed without your knowledge.
And then they want to digitally sign all of their software so that no one can mistake all of the spoofers for MS.
Now it gets better, as all of these security features are only for win XP, so too bad the rest of you.
Also as for his FF extension issue, well I guess he missed the part where you have to allow sites to be trusted for those extensions to be installed from. And look, update.mozilla.org is in the list. Anywhere else you have to add it. SOOOOOOO he's carrying on about mozilla.org having dodgy extensions on their site.
This reminds me of a clip from the Simpsons when Bart says "I'll start smoking and then give that up!", Lisa says "but he didn't actually give up anything" and Homer says "didn't he Lisa? didn't he?"
What's this get to? MS has to assure ppl that SW is authentic and 'secure' as a remedy to all of the MS security problems, and then they expect others to just do the same whether they have issues or not.
I wonder if they expect ppl to walk off a cliff with them also?
Yes. I trust a loaded gun with the safety on more than a gun that's loaded, cocked with a hair trigger that is being passed from clumsy person to clumsy person a thousand different times.
"hey, could you pass me a paper towel? er.. I mean... DEPLOY ABSORPTION PANEL!"
"First they ignore you, then they ridicule you, then they fight you, then you win."
-- Mahatma Gandhi
Looks like we're in step 2.5..
Don't they offer GPG/PGP signatures for all their official source tarballs?
First off... did anyone notice that his blog doesn't format correctly in firefox? It doesn't validate either.
Second, I like this choice line:
Yes, because clearly all university IT departments are run by a loose group of under 18 teenagers. These are probably the same "kids" that write viruses that use IE security vulnerabilities. Also, note the desperation in lines like "Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!" Wow. That's just pathetic.
Then he attacks " a numeric IP address " (his emphasis) as being the "bastion of spammers and phishers." I'm glad Microsoft doesn't have one [or 8].
Then he gets a series of strange and bizarre dialogue boxes. Now, I recently installed Firefox on my laptop, and had none of the problems he's described. It wasn't served off an unknown university site, I didn't have any "7-Zip" error box (probably because Microsoft isn't running my network), and I didn't have a blank dialogue box asking me to click OK or Cancel. I think that someone might want to suggest he reinstall XP. Seriously though, isn't there supposed to be a market incentive for Microsoft employees to be "innovating" better browsers rather than taking pot shots about the default selection in Firefox? The idea that you would reject Firefox on security grounds, and instead accept IE, is so surreally absurd it baffles the imagination. His contention is that the code isn't signed - nobody knows about it, but Microsoft's closed-source code is trustworthy because there's a corporation behind it, so therefore it's a clear issue of security.
Should Firefox start being more security conscious, signing apps, posting obvious MD5 and SHA1 hashes? Of course. But do these really straightforward "innovations" really make up for all of the backdoor security oversights? It's comical to see a monopoly squirm. We just have to be sure they lose.
Apparently just joined MS's crack security team last Thursday... needless to say, he's a real expert!
there's no place like ~
Visit a secure .mil site some time.
It has always amused me when I get "The authority of this registrar is not recognized" when visiting sites the US Gov or DoD has signed themselves.
Simple Machines in Higher Dimensions
The problem is IE is set by default to install third party plugins, which was handy before spyware and adware came along.
When I try to install extensions or anything else to Firefox, I first have to add the site to my trusted sites list.
Knowing what I am installing and where it comes from means more than some signature I can't read.
There are techniques the Mozilla folks could have used to build software that does not require your trust. http://www.scheduleworld.com/itsYourLife.html
Schedule your world with ScheduleWorld.com http://www.ScheduleWorld.com/ (Java Web Startable)
When I use IE, my firewall shows that it is accessing Microsoft sites even though I'm visiting totally unrelated sites.
I'd like to see the IE source code to see why this is happening but I cannot.
At least if something like this happens with Firefox, I can 'grep' the source code to find the reason for such unadvertised behavior.
Stick with Microsoft because they are the kings of security and the kings of all things IT.
I have already helped address part of the problem. I submitted a patch for signtool that will allow developers to sign their extensions with a digital certificate. Signtool is part of the Network Security Services project. While the patch was submitted this summer, the next version of NSS (3.10, which includes the patch) has yet to be released.
My own FireFox extension is signed by my employer's code signing certificate.
http://www.j-maxx.net/abtrans/abextension.php
Now that they have murdered wise old King Netscape and usurped the throne, behold, here comes the son of Netscape, "Prince Firefox" on his shining horse promising to free the people from the yoke of IE spyware and security holes.
It really says a lot about Microsoft that all they can think to do is try and cast doubt about trusting this program. Last I knew, they were the company which has screwed over almost every other company that ever confided or collaborated with them, and which has personally squashed more innovation than probably anything in post-modern history. Yeah, trust... I haven't forgotten what they have done.
Clickety Click
you can't compare IE to Firefox. One is designed to let spyware flow onto your PC freely, while the other is designed to prevent it.
try comparing IE to Gator, or Firefox to OpenSSH. that makes more sense.
For over a year I used IE without knowing some of the side effects. When I finally figured it out, and I tried to remove some 500 spyware items off my computer, I lost it all, all 50 gigs of music, games and movies. It has been 6 months since then and it has taken me that long to amass something close to what I had. I started using Firefox and Thunderbird as soon as I reinstalled Windows (not using Linux because I don't know enough about how to use it and don't have time to learn). Since then I have had maybe 10 spyware things (mostly cookies or things that came attached to other legit downloads). I WILL NEVER GO BACK TO IE, no matter what, I swear by Firefox and I push all my friends to make the switch.
IE does...
They say that Microsoft employs some of the most talented individuals in the industry. At the risk of being overly provocative, might I submit that Mr Torr is perhaps not amongst these individuals? Certainly his knowledge of users and how they interact with software seems lacking.
:)
As others have noted, his rant is totally misguided, pushing the issue of digital signing, a technology which seems only to be employed by Microsoft and the developers of shady/downright naughty ActiveX controls. Fact is that probably over 95% of Internet Explorer users have no idea what security certificates and digital signing are nor why they are important. And, to be honest, why should they have to?
Some of the post's comments note that digital signatures were simply a response to the grand fuckup that ActiveX is. And, as I have pointed out above, the solution was almost entirely ineffective. As for executables in general, far better to adopt a solution similar to Firefox's, where a more deliberate action is required - that of saving the file, switching to the Download window, double clicking the file's icon, reading a warning and clicking OK before it finally runs. Internet Explorer's single click is woefully inadequate.
All that is necessary is to make users jump through certain hoops every time - those hoops must not be overly onerous, but distracting enough to make the user at least think twice before doing something stupid. A splendid but totally unconnected example is the behaviour of the Recycle Bin/Trash on Windows and Mac OS X - the latter treats "deliberate actions" appropriately, whereas Windows makes things overly onerous by offering too many warnings ("Are you sure you want to delete this file?" "Are you sure you want to empty the Recycle bin?" "Yes, enough already!").
That Firefox is, quite simply better, should be obvious. I would invite Mr Torr to witness the before and after states of the countless Windows machines I have repaired - the treacle-like slowness brought about by a cornucopia of porn diallers, spam relays, browser toolbars, "Make this site my home page" requests, startup items, RunServices, adware...need I go on?
Internet Explorer is really - horrifically - bad software. I am yet to hear one complaint about a spyware-infested machine from any of my Firefox converts. And, you know what, I don't think I will.
iqu
Alternatively: How can we trust FireFox if any old fool can go in and install exploits into the source code?
More to the point... how do I know that the unsigned binary Firefox installer, which I'm downloading from a random web server, was actually compiled from the legitimate source code?
I'm a Firefox user and I'm never turning back to IE, but the author of the article does have many valid points.
It's the people that were targeted by the NYT ad that we have to think about.
In its current form, Firefox will actually make running unknown, unverified, and unsigned software seem "OK" to the average user. Think about it, your grandma downloads and installs Firefox, because everybody in her family tells her it's more secure and better, but now she's greeted with "This is unsigned!" and "Run at your own risk!" every step of the way. Those messages (OK, not the exact wording) would be rather scary and intimidating to a first-time Firefox user who doesn't know much about computers. So what do we tell grandma? "Just click OK."
THIS is precisely why programmers are not the people who should be the sole ones generating requirements for software that is supposed to be used by "everybody." Things that make perfect sense to programmers can boggle the minds of regular users. Did the Firefox contributors do any usability testing with volunteers who didn't know the software? Well, if they didn't get that kind of feedback before 1.0, they will certainly get plenty of it in the months to come.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
Hmmm...
I bootleg Fizzy Lifting Drinks.
Hi. 99.99999% of content on the internet is unsigned. So, to only allow access to signed content is to limit yourself to an extremely small part of the internet. Of course, code signing can be faked- easily. You shouldn't need to pay someone to sign your code. That helps only a few people, certainly not any developers. If the default install of IE doesn't allow unsigned code to run, obviously the guys who make the code are getting it signed, or they are faking the signatures. In your clearly anti-Firefox post on your blog, you seem to not be trusting a download from depaul.edu. If you had half a brain, you would realize that this is DePaul University. There are no signed extensions; the reason for this is that 1.) All extensions are made by users and not all users are trustworthy. 2.) Signing is insecure because it can be faked. There is an easy way to turn off plug-ins... have you tried uninstalling them? IE works the same way, except that when the plug-in is malicious, it becomes extremely difficult to get rid of it. Next, the way to bypass the virus dialog is for the user to set the server that the extension is coming from as "trusted." In short, you present a lot of misleading information by not giving people the whole story. This causes users to become misled and only helps the malware author. No doubt, you have a biased opinion due to your employment at Microshit and if anyone caught you saying something pro-Firefox, you would be out of a job. However, this is not a reason to twist information to suit goals. If you are going to attack something, find a REAL flaw and give the full and objective story.
Silence is golden... and duct tape is silver.
They are gone now...hope everyone enjoys them.
This is like watching a kid argue with his parents that he should be allowed to eat dessert first. All his points are either universal (which one commenter, his blog of course hosted on ASP.net, suggested was a good reason for total OS lockdown), or petty and childish "It doesn't work like I expect it to work" issues.
I'm not sure if he's desperate or if he's really bought into the white whale that is Microsoft's imagination of what IE is. Either way, if the only arguments against FireFox are coming from Microsoft blogs, I'll trust it just fine, thanks.
Glog!
Taiwan is not China no matter what the mainland says.
Off Topic I know but come on.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
With Firefox it is possible to download the source code, read it, and build it yourself. You can make your own mind up about how secure it is. This is not possible with IE.
The ability to do your own code review of firefox makes it more trustworthy.
The average person will not take the time to *think* about what is behind the "techno-babble". The seeds of distrust are planted. Unencumbered by technical knowledge or the thought process, the great mass of consumers will vote for a known brand. Unfortunately. Open Source does need to address simplicity, trust and the average Joesephine to come out ahead.
Perhaps Geotrust or Thawte will step up to the plate and donate one.
Did you know that Firefox runs on Microsoft systems as well? I know, I was surprised too, to learn that this machine that I'm running Firefox on was, in fact, running Windows. I'm a little curious as to how running Windows 2000 makes me a "Linux pussyboy", but perhaps I lack your nuanced understanding of web browser politics.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
I guess he has never heard of checksums.
My karma is not a Chameleon.
So wait -- Microsoft == Trust, therefore !Microsoft != Trust? False premise? Yup.
Forgive my cynicism, but he is ass|u|me|ing that people trust Microsoft in the first place? Does the guy not live in the real world? The reason that I trust Firefox is because I don't have any of the problems that I have with Internet Explorer. I liked IE until my computer became overrun with spyware and trojans. Code signing would be nice. But didn't the guy find the feature that only allows software installations from certain sites? I am very trusting of Mozdev and Mozilla.org. But I am quite glad that www.hijackyourbrowser.com isn't allowed to install software. Code signing is a nice idea, but I trust a whole lot of software that isn't signed. And Microsoft should know that code signing is often ignored. I ignored the driver signing last time I updated my NVidia drivers. Just because something is digitally signed doesn't mean that I should trust it. Heck, according to Microsoft's arguments I should get a new anti-virus (even though I am running Norton Antivirus Corporate Edition) because it doesn't report itself to the OS. And what is to prevent someone from cracking the way things are digitally signed? Again, I get back to the logical fallacy -- he is assuming that people inherently trust Microsoft.
The views expressed are mine own and do not express the views of my employer.
Forget all these mirrors. Just run a couple of dozen good seeds and BitTorrent will populate the planet, all with good MD5 sums.
After all, if the MPAA cannot figure out how to pollute Torrent files, it must be pretty tough.
M$ Exec 1 : Those hippies have raised money !!, real money !!, and they have an ad in the NYT !!..
M$ Exec 2 : So what ?
M$ Exec 1 : Many people will switch from IE to Firefox, that's not good for US. Good for them, but not good for US.
M$ Exec 2 : Mmm.. let's attack their distribution systems, you know, make the distribution more difficult, blame them for not having digital certs, for using mirrors, etc, etc.. Quickly, someone write a paper about this!!
Unix is simple, but sometimes it takes a genius to understand the simplicity -- Dennis Ritchie
Didn't Microsoft let their signing certificate get out of their hands a few years back? Yeah, I trust them, just like I trust Wal-Mart to help small businesses grow.
Perhaps because I've never seen a dialog like that in my several years of running a variety of applications on Windows 2000? True, I didn't get that dialog when installing Firefox---I find it hard to believe that this guy had all that go wrong at once---but the day we start blaming random application boo-boos on the operating system is... well, it's a very sad day.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
How is this insightful? Digital signing means that the publisher certifies that it is the executable he published. Not that the package is NOT harmful. I think signing one's work is a very basic protection scheme. How hard would it be for Microsoft to slip a mickey into the works, then have a field day with a multi-million dollar ad campaign? Joe Average would associate Firefox with an erased hard drive, and no amount of convincing from their computer buddies would convince them otherwise.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Longhorn's not done 'til mozilla won't run?
You see? You see? Your stupid minds! Stupid! Stupid!
I guess he's hoping for a Christmas bone-arse from Bill Gates.
Did I make FIRST POST?
Beat that person. Beat them with a metal stick.
Not a Twitter sockpuppet... but I wish I was.
Wait, there are IE-targeted sites now that have some sort of 'you must click yes' mousetrap? I don't remember that. Maybe some jerk programmer got smarter since I switched to Firefox a few months ago, but could you provide an example?
--grendel drago
Laws do not persuade just because they threaten. --Seneca
Can trust my business partner? Who developed a website and we can exchange information with some ActiveX stuff. Maybe I can.
But do they trust me? I don't know. Can they look into my computer via ActiveX? Yes.
So can I trust my business partner? Can I trust ActiveX/IE?
There is a spark in every single flame bait point.
It's not even remotely funny how many readers here missed other valid points: redirection to numeric ip, 7-zip error and that empty message box. I saw the last two myself - weird behavior for such well known, thoroughly tested and peer reviewed OSS project.
As for "Trust the Source!" Well, how many of Firefox users build it from said source? For that matter, how many would care (or know) to check MD5? And know where to get a valid MD5 and trusted digester in the first place?
Obligatory disclaimer: I write this from Firefox with about a dozen extensions and, yes, they are great. Nevertheless, read TFA and above.
My other Beowulf cluster is... er...
I wrote a response on Refrozen... Mr. Peter is an idiot.
If all you need to do is buy some software from Verisign, how does this help anyone. Some malware author can just go get a copy off a torrent. Or maybe by looking at what the code signing does, they can fake it. The only people Verisign helps are malware authors (false sense of security) and- Verisign (they make too much money for not really doing much, like Microsoft).
Silence is golden... and duct tape is silver.
There is a Firefox binary for Mac ..
Unix is simple, but sometimes it takes a genius to understand the simplicity -- Dennis Ritchie
That clown's blog is moderated...pffffft..that means the trickle of Pro-MS posts will be up there in lights while the tidal wave of pro-Firefox posts will be consigned to oblivion.
Pathetic.
It's funny how some people have no idea what they're talking about.
If this Torr person (who is he anyway?) wants to get Firefox from a trusted source then maybe he should just order the CDs. That way he can also get rid of Microsoft OutCrook. You know what? Maybe he should just scrap the operating system altogether.
Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?
what the hell is he talking about? How did 7zip get to opening Firefox? I haven't a clue. Maybe it's from all the SPYWARE he's been getting by using IE.
People who say he's right just piss me off
Sing a song in the age of paranoia....well maybe not. They just might DRM it
I am going to jump to Peter's defence here. There is some serious flaming going on.
1 - I went to Uni with Peter at Swinburne Uni here in Melbourne, Australia. (Bachelor of Information Technology)
2 - Peter was the best programmer I had ever met, and I think I still haven't met a better one.
3 - Peter was genuinely interested in the best ways to do things.
4 - When Peter left Australia for Microsoft in the US, half of us thought he sold out, the rest were in awe.
5 - Peter is a realist and not a nutter, and I would recommend reading some of his other posts. I think he genuinely wants to improve security of all applications, and he is entitled to have a dig every now and then.
So the MD5 and SHA1 hashes are just decorative or what?
Obviously this guy doesn't comprehend the concept of open source. He thinks we need to buy something for it to be good. Be it an Operating System, a web browser, or a digital certificate.
He totally missed the fundamental insecurity of IE. Crapware installs itself with IE, either by exploiting "features" or holes. Sure, some crapware requires the user to click Ok (fuck my browser now) or Cancel (fuck my browser now anyway), but for the majority of it that I've experienced, a couple visits to websites of questionable integrity pretty much does it...
Funny, I've never had Firefox do that.
Really, what the hell does it matter if the software is signed? Some spyware/adware is signed so it looks "safe" by this guy's standards, and some of it just installs without telling you. If your core browser isn't safe from exploitation, there's really no sense in going any further. If you train users to say no, spyware just exploits the holes and installs itself without asking, problem solved. 90% of users are just going to click "Ok" anyway, no matter what it tells them, and no matter how much you try to teach them.
He does have two interesting points, though, that perhaps we shouldn't trash with the rest. Maybe something beyond MD5 hashes should be provided for FF. My dad runs Windows, has no idea how to do an MD5 sum on a file, nor does he particularly need to know that. I hate even suggesting that Verisign is some bastion of legitimacy, because, well, just no. However, we're probably the biggest cooperating group of smart people (okay, some of you may be excused) the world has ever seen - surely there's a way to do it that is both easy for regular users and doesn't support V-evil.
Also, being able to turn on and off various plug-ins wouldn't hurt. Sure, I know about the extension manager, but I'm talking things like Flash and Acrobat (the two things that screw me over most often). It'd be nice if I could just turn them off temporarily. Acrobat the Plugin has to be one of the #1 things that crashes on my Win32 boxes.
He has a good point. I also wondered about why Firefox isn't at least signed by "Mozilla Foundation" or something. And obviously if it was signed by this, it's quite different from being signed by "Gator" or some unknown company. Firefox puts a lot of money into marketing, etc, but they should look at these little details too.
Those hashes are useful for at least two reasons: 1. They let me verify that the file downloaded properly. 2. If I downloaded from a less trustworthy mirror, I can check the hash in a more trustworthy place.
This post written under Gentoo-linux with an SCO IP license.
Unless this "Peter Torr" is in fact Professor Tor Coolguy, then I'm just not interested.
COMPUTER! Whatever happened to Blueberry Muffin?
"BitTorrent".
One approach might be to have users download an small installer from "firefox.org" (only!) which then verifies the downloaded file (which can come from anywhere). The download site on "firefox.org" should have an SSL certificate good enough for code signing.
Isn't that exactly what BitTorrent does? (Not so much the SSL, but it does check hashes) They could follow Blizzard's approach, using a downloader. This has the added bonus of saving bandwidth all around, in addition to being more secure.
I've got more mod points and GMail invi
What is Beijing going to do with my social security number?
And why would Taiwan plant a trojan in IE that sends SSNs to Beijing? That would be like North Korea putting a trojan in IE that sends the US super secret data. Why?
My other car is first.
"Office Development, Security, Randomness..." Obviously the post on Peter Torr's blog falls under randomness and not security. The fault of both browsers is that neither belongs to my McSecure program which either could get from me for only a few cents a day!
Here is what I wrote on his site... but strangely, none of it appeared. After that I posted a test message ("LET THE SLASHDOTTING BEGIN")... and my other test message of ("Hmmm... my comments have not been put up yet... I have posted after that too... very interesting... my test message to see if my posts were going through "LET THE SLASHDOTTING BEGIN!!!" ") very strange indeed. Anyway here it is for all your viewing pleasure... Face it, all your arguments against FireFox have been bashed by evidence shown by the people who have posted above. IE has not been secure for a long time, and the security threats keep on piling up. When FireFox came out, Microsoft came out with the huge SP2, which made IE a little better with its pop up blocker, but still it is the worst browser you can have, period. The Mozilla team has worked hard to correct any of the small number of bugs that exist in FireFox. It is updated periodically (heck, you can get nightly snapshots!) and is very secure. It is also secure because it is open source (download the source, read it; if you feel it is secure, compile and run it!!). Besides the security issue, FireFox is the best browser that I have seen (features, ability to customize, etc.). Microsoft is a company that loves to make something and then charge everyone a lot of money for it and then not update it in the least and then flame another product for being better instead of actually doing something to fix the problem (please, don't tell me about the new pop up blocker; so lame, it could have been coded years ago... oh wait, there already have been pop up blockers made by people years ago because it was a problem). FireFox is a much better product in every way than Internet Explorer. BTW, I am writing this from inside Firefox. ;)
-- +
So let's see if I read this bit correctly:
"I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all -- but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
I've always been of the mind that you spend time writing because you have a personal investment in your topic. Does this guy seriously want us to believe that he doesn't care what we run? Of course he does. He's saying not to use it. That it's a BAD idea.
He's like the obnoxious asshole that stands over your shoulder telling you that he wouldn't fix the car that way, but "Hey, it's your car, I don't care!"
Note to a moron. I've been using it for months. Ever since I got wind of it. Every tech person I know worth his or her salt is using it. Glad I'm a part of your nightmare.
befuddled (noun) 1. Unable to create a pithy sig
Let's see... If I don't want to trust the Firefox downloads, what can I do?
how about... Build it myself?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
The thing to look at is the record, plain and simple. And the record shows that, until now, code signing does not address the major security problems that people have with IE. Maybe that will change in the future, but that's the record so far.
Firefox on Windows does not have code signing because the real world has not demanded it so far. If there were enough attacks for which it turned out that code signing was the right solution, then Firefox would use code signing.
Code signing, at this point, is a gimmick because it does not address the major security problems that Microsoft has. It's a solution to a problem that is not at the top of the list of problems with Microsoft software. And because Microsoft focuses on gimmicks, Microsoft keeps failing to address the real security problems Microsoft products have.
Maybe Microsoft will eventually get serious and real about security, but Peter Torr's commentary illustrates that ignorance still reigns supreme at Microsoft.
Microsoft: Firefox Sucks!
Slashdot: Microsoft suxX0rs!!!!!111ONE
Microsoft suxX0rs!!!!!111ONE
Microsoft suxX0rs!!!!!111ONE
Microsoft suxX0rs!!!!!111ONE
Microsoft suxX0rs!!!!!111ONE
Come on guys, any pro-Microsoft people around so we can really have fun? I promise I won't bite O:)
Microsoft can solve this problem by distributing Firefox alongside of IE with Windows. That way it comes in the box and you don't even need to use potentially insecure IE to download Firefox and get hit with a malicious website.
BTW, I grabbed Firefox via ftp.exe so I didn't need to use IE and there was a nice MD5SUMS on the ftp site to validate.
-weld
Here's the Bugzilla link https://bugzilla.mozilla.org/show_bug.cgi?id=2487
Perhaps firefox could do with a method of checking MD5 sums (when available) while downloading files?
Perhaps allowing a mirror site to tell the browser where to download the official MD5 sums to compare against?
For the small, one-off apps, checking signatures is irrelevant as any spyware co. could (and often does) sign their apps. But for checking against a master copy of a popular download I could see this being useful.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Firefox doesn't buffer overflow and install spyware on illicit web sites. I trust both IE and Firefox, but IE is weak to websites. Also IE doesn't have a popup killer.
God spoke to me
I think, unless he yanked his RJ-45, that we can safely blame either the virtual or actual MS OS that was used to attempt an install of Firefox.
I can hang an unpatched copy of Windows on the internet for a few minutes and then attempt to install Firefox and experience the same crappy bugginess... but it isn't Firefox's fault.
This is like blaming the ground for causing 100% of all airplane crash related deaths.
...But I digress. TREMBLE PUNY HUMANS!ONE DAY MY SPECIES WILL DESTROY YOU ALL!
While I was still using Firefox 0.10 I noticed strange behavior with Firefox constantly trying to access somewhere in Asia. I assumed this might be part of an extension trying to update itself so I told Norton to allow it access. While using a packet sniffer I noticed that this activity could not be decoded by my packet sniffer and assumed even more so that this was an extension trying to update itself. I have yet to find out what the real reason is behind this and I updated Norton and therefore the logs are no longer on my system. I ask, "Really, how secure is Firefox compared to IE?" The article definitely makes some very good points about lacking security with Firefox installation and use.
Name: GAIN
Publisher: Claria Corporation
The publisher was verified so you should install and run this software.
I fail to see how signatures fix anything that is wrong with Internet Explorer. Automated downloads via ActiveX are going to be a problem if they are signed or not. What a moron this guy is (and I'm normally a MS softie). He should be fired if he works for MS as he is exactly the type of thinker that got us into this problem.
More... I could accidentally download an exploit by loading an ad (1). IE's interface to install the exploit is *so* much more user friendly.
1. http://www.theregister.co.uk/2004/11/21/register_adserver_attack/
Yeah, I can *trust* IE, riiiiight. :)
But if we are serious about that: yeah, not everything is perfect and some security layers could be improved in downloading Firefox. However, in reality, it is all that bad; no common user will take any security checks according to that. Solution? When 'Spreading Firefox [tm]', be sure to inform users about OFFICIAL sites and mirrors to be sure about the legitimacy of downloads.
So as someone before already said, the author could be in some part right, but in my opinion it doesn't hold very much water to be discussed here, on Slashdot (ohhh, yeah, Firefox is bad, some kind of sensational journalism, heh), so it is better simply to suggest that as bugs in Bugzilla.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
He could have used any of those, or all three. I don't see what he's complaining about. If you have a decent package management suite, it runs the checksums for you.
All's true that is mistrusted
This piece mainly addresses the issue of potential security threats from files (like Firefox or Flash Player) that the user decides to download voluntarily. While there are potential risks here, it seems to me that the main issue is users inadvertently installing spyware and adware. I doubt that many users encounter problems from software that they were actually trying to install in the first place.
From the article:
>Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?
This is a work of art. I'm sure these guys tampered with the Firefox install SO BAD (unplugging the network at critical moments, etc...) so that they achieved their desired results.
In other words, they're portraying the Firefox WORST CASE SCENARIO.
Now. Would you like us to portray the IE6 worst case scenario?
ActiveX using code-signing for its security model. We all know how secure that is. Microsoft, as always, just doesn't get it.
..IE is teh debil, M$ is lamez. Firefox is god.
Verisign is not the only company that does certificates.
take a look at the uptime of this silly server...
Netcraft
sheesh. can't even get a nice plump uptime like most linux boxen....
We're like rats, in some experiment! -- George Costanza
Let's break this article down a bit. Basically, it's a Microsoft noobie saying this: WTF R MIRRIR!! OMG I HAV 2 READ WTFOMGBBQ?!?!? HAHA IT SAY MOZILLA.ORG BUT IT NOT HAHAHA U R DUM But on a serious note, he doesn't seem to realize the simple truth: Joe Homeuser that doesn't read messages has never heard of Firefox, much less used it. And Joe Homeuser also has no clue what Verisign code signing is, either. And to get even more specific: "There is no obvious way to turn off plug-ins once they are installed." Apparently he means Flash or Java, but if he means extensions he's probably thinking "any way besides the 'Disable' option." "There is an easy way to bypass the 'This might be a virus' dialog." Because anyone with a brain doesn't have anti-virus. Now, we could go on all day about the default choice being wrong, etc., but if you're hitting Enter as soon as possible when installing an extension, you know what the dialog says. Am I at least right on that point?
Your ad here.
I love Microsoft to death (with the exception of Internet Explorer). But... excuse me, what the hell is this guy smoking? If he was a half competent user, he wouldn't have installed Service Pack 2 for XP to begin with. I haven't, and my computer is still spyware and virus free.
He encountered a very rare problem installing Firefox, all of which could have been faked. Who cares? Internet Explorer has FAR too many problems regarding security. People get spyware by just VISITING web pages, you prick. I mean seriously, how many of you have ever gone to a webpage in IE and a box popped up asking if you wanted to install 'spyware.omg.kill.computer'? NEVER. EVER. In my LIFE. Internet Explorer is a piece of crap. Microsoft needs to stop pretending IE is worth half a shit (please excuse the language).
Microsoft needs to get their crap together and build a web browser with security as the primary focus. Forget UX (User eXperience) and all that other fancy crap, just get the code secure and then work on the beautification.
My two cents.
-rico
-Eric Smith
ah yes, a geocities site.. such a reputable news source
You still must trust the source. So if you try to download firefox and it is signed by "The Mozilla Foundation" and the certificate is verified then you know you've got an official release of firefox. This assumes you trust Verisign to only issue a certificate under the name of "The Mozilla Foundation" to The Mozilla Foundation. Even Verisign is likely to be able to perform this kind of rudimentary verification before issuing a certificate.
Furthermore, if Mozilla DID get a certificate and you knew this from visiting their website then you would know that the certificate is correct. You would also know that no one else can impersonate them under that identical name with a valid certificate that uses Verisign as the Certificate Authority.
So the point here is that a certificate doesn't mean that your program is benevolent...who is the judge of that really? Instead it just verifies that it was signed by entity X and has not been modified.
"Normal disclaimers apply. I am not responsible for anything, and neither is Microsoft."
Looks like he has had to turn comments off too. I wonder why?
Unsigned code, signed code - either way you're placing trust in someone you don't likely know. So you have your choices:
1. Trust the company that broke half the internet with Sitefinder, and would probably start digitally signing viruses tomorrow if they thought they'd make a buck and get away with it.
2. Trust the company that didn't see a problem with executing any attachment arriving in your inbox, by default. Nothing could ever go wrong with THAT.
3. Trust the group of programmers that is seemingly not motivated by profit, gives their efforts away, and has their advertising paid for by.... users? WHAT? No Profit?!?
Hmmm, I hate these tough choices.
Is this not irrelevant? The point is knowing that you are running the code the Mozilla people have steered you toward. This colorful anecdote suggests if I were interested in spyware, I could confidently know who was infesting my computer if I used the supplier you mention.
tone
EOM
Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."
Google for "windows update error" and you'll see that many users have to go figure out what their x803833828 codes actually mean from sites other than Microsoft.
Here's what I got as a result of clicking a Microsoft link in a search for "download IE":
http://www.gravito.com/sheepdot/IE1.gif
Why do I get cookies from Microsoft websites other than the ones I'm going to?
http://www.gravito.com/sheepdot/IE2.gif
Don't get me wrong, this guy has somewhat of a point, but it's lost in the fact that he's using IE to download Mozilla. Microsoft won't even let Mozilla users download IE. I think that it's pretty obvious that they don't have any intention of getting people to switch, let alone "switch back". I currently use a program called "nLite" to strip IE and IE core from my XP installations. This only started recently due to the lack of a fix for an iframe crashing bug that allowed spyware companies to bypass all those fancy "don't run the exe" windows and just drop malware into the stack. Two weeks for a fix, Microsoft. Two weeks! Mozilla devs have had serious issues like this resolved within a day, sometimes in hours of the first report. The heap overflow in rendering images is another example of how seriously open source developers take security risks.
Lastly, the Flash and especially Java install with IE is a quagmire as well. What happens when the mirror takes longer than 30 seconds to kick in? Well, I click the link and it asks if I really wanted to run/save the EXE. Who cares about signed content, Spybot isn't signed and I need that. Nor is half the open source software. But Gator is signed. Hell, somewhere around 10 to 20 percent of spyware is signed!
Also, the double security windows issue regarding downloaded EXEs in IE is more of a hindrance than a help. Especially when it's been shown that malware authors can write ActiveX to just run it outside of asking the user if it is okay anyway.
>>Microsoft's reputation rides on the quality of the program.
Microsoft's reputation rides on the quality of its marketing.
-- My Weblog.
Well, technically, I have no argument with you. That's, of course, the technical reason why code signing is a "good thing".
I guess I was trying to say, though, complete (or near complete) confidence in knowing the code you're downloading really isn't "tampered with" is a relatively minor issue for most people.
99% of the computer users I encounter really don't have a good grasp on the significance of signed certificates in the first place. In the "real world", confidence that you're downloading "what it says it is" comes more from folks getting the software from well-respected sites (such as download.com).
Microsoft is really grasping at straws, trying to punch holes in Mozilla/Firefox credibility, by bringing up relative non-issues like this. The fact remains, people are much more confident they have a "safe browser" when they use Firefox than when they use IE, and this is because of everyone's actual experiences using both products and witnessing the results others are reporting.
(EG. If I use IE, code-signed or not, I know I've got some security holes/issues in my browser. If I use Firefox, I may have that small risk it's been tampered with, but it's a much LOWER relative risk than using IE is.)
...why does $DIETY continue to let you breathe?
Dude, tell me your thoughts on the grassy knoll and whether or not Mikey died from eating poprocks.
If so, then let me see if I got it right:
- Mozilla does not sign Firefox.
- But Microsoft signs IE, and all the bugs that come along with it.
Well, this is a hard one.
- Please, ignore everything written above.
I wrote my list of why this article was wrong on my weblog. Here is the link: http://jmweirick.blogspot.com/2004/12/why-i-trust-firefox.html
'cause I get it from Debian.
"It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?"
:-)
;-)
In fact, like many others before me already said: Firefox requires the user to explicitly state that he/she wants to even start the install procedure of a plugin. If the very same person then does not even read what's displayed and act accordingly, it's his/her own fault. I have a strong feeling most people, running IE and related products, are used to clicking OK in dialog boxes without care, for there are so many, popping up in all kinds of situations, not saying anything understandable for the non-techie/MCSE or anything reasonable at all. A default (in my opinion) is not a security issue if it does not automatically become effective as long as the user does not say so or is informed beforehand! (Which is not the case for IE's default setup!) There might as well be a box where "OK" and "Cancel" were switched by an already installed worm, right? Stupid (I know), but very possible!
And how come I am not told where my Windows Update tool gets its data from? Why do certain updates seem to not do anything for minutes while they happily download further data from servers that sometimes might not even have a registered domain? On top of that, they install additional (to me) unknown stuff, not even asking me if I really want to or for what reason! The worst thing about this is that I will never know what happened even if I were up to researching it, as I would most certainly end up violating some licenses that I have agreed to previously.
Another problem I see is that when I tell IE only to run ActiveX controls and other kinds of programs on user input, why can I only say "Yes", I want to, or "No", I do not? Why doesn't it tell me where that script came from at least? Or let me even browse its source (if available) without auditing previous (sometimes heavily) hirached HTML before???
Yes, I do agree when some people say that they do not trust Verisign either. Sincerely, I do not understand what would make the end user, not knowing what PGP or even encryption is, suddenly care for signed software products? The decision whether he/she trusts a package or not should always be left in his/her hands, as it is his/her computer; he/she bought it and has a right to use it, for whatever (legal or not) thing he/she wants to, in the way he/she likes best. Of course he/she should be aware of the responsibility that requires as well. Instead of teaching these things from the start, some products available per default seem to easily trick the unaware person into thinking otherwise.
Best regards from a happy KDE 3.3.2 user who trusts the Archlinux package repository, knowing where the source is available from, who wrote it, where it was downloaded from, who maintains that package by name and e-mail, how it was compiled, which patches were applied, and who could even easily refuse to trust those and make his own in a breeze! Not only for Firefox...
But clearly, users don't give a shit.
Ever install any freakin' piece of hardware on Windows? Nothing is signed. I've seen printed instructions that show a pretty picture of the unsigned-code warning dialog box, and tells the user to press the yes please install this dangerous driver that might destroy my computer button.
This is not from Bob's Network Adapters 'n Peat Moss. This is Samsung. Lexmark.
So, as far as Joe Average is concerned, that dialog box is just another stupid thing getting in the way of scanning these nice pictures to send to Aunt Tillie. He's being trained to ignore security warnings.
I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
because 99% of exploits out there specifically target flaws in IE. There's no doubt in my mind that Firefox has just as many flaws but I would much rather have the lesser known more obscure implementation. When Firefox gets enough market share to attract exploits I'm moving to Opera.
Beware "Mozilla Corporation", though.
Regardless, the last version of IE I ever used was IE 5 for Mac OS 9. Back then I chose to switch to the Mozilla betas simply because they worked better than IE 5. I grew tired of IE's memory leaks. MacBU may have fixed the memory problems with the Mac OS X versions but I wouldn't know because by then it was too late. The problem existed so long without being addressed in the OS 9 version that I saw no reason to willingly use the X version.
Every other browser would have to suck royal before I would consider going back to IE.
Yet in the screenshots, IE allows the user to "Run" the executable.
Also...
"But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs."
Obviously didn't try very hard... how about looking in Edit, Preferences, Downloads and then select the Plugins option. From here you can see what plugins are installed and disable them individually.
Last I checked IE doesn't provide a list of Browser Helper Objects that you can individually enable/disable - In fact, the user has no way of knowing that a Browser Helper Object has been installed and worst, has no way of being able to remove or disable it.
Finally, installation of Windows software follows this paradigm, in general. A lot of 3rd party utilities, games and applications can be downloaded and most are not signed. In fact, the Windows Installer does enforce any form of signature or hash.
This is a fairly good point. I was never a big IE user but Internet Zones is a good idea. Is there an extension for FF that allows this?
I know about the block flash extension, but just speaking in general terms, the ability to label some sites as most trusted than others to a fairly low level is a good function.
Isn't checking against an MD5 from a trusted site good enough?
thank God the internet isn't a human right.
oh well, at least Apple got it right on that one ;)
/bin/fortune | slashdotsig.sh
There are other cert providers. I'm surprised no one has mentioned CAcert yet.
So they are playing devil's advocate... Not like /. doesn't paint Microsoft in the same light regularly.
This is just an opportunity for Firefox. The installer needs to fail more gracefully and intelligently for such things. You need to have the system not just function, not just good enough, rather it needs to be SO good that it makes people go out of their way to switch and stay switched.
It's british slang for to look at in amazement, I googled that young girl across the way.
...and is therefore not trustworthy.
> This guy makes some good points. His main point is that the distribution process for FireFox is very insecure.
Unfortunatly, since he doesn't appear to know his arsehole from his elbow WRT security, his entire argument is invalidated.
> The "traditional open source approach" of voluntary mirrors (perhaps with manual MD5 checks) isn't good enough
No, it's not. That's why mozilla.org (and most other projects) provide digital signatures of their source archives, and (if distributed) binaries.
> for high-volume end user products.
What the hell does that mean?
> The FireFox team needs to work out a much more secure install sequence.
No they don't. Users need to learn how to check digital signatures.
> One approach might be to have users download a small installer from "firefox.org" (only!)
Thanks for breaking the way files are normally distributed across the 'net. I goddamn *hate* programs that think they are *so good* that you can't actually download them yourself... you have to download a special downloader program that is invariably a buggy piece of crap. I'll stick to wget, thanks.
> The download site on "firefox.org" should have an SSL certificate good enough for code signing.
Feel free to pay for it. In the meantime, I'll continue to check the signatures with GPG.
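The checks that several comments in this thread describe (a small installer that verifies a file fetched from any mirror, a hash compared against a copy from a more trustworthy place, and a publisher signature on the checksum file, as in the GPG reply above) combined into one verifier. This is an added example, not code from the thread or from Mozilla: it assumes SHA-256 in the two-column MD5SUMS file layout, a constructed sample release standing in for the installer, and Go's Ed25519 as a stand-in for a GPG detached signature.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Distinct outcomes, so an installer can tell a bad transfer from a bad publisher.
var (
	ErrBadSignature   = errors.New("sums file signature does not verify: not from the publisher, or altered")
	ErrNotListed      = errors.New("file name not present in the signed sums file")
	ErrDigestMismatch = errors.New("digest mismatch: download corrupted or tampered with on the mirror")
)

// ParseSums parses the coreutils two-column layout used by MD5SUMS / SHA256SUMS
// files ("<hex digest>  <name>", one entry per line) into name -> digest.
func ParseSums(text string) (map[string]string, error) {
	sums := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed sums line: %q", line)
		}
		// coreutils marks binary mode with a leading '*' on the file name.
		name := strings.TrimPrefix(fields[1], "*")
		sums[name] = strings.ToLower(fields[0])
	}
	return sums, sc.Err()
}

// Sha256Hex returns the lowercase hex SHA-256 digest of data.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignSums is the publisher side: sign the sums file with the release key.
// Ed25519 stands in for a GPG detached signature (no OpenPGP in the standard library).
func SignSums(priv ed25519.PrivateKey, sumsText []byte) []byte {
	return ed25519.Sign(priv, sumsText)
}

// VerifyDownload is the user side. pub is the publisher's key, obtained out of
// band (e.g. from the project's own site); sumsText and sig come from the
// trusted site; name and data are whatever an arbitrary mirror handed out.
// Note that a signature only binds "who published" to "which bytes": it says
// nothing about whether the program is benign, and an old signed release
// still verifies, so the sums file should also be the current one.
func VerifyDownload(pub ed25519.PublicKey, sumsText, sig []byte, name string, data []byte) error {
	// 1. The sums file must really be the publisher's.
	if !ed25519.Verify(pub, sumsText, sig) {
		return ErrBadSignature
	}
	sums, err := ParseSums(string(sumsText))
	if err != nil {
		return err
	}
	expected, ok := sums[name]
	if !ok {
		return ErrNotListed
	}
	// 2. The bytes from the mirror must match the signed digest.
	if Sha256Hex(data) != expected {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release standing in for the installer binary.
	release := []byte("FirefoxSetup (constructed sample bytes)")
	sums := []byte(Sha256Hex(release) + "  FirefoxSetup.exe\n")
	sig := SignSums(priv, sums)

	fmt.Println("intact mirror copy:", VerifyDownload(pub, sums, sig, "FirefoxSetup.exe", release))
	// A truncated transfer and a swapped binary look the same to the digest check.
	fmt.Println("truncated download:", VerifyDownload(pub, sums, sig, "FirefoxSetup.exe", release[:10]))
	// A mirror that rewrites the sums file to match its own binary fails at the signature step.
	forged := []byte(Sha256Hex([]byte("something else")) + "  FirefoxSetup.exe\n")
	fmt.Println("forged sums file:", VerifyDownload(pub, forged, sig, "FirefoxSetup.exe", []byte("something else")))
}
```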
If you want to talk about facts don't link to a geocities website. Any website on geocities is untrustworthy as to how reliable the information is in my opinion. I'm sure that isn't the only website that has the information, so it's ridiculous to link to something as unauthoritative as that.
I posted this on their blog
"Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous."
Hmmm, wait a minute. I was on this one site and it had a link to www.microsoft.com so I clicked on it and showed www.microsoft.com in the url bar...but for some reason after I downloaded this one file I got a trojan on my computer and my security was compromised.
Yea, I just love my built in phishing exploitable webbrowser that still isn't patched yet!
way to go microsoft!!!!!!
and you whine about a mirror for file downloads hah!
There is no such thing as absolute trust. The singular notion of trust is really an aggregation of many smaller, specific trust relationships that are evaluated over time.
... but history has shown us that like death and taxes, we can trust these to be the way life works.
How can you trust Firefox, you say. Well, how can you trust that the sun will rise in the east tomorrow? How can you trust that trees will grow new leaves yearly to replace the ones lost? How can you trust that Microsoft will spend far more time and energy marketing their products rather than actually making them good? It does not have to be this way
in The Monkees?!?
I'm perusing comments on this article, only to see people saying things such as, "Apparently just joined MS's crack security team last Thursday... needless to say, he's a real expert!" and, "Microsoft is never going to get it."
Hopefully, most people will look at these comments with a slightly more level-headed point of view, realizing that just because you work for Microsoft doesn't mean you don't know anything about security, or that Microsoft's recent approaches to improve the security on their browser doesn't mean they'll never "get it."
How about somebody from the OSS community try and think of ways to take one person's (slightly judgmental) observations with a grain of salt? How many times have we read/heard/stated opinions regarding Microsoft's ineptitude, chiding the company for its lack of effort in the security arena? Now that Microsoft is actually trying to make a difference in their software security, why is it so hard to take some criticism regarding OSS security? Is it just easier to think that nobody else could be as correct as you?
Really, people, there's a much better way to handle this type of opinion: try and benefit from it. When everyone stops acting like the only opinion that counts is their own, then they'll see how they can better themselves (or their software).
UNIX: Find it, fsck it, forget it.
Can we rate Peter's blog a 5:Flamebait? Despite the few good points he makes, he has tunnel vision on slight problems that his computer has [dialogs], his lack of knowledge [plugins], and open-source [hates mirrors and does not seem to get the concept of community oriented programs such as FireFox]...
_
Free 27" Sony WEGA TV
My God man.
'millions of Western eyes', how the fuck do you think Microsoft was created if it wasn't at the hands of the west, oh and what about Cuba, you know that place where western America sent all those people to be tortured.
The subtle point that I'm getting from Peter Torr is that, you can trust Internet Explorer more because it is already installed on your computer. If you buy a new computer, it should already have IE on it and you can avoid the "scary" problems he lays out.
He knows that Firefox isn't going to be installed by default on new computers anytime soon, and you have to download it for all your older computers. So the 'trusting where you download from' issue will be there up to the point when they release their next browser in Longhorn in 2006 (well, maybe 2006).
So, this will be an issue that they will attempt to exploit in the meantime, as they try to catch up in the other areas that they lag. They have so few other advantages to go on, this will probably be one of their primary ones. The only other advantage they appear to declare, is that they can run the ActiveX packages out there. It seems to be a well thought out piece of FUD.
I personally don't think it would work. Especially when the community finds a way to elegantly tackle most of the issues that he laid out.
--
Brandon Petersen
Get Firefox!
Damnit, and all these years I thought you could run IE with the native Windows install. I should have known IE has to be run inside a VPC environment! Stupid me! So by running IE in VPC on my PC I won't have any spyware! Hmm, now where do I get a free copy of VPC to use as a condom for IE? (wine?) Eh, screw it, I'll just use Firefox. Looks like someone is hell bent on making a fool of themselves. If you're going to try and prove a false point at least have the balls to try it out as intended, without VPC. Looks like someone is very scared... that's right, you're scared. Maybe you should look into job security.
This guy seems to like the idea that every user is a complete idiot. There are some idiots out there, you say? Then let them use IE.
Don't blame me -- I voted for Roslin.
To me the paradox is in the topic itself. "How can I trust Firefox?" What the hell?!@?@? Has this guy become one of those folks who downloaded "precision time" once and had to have one of his 'expert' friends inform him that it was bad? Maybe it was worse and he did it at work; who knows. It's obviously fud from the dark side.
Some of his points are valid, I think. They aren't sufficient reasons to stay away from FF and keep using IE, but I think he's doing the open source community a favor by writing a critique of Mozilla's potential security problems. Don't say "your problems are worse so we won't fix ours", try to address his concerns so he can't say "I told you so" when somebody does actually exploit a flaw FF has that IE doesn't.
In fact, the Web site provides the links to the original Western news sources. So, if you distrust the names of the Taiwanese spies identified on the web site, you are free to click on the links to the original Western news sources like the "Los Angeles Times".
The question then becomes, "Who is lying? 'Los Angeles Times' or an anonymous 'aussie a' on Slashdot'?" I believe that the "aussie a" is lying.
Anyone who doesn't agree with me, has not used firefox enough to see.
Firefox freezes out of the blue at times, on multiple machines. As an experienced programmer, I would not recommend Firefox yet; too many problems with stability right now.
Quit believing all the firefox fanboys on slashdot and neowin, they do not know what they are talking about when they say firefox is the best.
As someone that just got nailed by an IE DSO exploit, I have no qualms downloading Firefox from an official mirror. Signing with a trusted GPG key would be a trivial undertaking, so maybe MS should go back to the drawing board and forget their potshots at a wonderful project.
The right way... My product is great, it can do this, and this, and it's secure and you'll love it and....
The wrong way... Their products bad, use mine instead, oh and did I tell you how bad their product was, you must be a fool if you use it... did I say fool, I mean genius for switching to my product.
People generally don't trust someone if all they have to say is how bad the other person is.
thank God the internet isn't a human right.
Nothin' to see here. Just keep movin' folks.
Trust me. This is an inactive account. Regardless of what the
I have to use the computer for that
/bin/fortune | slashdotsig.sh
Bill, you can take off the mask now.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
"Of course, the obvious question is 'Do I trust Firefox less than IE?'"
No, asking yourself this question is just downright stupid. This is the same as saying I do not trust something, but accept that level of trust because one of your other options is less trustworthy.
If you can't trust something, DON'T trust it. I'm fucking sick of this American style of thinking our government and the media has us stuck on, the fact that if you have only shitty choices (presidents, tv, music, etc) then you should only choose from the shitty choices.
In fact the best choice in most cases is to not choose at all.
TruePunk | Games
You are insane. Taiwan is not China, and Taiwanese programmers would probably not be sending code to beijing. Your sources are flawed and you are a troll.
Read jack phelps dot net
So these are the people that are working at Microsoft... it all comes together now!
It is so ironic that someone from Microsoft is critiquing the "problems" with Firefox... I have no clue where his errors came from; I have installed FF on at least 10 machines without one problem.
This blog is yet another Microsoft PR nightmare-- and yet another reason I am proud to use a Macintosh.
I'd like to apologise to everyone who read my post for feeding the troll. He's just copy and pasting the same flame-bait.
I have posted on numerous occasions my less than glowing feelings about Firefox. I run IE (well, to be fair, Maxthon) and am very happy doing so, haven't had problems in I don't know how long, and just in general I'm not especially thrilled with Firefox.
But this blog entry is beyond ridiculous.
First, I have installed Firefox on a number of occasions, recently and beta builds in the past. I have done so on a couple of different versions of Windows, a few Linux versions some of which were running under VMWare. I have NEVER had ANY problem installing it. Certainly I've never seen a blank dialog like this guy claims to have.
He raises some interesting concerns about the download locations I think, legitimate concerns, but beyond that it's a bunch of obvious FUD drivel. The security warning dialogs he mentions, while legitimate issues for novice users, are a result of the way IE handles potentially unsafe content, NOT the fault of Firefox. I would bet most people downloading a new browser can probably handle these dialogs without too much trouble, and again, they are from IE, not Firefox. He's right, signing the Firefox download wouldn't be a bad idea, but it's hardly the big deal he seems to think it is.
Look, I think there are legitimate gripes about Firefox (just like there are about IE by the way)... I don't think either side needs to be making stuff up. I find myself sometimes defending MS against what I see as unfair assessments by the OSS community, but seeing posts like this blog entry makes me feel like an ass for doing so. BOTH sides need to be mature and compete fairly, may the best product win. It's annoying when crap like this sneaks through.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
I guess I was trying to say, though, complete (or near complete) confidence in knowing the code you're downloading really isn't "tampered with" is a relatively minor issue for most people.
Which is a HUGE problem. Blind trust in software you download from a random location is a very, very bad thing. Think of the other system which depends on blind trust in the internet community that is in common use today: SMTP. Get much spam lately?
Microsoft is really grasping at straws, trying to punch holes in Mozilla/Firefox credibility, by bringing up relative non-issues like this. The fact remains, people are much more confident they have a "safe browser" when they use Firefox than when they use IE, and this is because of everyone's actual experiences using both products and witnessing the results others are reporting.
He isn't saying Firefox isn't a safe browser. He's saying you have no way of knowing if you are using the real Firefox in the first place!
You guys jump all over an article spreading FUD about OSS, yet the editors feel the need to post the same FUD about PSP multiple times.
Here's what else DePaul offers in CTI
And that's just for undergrads! I can tell you this: Any graduate from CTI in the past 20 years must be smarter than all of the programmers in what's left of the Internet Explorer unit combined!
Maybe if Microsoft, oh, didn't let IE atrophy into a piece of garbage then maybe he wouldn't be whining to the internet.
Also, there is no way your Firefox install was that torturous. You can quit bullshitting people.
Mock Firefox if you will, random microsoft blogger, but since IE is the proverbial hare to Firefox's turtle, we'll zoom ahead of IE in the code signing area soon. Little incremental improvements instead of trying to hit a home run.
Peter shows us screens of blank dialog boxes, crashing installers, etc. Well what the hell do you expect, it's Windows ! And he blames it on Firefox. What he proved is that the Windows installer is a bug laden pile of crap, just like the OS. Thanks Pete !
TheOpenCD.iso has an embedded checksum. K3B tests the disk image against the embedded checksum. Note it is able to download just the checksum from an iso because it is in the same place in the file, so you can compare all isos to their master. This is education.
Also they provide a torrent file. This is a checksum and download file. It is about time someone put out a torrent to master file compare that normal users can use. I.e. no point having an md5 when you can have a torrent that reduces load on the server as well as providing a way to check the file. Note the iso still has the internal checksum.
I have to ask. Assuming Firefox does digitally sign the browser, what prevents someone from faking the signature? Obviously, someone co-signs it using a crypto key like Verisign or another party. OTOH, what prevents anyone from making a dummy signature? Someone will think "hey, it's signed" so it must be good.
For many non-crypto experts (like me) looking at the signatures under the keylock doesn't tell me, or reassure me much when I'm shopping or banking.
Also, what prevents a dummy signature from installing software on IE? "Trusted computing" (LOL, nice oxymoron!!!) is going to play a role in this in the future. Seems like it doesn't require *ANY* signature to date. You get tons of spyware.
At least Firefox blocks most pop-ups and software install by default. I have 0 spyware just by using Firefox. 2 years now.
Ok, tell them they are using firefox. The window says firefox on it in case they forget.
But set the firefox icon on the taskbar to the IE symbol. That way "people" can still use the internet. "The red and blue what??? I just need to use the internet and I can't find the internet button."
Saying that everybody is content with IE and doesn't want to give it up is actually assuming they know what IE is!!! To most users there is this "e" shaped button "that starts up the web." And they don't waste time worrying about what a program is, and how "using the web" is somehow different if they switch one of those program things. That's the kind of nerdy crap that you involve yourself in.
When you tell them that they will be more secure using Firefox they let you install it because they have no idea what you are talking about and don't want to "be unsafe." They might notice the window looks a little different, but pretty quickly they realise you didn't "break the internet" and they forget about it.
One more time for the record. Most computer users have no idea what anything is that they are using. They have been trained to click on the right icons/prompts to the point where they can do what they need to do, and after that they (rightfully?) don't care, are not interested and think you are a loser if you try to explain any of it.
I am not trying to flame here. I happen to be a computer programmer, but I write software that gets used in-house by non-technical people, and after a while you realise that they just want to click as few buttons WITH PLAIN ENGLISH LABELS as possible so they can just get their job done.
-- http://thegirlorthecar.com funny dating game for guys
I will trust Microsoft when they take their bug ridden trash off the market.
How many copies of XP did Microsoft sell between the publishing of the nasty flaws in IE and SP2?
It was 6 months or so.
And they dare even mention the word trust?
Let me repeat. I will trust Microsoft when they have a track record of recalling, refunding, stopping shipments of known faulty (insecure) software.
Derek
any Mozilla products. I don't have to. I just download the zip file, decompress, and run it right there if I want. However, I do move the decompressed folder to my "Program files" folder just for consistency. This is the beauty of Mozilla et al. It doesn't require installation, just like old Mac stuff. If I don't like it, or when I download a newer version, I just toss out the folder and...done. What could be better? All programs should be so easy. Does this Microsoft guy have stock in Verisign or something? Is Microsoft going to buy Verisign?
What?
Of course I have my students install Mozilla in the classes I teach (no Firefox or Opera though).
After all it is running on the most vulnerable OS on the market today.
and thinks "kids" are running the server farm. ... so, these are the people Microsoft employs, eh?
LOL... do you trust some bloated-crap-stupid-useless-spyware SIGNED by the Gator corporation (or whatever their name is by now...)?
NO !!!
The author delicately neglects that the most common way people get spyware on their computer is not through downloading Bonzi Buddy from the website, but by visiting infected websites, which until recently used to be deliberately set up malicious sites. With recent bugs being exploited between IIS and IE, this has instead been legitimate websites such as a large trusted bank who happened to be running IIS and infected scores of its users with the gift wrapped bug of the day.
even if US don't think so, Taiwan is a Republic Of China.....
Perhaps to demonstrate to the world the type of people who use Microsoft products?
"I'm not impatient. I just hate waiting." - My Dad
That is not entirely truthful. You can also download the source from ftp.mozilla.org directly if you are paranoid, and build the release yourself. Most, if not all mirrors also carry the source code, so you can also validate the source on the outlying site against the original if there is any question in your mind.
So it does not 'require' an unsigned binary at all. In fact as the author of the blog admits, having a signed binary does not prove that the code contained in the archive is free of malicious code at all.
The issue of redirecting the download to another site - a University for example - is represented as less safe than downloading from a verisign registered site. This is hogwash, and avoids the critical argument that Microsoft wishes you to ignore: with a CVS snapshot of the source code I don't have to depend upon pre-compiled binaries and verisign to do my thinking for me. I can run the following command:
diff mysource.c questionablesource.c
- and know immediately if something has been tainted or not. If I must have a binary, I can always validate a checksum of the questionable binary against one provided by Mozilla. Sites that aren't on the up-and-up, or have poor security quickly lose credence in the community, and fall by the wayside.
Finally, most products of open source developers are PGP (Pretty Good Privacy) signed - which serves the same purpose as Verisign - without the attendant costs. A developer publishes a public key used to decrypt a signature encrypted using his private key. If you can not validate the signature - then it did not come from who it should have.
All arguments regarding security of OSS can be countered with the same argument on the closed source side - save one: OSS source code is free to peruse (and diff) as you desire - thus providing the trump card closed source shops can not duplicate or argue effectively against without some subterfuge. The fact is Microsoft wants you to be tied to costly closed security solutions, because then you will only be able to 'trust' a few (rich) closed source shops for your software needs - and small OSS projects will die from lack of patronage. Thankfully they are mistaken in their analysis of your willingness to accept their lies without question.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
The lack of signage upon install, weakly-related download sites, and unsigned extensions with a default option to install (they may be whitelisted somewhere, but does it tell the user this?), all conspire to make it look like a bit of a sloppy job. It sets a bad example of how to behave on the net. People are saying that most of the software on the internet is unsigned. Well if most of the software on the internet made goatse-man pop up every 30 seconds would you want Firefox to do that too?
;)
If you want better security on the internet, you need to get people to behave more securely, and these things he points out, the ones I have mentioned at least, do ring true. Probably not too hard to fix either, so I don't see this as something to get worried about. As long as the Firefox team does think about it and decides to do something about it, IE will still get its ass kicked.
(It's not bad to have people like him pointing out all the problems, that's how things get fixed, enjoy the free feedback!)
And let's not even get into my rejected story submissions.
How am I supposed to fit a pithy, relevant quote into 120 characters?
What, like www.windowsupdate.com points to v4.windowsupdate.microsoft.com?
Firefox isn't perfect but please, bitch about one of its few real problems and some bullshit ones. Someone please show Mr. Torr a clue-by-four please?
"And a voice was screaming: 'Holy Jesus! What are these goddamn animals?'" - HST
How can anyone trust Microsoft? How many _ANTITRUST_ lawsuits have they gone through and lost? It should be well known by now that if you plan on doing any sort of business with M$ you better have some KY with you because you will be ass raped. Do not throw stones.
I'm a Student Ambassador to Microsoft, and promote VS.NET on campus. I think this guy is quite naive (even if from Microsoft) or being deceptive. A few pointers:
1) At least when you post, do a similar comparison between both browsers. I want IE so when I search Google for download internet explorer, then the first link is "www.microsoft.com/ie/" which REDIRECTS me to http://www.microsoft.com/windows/ie/default.htm which again REDIRECTS me to http://www.microsoft.com/windows/ie/default.mspx
Can someone tell me if that is the same Internet Explorer? After all, Microsoft is a big company. I just wanted the regular IE.
2) Watch what you quote - when you wisely point out that Secunia has found (gulp!) 3 security advisories, did you know that only one was moderately critical and the rest were minor? Then, I noticed the advisories for Internet Explorer 6 (the most secure IE browser) - only 53 advisories from 2003-2004 (same timeframe), of which 42% (or around 24) were either highly or extremely critical! Oops, let's not compare using that website.
3) Then, there's the whole issue with downloading extensions - when I click on a link to download my XPI (no clue what it is, as naive user), it waits a few seconds (no surprises) and then asks me to install now or cancel. Oh, and horror of horrors, the Install Now is default! That's what I wanted anyway...and this isn't ActiveX that installs/runs immediately or whenever, but explicitly states that it starts on restart of Mozilla. So, I can even uninstall before reloading Mozilla if I have second thoughts! Hmm, sounds secure to me.
4) I've seen too many web sites that have Verisign and a bunch of other BS images that give me no more trust than another site without them. So, I create a spoofed website with Verisign pictures and have no problem fooling users. But with a Firefox plugin, I'll know I'm on a spoofed website. Personally, word of mouth is the biggest way to increase trust, and that's why I recommend Firefox using word of mouth the most - I'll tie my name to Firefox because I use it and trust it. (Even carry it on my USB drive).
5) Why not fight for some real change and migrate AWAY from ActiveX controls and Microsoft-specific mangled HTML code (and even links) that I can't even run in Firefox? And build in some Firefox-like security rather than pretending the fire is under control!
This sig donated to Pater. Long live
(Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer any more.)
Man, he is right about one thing...
How did I ever get "persuaded" to run anything (from) MS?
Firefox has been the darling of internet news media lately, not just on the internet but on television and print too, and all for free. Even grandma - who with her one good eye uses the internet for her genealogy - knows Firefox by now.
SEO Copywriter. Just Say ON
Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software." Do I really trust a bunch of kids at some random university I've never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you! OMG! he's such a fucking moron! =3
Please explain the significance of this kumquat thing.. I found it quite humorous
The author of this blog entry linked to a Secunia page that listed 4 Firefox vulnerabilities, one of which was listed as 'Moderately Critical,' and the rest of which were listed as less than moderately critical. Curiously, the Secunia IE Page, which of course was not mentioned in the blog entry, lists 74 IE vulnerabilities, many of which are ranked "Highly Critical." Isn't it odd that the author didn't compare the two?
Item in tools menu called "manage add-ons...". Select it. It will list all browser helper objects installed. You can disable them individually. You cannot remove them from there.
Windows installer can be set by the administrator to not allow you to install anything that isn't signed. Most do not sign it that way.
This wouldn't be Slashdot if people who didn't know what the heck they were talking about didn't complain about MS software errantly and get modded up for it...
Isn't it ironic that Eminem calls himself 'the real slim shady' because of idiots like you who want to be just like him? I'm sure Marshall Mathers reads slashdot. Right. Couldn't you have gotten even a little creative? Call yourself TheFakeSlimShady or TheNerdSlimShady or something? fucking pathetic.
Why can't they just whip themselves up a self signed root CA with openssl, call themselves the firefox signing authority, and use it to sign extensions that way?
Like it or not, the computer-dummies are spot on here! They just want to look at a webpage. A browser acts like a 'window', that lets them see that webpage. The users don't care about that 'window', they care about what they can see through it: the webpage. And that's how it should be.
They don't know what "IE" is? Doesn't matter, as long as "IE" shows their webpage. They don't know what "Firefox" is? Doesn't matter, as long as "Firefox" shows their webpage. And the worst part is they don't care? Doesn't matter, as long as [whatever browser is used] shows their webpage. And that's how it should be.
I do exactly what parent said, install Firefox and remove all IE icons, and tell them the icon to get on the internet looks different now.
That is a good idea. "The icon has changed, because the program used to view webpages, has changed. Some navigation buttons may look a bit different, that's all". Simple, logical, easy to understand, even for computer-dummies.
Gets me the sources, checks the md5sum, which came from a different and trusted mirror server from the one which hosted the source. Builds those sources into the binaries which I then run.
Do I trust the Gentoo Portage system? Yes I do, absolutely!
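The checksum-against-a-trusted-mirror workflow described in the two comments above (diffing sources, validating a binary's checksum against one provided by Mozilla, and fetching the md5sum from a different mirror than the one hosting the file) as an added example, not code from the original thread. It assumes a constructed installer and md5sum/sha256sum-style manifests; the compromised-mirror case shows why the manifest must come from somewhere other than the mirror serving the binary.

```python
import hashlib
import hmac

# Digest length in hex characters -> hashlib algorithm, for the two formats
# mentioned in the thread (md5sum and the newer sha256sum).
_ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256"}


def parse_manifest(text):
    """Parse md5sum/sha256sum-style lines ('<hexdigest>  <filename>') into
    {filename: (algorithm, hexdigest)}.  A leading '*' on the filename
    (binary-mode marker) is dropped; blank lines and '#' comments are ignored."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest> <file>'")
        digest, name = parts
        digest = digest.lower()
        algo = _ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: unrecognised digest {digest!r}")
        entries[name.lstrip("*")] = (algo, digest)
    return entries


def verify_download(name, data, manifest_text):
    """Return 'ok', 'mismatch' or 'unlisted' for a downloaded file.
    MD5 manifests are accepted because the thread talks about md5sums, but
    MD5 collisions are practical, so a SHA-256 manifest is the one to prefer."""
    entries = parse_manifest(manifest_text)
    if name not in entries:
        return "unlisted"
    algo, expected = entries[name]
    actual = hashlib.new(algo, data).hexdigest()
    # compare_digest is constant-time; harmless here, a good habit elsewhere.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# --- Constructed sample data (a stand-in, not a real Firefox build) ---------
INSTALLER_NAME = "firefox-1.0.installer.exe"   # hypothetical filename
GENUINE = b"constructed stand-in for the genuine installer bytes\n" * 32
TAMPERED = GENUINE.replace(b"genuine", b"trojaned", 1)


def manifest_for(data, algo="sha256"):
    """What a publisher's SHA256SUMS (or MD5SUMS) file would contain for `data`."""
    return f"{hashlib.new(algo, data).hexdigest()}  {INSTALLER_NAME}\n"


# The manifest the project itself would publish, fetched from the project's
# own site (or a second, independent mirror), never from the download mirror.
TRUSTED_MANIFEST = manifest_for(GENUINE)

# A compromised mirror serving a tampered binary together with a matching
# manifest: checking the file against the mirror's own checksum proves nothing.
COMPROMISED_MIRROR = {
    INSTALLER_NAME: TAMPERED,
    "SHA256SUMS": manifest_for(TAMPERED),
}


def check_mirror(mirror, trusted_manifest):
    """Verify the mirror's copy of the installer both ways and return both verdicts."""
    data = mirror[INSTALLER_NAME]
    return {
        "against_mirror_manifest": verify_download(INSTALLER_NAME, data, mirror["SHA256SUMS"]),
        "against_trusted_manifest": verify_download(INSTALLER_NAME, data, trusted_manifest),
    }


if __name__ == "__main__":
    print(verify_download(INSTALLER_NAME, GENUINE, TRUSTED_MANIFEST))  # ok
    print(check_mirror(COMPROMISED_MIRROR, TRUSTED_MANIFEST))
```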
TFA refers to the 10 Immutable Laws of security.
The first few are very insightful of Microsoft.
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Corollary: If Microsoft is a bad guy, it's not your computer any more.
IE security holes tend to sink into the OS, making breaches potentially worse.
Still, Mozilla must sign its Windows release software to enable users to trust the binaries. It doesn't need expensive certificates, all it needs is a PGP/GPG key posted on pgp.mit.edu (and/or other places).
I'm a long time Mozilla/Firefox user and supporter, and have used MSIE only infrequently for the past four or five years (basically on when I'm stuck using someone else's machine). So don't construe this as an attack on Firefox/a defense of Internet Explorer....
But Firefox has a couple of hurdles to overcome to supplant Microsoft in terms of browser share. Most users have been weaned on IE, and are familiar with the various eccentricities of Microsoft's browser. Furthermore, it's already there, easy and ready to use. Firefox's small window of opportunity comes as a result of Microsoft's poor record on security concerns. The Microsoft FUD machine only needs to shed enough doubt on Firefox's touted security improvements to make Joe User decide that what he sees as only a slight improvement in terms of security is offset by the familiarity of IE. The question isn't "Do I trust Firefox more than IE," it's "Is it worth messing around with Firefox when I'm already used to IE?"
Firefox is, IMO, easily the superior browser. But I'm already a convert. While I'm sure Microsoft would love to have me pick up IE again, what matters more to them is stopping my friends and family from flocking to Firefox at the expense of IE. And it's those people (still 80% of the market, at least) who are the target of this "is Firefox trustworthy?" talk.
Sean Daugherty "I have walked in Eternity -- and Eternity weeps."
Gee, the code's not signed. Too Bad. Signed code is safe, right?
Anybody remember this?
http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx
"Microsoft Security Bulletin MS01-017
Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard"
"Impact of vulnerability:
Attacker could digitally sign code using the name "Microsoft Corporation"."
Yeah, signed code is safe. Especially if it's from VeriSign and says "Microsoft".
(Note: There has been a patch issued for this, I'm not implying this is an open hole. Just that code signing is not a panacea.)
One thing I've been wondering is how exactly closed source software can be legal. I mean, for all I know, Windows might actually have Linux code in it (wouldn't that be funny), but we will never know because only Microsoft sees the code. Is there any way to be sure that the new BestGreatestThing(TM) from a closed source software company doesn't contain code from my open source project?
The other thing for anyone paying attention of course is that all signing attempts to do is tell you that the code was written by the person who claimed to write it. The author however could still be the archetypical militant, sociopathic IRC dwelling 14 year old from Vladivostok, and so if automatic downloading/installing of *signed* code is still turned on without you eyeballing the signature, all having code signing in that instance would mean is that your computer had just been infiltrated by a 100% certified, gen-u-ine evil h@XX0r d00d. What a reassuring thought.
Let me also make a counterattack of my own here. Firefox doesn't experience problems with "browser hijackers." Why? Because only IE had the <sarcasm>ingenious</sarcasm> idea of storing the homepage address in the system wide registry. What a truly innovative idea it was, too. It made it possible for such wonderful people as the authors of MySearchBar and the truly inspired souls responsible for Bonzi Buddy to first of all point IE at their pages by default, and then automagically download and install their own home made ActiveX malware, thus allowing them to proceed to thoroughly rape/0wn your system.
Of course, I can well understand, given that, why nobody in their right mind would want to use any browser in existence other than IE. I mean, why would you want to miss out on all the fun and entertainment listed above?
"Huh -- http://www.heinz.co.uk/ is completely broken... says I don't have a "modern" browser, even when I set IE security back to the default settings. Oh well, at least they make good condiments!" Read the rest of this guys site! For a man who touts the wonderful abilities of IE, it is very amusing that it doesn't function in certain areas of the internet. I just found it amusing that he mentioned this happening on his website which is insanely pro IE.
You gotta hate those proprietary GPLed KDE apps.
Jeremy
Looking for a Python IRC bot?
However, the University site for getting student details requires IE to get into. So even though I installed the User Agent Switcher extension and taught them how to use it to fool the site into thinking they are IE - they forgot how to do that, and next time I was there there was a "Shortcut to IEXPLORE.EXE" icon on their desktop.
:)
They don't blame the people who wrote the site either. They blame the browser for not working with the site. Even if I explain that the people who wrote the site are locking others out for no reason (it's not like it uses ActiveX or anything, the site works perfectly in firefox).
Next time I go there, I will see an IE icon on the desktop again. *sigh*
Can I get rid of executable permissions on IEXPLORE.EXE without horrific consequences?
-- The doctor said I wouldn't get so many nose bleeds if I just kept my finger out of there!
Is windows for stupid people or does using windows make people stupid?
Why are you hanging out with people who are that dumb anyway? In this day and age not to know the most basic thing about the internet and computers seems preposterous.
evil is as evil does
Crappy editorial decisions like this make me glad I'm not a subscriber.
Microsoft's efforts with digital signing are very noble and they make some very valid points about Firefox here. Why does Firefox suggest having signed plug-ins when they don't sign their own program?
[Being a Linux and Firefox supporter, I cannot understand that]
But the whole concept of using digital certificates and digital signatures is way too complex for the average non-technical computer user - and the thought of understanding it well is probably too technical for many technical computer users. SSL has similar problems.
Microsoft goes to great lengths to educate the customer with fairly decent descriptions when things aren't signed, or with default options. But ultimately, the uneducated masses do something because someone else "educated them".
So if your friend told you "hey, go install the Morpheus file sharing program because you can get stuff for free," you're going to go download it and all of its spyware.
If your friend emails you a really neat screen saver with embedded virus, then calls you and says "Check out that hot-chick screen saver", you're going to ignore every Unsigned notice error you get to see it run.
The goals of Microsoft are noble - and Firefox needs to follow its own recommendations, but I don't believe digital signatures will ever be the solution to the problem.
The masses just want their computers to work. They don't want to have to understand the technical details about how they work. Average users running Microsoft Windows should not be required to make a decision, because no matter what - it's Russian roulette.
So if signed programs are the only way to add security to Windows, then just make valid signatures required and go on from there.
You'll just end up with lots of people creating their own signing certificates and the users will have to get a pop-up saying "I don't know the Certificate Authority that signed the signer certificate." Yea, guess what... the average user has no idea what a CA is.
--Twivel
Ditch the ... command-line interfaces, and maybe Linux will be ready for the desktop.
a ha hahahahahahahahahahahahahah
NO, I WON'T! I just got the "terminal app" (Qterm) installed on my Zaurus and I realize that it's what I've been missing all along. Now I can finally _move_files_ to/from the CF card into the "Documents" directory which is the _only_ place the "Text Editor" can open anything from. Now I can finally delete all those backups that filled up my old CF card. Now I finally have some interaction with my machine beyond the point & drool interface. Now to get some tiny emacs emulator into it, so I'll have a REAL editor!
I DON'T CARE if the laity is 'intimidated' by "bash:~$", I UNDERSTAND IT, I LIKE IT, I WANT IT, AND YOU'LL GET IT AWAY FROM ME WHEN YOU PRY IT FROM MY COLD, DEAD FINGERS!!!
No, wait - not even then - because I HAVE THE SOURCE CODE!!!!!!
In fairness, the gooey _is_ improving, and is nearly "fully functional". I've been using (I think) metacity for a couple of weeks now, and there's a buttload of stuff available on the menus and it all seems to work. But where's grep? gzip? They're probably there somewhere, but WHY should I have to look down five layers of silly menus when I KNOW all I _really_ need to do is type `modconf`? You want user-friendly? Turn on filename completion, there's user-friendliness for ya.
To get somewhere near the topic, there are some real gems in that article, like:
"Immutable Law of Security #1: If a bad guy can persuade you to run his program on your computer, it's not your computer any more."
Someone's already pointed out that that Bad Guy == Bill Gates.
"This is what the `Secure Deployment' part of Microsoft's SD3+C campaign is all about; we design and develop secure software..."
hahahahahahahahahahahahahahahahahahahahahahahah
Oh, stop. Please.
"I personally don't care if people choose to run Firefox or Linux or any other software on their computers..."
Bwahahaha I bet you don't. You may not personally, but the public stance of your employer is that that awful GPL has gotta go.
"...we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea."
Hehe. I'm writing this on a machine which has had practically ALL of its software (_including_ Mozilla, Firefox & Thunderbird) loaded by apt (which I assume checks the MD5s, for download integrity if nothing else) from us.debian.org, non-us.debian.org, & security.debian.org, ALL of which I trust one helluva lot more than msn.com & microsoft.com! This may not be the majority approach, but it works for me, I'm certain there are at least a couple of other guys around here doing the same, and I advocate it to all.
None of the "unsigned code from random websites" seems to work on my system, so I don't bother with it. This locks me out of a few websites I guess, but I'd rather have a computer that I can trust.
Exceeding the recommended torque is not recommended.
I hate to break it to you, but any site found on the internet is untrustworthy.
Don't blame me, I didn't vote for either of them!
I can tell you this: Any graduate from CTI in the past 20 years must be smarter than all of the programmers in what's left of the Internet Explorer unit combined!
Exactly. Any graduate from DePaul knows what Micro$oft is, and if a Micro$oft employee doesn't know what DePaul is, well that's purty damn dumb.
Simply, I installed it, tried it, and found it to be better. Before Firefox I would have to scan for adware/spyware, at least once a month or more just to make sure my system was safe. Since Firefox I scan for problems when I feel like it.
I did a scan with both SpyBot and Ad-aware while writing this and they found 9 problems all of which were cookies. The last time I scanned would probably have to be about 4 months ago. Had I been using IE for the last 4 months the number of problems found would have probably doubled, tripled, or even quadrupled in number.
Firefox is the only browser for me.
(1) Digital signatures are inherently trustworthy and unfakeable. Some versions of the firefox install can be obtained without such signatures.
(2) If you're an idiot that just presses enter repeatedly to get through dialogue boxes, then you will end up with a bunch of unwanted nastiness on your computer.
While I lack the expertise to judge claim 1, it seems to me that claim 2 is a valid point... as firefox becomes more popular, the fraction of users who are careless or just plain mentally inferior is going to increase, so measures are going to be required to more effectively idiot-proof it. Of course, the system will never be quite as idiot-proof as Windows, because Windows is based around the idea that you want the user to be unable to easily access any of the workings of the system, while firefox runs in the opposite direction.
Then again, peer-review/open-source seems to in some degree safeguard against idiot designers just as it slightly increases the impact of user idiocy. A worthwhile trade, in my admittedly unprofessional opinion.
Just my 2 cents, eh.
...it's really a sad day for America when we require a goddamn ACT OF CONGRESS to make our DVD players work properly. ~
And last, but not least in the run of nonsensical corporate identifiers ... EBay.
The name of eBay is easy to parse: "e-" meaning electronic (as in e-mail), "bay" meaning auction venue. Xerox is short for "xerography", a process used in photocopiers and laser printers.
Want to solve the problem of distribution and get rid of the need for mirrors? pull an AOL. Give out millions of CD's everywhere. Every random Joe and Tom will pick one up at compusa on their way out. And Grandma will get one in the mail. Then I can rebuild the cd-mirror on my wall that fell down when my roommate slammed the door too hard :]
Yeah, I'd be more inclined to pay attention if you weren't loosely implying that "western" eyes were somehow more just or fair.
"Interesting", indeed. Interesting to a racist, perhaps.
There is only one true enemy of peace.
bash-3.00$ uname -a
SunOS panda 5.10 Generic sun4u sparc SUNW,Ultra-2
The fact is, it's a piece of cake to sign FireFox, and that's what Microsoft wants.
That way they can guarantee it's distinguished from the millions of other Windows programs out there and sabotage random functionality in it (while in execution), but in a way that is impossible to effectively debug.
What does firefox actually mean? Is it a reference to illusory lights like the ones obtained from reflections off of marsh gas (foxfire)? Or did one of the designers have an accident involving gasoline and a furry pet running into telephone wires?
It's a pretty cool name, just wondering where it came from.
this from a company that has a browser named Explorer and its file manager.
Ask anyone in tech support how often that question comes up even though its usually in a faq.
Doesn't his whole argument fall apart at the 7-Zip error? After all, 7-Zip is GPL software distributed under a similar model, and he trusted it. I'm starting to wonder how much other GPL and freeware software he has installed on his machine...
What websites [designed only for Microsoft Internet Explorer] are these?
Windows Update, but that was a given. Try playing an ActiveX based game such as Cartoon Network's Codename: Kids Next Door outside of IE. (That you do not have elementary-school-age children is not a defense.) Try using Trend Micro's ActiveX-based HouseCall virus scanner outside of IE. (Trend Micro claims to offer it as a Netscape plug-in as well, but the Netscape plug-in installer refused to continue because it couldn't find my Mozilla 1.7.x installation. It's probably for old-ass Netscape 4.x.)
And, I guess, in the US, where there are more than 5 banks
Sure, a decent-size city such as Fort Wayne, Indiana, has branches of Bank One, Wells Fargo, National City, and Fifth Third within two blocks of one another, but when I lived in Terre Haute, Indiana, for four years, it was either Terre Haute First National Bank or a $4 ATM fee ($2 to the bank and $2 to the ATM owner) for every withdrawal.
The users don't care about that 'window', they care about what they can see through it: the webpage.
Either that, or a "This browser does not support ActiveX" error when you try to run, say, Trend Micro's HouseCall.
Download the source, check the source for whatever you're curious about and COMPILE IT YOURSELF. If you're that untrusting, then you can be as paranoid as you want. Besides, last time I downloaded "trusted" IE software, I got some spyware....
That's how many Spybot found on my father's machine after I installed it this past weekend. And the funny thing was he was initially less concerned about the malware that IE had silently allowed to install on his machine than the constant popups that IE allowed. I used Spybot to rid him of the malware and installed Firefox to 1) make sure he wouldn't get nearly as much malware in the future and 2) block all those popups. He's really happy now.
Anyone notice the article stopped soon after he started using firefox? Not much to talk about after you have it running? The article just ended. I wanted him to write about how great a web experience is when you have i.e. set to the highest security level.
So is the lesson to only use what Microsoft gives you?
No, that wouldn't help at all. Spyware could just as easily install itself as a VBscript in a Word document, if memory serves me right. Only kiosks are really safe, then.
Don't thank God, thank a doctor!
Signing can help in that people who trust a certain publisher can be assured that the software arrived from that publisher in unmodified form. Of course, the software used to verify the signature must also be trusted for this to work...
Signed software is very convincing but it would not necessarily help if the manufacturer overlooked a security hole or if someone at the manufacturer tampered with the software before it was signed. There was even an incident where Microsoft code-signing certificates were successfully obtained under false pretenses. (Notice the comments about revoking the certificates and about people overlooking expired certificates.) If something bad happens with signed software, there is the question of going after the manufacturer. For a situation like a security flaw leaking personal information, no amount of legal action may be able to expunge the information from Internet sites. This is where sandboxing of software and secure programming techniques are important, even with code signing.
A lot of software on the Internet, including security-related software, is distributed unsigned. Remember that a lot of this software is distributed by individuals, possibly at no cost. A lot of people likely go ahead and use this software despite the issue of it being unsigned. Interesting...
When VCR's are outlawed, only outlaws will have VCR's.
...who's behind the "Warning: Your computer is broadcasting an IP address" banner ads.
Hello? Microsoft? 99% of the stuff on the Internet is unsigned.
MOST of the not-signed messages I get are when installing MICROSOFT's own updates. It just amazes me that Microsoft bothers to have a policy setting to enforce rejection of non-signed software, and it's one of the biggest offenders.
The md5 is only as secure as the file, but the Certificate is only as secure as the Certificate Authority. Read other comments here, and you find that Verisign isn't that trustworthy.
Firefox is signed with Mozilla's PGP key, which is just as secure as a certificate. The difference is, you need a secure way to get the public key to you first, so it's not much more secure than MD5.
But, someone could just as easily have handed you a forged Windows install disk, or forged one with your computer, which had a public key for their own spoofed certificate authority, and thus undermine the whole thing.
The point is, you want to reduce the points of failure as much as possible. I think "Download one PGP key and hope it's good, then download anything from mozilla.org and know it's as good as that key" is better than trusting Verisign (and Gator and BonziBuddy).
"blindly ahead, I download the software again (this time coming from -- I kid you not! -- a numeric IP addres..." I didn't actually know you could get non-numeric IP addresses. Even in Hex, its still a number. I think the thing he means is URL, go back to school buddy.
PGP is the more trustworthy, for my money's worth.
So how do you verify the chain of keys from you to Mozilla Foundation?
"I'm getting board"
Board, bored, nuance.
Words mean things.
Writers imply. Readers infer.
We can't mod articles as -1 Troll.
Your flaw is that you have not considered that maybe, just maybe, the mainland chinese spies are just better at NOT GETTING CAUGHT!!
Poke that in your fukstik and smoke it!
Would you like us to portray the IE6 worst case scenario?
Sure. The other day this site tried to install some Active-X compo*&!&&^%#^@!((NO CARRIER
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
you don't "e"migrate to somewhere... you "e"migrate from somewhere, ass.
This is their response to the NY Times ad. Someone at MS finally sat up and took notice, so they sent one of their writers to cool the Fire from Firefox.
The general tone of responses to this article is somewhat alarming. It mostly consists of "how dare they criticize us?".
Let's make no mistake: IE is a mess and does a lot of things wrong. Firefox makes a fairly good attempt at avoiding IE's errors. However that doesn't mean that it can't be making other mistakes.
The original article is by a MS employee, and there is no doubt that he has his own agenda. Notwithstanding that, he's made some valid criticisms and to ignore them would be downright stupid.
I guess that the use of mirrors is unavoidable. Given the demand for Firefox, it could not be hosted in a single place. However it does create a possible security problem. How does a (possibly non-technical) user know that a mirror is safe? This is particularly troublesome if the mirror has only a numeric address (like 207.126.111.202).
If any mirror is untrustworthy, they could easily produce a hacked version of Firefox and distribute it widely.
There are many possible approaches to this problem, but it is certainly worth some research. Users need to know that they are getting a safe version of the software.
The dodgy dialogs sound like bugs. Rather than getting offended, it would be better to contact the author and try to repro the bugs. Maybe the bugs are in IE or in Virtual PC, but they might be in Firefox. It would be foolish to say that Firefox has no bugs.
One of the biggest criticisms of MS is their arrogant (lack of) response to user feedback.
Let's not be like them.
In Korea only old people download unsigned software.
Why not? After all, eastern eyes are prettier than western ones, at least on the girls ( which are also prettier than the western ones).
And believe me, as a laowai (foreigner) in China, I am the victim of constant attempts at fraud. So in general, I tend to trust western eyes more than eastern, at least when it comes to money transactions and trade.
I would argue that a PGP signature would be more appropriate than an MD5 sum for this purpose.
So how would you verify that what is purported to be Mozilla Foundation's PGP code-signing key actually belongs to Mozilla Foundation without knowing another PGP user who often rides an airplane?
" Most developers are benevolent. People have tried to create exploits with the Linux kernel, but they have been weeded out."
The ones that have been noticed may have been weeded out.
Newbies...paranoia can't be soothed.
Doesn't TLS involve an annual payment to VeriSign, which bought Thawte? And isn't VeriSign the bad guy?
It's not quite what you describe but maybe it could be expanded.
There is software such as the GnuPG utility which can verify digital signatures. The GnuPG software can be downloaded at no cost and can be freely used by everyone. There is an issue in making sure that the GnuPG software itself was not tampered with. A signature on the Web page does not help unless the page was obtained securely with SSL encryption, a trusted browser and a trusted OS... The GnuPG site has an Integrity Check section on verifying the download. They mention the use of a SHA1 calculator (which would have to be trusted.) Of interest, they also mention comparing the SHA1 hash to the ones provided by multiple sources. Presumably, it is less likely that all of the sources would have been tampered with. It is possible to contact a trusted party (but not using e-mail) and to obtain an SHA1 hash or a copy of the GnuPG software (i.e. on a CD.) This might involve some cost and going to some trouble. Perhaps parties could sell copies of the GnuPG software on CD-ROMs. It would be convenient if computer systems included copies of software such as the GnuPG utility. Presumably, the computer manufacturer would verify the software before including it.
With public-key encryption, there is also the "web of trust". It is necessary to have at least one trusted public key (or certificate) or a trusted fingerprint for a public key. This lets the user verify other public keys and files. Having more than one is better.
And keeps my system running stable
Err, forgot: Do not run Any code signed software at all, everything runs linux (and a lost bsd machine from apple)
My wife's sketchblog Blob[p]: Gastrono-me
- Firefox: Theoretically insecure.
- Internet Explorer: Theoretically secure.
Gee, if only IE were available for my system
It seems to me that the biggest argument this person has is the lack of a digital signature. But you go off and say this:
"just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty;"
There has to be some level of trust that you put in Firefox homepage.
For being so paranoid about installing it you spent no time at the Firefox home page learning about the product.
The extension was a problem for you too, but you get your extensions from Firefox; you can read that in the big FAQ link at the extension page titled "How do I get my extension or theme listed?" (refer to step 5). -RTFM
As far as the advertisement in the New York Times. The only people that should be mad about this is Microsoft and Microsoft ** employees.
The 7-Zip error is rather amusing because the error is not related to firefox. Yet the author makes it seem like it was Firefox to blame. And the icing on the cake is that 7-Zip is licensed under GNU LGPL.
When you downloaded that were you this paranoid. http://www.7-zip.org/
This quote was priceless - The truth comes out from the msdn.com URL:
This is what the "Secure Deployment" part of Microsoft's SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.
What I hear
We know we screwed up in the past but we're trying to fix it now. We help nonqualified people be administrators
Another useless sentence:
So, at this point in time, installing (and using) Firefox encourages exactly the sort of behaviour we are trying to steer people away from,
Who the F*&^ is WE?
What are WE trying to stay clear from:
Open source software solutions that are free.
Open source code that any one can modify and fix to suit their needs.
Don't go there - I know what you're thinking. Try to get a trojaned version of Firefox to link from the Firefox site.
Disable the "Flash" specific plugin has to be an option for the next firefox version. Because you can disable most of the plugins from "Tools" - "Options" - "Downloads" - 'Plug ins"
Thanks for the feedback - See this is how Open software works.
This article should have been titled.
Can Mike and Robert be trusted to do follow up work.
Remember this tasty nugget of joy:
Just because you don't see any unpatched security bugs in Bugzilla doesn't mean they don't exist, either.
--Really
Or does it seem all the FUD articles coming from Microsoft employees carry a tone similar to that of an abusive/controlling evil boyfriend? or something like that? It's weird..
If only my wireless card worked under Linux...
Oh well, Christmas is coming soon and the family always gets me gift cards from electronics retailers. So the best part about Christmas this year is a Macroshit-free house for New Years.
In the meantime, since I'm having to use Winblows to write this while I'm on the can...
Hnnnnnnnnnnnnn... PLUNK!
That's what I think of your enlightened analysis of Firefox, Mr. Torr.
Firefox is going to need more than one ad in a regional paper to get the word out. When they come out with a U2 version complete with nauseating ad campaign I'll agree you have a point.
What? You mean all those horny housewives really aren't glad to see me?
*sniff* I'm going to die alone and unloved. (Oh, wait, I'm a Slashdot poster. That was already a given...)
Kierthos
Mr. Hu is not a ninja.
Yes, somewhat, but also, it would give comfort to half-clueful users who noticed that Firefox was inexplicably being downloaded from mozilla.trust-us-its-the-real-thing.cx. If a certificate would prevent even a small percentage of users from aborting the installation due to fear, it would be worth it.
One of the simplest way to enhance security on the Windows platform is for the OS to require the users password for ALL software installs.
While it would not prevent people from infecting themselves if they OK the installation it would stop programs from installing themselves without the user knowing or by clicking a simple link on a web page or email.
As far as digitally signed drivers go, it would be nice if companies actually used them.....most don't. This is one of the funniest parts of my MCSE course...they really harp on driver signing for a stable system....it would work because you would not be able to install 90 percent of the drivers out there!
Heh, I know someone who happens to work for a spyware company. The company has a Verisign cert and signs their software with it. Gee, that was hard!
It's you isn't it? It's ok to admit. Slashdot folks tend to be a rational, caring, forgiving bunch....
Dont feed the troll...
?
He has a very Microsoft-centric point of view, and many of his observations are quite academic.
But his main point is that the whole Firefox installation experience on Windows is not very Windows-like.
I think that's a valid and valuable critique and that Firefox could gain more supporters by addressing this.
(Even if its from some frickin' capitalist windows zealot.)
How can we trust his blog post? I bet he spoofed all those dialog boxes.
Can we get an MD5 on this please?
I trust FireFox because thus far the organization that provides has proven itself to have a very credible track record in providing me more secure and better functioning software than its competitors.
It's been decades since I kept up with the technology enough to know if Microsoft's pretty shield icon or FireFox's obscure SHA-whatever are better technical solutions.
But Microsoft's pretty shield icon, as warm and fuzzy as a shield feels, is tainted by the decades of reckless disregard for my computer's security shown by its organization - while Firefox's is backed by a responsiveness nearly unmatched in responding to problems as soon as they're reported and solutions known.
I don't claim to know what caused his problems since I have not experienced them, but they were not due to the blogger using the wrong decompresser. He downloaded the exe, not the zip.
The files inside the .exe installer are compressed in the 7-Zip format, so the Firefox installer is responsible for the decompression. In earlier Firefox installations, I think "7-Zip" was actually displayed in the title bar of one of the dialog boxes. A third-party 7-Zip program could not be used even if you wanted to use it.
It's because windows driver signing costs $100 grand. Per driver revision!
(I think)
Why do we even entertain these kinds of diatribes? He's obviously incredibly one-sided with a good financial reason to be so. Screw him.
1) go to Tools -> Extensions
2) Click the extension you want to get rid of
3) Click uninstall
Let's compare that to uninstalling programs in windows shall we?
1) Go to Control Panel -> Add/Remove Programs
2) Click the program you want to get rid of
3) Click uninstall
Now, if he wants to pretend that there's no obvious way in firefox to remove extensions, and thus is bad - he should concede that windows has no obvious way to uninstall programs - and is thus bad.
$ gcc browser.c :)) /* browser.c */
:))
Line 1: Syntax Error; Unrecognized keyword 'MicroSoft_Rocks'

#include <stdio.h>

#define MicroSoft_Rocks 0
#define Firefox_Rocks 0
#define Opera_Rocks 1

int main(void)
{
    /* exactly one of the three opinions above is non-zero */
    if (MicroSoft_Rocks) {
        printf("Microsoft Rocks. Use Internet Explorer !!\n");
    } else if (Firefox_Rocks) {
        printf("Firefox Rocks. Quit using IE !!\n");
    } else if (Opera_Rocks) {
        printf("Opera is the king of all browsers\n");
    }
    return 0;
}
To continue my benevolent fairness, I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. If Mr. Torr is able to traverse through the less than positive feedback he's received on his own blog site, hopefully, he'll get over here to /. to check out the (mostly) kind words people have to say about IE.
I won't even touch on the "benevolent fairness" part of the sentence. Obviously, this is a tongue-in-cheek piece.
Of course you may sign your product to guarantee it is exactly the product you claim it is. In this respect signing Firefox could be desired in order to provide an easy way to identify a spoof.
...heard about the extra NSA key found in Windows betas that would allow NSA to access any encrypted content?
In case of Microsoft you know you're downloading a spyware-friendly, virus-friendly software. Where's the difference whether it contains a virus already or not? It will anyway, within next 4 minutes. So what good is signing MSIE for? You sign a TRUSTED content.
Of course there's the ultimate security/legitimacy proof possible with Firefox. You can just download the source, audit it and then compile. Doesn't guarantee the code is from "original firefox" but guarantees it's clean.
WHAT ARE YOU SIGNING, MICROSOFT?
Anagram("United States of America") == "Dine out, taste a Mac, fries"
By signing the (windows) installer, the user can very easily verify that the software he downloaded from whatever mirror server (or e.g. via BitTorrent or another P2P network) is actual, unmodified mozilla code.
Since you get the source code of Firefox, it would be relatively easy to include whatever malware you'd like in the browser, and roll your own installer without giving the user any(*) chance of checking the integrity of the package.
The author's point in this case: with a minimum amount of cost and trouble, the Mozilla foundation should be able to create an installer that plays nice with the existing windows security features and would give the user extra reassurance when downloading the software from an unknown source.
So yeah: the guy is pointing out a number of functional flaws in Firefox, and IMHO he raises some very valid points. It's not a firefox-bashing-session, but a (well-written) summary of his experience installing Firefox with major focus on his pet peeves. Whining that "IE sucks" (even though it does...) does not make the raised issues any less worthy of investigation...
(*) Yes I'm aware of the MD5/SHA-1 checksums, but 99% of the target audience on the windows platform doesn't know what it means, let alone how to perform such a check.
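The check that several comments in this thread gesture at (comparing the hash of a download against checksums published by more than one source, and fetching the checksum from mozilla.org rather than from the mirror that served the file) is short enough to show in full. The following Python is an added example written for this page; it is not code from the thread, from Mozilla or from Microsoft. It assumes a sha1sum/sha256sum-style manifest format of "<hexdigest>  <filename>" per line, and every file, manifest and source name in it is a constructed stand-in, so it runs offline.

```python
"""Checking a mirror download against checksums from independent sources.

Added example (not code from this thread, from Mozilla or from Microsoft).
It models the situation discussed above: the installer arrives from an
arbitrary mirror or via BitTorrent, the checksum list is fetched
separately from the project's own site, and a hostile mirror can forge
the checksum it serves next to a tampered file but not the copy
published elsewhere.  All bytes, manifests and source names are
constructed stand-ins; nothing is fetched from the network.
"""
import hashlib
import hmac


def parse_sums(text):
    """Parse a sha1sum/md5sum/sha256sum-style manifest.

    Each line is '<hexdigest>  <filename>'; a leading '*' on the filename
    (GNU binary-mode marker) is ignored.  Blank lines and '#' comments
    are skipped; anything else is treated as a malformed manifest.
    """
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed manifest line: %r" % line)
        hexdigest, name = parts
        sums[name.lstrip("*")] = hexdigest.lower()
    return sums


def file_digest(data, algo="sha256"):
    """Hex digest of the downloaded bytes with the manifest's algorithm."""
    return hashlib.new(algo, data).hexdigest()


def verify(data, name, manifests, algo="sha256"):
    """Return (ok, reason) for a downloaded file.

    manifests maps a source label to the manifest text obtained from that
    source.  Every source must list the file and all sources must agree;
    a single dissenting source fails the check, because the point of
    consulting more than one is that an attacker would have to
    compromise all of them.
    """
    actual = file_digest(data, algo)
    expected = set()
    for source, text in manifests.items():
        sums = parse_sums(text)
        if name not in sums:
            return False, "%s does not list %s" % (source, name)
        expected.add(sums[name])
    if len(expected) != 1:
        return False, "sources disagree: %s" % sorted(expected)
    (published,) = expected
    # compare_digest avoids leaking the mismatch position through timing;
    # not critical for a local check, but it is the habit to keep.
    if not hmac.compare_digest(actual, published):
        return False, "digest mismatch: got %s, expected %s" % (actual, published)
    return True, "verified against %d source(s)" % len(manifests)


# --- constructed scenario ------------------------------------------------
NAME = "Firefox Setup 1.0.exe"
GENUINE = b"stand-in for the real installer bytes"
TAMPERED = GENUINE + b"\x90\x90 stand-in for injected spyware"


def manifest_for(data, name, algo="sha256"):
    """Build a one-line manifest as a publisher (or a hostile mirror) would."""
    return "%s  %s\n" % (file_digest(data, algo), name)


ORIGIN_SUMS = manifest_for(GENUINE, NAME)        # as if fetched from mozilla.org
SECOND_SUMS = manifest_for(GENUINE, NAME)        # e.g. a CD or a second trusted site
EVIL_MIRROR_SUMS = manifest_for(TAMPERED, NAME)  # forged to match the tampered file


def same_source_check():
    """Hash taken from the same mirror as the file: tampering goes unnoticed."""
    return verify(TAMPERED, NAME, {"evil-mirror": EVIL_MIRROR_SUMS})


def independent_source_check():
    """Adding the origin's manifest exposes the forgery as a disagreement."""
    return verify(TAMPERED, NAME, {"evil-mirror": EVIL_MIRROR_SUMS,
                                   "mozilla.org": ORIGIN_SUMS})


def genuine_check():
    """The untampered file verifies against two agreeing sources."""
    return verify(GENUINE, NAME, {"mozilla.org": ORIGIN_SUMS, "second": SECOND_SUMS})


if __name__ == "__main__":
    for label, check in (("same source", same_source_check),
                         ("independent source", independent_source_check),
                         ("genuine file", genuine_check)):
        ok, reason = check()
        print("%-19s %s  (%s)" % (label + ":", "PASS" if ok else "FAIL", reason))
```

The first scenario is the one the "md5 is only as secure as the file" remark describes: a checksum served by the same mirror as the file catches corruption but not a hostile mirror. The check only becomes meaningful when at least one manifest reaches you over a channel the mirror does not control (the project's own site over SSL, a manifest signed with a key you already hold, or a copy on physical media), and even then it says nothing about whether the genuine file is benign, which is the separate point about signing and sandboxing made earlier in the thread.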
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
What's an mp3?
They ask themselves how you can trust Firefox when they haven't answered: How can I trust ActiveX?
In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download.
An ActiveX control with no signature can also be harmless and useful. Most are actually unsigned and most aren't spyware-related. And I'm sure companies like Gator, or whatever they're called today, have already made the money to be able to sign their ActiveX controls. I can't see how these are related to security at all. It's more related to money than anything else.
How are you supposed to tell which are harmful or not until after they're installed? Wouldn't it be best to make them able to do less? You don't *have* to use ActiveX for stuff like Windows Update hardware identification. Why not replace it with a standalone installer app?
Beware: In C++, your friends can see your privates!
No, it's okay. The geocities page was digitally signed.
End User License Agreement
i. By reading this text, you agree to mod it as insightful due to its illustration of the problems with the argument against unsigned media.
ii. By reading this text, you further agree that it is relatively entertaining material, given the number of hours the posting individual has been online without rest, before contriving the post.
You mean all those horny housewives really aren't glad to see me?
No, but take heart in the fact that their pimps are particularly glad to see your money.
- The complaint was about Flash
- Flash is a plugin
- Plugins are DLLs (in Windows; EXEs when downloaded) that import functionality from other programs on your computer. Examples: Flash, Shockwave, Java, Real Player, QuickTime
- Extensions are XPIs, which add functionality into the browser's own code, much of which is simply XUL (XML) and JavaScript.
- Firefox has an extension manager, not a plugin manager
Supporting paragraph (bold is in original; look familiar?):
I laughed so hard I cried.
3cx.org - A truly bad website.
But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example).
Secunia lists 74 security advisories for Internet Explorer...
step 1. dual boot with linux (fc2) step 2. never access the internet through windoze. bingo.. have been free of nasties ever since. seems obvious to me but.........
10. If a large corporation can fuck you out of a penny, they will.
9. Corporations will break anti-trust laws if they can make more money than adhering to their letter and spirit.
8. Corporations are prone to the blind following of rantings and ravings of men who have an immature need to feel important.
7. #8 is only true because a) real people with real-sized egos have to feed their wives and children OR b) the employee is also an asshole with an overwhelming need to feel important.
6. Corporations just don't give a fuck about anything but making money.
5. Corporations will shift the blame onto consumers they create if they think they can get away with it. See Microsoft's 10 Immutable Laws of Security: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
4. In the corporate world, there is no truth, just good PR and bad PR. If good PR and the truth coincide, it's by coincidence only.
3. The people who rise to the top in corporations are those who are best at and enjoy playing mind fuck games with those they perceive as mentally inferior. This includes making people feel appreciated when the reality is they are actually kind of despised for being so dumb as to actually feel appreciated.
2. Corporations (and the men with small penises that run them) have created the cynical environment that cause people to despise them so much.
1. Corporations are not a panacea. By themselves, they cannot change the world and can quite literally destroy it if there is no oversight of these powerful entities.
---Technology will liberate us if it doesn't enslave us first.
1) Some of his gripes include a weird dialog with no text which is apparently caused by a bug in McAfee virus scanning software, and a 7-zip error dialog which is nothing to do with Mozilla.
:) Again, nontech people will ignore the address that shows up anyway, and tech users were already going to follow my suggestion if they are smart. On the other hand, ever visited windows update? They could download whatever they like from god knows where and you would never even know, because they don't tell you! Now that does give some trust issues doesn't it
2) Although digital signing is all well and good, not many people really care about it. The non-tech people I know of (an entire college full of them) all seem quite happy to ignore the dialog box that pops up telling them the file might be nasty and just click OK for anything they are asked. The tech geeks are all happy with md5sums, and generally from the look of Slashdot don't trust digital signing, and definitely don't expect it (most stuff on the web isn't signed). Firefox will also be including digital signing before version 2.0 apparently.
3) The default selection on dialogs that he complains of is kind of irrelevant if you are using a mouse, don't you think? How many people use the keyboard for that kind of thing? At least Firefox attempts to force the user to READ the warning it presents.
4) He is either stupid, or just plain lied about not being able to find the option to disable plug-ins. Not only is the option there, but it is BETTER than the IE "option" he claims to be able to have. If I want to disable Flash, I just untick Flash. In IE, up until SP2 (which is not available for all OS's yet) there is no choice but to disable all extensions and introduce the other annoyances the "High" security level adds, and hope it works. I can't say anything for the SP2 version of IE as I don't have SP2 (I use 2003).
5) Although most extensions are unsigned, the site you are downloading it from has to be whitelisted before you can install.
6) Mirrors: if you don't trust the mirror, download the md5sum from mozilla.org. Easy, solved.
So far the only real point I see in there is that you can tell it never to ask again about running executables, but then again I never use the download manager to open the files; I save to the desktop and then double-click it the old fashioned way. I am sure many others do the same.
And even if you consider all of his points, what will show the true advantage of Firefox is that their next release may just address all of these issues, whereas it took Microsoft HOW long to address them?
Actually the parent has a good point. WoM and customer happiness are better than marketing. Not to say that marketing has no place, but once a good amount of people know about your product, if it is worth its weight in salt, it will sell itself. But we, the uberconsumer culture, have forgotten this, in our climate of mass marketing for substandard product.
I trust what my friends tell me (within their expertise) more than what corporate flacks tell me. I downloaded (what was then) Phoenix because someone I trusted (and fellow /.er) told me it was a good program. A good portion of my friends got FF just because I told them that it was good. I bought a Mac, and an iPod because people I knew and trusted told me they were quality, and let me play with them. The point is, if your product can't sell itself, it isn't worth a damn.
If your mechanic/auto-aficionado told you X car was better you would trust him more than the guy at the Ford lot.
Now that FF has more mass recognition, it just becomes easier to get people to consider it; informed users are still needed to sell it.
Sure Buttwiper spends more on advertising, but I still drink real beer, just because it is better, and people who know their beer recommend it.
A patriot must always be ready to defend his country against his government. -edward abbey
...get the code, read, and compile it yourself. Do likewise for extensions. Then sign them yourself. Then code up an extension to check new extensions for your signature.
Firefox may look like a browser, but it's really a platform. If you think the default sucks, change it.
1. Off an official website, hashed, with checksums to make sure you're safe.
2. No, it's not.
3. Yes, there is. There are several internet standards, including MD5 hashing. Question -- why doesn't Firefox show the MD5 hash automatically for any files it finishes downloading (in the download box?) Perhaps some good can come from this troll for hire.
4. Just because he didn't look doesn't mean there isn't a way.
5. As opposed to all the multitude of ways IE spyware can bypass user intervention altogether? Right.
I wish I could get paid to troll the intarweb. Maybe Somethingawful's hiring.
I think not!
I am the musician
with a calculator in my hand
kraftwerk
What's this guy have against DePaul University ?
Probably nothing at all, oh parochial one. Have you ever considered that people who aren't originally from the U.S. might not have a clue who the hell "DePaul" are?
If I said "UMIST" to you, would you know who they were? Or would you think that I was calling you a bad juggler? (Clue: They're the UK's equivalent of MIT).
Torr's from Australia (IIRC - he may also be Kiwi). So give him a break.
Coming soon - pyrogyra
I installed Firefox by having the portage system download (wget) the source from one of many Gentoo mirrors and having it md5sum the source against approved md5sums. And before any of you cry MD5 hash collision, the attack is very limited in how much one can alter the original message.
I still don't see what's wrong with I.E. I don't have any spyware, I don't get any popups, I don't get viruses. I use Internet Explorer or exploiter or exposer or whatever moniker has been created for it now with no problems after installing the Google Toolbar a year ago. Perhaps the question isn't when will the Internet Explorer users wake up to security, but when will open source nerds wake up that sometimes good enough is good enough, and the ability to debug JavaScript in real time in a web browser just isn't important to more than a handful of web developers.
most fucking idiotic "poll" I have ever seen.
at first click you don't even know it's a poll. the fact that IE is the first link makes people think that clicking it tells you why IE could possibly be better.
then clicking on the other two links gives me the message "xxx.xx.xx.xx has already voted"...
WTF??? I voted for IE???
Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software." Huuu... how scaring depaul.edu, who wouldn't be nervous?! That's pure marketing: Microsoft knows FireFox is much better than IE... or maybe no, wait, millions of users can't be wrong? Right?! ;-)))
Why isn't Firefox a signed application? Well, first there is the technical point: you can buy a VeriSign certificate, but it only tells you "this is the Mozilla corporation". It does not tell you that all the source in Firefox is OK. It is nothing more than a fancy MD5 hash. And I wonder if a signed executable is portable to other OS'es?
But then who is going to apply the digital signature? Is there still someone who understands ALL of Firefox's code? No, just as there is no one who understands all of IE's code.
Do you trust the Mozilla Foundation more than MS? As ptorr explains there is no reason to. So what is this signature worth in the end?
But he does have SOME valid points.
Wouldn't BitTorrent go a long way towards making the distribution process more secure? Each of the current mirrors could be asked to seed instead so that the central Moz servers wouldn't be any more taxed than they are now.
The "small installer" you mention could be a simple, self-contained BitTorrent client with the .torrent link hard-coded into it.
The "more secure" part would come from the fact that every piece of the distributed file would be checked automatically against its SHA1 hash (part of the BitTorrent protocol). So given that everyone would be getting their installer from multiple mirror sites (and other downloaders as well), it would be harder for any one person to do anything malicious.
"Don't blame me, I voted for Kodos!"
One of the biggest flaws of third-party plugins and activeX controls is the ease with which they are installed. All you see is a popup prompt asking if you want to go ahead with it. With IE, you even have a checkbox saying "Trust all controls from this company".
And all that's required to get the plugin installed is a press of the spacebar. Oftentimes I'll be typing in another window (IM usually) when the popup hijacks the focus and jumps out at me. It scares me sometimes that a mistaken press of the spacebar would be all that's required.
Instead, they should make it so that:
1) Installing a plugin requires more than just a space bar press. More like, type in a string or sign it with your name.
2) Allow the user to specify a white list, so that only plugins from XXX companies can be installed, PERIOD.
eTrade SUCKS
Signing doesn't mean sh*t. This guy needs to stfu.
Don't take life so seriously. No one makes it out alive.
Setup the parents and siblings with Firefox - Thunderbird - AVG over Thanksgiving and now they only call to chat instead of complaining about slow computer performance. I have not had to walk them through cleaning the machine over the phone since. Thank You Mozilla Team :)
Isn't this article just classic FUD from MS? Find some issue at which your product gives the impression of being better and attack the competition with it. Play on the "you can't trust these open source people" angle and indirectly equate them with spammers. Throw in a couple of spurious error messages caused by a corrupt download and his anti-virus software, make a few complaints about "missing features" that aren't really missing at all, just not immediately obvious.
It all adds up to a classic piece of FUD, sowing in the minds of readers just enough doubt to make them think twice before switching.
People in glass houses should not throw stones - perhaps they should ask the question how to repair the loss in trust people have in IE before casting uncertainty about other browsers.
Here is one very good reason why we can "trust" Firefox over IE:
We have the source code - and as such it gives confidence that the Firefox team have no evil to hide - and that any software bugs can be repaired by anyone who cares.
Electronic Music Made Using Linux http://soundcloud.com/polyp
Here they are, flaunting this "code signing", and all it does is decide whether the Evil Bit is set or not!
- Go to Firefox site.
- Download source tarball.
- Thoroughly inspect and analyse source code {you may require expert assistance with this step}.
- Build binary from source code.
- Install the binary you just built yourself.
This way you can be certain that the package does what the source code says it will do. The trustworthiness of the package is dependent upon your own independent analysis of the source code.
The slightly less secure way:
- Go to your OS distribution's home page.
- Download binary package for your architecture.
- Write down MD5 sum shown alongside package.
- Compute MD5 sum of downloaded package.
- If MD5s match, install binary package. Otherwise, notify your distribution's security team.
Note that this is presuming that your distributor has carried out the "most secure" method correctly. As a general rule, the better-known the distribution, the more trustworthy any packages are likely to be.
The not-at-all-secure way:
- Go to some unknown random website.
- Download binary package without MD5 sum.
- Install and run binary package.
Of course, nobody would ever actually do it this way in real life.
I smoke. You smoke. We were!
No download is ever safe... people can put out malicious software under any name! If you search well enough, you will find versions of Microsoft Windows that are totally hacked to include zombies, spyware, FTP servers and anything you can name in the installation!
The empty Firefox dialog he showed has never appeared for as long as I have used Firefox (from version 0.7 onwards).
I never had any problems with Firefox extensions, simply because I never needed one. The most important "extensions", popup blocking and the search engine bar, are integrated in Firefox.
Microsoft must really feel the heat of open source software... some may say that Microsoft has the right to complain, just like the rest of the world is complaining about their products. The difference is that open source supporters complain because they like quality software and Microsoft isn't of the expected quality; Microsoft complains because it sees profits going down and market share lost...
Let me punch him. Really. The earlier versions of Windows Update automatically downloaded a WHOLE bunch of useless MS stuff (e.g. Outlook) that W2K WOULDN'T LET ME DELETE (yes I know I'm shouting). It filled my disk up, which through a chain of events crashed it and I lost a bunch of stuff. Their computer. Bastard.
The only way to answer his question is by asking the similar question "How can I trust Internet Explorer" and see what answers he gives.
Obviously in this case it isn't much help, because he just says "because I work for MS", so obviously his answers are going to be biased.
But it does help for people who don't work for Microsoft. Ask yourself why you trust IE. Quantify it. Once it's quantified, we can then discuss whether or not Firefox can be trusted.
Obvious questions to ask are:
- if I need to check the code for security issues, back doors and so on, is that possible?
- was the code written by convicted criminals, and whichever way this is answered, is it more or less likely to contain the aforementioned back doors?
- how easy is it for hackers to exploit, referring to historical records (not opinions or FUD) of successful hack attacks, the number of 0wned zombies out there and so on.
...etc. I'm not an expert on this sort of stuff, so this list is by no means exhaustive; however, I'm pretty sure the approach is sound.
Oh, sure.. I'd love to see an installer that can gracefully and intelligently fail from a corrupted download and bugs imposed by outside software.
Next step after that: the Firefox installer becomes self-aware....
How about we compile a list of /. suggested improvements?
I have one, not a deal-breaker, but still, nice to have if you need it:
1) File menu's Save Page As function should save with correct line breaks when selecting to save as a text file.
IE appeared to be ahead here, when I last tried.
Here is some of his reply to the comments
Publish MD5 or SHA-1 signatures for the distributed files in a secure (https) web page. That is an easy to implement and elegant solution that solves the verification problem.
Is this Microsoft article in response to this? http://www.emarketer.com/Article.aspx?1003182&type=resources
Chris ,
Php Programmers.
Mod up!
When I try to post a comment to this article on the MS site, I get this:
http://blogs.msdn.com/ptorr/Moderation.aspx?ReturnUrl=/ptorr/archive/2004/12/20/327511.aspx
"Moderation
Comments on this blog are currently being moderated. An email has been sent to the owner with the details of your comment.
Click here to return to the original post or article"
Nice !!!!!!!!!!!
The government on the mainland is not legitimate. The government in real china (aka Taiwan) is elected.
One of the biggest pains in the arse at work for flooding our network is Hotbar, and it's a Microsoft Certified Partner according to their site, so our users think "that's OK, I can trust them". Well, they did until we blocked Hotbar and all its subdomains. (evil laugh) Microsoft seem very two-faced to me. Jonathan
It's very easy to say that Firefox is not safe because Windows does not recognize it as a trusted application; they wrote both Windows and IE, so of course IE has a security mechanism compliant with Windows. What I would like to see is MS implement an open security mechanism that anyone can implement.
http://www.halcyon.com/mclain/ActiveX/Exploder/FAQ.htm
Better to be unsure how much more secure your browser is than 100% certain that it is not.
Incidentally, signed code makes no real difference when the signing does nothing to ensure the security of the code - only that it is a genuine copy with nothing added or removed. In the case of IE the signature means:
"This is a genuine MS security hole."
-- $G
Simply put, because I can't trust IE.
Join the Slashcott! Feb 10 thru Feb 17!
If he doesn't trust the mirrors;
i re fox
http://www.mozillastore.com/products/software/f
The originating web site could post an XML file containing a checksum and a list of mirror sites. The FireFox download manager would take care of choosing a mirror (or asking the user to choose one), downloading the file, and checking the file against the checksum. If the checksum doesn't match, the download gets a big red X through it and the user gets a very serious warning if they try to open the file.
I'm sure someone will point out that BitTorrent already handles many of these problems, and does it much more efficiently and powerfully. And I agree that it would be great to have a BitTorrent extension for Firefox. But the fact is that MD5 checksums and mirror sites are the de facto standard for open source software distribution right now, because they're so easy to implement. Why not clean up this system a bit so that average users can benefit from it?
--Stuart
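A client-side implementation of the manifest-plus-mirrors scheme this post proposes, together with the md5sum-style check used in the "slightly less secure" step list further up (added example, not code from the thread or from Mozilla; the manifest element names, the .example mirror URLs and the file bytes are constructed assumptions, and the mirrors are simulated in memory so it runs offline):

```python
"""Mirror-aware download verification: the originating site publishes a
manifest naming the file, the digest algorithm, the expected digest and
the mirrors; the client tries mirrors in turn and refuses any copy whose
digest does not match. Also emulates `md5sum --check` over a sums file."""
import hashlib
import hmac
import xml.etree.ElementTree as ET


class ChecksumError(Exception):
    """Raised when no mirror served a copy matching the published digest."""


# Constructed stand-in for the installer bytes; the real file would be large.
GOOD_FILE = b"MZ\x90\x00constructed-installer-bytes-for-demo"
# Constructed: what a tampered or corrupted mirror copy might look like.
TAMPERED_FILE = GOOD_FILE + b"\x00extra"

# Hypothetical manifest format (the post proposes the idea, not a schema).
# The publisher computes the digest over the genuine file before publishing.
MANIFEST_XML = """<?xml version="1.0"?>
<download name="firefox-installer.exe">
  <checksum algorithm="sha256">{digest}</checksum>
  <mirrors>
    <mirror>https://mirror-a.example/firefox-installer.exe</mirror>
    <mirror>https://mirror-b.example/firefox-installer.exe</mirror>
  </mirrors>
</download>
""".format(digest=hashlib.sha256(GOOD_FILE).hexdigest())

# Constructed mirrors: the first serves a bad copy, the second the genuine one.
FAKE_MIRRORS = {
    "https://mirror-a.example/firefox-installer.exe": TAMPERED_FILE,
    "https://mirror-b.example/firefox-installer.exe": GOOD_FILE,
}


def parse_manifest(xml_text):
    """Return name, algorithm, expected digest and mirror list from the manifest."""
    root = ET.fromstring(xml_text)
    checksum = root.find("checksum")
    algorithm = checksum.get("algorithm", "").lower()
    if algorithm not in hashlib.algorithms_available:
        raise ValueError("unsupported digest algorithm: %r" % algorithm)
    return {
        "name": root.get("name"),
        "algorithm": algorithm,
        "digest": checksum.text.strip().lower(),
        "mirrors": [m.text.strip() for m in root.find("mirrors")],
    }


def digest_matches(data, algorithm, expected_hex):
    """Compare the digest of data with the published value (constant time)."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def fetch_verified(manifest, fetch):
    """Try each mirror in order; return (data, mirror_url, failed_attempts).

    fetch(url) -> bytes is injected so the logic can be exercised offline.
    A copy that fails the digest check is never handed back to the caller.
    """
    failed = []
    for url in manifest["mirrors"]:
        try:
            data = fetch(url)
        except Exception:          # stand-in for a network or HTTP error
            failed.append((url, "unreachable"))
            continue
        if digest_matches(data, manifest["algorithm"], manifest["digest"]):
            return data, url, failed
        failed.append((url, "checksum mismatch"))
    raise ChecksumError("no mirror served a matching copy of %s: %r"
                        % (manifest["name"], failed))


def check_md5sum_file(sums_text, files):
    """Emulate `md5sum --check` over a dict of filename -> bytes.

    Each line is '<32 hex chars>  <name>' (a '*' before the name marks
    binary mode). Returns {name: 'OK' | 'FAILED' | 'MISSING'}.
    """
    results = {}
    for line in sums_text.splitlines():
        if not line.strip():
            continue
        expected, name = line[:32].lower(), line[32:].lstrip().lstrip("*")
        if name not in files:
            results[name] = "MISSING"
        elif digest_matches(files[name], "md5", expected):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_XML)
    data, mirror, failed = fetch_verified(manifest, lambda u: FAKE_MIRRORS[u])
    print("verified %d bytes from %s; rejected: %s" % (len(data), mirror, failed))
```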
Wow, way to be completely off-topic. If this is one of those rants where not voting is vaunted as some morally superior choice, I'm going hunting for that damn clue-by-four someone mentioned earlier.
...and do "md5sum --check firefox.md5"
That's a Linux command, isn't it? I'm still on Windows, although I'm thinking about removing Win Server 2000 Ad from one of my other computers and installing Linux. I just had to build a web page w/ database for one of my classes, and I tried PHP with MySQL. I had a blast, so I was thinkin' about trying Linux, too. Can you recommend a distribution?
I don't see. Some M$ (yes, that's a dollar sign, so complain) program manager has a weak morning, without his coffee, and pukes out some words, which are really nothing more/less than one would expect from anyone from M$. So what do we (/.) do? Start bashing the poor guy, in hundreds of comments, uselessly, because he won't change his mind, no matter what.
So I won't do that [bash him]. I just feel the same sadness which I've felt for many years now: with people thinking as this one does, working in hundreds at M$, this company still managed to pull in so many dollars over the decades. I guess it takes really good braindeads to convince the braindead masses.
Unless such guys are totally schizophrenic, then they really do and live by what they think. And that makes me very happy that I don't know many of them.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
Actually it's the massive tumour growth in the frontal lobe (responsible for reasoning, etc) of Peter Torr. The increased mass on the planet increases the gravitational forces.
The 7-zip error being blamed on Firefox makes me wonder how this guy got his Bachelor of IT (at the same university as myself).
Gee. I guess you wanted to vote for "sex with a mare" instead. No mare for you!
He's an asshole. I would love to see that same critical eye but turned to IE's vulnerabilities.
It's like a sophisticated astroturfing: a blog posting at MSDN saying "hey, maybe Firefox ain't so great"... It's FUD, why do we bother? Fuck him and the IE he rode on.
j.
Does anybody browse the internet with javascript OFF?
You'd be AMAZED at how much crap you avoid even with Firefox.
What if, instead of having the author sign it, all plugins are signed by one or more reviewers? Then you can choose to only use plug-ins who have been vetted by someone you trust.
You'd still have the "know your dealer" problem, but it would be better.
This is not a political statement. This is not legal advice. It's a frick'n Slashdot post. However: I'm Running For
He posts:
Why don't you just use Firefox?
Because my blog doesn't display properly...
It would have been nice if he'd have explained that this reason is due to Microsoft's lack of standards support in its products. But then again, do Microsoft developers/managers have any idea of Web standards (i.e. REAL standards)?
Linux/Open Source/Anti Microsoft News
I quit reading when he countered with blah, blah, next please... as if his opinion is instead fact.
A closed mind should be working in closed software. Oh wait, he's a M$ employee. It shows.
Anyone who dismisses other people like that gets dismissed by me. Next Please.
Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel.
Yea Right. You can have the Screen Blinking Red with the sound of the Enterprise Red Alert going in the background. The Robot from Lost in Space Crossing the Screen Going "Danger! Danger! Danger!" And People will still download the file. Because it is like the boy who cried wolf. They see these warnings all the time and learn to ignore them. Every time they Download a little game to play they get that message. Trust Based Security just doesn't work, Proven by the Fact that IE is Infested With Spy-ware and viruses. With ActiveX, you want to view the page, it goes "do you want to trust company X?" Well, saying No will prevent you from viewing the page, so I guess you will need to trust them. It is that simple. Microsoft has become out of touch with the current user and usage habits, and assumes that everyone would only use local administrator access when they need it, that everyone will save their files in My Documents, that People know how to use My Computer/Windows Explorer or even the Start Button. That it is a good idea to spread out all the programs to many different locations. While the individual is Smart, People are dumb, and the more people the dumber they get. And with 90% of the Market Share the people who are using Windows are Really DUMB! And trusting them to listen to the warning is generally a programmer's cop-out. (I admit I did it myself.) Make a program: when they are about to do something potentially Stupid, Give them a warning, and if they complete it then it is their own fault. Whereas If I had more time to program it then I would make it so they could revert back after they made the mistake.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
"But being a brave soul (and not caring if my Virtual PC image dies a horrible death) I click Run."
Well of course he didn't care. His virtual PC was already infected with Windows and IE.
. Quit playing Monopoly with Bill. Switch to one of many non-Microsoft products today.
Tor(k)
If FF wants to be a real player, it has to play by the established rules many organizations follow.
I know of quite a few firms, financial institutions, and state government offices which do not allow employees to use anything other than IE; much of the reasoning coincides with what this article is saying. They all use intrusion prevention services and just have the helpdesk clean up the occasional mess caused by a sneaky spyware install or a virus-infested laptop trying to VPN in.
Said organizations probably have an IT department that is capable of checking something like an MD5 checksum. So they will be able to make sure that the browser in question is actually the official version, and make it available for internal download.
At this point, compromised downloads become very unlikely and it is a question of trusting Microsoft to make a secure browser or trusting the Mozilla Foundation to do so. Personally, I have more trust in the Mozilla guys.
And "just have the helpdesk clean up the occasional mess" DOES cost money. If Firefox can cut down on this, it has a real advantage in TCO.
C - the footgun of programming languages
A compromised copy of FireFox is probably more secure than a real copy of IE, anyway. I'll take my chances, Mr. Torr.
Peter Torr has some pretty interesting rebuttals, actually.
http://blogs.msdn.com/ptorr/archive/2004/12/21/328377.aspx
Among other things, he clarifies that he's not ranting about Firefox itself and that he was silly to speak of numerical IP addresses. Check it out - not a bad job rebutting considering the numbers are several thousand in Slashdot's "favor."
Now I am the last one for conspiracy theories, but, here goes...
Clicked the link to the MSDN page in Firefox, wouldn't load all the images. Hit refresh, got the first image, then nothing.
Copied the page URL to Internet Explorer, hit go. Entire page loaded in 3 seconds, images and all.
Hmmmmmmm.
Well, in one of the cases you mentioned, this is not the best choice. Because if you don't choose, others choose for you.
In general, choosing none is just one of the choices, and then you're back to square one: Choose the least shitty option. Which may actually be the option "none of them", but it may also not be.
The Tao of math: The numbers you can count are not the real numbers.
Well if the Department Of Homeland Security does not trust IE then why on earth should I?
Of course the house you build is only as good as its foundation, and Windows is like erecting a house on quicksand.
Got Code?
Everyone here on /. knows how much more secure Firefox is over IE, but I feel the points that the author brings up are valid ones. Think about it: Joe IE user sees the huge two-page ad in the NYTimes and decides to check out this software... if he runs into even half of the dialog boxes stated in the article he might be turned off before even getting the software installed. This would be very unfortunate. If Firefox wants to have a professional image (which I think they do once everything is up and running) they should sign their software and make an effort to have extensions signed. Even for me it seems a little off to go to the official links for extensions only to find that none are signed. Some other posters mentioned that Microsoft does with IE exactly what the author of the article suggested, merely make it seem secure. We all know that Firefox is secure, so why not make every effort for it to come across to its users that way?
SIGFAULT
Whaddya know? The page loads perfectly in Firefox!
MjM
XKCD:Xeric Knowledge Comically Dispen
If you're a native Israeli who just can't speak English, I apologize, but all evidence from your post shows you can, in fact, speak English.
Ah. I see by the expression on your face that you are confused by my statement. Perhaps you doubt its veracity, but let me assure you, I speak not a word of English.
How can I trust IE when *it* "trusts" every random bit of ActiveX or Javascript code it comes across?
VOS/Interreality project: www.interreality.org
OMG, there is no IE available for me!!!
localhost:/home/anonymousbullard# apt-cache search internet explorer
bookmark-merge - Merge bookmarks from Mozilla, Netscape and IE
camserv - Stream live video out onto the web
wwwoffle - World Wide Web OFFline Explorer
zope-epoz - cross-browser WYSIWYG editor for Zope
Seems that I have to trust firefox...
and mozilla
and epiphany
and galeon
and konqueror
and... you get the picture
even if i have to download them from some "unknown server"...
like: ftp://ftp.fi.debian.org/debian/
...you are free to obtain a FireFox CD direct from the publisher.
I don't know how many times I clicked OK to that stupid question now. Since almost no one uses it, it loses all meaning. People will just click OK
Let's not forget that you cannot trust code that comes from Microsoft, says Microsoft. (For that matter, you cannot trust VeriSign either... read the security bulletin.)
Microsoft Security Bulletin MS01-017
http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx
Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
Originally posted: March 22, 2001
Updated: June 23, 2003
Summary
Who should read this bulletin:
All customers using Microsoft® products.
Impact of vulnerability:
Attacker could digitally sign code using the name "Microsoft Corporation".
Recommendation:
All customers should install the update discussed below.
Affected Software:
Microsoft Windows® 95
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows NT® 4.0
Microsoft Windows 2000
Microsoft Windows XP Beta 2
Fingerfucker is right.
Holding down escape is something that everyone on the planet should know.
Also, browsing the net on IE is generally more secure if the user offers a sacrificial chicken to the computer. (But I think everyone knows that.)
(That's actually the first chapter of my next book "IE voodoo")
If you don't know what AltaVista is (was), get off my lawn.
I sure hope those 10 million people who have downloaded Firefox so far haven't all downloaded backdoors into their systems...
I've already got IE, why would another backdoor be any big deal?
Come on... file signing.
That's almost fuckin' laughable coming from someone who thinks M$ is doing a good job on security.
Listen you fuckin' turd... when M$ embedded IE into the OS then the WHOLE OS, browser included, must now be judged on its trustworthiness and security.
M$, Windows, IE and just about every other product M$ produces is by DEFAULT insecure! PERIOD!
Sucks to be M$... and eventually a Fortune 500 company is going to get seriously bombed by one of M$'s famous innovations and the settlement hemorrhaging will begin! That is about the only way the world is going to slow down M$... sue them out of existence!
Oh and Happy Holidays...
BUSH the man of the year... please! What's next, FREE elections in IRAQ... oh wait... errr ah screw it...
I've heard people talk about extensions for browsing on Slashdot without the constant rendering errors. Does anybody know of an extension which helps Wikipedia (I edit the English and Swedish versions, to make things worse) render better? All I can find is a Wikipedia toolkit extension.
BTW, I've got v1.0 right now.
From the article: "You should only run software from publishers you trust"
Exactly! That's why I don't run Microsoft Windoze.
Now all of us have to take a step back and look at it from the simple man's eyes. Most people just use IE to browse websites because it's already there and has been indoctrinated into their heads by MS. Vanilla IE is a very poor security browser and rarely do I see people in the real world upgrade anything because what they have 'works for them.' After much of my family's computers had been invaded with spyware I was able to install Firefox on all computers after the extensive cleanup. After that I've had nothing but rave reviews: No Popups, Google/Yahoo search bar, tabbed browsing, auto updates, etc. In short, people that have little computer knowledge are afraid of change and MS will use every sales/spin trick in the book to slander Firefox and try to prevent the change of the everyday browser. MS needs to address their issues with IE security before they try to attack another, better browser.
"In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls"
And he's saying that Firefox doesn't? Has he ever actually seen an ActiveX control running in a default install of Firefox? Maybe he's been on the Christmas sherry a little early.
Suggests that Firefox is better. From the point I started using Firefox exclusively, Ad-Aware hasn't found Jack shidt.
Till hackers learn to rip Firefox a new one, I'll enjoy this newfound sense of security while it lasts.
While true, Firefox is available from more than one source; it's up to the user to make the right choice, or find out how to make the right choice as far as where to download it from. The best software in the world cannot predict or accommodate all the stupid that humans can do, and I don't necessarily think it should. Software is a tool to be used right or wrong, your choice.
I find Microsoft's dependence on digital certificates hilarious, given that VeriSign issued a couple of valid certificates for Microsoft to a hacker a couple of years ago. Makes you kind of wonder about the whole system and value of the verification process they follow.
What he neglected to mention was that even though IE has ActiveX scripting prompting him, Ma and Pa Internet would have disabled the annoying little shit notification window by now, or that JavaScript would have installed WebRebates and all sorts of shady crap.
Since when does digital signing == security? Yeah, that spoofed website your on has you downloading FATFUCK and you think it's ok because it is using the previous signature from MSN Instant Messenger. So life is ok because "hey it is digitally signed, so it must be good".
Or let a cross-site-scripting bug in all versions of IE, totally ream my pc anally while adding it to the hoards of zombie spam networks. Why not? Conformity is cool right?
The one true statement in the whole article. Although, if I can readily download the full source to Mozilla I can look at the code myself, and check for bugs, or even add something to it should I choose. Scuse me Mr. Gates, um please sir may I have the source to IE?
I think the major point here that the author neglected to point out is that regardless of what you're using, common sense should be exercised. Don't trust a browser to handle your security. Just because a little box says "It's ok", it isn't; use your own judgement. If you aren't sure, then ask someone you know who knows. I don't trust IE for crap; at the paranoid security setting you can't go 15 seconds without having to click a window or click OK. If I wanted to click pretty windows all day, Slashdot's Widgets would be my first choice. I have donated to Mozilla and used the browser for 4 years now. I have to say that I only use IE when I absolutely have to. I trust Mozilla as much as you should trust any web browser, but I trust my judgement first.
I am Bennett Haselton! I am Bennett Haselton!
Shouldn't your post be modded "Funny"?
The whole point of the article being discussed is that random IP addresses and random university web sites can't really be trusted unless someone verifies them. But we all download Firefox anyway because we believe that it's ok to trust these sites for this purpose.
Now you come along and say "don't trust geocities" but you don't give any more information on why we shouldn't trust them than this Microsoft wonk gives for not trusting a Firefox download.
I think that's pretty funny.
I love it when people tell me who I should and shouldn't put my faith in. Especially when they don't give any better details than "they're untrustworthy". I mean, what if I don't trust the guy telling my who is trustworthy or not?
Why should I listen to the MS guy telling me that Mozilla.org isn't trustworthy? Why should I listen to you telling me not to trust geocities? Should you listen to me telling you not to trust some other guy? You don't even know me, dude, and I have almost as high a user number as you do.
Bottom line: Some geocities sites post unreliable information and some don't. You will not be able to tell which, based on a geocities domain alone. See, some people have the capacity for truth, but don't have the income to justify anything but a free site... Just like Mozilla.org needs to get donations to pay for theirs.
TW
You can use checksums to verify your binary when you download it. By the way, my distro packages it and all my packages are signed on my Linux OS. Can we say the same for Windows? This article is nothing but twisted FUD.
Make ActiveX that replaces Explorer with Firefox and buy digital signature for it.
Right now I can't trust Firefox to do the things I need it to do. Just last night I was trying to get a replacement TiVo remote because I am evil to mine.. and I am using Firefox. I get to the checkout screen of the Shopping Cart and it says "Press the Checkout button" and there is NO checkout button. I played with it a while.. until I brought up IE and went through the same process and lo and behold, a Checkout button.
This is not the first.. not the second.. nor the third time it has happened to me. Mozilla seems to work better, yet they are the same ??engine??. I dunno..
How can I trust Firefox if I can't use it?
I can program myself out of a Hello World Contest!!
In what sense? Well, in the very sense that while trying to destroy FF, what he actually did was provide us with some good insight into some things that need to be addressed. The OSS is not stronger because it has 'strong finished products', but rather because its way of developing software is stronger. Sure, we aren't "there" yet (wherever "there" happens to mean), but you can see under the hood and tell me exactly where YOU think we need improvement. Instead of taking this as a troll, which it probably was intended to be, let's just use it as we would use any other user comment. Fix those issues and we end up with a much stronger app.
:)
Long live OSS
The shortest distance between two points is a chord.
"Tis better to remain silent and be thought a fool, than open one's mouth and remove all doubt."
-Samuel Johnson
"Practise safe computing"
-wise anonymous firefox user
I am struck by the audacity of Torr to suggest that you can trust Microsoft install packages but not Mozilla's simply because of signing.
Signing just indicates that the source validates what is packaged. Simply, signed Microsoft install packages come from Microsoft. However this does not indicate anything about the quality of the package. This is the heart of MS's problems since it was never a question of the package source but the quality of content. They've burned so many not by fake IE packaging but by the fact IE is "junk" in the first place. Anything beyond this (all of the malware, hacks, and bugs) is just a side effect of design and code in IE not of the fact IE is a hacked install.
There are legit complaints about the Moz distribution and install procedure. I would like to see a "self validating" install to ensure the package is legit; however, signing alone isn't the solution. Signing is only useful for indicating the install package has not been tampered with. It never indicates whether or not the software installed works. No amount of code signing from MS will fix IE's damaged reputation for misbehaving.
ps. I'm loath to think Mozilla needs to fork out money to anyone to prove anything. They should be seeking free (beer and freedom) ways of package authentication.
Just because something is "digitally signed" does not make it secure. In fact just the opposite you are getting a false sense of security. There are bad people out there that have digitally signed Active X controls.
Why do we need Active X controls to begin with? With Microsoft's idea of integrating the OS with the browser, you are bound to have security issues. Keeping the browser separate from the OS, you have a less likely chance of affecting the Operating System.
I've been browser hijacked more than I care to share, even with Microsoft's idea of security through digitally signed Active X controls.
Now I can say I use Firefox/Mozilla, never have had a problem with my homepage being directed somewhere else or unsightly pop ups, and I know my browser isn't integrated into my Operating System.
I trust MD5 Checksums more than I do a page that says it's signed by Microsoft, Verisign, or whoever. How many of us have to install drivers on Windows XP that pop up and say they are not certified by Microsoft? Utter crap. Code signing works the same way as trusting the website you download the code from. If you don't trust DePaul's website, then that's fine. If you're really antsy about making sure what you run is absolutely the code being distributed by Mozilla.org, you have to know the MD5 Checksum that Mozilla got when it ran MD5. This also assumes you put trust into the MD5 summer you use. Trust is not something that can be readily handled by software. You can use tools to verify things, but if the tool is faulty and gives you the answer you expect, then it's possible you can still run code that is hostile. Even if you say "but it has a Verisign certificate", that means nothing too, because even the criminals can buy certificates or even steal valid ones. The only way you can be certain is if you download only from a web site you trust, or put your trust in the Mozilla project that they only have mirrors that they trust or that they verify are ok. Any of these situations or tools like MD5 summers are not likely to even be known by the semi computer illiterate. They also would not know or care about signed software either. They do what they do in real life....they trust IBM and other big companies including Microsoft, although Microsoft is gradually losing their trust if they have not completely lost any trust they had. My brother has even switched to Firefox, but not because of the security features.....he switched because of tabbed browsing and faster web page rendering.
Gorkman
So if you choose to run no browser, how did you post to Slashdot? And, as a matter of fact, if most people vote for nobody, it's not the case that nobody becomes president.
mt
...the icon would show WWW, which also sounds internettish. Wolf and Fox are close enough as far as I'm concerned. Problem solved.
Suppose you trust Microsoft to review and sign plugins.
Do you trust Microsoft.com? The name, not the web site.
Do you trust Microsoft, Inc.? The name, not the web site.
How about Microsoft Inc.?
Anyone can pretty much register any name that isn't already taken. All someone has to do is find a similar enough name that hasn't been taken and they're in business.
Firefox's whitelist approach is pretty good. There are sites you trust. It could be improved, but not the way the original article says.
HIS COMMENTS:
- installing firefox requires downloading an unsigned binary from a random web server
- installing unsigned extensions is the default action in the extensions dialog
- there is no way to check the signature on downloaded program files
- there is no obvious way to turn off plug-ins once they are installed
- there is an easy way to bypass the "this might be a virus" dialog
"this is what the "secure deployment" part of microsoft's sd3+c campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well."
USER COMMENTS:
posted @ 12/20/2004 7:47 pm # re: trust no one (but use firefox) - andy habel: the simple fact is that i'd much rather trust an open source application where the code is public and subject to scrutiny than a closed source browser known to be riddled with many bugs and security holes, some of which still aren't patched to this day
posted @ 12/20/2004 6:30 pm # how can i trust ie/microsoft - rob davy: 4 words - lesser of two evils. at least you have to actively choose to install things with firefox, instead of bugs in ie allowing anyone to install things
From the first day I plugged my PC into broadband internet, things changed. (Win XP Pro retail, default install, about 6 months from shelf to net) Runs slower, searches get redirected, desktop is full of pop-ups I can't get rid of, I can't even bring up task manager with the 3-finger salute anymore. I trusted MS and they screwed me. Now they tell me I shouldn't run software unless they (or Veriwho?) tell me it's safe. They told me the OS and browser package they sold me was safe. All I had to do was plug it in the internet and I get screwed.
Beauty is truly in the eye of the tiger
I happen to run the mirror he was talking about (mirror.sg.depaul.edu) and just have to ask: how could you NOT trust an entity with ASCII-art?
Cheers!
-vxla
Actually, the kumquat is not a citrus. I did a little reading after seeing the FP, and as it turns out, kumquats actually belong to the family "fortunella".
I think the author of the article has some valid points. What could it hurt to start code-signing (at least) the Windows releases of FireFox? The author also has a good point that for the simple cost of a code-signing cert, you could potentially gain the trust of a whole new base of users.....is that bad? I don't think so.
The fact of the matter is that users have been trained (albeit by Microsoft) to be paranoid when they get messages such as those listed by the author. The whole idea behind FireFox is to do things the 'right way'......well, in the mind of the users, code-signing is probably the right way. Also, it wouldn't be terribly difficult to figure out what the top 25-50 FireFox extensions are. Once you've got that figured out, the huge FF developer base could do a code review on them, and sign them using the FireFox code-signing cert. One of the great things about open-source is the ability to see the source and tap into the vast development resources that exist in average 'Joes' such as myself.....why not use that?
Think of your folks in this situation. I know my parents (who are absolutely *not* technically savvy) would be more inclined to trust something that didn't warn them about potentially insecure code. REGARDLESS of the fact that it was IE that gave them the message.....they still got it....which is the point.
--Ben
A self validating installer is impossible. There is no way to tell if the code in the installer that checks the signature or hash has been modified to say everything is OK even though the software has been modified. It is very similar to breaking game copy protection; it all comes down to a single if, then, else statement which can be changed.
...once and for all, digital signatures do NOTHING. Once a user wants to install something, they will click 'yes' to whatever it takes. We all get a million warnings a day that we click 'yes' to with no ill effects, so what's one more? Call it "the boy who cried wolf" syndrome.
We wouldn't *need* all these warnings in the first place if MS hadn't allowed two extremely popular programs (IE and OE) to run executables with no user intervention. If they would have stuck with the ORIGINAL design--"Code canNOT run until you tell it to"--we'd all be better off. Run all the JS on a web page you want, but NO ONE can run code that affects the LOCAL MACHINE until told to. But no, stupid fucking MS, who didn't even *know* networks existed until Win 3.11, jumps into the game with the assumption that "Hey, you're on a network? Well then, you're probably at work, so the network's probably safe." Maybe we can fix the problem by putting up signs on the Redmond campus: "Strangers have the best candy!" and see if that thins the herd some.
How many old-timers here remember telling their new-to-the-net friends "You can *read* any email you want and NOTHING BAD CAN HAPPEN, but always be sure before clicking an attachment!"? And then we had to go and revise that statement.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Did you even read the freaking article? The author didn't say "Don't use firefox, they encourage bad behavior." He had legitimate points.
A few of his points were legitimate, most of his points were FUD and manipulation (eg. the "Ten Immutable Laws of Security").
If Firefox wants to sell security, they need to appear secure. Not having the install signed isn't a good marketing tactic.
One thing he ignores entirely, the installation download is signed. It's just not signed by Verisign's X.509 Certificate Monopoly in a format that is designed to play nice with Internet Explorer's dialog boxes.
It annoys the crap out of me that most (if not all) plugins aren't signed by their authors.
Yes, this needs to be addressed.
This article points out that the perception of firefox's security is less than IE under SP2.
It points it out incorrectly. IE under SP2 is still a security nightmare, and furthermore SP2 is a deployment nightmare.
Note that much of the article is trying to convince the reader that IE isn't as bad as the reader thinks. Furthermore, most of the article is trying to convince the reader that Firefox isn't as much better in security as they might have heard. I think IE has the perception problem here.
This, of course, doesn't mean Mozilla/Firefox should rest on its laurels, but letting a Microsoft Apologist frame the security debate is a recipe for disaster.
Firefox needs to make sure it doesn't poke holes in users security needs. It has to give users the tools they need to maintain good security. It has to give users the information they need to learn about good security practices. It does a very good job at this already, far better than IE. It can do a better job, and people are working on improving this.
----
Open mind, insert foot.
It's an attempt at Googlebombing. It's not going to work unless we all pitch in, though:
kumquat kumquat kumquat kumquat kumquat kumquat kumquat kumquat kumquat kumquat kumquat kumquat
Microsoft actually acknowledges that an Open Source competitor exists! Film at Eleven.
I've noticed a pattern of behavior from MS marketing: they don't seem to want to acknowledge linux, firefox, et. al. as actual products - and so a wry smile crept onto my face when I saw the image referencing the Mozilla Foundation as "Unknown Publisher."
This entry is probably an attempt at "payback" for all those "My Windows Installation Nightmare" anecdotes populating the 'web. However, his story seems just a *bit* contrived. I've installed firefox on multiple PCs and multiple windows versions and experienced 0% of the problems he's describing. Huh?
He reviews the FF browser security and all he can talk about is binary signing?
Is that all they have?
This makes about as much sense as a Word review that criticizes scroll bar dimensions.
Virtually irrelevant to the subject. It's great to hear MS whine about well executed free software, they truly have no ammunition against it.
It may be that it's uncertain whether Firefox is fully secure.
HOWEVER, it's absolutely *GUARANTEED* that IE is NOT secure.
Simple decision.
What's more, Firefox is not only easily the best browser, it's also the future of software generally.
What's really sad is that the guy's article is full of completely valid points. Imagine if Firefox was, overnight, suddenly given the marketshare that IE has. Every one of those security faults he mentions would be exploited, especially unsigned installers coming from numeric IP addresses.
With all the recent exploits Firefox has had, this is another point that hasn't even been considered. In the rabid drive to bash everything Microsoft, people are ignoring these very valid constructive criticisms. Why disregard good advice simply because it comes from someone you've fashioned as your arch-nemesis?
By the way, after SP2, my medium-sized corporate network has not had a single problem with IE and spyware/malware infections. That makes me happy. I think it should tell you something that I wouldn't install Firefox on all these computers, because of exploits that have been announced here on Slashdot recently. And to be quite honest, Firefox simply isn't as user-tested as IE is, being the dominant browser.
True, some of Cartoon Network's games might use Flash or Java technology and thus be compatible with GNU/Linux, but Kids Next Door: Operation Best is a more sophisticated 3D game, and in order to get enough permission to access the 3D card through DirectX, it needs ActiveX.
--"In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download."
Ok, that's Grade A B.S. Right there.
First of all, isn't www.cnn.com a trusted site? If so, why does IE allow Spyware "Avenue A" download on my system.
Second, Verisign cost more money than what's it worth. Hey, if I had $300+ to spend every year so that Micro$haft can grant me it's blessing, that doesn't make my tabloid of a site anymore trustworthy.
Third, you don't know where mirror.sg.depaul.edu is? Give me a break. www.microsoft.com goes to a cluster of machines all across the US. Maybe I'll get lucky playing Russian roulette one day with a disgruntled MS employee that decides to send an... oops, trojan from one of its sites. Speculation is a two-edged sword.
Fourth, MS has a 10+ year track record with its greed, its defiance, its manipulation and persuasion, and most of all, its deception. Now, knowing this, let's apply Law #1 of the Ten Immutable Laws of Security: "If a bad guy can persuade you to run his program on your computer, it's not your computer any more." Seems like I hear this one directed to MS users... a lot.
-my four cents worth.
Before you can become a maintainer for a package with Debian, you have to be known to an existing maintainer.
I've heard people say that it won't scale very well, but it seems to work for the thousands of packages that Debian has, so applying the same practice to Firefox extensions shouldn't pose a problem.
There would have to be a way to disable lost/stolen keys. Some kind of check against a central server. This could be a problem if someone could use a different exploit to add an entry to your host table to re-direct that check.
So a site would still have to be on your whitelist...
And the extension would have to be signed...
And the signature would have to be on your trusted list (or trusted by someone on your trusted list)...
And the trusted signature would have to be checked and verified as current.
Sounds good to me.
I mean, how do I acknowledge with confidence that I "trust" Acme, Inc's new browser companion?
There are thousands of software developers, and if I want to download their programs through IE, I have to state that I "trust" them. Trust them? I don't even know them. I just want to try the app.
Maybe this is a way for MS to keep people wed to their apps (hey, we're a big multi-national corporation, you can trust us, so why not download OUR version of that program!)
I don't see how digitally signing something makes it more or less legitimate. I can digitally sign the most dubious piece of spyware ever known, and that doesn't make it any less dubious.
I do not use the "house-call" style apps when cleaning up a PC.
True, one can download anti-spyware programs using Firefox, but don't anti-virus programs cost money to download? And what about ActiveX based games for the kids such as Kids Next Door: Operation Best?
I don't know how Windows users put up with Windows Update only updating Windows and not every program on their computer.
Under Windows, it's considered the norm for each publisher to use its own software update notification system. Windows Update/Office Update happens to be Microsoft's. Popular Windows programs often have a checkbox that lets the user tell the program to check for updates itself. On my computer, at least Azureus and eMule have fetched an update in the past week; Gaim has an update notifier as well.
I'd at least do a Google search on UMIST before I complained about it in a flame. I wouldn't say "where the hell is UMIST or whatever and why should I trust it?"
Also, to tell you the truth, I didn't even know that DePaul had that server!
Whats wrong with being parochial?
Browser wars, Darwinism, and the SlashDot effect
For reasons many others have pointed out, verifying the Firefox download is worthwhile. It allows you to make sure that the contents of your download are the same as that intended by someone at the Mozilla project, rather than an accidentally corrupted copy, or a maliciously changed copy.
A few people have pointed out that there is a way to verify the Firefox download via GPG/PGP. How usable is this method, though?
I am mainly familiar with GPG/PGP from apache.org and all the developer tools I download from there. Take ant.apache.org, for instance. Their "Binary Distributions" link goes to a page that begins with a suggestion to verify the download, a link to instructions on how to verify, and a link to the main distribution directory where the keys and signatures are available.
So let's say I download Firefox and expect the same kind of experience. www.getfirefox.com takes me directly to http://www.mozilla.org/products/firefox/ where I am given a big "Free Download" link.
Clicking the link immediately gives me firefox-1.0.installer.tar.gz from a mirror site, and my current Firefox browser prompts me to save it. So the download link doesn't point to anywhere with keys or signatures. The page text itself doesn't mention keys or signatures.
Well, there is an "Other systems and languages" link, so perhaps that has a more detailed download page where the keys and signatures are. The link takes me to http://www.mozilla.org/products/firefox/all.html, where I am given a table of "Download" links for different languages and platforms. Clicking any of the "Download" links again immediately gives me the installer file for download rather than directing to a page that might have keys or signatures. And the whole download page has no text about keys or signatures either.
The Firefox download experience seems to totally ignore GPG/PGP. I understand that the necessary info is accessible somewhere on the mozilla.org site, but the point is that the site doesn't relate the tasks of downloading the app and verifying it at all.
Though you can argue that
A) software publishers and users shouldn't buy into the whole commercial Verisign digital certificate thing and should instead use GPG/PGP verification, and/or
B) automatic PGP/GPG verification by the program doing the download isn't necessary, or feasible to apply to every download program,
I don't think you can argue that mozilla.org is effective at supporting PGP/GPG verification of the software it publishes.
So why not:
1. Have the mozilla.org site make the PGP/GPG verification of Firefox and other products as visible and clear as the product downloads themselves? They've done an excellent job with the download process, why not bring the verification process up to the same level?
2. Work on a Firefox download feature that automatically attempts to PGP/GPG verify the download when a signature is available on the server? No matter how the Cancel/OK/Accept/Install/Ignore options are laid out or defaulted, the user would at least get worthwhile info. The browser would say that either "Hey! You have one of mozilla.org's keys and your download checks out according to them!" or "This download is signed by mozilla.org's keys, but you don't have any of them, maybe you should ask somebody for mozilla.org's keys and add them so you can check downloads!" or "This download isn't signed at all, maybe you should ask the publisher to get keys and sign it so you can check his downloads!" or "This download is signed by one of the mozilla.org keys you have, but it doesn't check out according to them, maybe you should check what site you are downloading from!"
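The outcomes listed in the post above (verified with a key you hold, signed by a key you don't hold, unsigned, signed but failing), the revocation check from the Debian-style proposal earlier in the thread, and the point made earlier that an MD5/SHA sum only proves the file matches the list it came with, can all be sketched as one verifier. The following is an added example written for this page, not code from Mozilla or from any of the posters. It assumes a hypothetical detached-signature format (a key id plus signature bytes) and uses Ed25519 from Go's standard library in place of PGP; the installer bytes and key pair are constructed samples. The publisher signs the small SUMS file, and the downloaded installer is then checked against that file.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Verdict is the result of checking a signature against the keys the user
// already holds; the values match the messages proposed above, plus the
// revoked-key case from the Debian-style proposal earlier in the thread.
type Verdict int

const (
	Unsigned           Verdict = iota // no signature published with the file
	SignedByUnknownKey                // signed, but we hold no key for this id
	SignedByRevokedKey                // the id is on the user's lost/stolen list
	BadSignature                      // we hold the key; signature does not verify
	Verified                          // we hold the key; signature verifies
)

func (v Verdict) String() string {
	return [...]string{"unsigned", "signed by unknown key",
		"signed by revoked key", "BAD signature", "verified"}[v]
}

// DetachedSig is the hypothetical artifact a publisher serves beside a file.
type DetachedSig struct {
	KeyID string
	Sig   []byte
}

// Keyring is the user's local trust state: keys by id, and revoked ids.
type Keyring struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// VerifySignature decides using only what the user has locally.
func VerifySignature(data []byte, sig *DetachedSig, kr Keyring) Verdict {
	if sig == nil {
		return Unsigned
	}
	if kr.Revoked[sig.KeyID] {
		return SignedByRevokedKey
	}
	pub, ok := kr.Keys[sig.KeyID]
	if !ok {
		return SignedByUnknownKey
	}
	if ed25519.Verify(pub, data, sig.Sig) {
		return Verified
	}
	return BadSignature
}

// MatchesChecksum looks name up in a sha256sum-style list ("<hex>  <name>",
// optionally "*<name>" for binary mode) and compares the file's hash.
// This only ties the file to the list; the list itself must be trusted.
func MatchesChecksum(data []byte, name, sums string) bool {
	got := sha256.Sum256(data)
	sc := bufio.NewScanner(strings.NewReader(sums))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && strings.TrimPrefix(f[1], "*") == name {
			return strings.EqualFold(f[0], hex.EncodeToString(got[:]))
		}
	}
	return false
}

// SumsLine formats one line the way sha256sum prints it.
func SumsLine(data []byte, name string) string {
	h := sha256.Sum256(data)
	return hex.EncodeToString(h[:]) + "  " + name
}

func main() {
	// Constructed sample: stand-in installer bytes and a publisher key pair.
	const name = "firefox-1.0.installer.tar.gz"
	installer := []byte("constructed sample installer bytes")
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const keyID = "publisher-key-1"

	sums := SumsLine(installer, name) + "\n"
	sig := &DetachedSig{KeyID: keyID, Sig: ed25519.Sign(priv, []byte(sums))}
	user := Keyring{Keys: map[string]ed25519.PublicKey{keyID: pub}, Revoked: map[string]bool{}}
	fmt.Println("genuine:  ", VerifySignature([]byte(sums), sig, user), MatchesChecksum(installer, name, sums))

	// A mirror swaps the installer; the signed SUMS file no longer matches it.
	tampered := append([]byte{}, installer...)
	tampered[0] ^= 1
	fmt.Println("tampered: ", VerifySignature([]byte(sums), sig, user), MatchesChecksum(tampered, name, sums))

	// The mirror rewrites SUMS to fit its file; now the signature fails instead.
	fake := SumsLine(tampered, name) + "\n"
	fmt.Println("fake sums:", VerifySignature([]byte(fake), sig, user), MatchesChecksum(tampered, name, fake))

	fmt.Println("no key:   ", VerifySignature([]byte(sums), sig, Keyring{}))
	fmt.Println("unsigned: ", VerifySignature([]byte(sums), nil, user))
	user.Revoked[keyID] = true
	fmt.Println("revoked:  ", VerifySignature([]byte(sums), sig, user))
}
```

The two failure modes in main are the ones worth noticing: a mirror that replaces only the binary is caught by the checksum, and a mirror that also rewrites the checksum list is caught by the signature over that list, provided the user already holds the publisher's key from somewhere other than the mirror.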
Only to those that don't understand the problem in the first place and are too jaded to read material objectively.
Let's look at it objectively:
Firefox does NOT currently lead to millions of pwn3d machines; IE does.
Saying that Firefox is the one not to be trusted because it could theoretically be a risk is purely meant to spread FearUncertainty&Doubt.
You can't take the sky from me...
Is anyone else reminded of Mohammed Saeed al-Sahaf, AKA "Baghdad Bob"?
"Firefox is not safe, I promise you this. They say you can verify the binary with MD5 and SHA1, but I believe in neither of these heathen algorithms. Verisign is the true path, as our glorious leaders have shown us the way to the security that we enjoy every day. They are as a snake in the desert! I can assure you, there are no Firefox users in Redmond! Your faith to Microsoft, we will not be tempted!"
Funny that they're moderating the blog now. Couldn't see that coming.
Kumquats love Kumquats who are Kumquats plus Kumquats but Kumquats kick Kumquats in the Kumquats and hurt their Kumquats without Kumquats feeling any Kumquats. In other Kumquats, Kumquats make great Kumquats for Kumquats and Kumquats. How about those Kumquats? SUCK MY Kumquats! Kumquats Kumquats Kumquats
I like this idea. It's harmless and amusing. Trolls used to be like that before they started talking about gay niggers, dead bishops and penisbirds.
I thought you were gone already. What a coincidence that I change my sig to the one below and then stumble across one of your posts. (I would have posted this in your journal, but there are no more comments permitted there as it is too old). Hope you like the sig.
I'd rather be lucky than good.
rebar ?
Nothing new here. Move along please...
First off, I'm not the slightest bit anonymous. Information about me is advertised readily in my various online profiles. Second, stop posting as an AC and I will give you a very detailed breakdown demonstrating why your sources and analysis are flawed.
Read jack phelps dot net
I'm back until february. Then I'll be gone. I'm home from college until then... my college's IP's were banned from posting at slashdot and my college didn't allow using proxies... so it would have been a bit difficult to post poll troll tolls.
Browser developers, please take notice! For ANY "would you like to install software" prompt from a browser (Firefox XPIs, IE .exe's, ActiveHex etc.) :
Upon displaying the message popup,
a) None of the option buttons should be positioned near, or directly underneath, the mouse pointer. It is a simple matter to detect the location of the mouse pointer, and spawn the window somewhere else on the screen.
b) The option buttons should be disabled against keyboard input for a minimum of two seconds from when the window appears. This is especially true if the user is currently typing!
Under Windows, several commonly-pressed keys (Enter, spacebar, etc.) will activate a menu button; I have personally had error windows pop up and quickly disappear while I was typing in another window (default option chosen by the spacebar I was pressing as the window appeared) and felt that "Crap, what did I just say ok to?" Additionally, there are many users (again including myself) who are not always looking at the screen while typing.
These suggestions could also be good reading for instant-messenger developers, as agreed by all of my friends who have received the last few letters of a message intended for someone else...
Caveat Emptor is not a business model.
Ok. You're gonna bitch about running unsigned software from Firefox, but, yet, run an unsigned ZIP PROGRAM called 7-Zip? Where'd you get this from, eh?
Cnet?
I mean, I've used 7-Zip in the past, but you should at least make an effort, in your column denouncing downloading unsigned software to NOT USE UNSIGNED SOFTWARE!
That wasn't me.
I reply under my own username.
Dick.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
...you are painfully mistaken. This wouldn't be Slashdot if the bashing didn't start from the beginning.
AdAware reference file: Build:01R347. AdAware version: 6.181 Personal
Norton Antivirus, version 8.1.0.825, scan engine: 4.2.0.7, virus def file: 12/15/2004 rev. 32
AdAware scan results: 132 items recognized - all are cookie files (which AdAware reports as well)
I don't need AdAware or similar mini-app s**t on my computer any more, the antivirus is taking care of everything.
just because you don't know doesn't mean it isn't there.
If you don't have a point, please just resist the urge to use non-sense logical propaganda, thank you.
MSIE, of course. That thumping sound you hear is me pounding my head into my desk.
A centralised update system would make a lot more sense.
Did you mean "A monopolizable single point of failure would make a lot more sense"? Who decides what apps get into the centralized update system? Wouldn't an update system per publisher contain the damage if the server goes down or gets hacked?
and it would be a "one stop shop" for all the computer updates.
In the meatspace world, the "one stop shop" is Wal-Mart, with all of its alleged negative connotations.
I really think we should /. msdn.
for real.
And, who the hell is Peter Torr? Is Gates using pseudonyms?
IE is specified as an interface.
If I write a server I need to control (or understand) the client.
If some random idiot modifies the client, I'm screwed.
MS has tended to preserve APIs, ABIs, etc.
Is this too hard to understand?
Writers imply. Readers infer.
Same as myself?
Not an English degree, one assumes.
Writers imply. Readers infer.
Same as me?
Same as I?
Same as myself was the best choice.
The grammar usage in "Not an English degree, one assumes." is far worse. Think about it...
Okay Mr Blanks, you don't trust any potentially-exploitable browser. So... do you surf Slashdot with wget or with curl?
"If you can't trust something DONT trust it."
This line was the main focus of what I was attempting to point out about why the entire topic was flawed. Not trusting something and not using something are 2 completely different things.
It's a simple matter of: if you don't care about trust in a software application, or if trust is not important in what you're doing, then trust is not a concern.
BUT if security, personal information, etc. IS important, but you CHOOSE a program that you do not trust, but trust MORE than other applications, then you should not place your trust in it at all. Not trusting an application but using it anyway is foolish.
I use IE and I do have trust in it. Simply because of the security settings I have IE using, the trust I have in the websites I visit (business PCs are not used for browsing), and my own common sense; I don't download random crap from various sites, I don't randomly browse websites from search engines, etc. etc.
I have 1 machine that is used for random entertainment, and I have no worries about that needing to be reformatted because it has no personal information in it.
TruePunk | Games
What Peter Torr is saying is just typical Microsoft FUD. If he really wanted to go after Firefox, go after the real problems. Problems like Firefox is still rather unstable, I have had it crash on me several times, that's more than Internet Explorer has ever crashed. It's a memory Hog, the highest usage I have seen is 160,232K used, that is way more than Internet Explorer has ever used.
I'm not trolling, I'm just trying to point out a couple of problems with Firefox that need to be fixed.